[cabfpub] Proposed new ballot on IP Addresses in SANs

Tim Hollebeek THollebeek at trustwave.com
Thu Apr 21 15:12:59 UTC 2016

Regardless of whether this should be allowed for public certificate, it is worth noting that it is not uncommon to use IP addresses in certificates in order to to remove DNS as an attack vector.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rob Stradling
Sent: Thursday, April 21, 2016 10:19 AM
To: public at cabforum.org
Cc: Rick Andrews
Subject: Re: [cabfpub] Proposed new ballot on IP Addresses in SANs

Why do we need to allow IP addresses in certs anyway?

Are there actually any valid use cases where servers can't be addressed by domain names?

On 21/04/16 15:04, Jeremy Rowley wrote:
> We have and it's not practical. I'm encouraging the customers with the
> issue to post to the forum to explain why.
> Richard Barnes <rbarnes at mozilla.com> wrote:
> Jody, Rick: Have you guys evaluated Ryan's proposed solution?  It
> seems a bit rash to be changing the BRs if there are compliant options that work.
> On Thu, Apr 21, 2016 at 9:30 AM, Jody Cloutier <jodycl at microsoft.com
> <mailto:jodycl at microsoft.com>> wrote:
>     As a Forum member, Google is certainly within its purview to vote
>     no, then. Let's put it to a vote and see where it comes down.
>     ------------------------------------------------------------------------
>     *From:* Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com>>
>     *Sent:* Thursday, April 21, 2016 6:24:55 AM
>     *To:* Jody Cloutier
>     *Cc:* Richard Barnes; Rick Andrews; public at cabforum.org
>     <mailto:public at cabforum.org>
>     *Subject:* Re: [cabfpub] Proposed new ballot on IP Addresses in
> SANs
>     On Thu, Apr 21, 2016 at 6:24 AM, Jody Cloutier <jodycl at microsoft.com
>     <mailto:jodycl at microsoft.com>> wrote:
>         Simple - because we have customers who now need the
>         functionality, and without this change we cannot give it to them.
>     That's not correct - I gave a solution 8 months ago, fully compliant
>     with the BRs, that would have allowed that behaviour to be given to
>     them.
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> http://scanmail.trustwave.com/?c=4062&d=xOOY18SejsrPsLSFCwFp5d2qRC1dGS
> OR7jNbJCyBdA&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2
> fpublic

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690 Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.  If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by COMODO for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software.
Public mailing list
Public at cabforum.org


This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

More information about the Public mailing list