[cabfpub] Discussion relate to IP address that belong to Cloud Service Provider.

Ryan Sleevi sleevi at google.com
Wed Jan 4 19:37:39 MST 2017


Using the BRs 1.4.1 (e.g. setting aside the discussion of Ballots 180 - 182)

It would be helpful to step back and first evaluate what the Baseline
Requirements require of the CA:

Section 3.2.2.5 of the BRs notes the acceptable ways to validate control
over an IP address.
Method 1 requires a practical demonstration of control - not documentation.
Method 2 requires documentation from IANA or the RIR - for which it sounds
like the Applicant (a subscriber of the Cloud Service Provider's service)
wouldn't be able to provide, because IANA/RIR's interactions were with the
Cloud Service Provider. Of course, if the Cloud Service Provider isn't
delegated the IP range (unlikely, given that they're a cloud provider, they
likely are the RIR's point of contact and advertise that prefix over a
variety of ISPs/ASes), they wouldn't be able to provide that documentation
- but it sounds like Method 2 is a complete wash for your case (because
Applicant != Cloud Service Provider)
Method 3 requires a practical demonstration of control - not documentation.
Method 4 is... well, it's 'any other method', but of note here is whether
or not documentation from the Cloud Service Provider meets the bar set out
in Method 2 (or the other methods). I would like to suggest that it does
not.

So to issue this certificate, it seems like your best and easiest option,
avoiding any form of paper documentation, would be to employ one of either
Method 1 or Method 3. Does that not work?


On Wed, Jan 4, 2017 at 6:21 PM, 张翼 via Public <public at cabforum.org> wrote:

> Greetings,
>
>
>
> I want to discuss what a CA should do if a subscriber provides proof that
> their IP address belongs to a Cloud Service Provider.
>
>
>
> If subscribers purchase Cloud service from a Cloud Service Provider
> (such as Aliyun in China), they have a contract that indicates the IP
> address they are using is from the Cloud Service Provider.
>
> But such a contract or related document cannot prove which ISP the IP
> address is from.
>
>
>
> In this case, the certificate application material from users does not
> contain information about the ISP; the Cloud Service Provider may have
> signed many contracts with different ISPs, and those contracts or
> agreements do not contain any specific IP address or IP range.
>
> In addition, the Cloud Service Provider refuses to provide the contracts
> between them and the ISPs to the CA because it’s confidential.
>
>
>
> What we are trying to do is verify that the IP address belongs to the
> Cloud Service Provider via a public channel (such as IP address tools).
>
> (No certificate has been issued in this case yet)
>
>
>
> In this case:
>
> 1. Should this be sufficient to issue a certificate? (1. files that prove
> the IP is what the subscriber applied for from the Cloud Service Provider;
> 2. public tools indicate this IP belongs to this Cloud Service Provider)
>
> 2. Should the CA take further actions, such as contacting the ISP
> directly? (Note that this IP address can be from any ISP in the world;
> public IP address tools do not take any responsibility for “Bugs” or
> inaccurate info)
>
> 3. Are there any more documents the CA should request from the subscriber,
> Cloud Service Provider or ISP?
>
>
>
> Regards.
>
>
>
> Zhang Yi
>
> *Certificate Division Competent*
>
> China Financial Certification Authority
>
> Business Department
>
>
>
> Address: 20-3 PingYuanLi,CaiShiKou South Avenue, XiCheng District,
> Beijing, P.R.China
>
> Postcode: 100054
>
> TEL: +86 010-50955017
>
> Mobile: +86 18510280028
>
> Email: zhangyi at cfca.com.cn