[cabfpub] Reply: Discussion relate to IP address that belong to Cloud Service Provider.

张翼 zhangyi at cfca.com.cn
Thu Jan 5 03:32:15 UTC 2017


Thanks Ryan

 

It seems Method 1 is the best approach; they do not have a domain name, just an IP.

Method 1 is very practical, but for some companies in China, the business department that applies for this certificate needs many steps (taking many days or even weeks) to make the “agreed‐upon change to information found on an online Web page”, so they are reluctant to make this “agreed‐upon change”.

 

But anyway, we will request method 1 for them in this case for now. 

We will make more contact with Cloud Service Provider and ISPs in the future and try to find an easier approach for this case. 

 

Thanks again and regards.

 

Zhang Yi

Certificate Division Competent

China Financial Certification Authority 

Business Department

 

Address: 20-3 PingYuanLi,CaiShiKou South Avenue, XiCheng District, Beijing, P.R.China

Postcode: 100054

TEL: +86 010-50955017

Mobile: +86 18510280028

Email: zhangyi at cfca.com.cn

 

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: January 5, 2017 10:38
To: CA/Browser Forum Public Discussion List
Cc: Kirk.Hall; 张翼; 赵宇; 赵改侠
Subject: Re: [cabfpub] Discussion relate to IP address that belong to Cloud Service Provider.

 

Using the BRs 1.4.1 (e.g. setting aside the discussion of Ballots 180 - 182)

 

It would be helpful to step back and first evaluate what the Baseline Requirements require of the CA:

 

Section 3.2.2.5 of the BRs notes the acceptable ways to validate control over an IP address.

Method 1 requires a practical demonstration of control - not documentation.

Method 2 requires documentation from IANA or the RIR - for which it sounds like the Applicant (a subscriber of the Cloud Service Provider's service) wouldn't be able to provide, because IANA/RIR's interaction were with the Cloud Service Provider. Of course, if the Cloud Service Provider isn't delegated the IP range (unlikely, given that they're a cloud provider, they likely are the RIR's point of contact and advertise that prefix over a variety of ISPs/ASes), they wouldn't be able to provide that documentation - but it sounds like Method 2 is a complete wash for your case (because Applicant != Cloud Service Provider)

Method 3 requires a practical demonstration of control - not documentation.

Method 4 is... well, it's 'any other method', but of note here is whether or not documentation from the Cloud Service Provider meets the bar set out in Method 2 (or the other methods). I would like to suggest that it does not.

 

So to issue this certificate, it seems like your best and easiest option, avoiding any form of paper documentation, would be to employ either Method 1 or Method 3. Does that not work?

 

 

On Wed, Jan 4, 2017 at 6:21 PM, 张翼 via Public <public at cabforum.org> wrote:

Greetings,

 

I want to discuss what a CA should do if a subscriber provides proof that their IP address belongs to a Cloud Service Provider.

 

If subscribers purchase cloud service from a Cloud Service Provider (such as Aliyun in China), they have a contract that indicates the IP address they are using is from the Cloud Service Provider.

But such a contract or related document cannot prove which ISP the IP address is from.

 

In this case, the certificate application material from users does not contain information about the ISP; the Cloud Service Provider may have signed many contracts with different ISPs, and those contracts or agreements do not contain any specific IP address or IP range.

In addition, the Cloud Service Provider refuses to provide the contracts between them and the ISPs to the CA because they are confidential.

 

What we are trying to do is verify that the IP address belongs to the Cloud Service Provider via a public channel (such as IP address tools).

(No certificate has been issued in this case yet.)

 

In this case:

1. Should this be sufficient to issue a certificate? (1. Files proving that the subscriber applied for the IP from the Cloud Service Provider. 2. Public tools indicate this IP belongs to this Cloud Service Provider.)

2. Should the CA take further actions, such as contacting the ISP directly? (Note that this IP address can be from any ISP in the world; public IP address tools do not take any responsibility for “bugs” or inaccurate info.)

3. Are there any more documents the CA should request from the subscriber, Cloud Service Provider or ISP?

 

Regards.

 

Zhang Yi

Certificate Division Competent

China Financial Certification Authority 

Business Department

 

Address: 20-3 PingYuanLi,CaiShiKou South Avenue, XiCheng District, Beijing, P.R.China

Postcode: 100054

TEL: +86 010-50955017

Mobile: +86 18510280028

Email: zhangyi at cfca.com.cn

 

