[cabfpub] Ballot 202 - Underscore and Wildcard Characters

Geoff Keating geoffk at apple.com
Tue Jul 25 12:25:29 MST 2017


> On 25 Jul 2017, at 12:01 pm, Peter Bowen via Public <public at cabforum.org> wrote:
> 
> Erwann,
> 
> Thank you for your detailed feedback and I appreciate you providing context for your vote.
> 
> With regards to reserved IP addresses, the definition in the current BRs allows a CA to deliver a certificate for 192.0.0.9.  They also allow a CA to deliver a certificate for 192.168.1.1.  This is because the current language (which has been in the BRs since at least V1) says “Reserved IP Address” is only defined by the whole /8 being reserved.  This means only 0/8, 10/8, 127/8 and 224/3 are currently Reserved IP v4 addresses.  While I agree we may be able to further restrict issuance, this ballot covers the common cases.

That’s not what the language says… the new language says

>>> F. In Section 1.6.1 of the Baseline Requirements, REPLACE the definition for "Reserved IP Address" with the following: An IPv4 or IPv6 address that the IANA has "False" for Globally Reachable in either of the IANA Special-Purpose IP Address Registries: 
>>> 
>>> https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml <https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml> or 
>>> 
>>> https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml <https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml>
and the first of those links has 192.168.0.0/16 marked as ‘false’ for globally reachable.  Now, it’s true that 192.0.0.9/32 is marked ‘true’ for globally reachable, but I don’t think that anyone should be able to authenticate themselves as controlling that address, so no CA would issue a certificate containing that address.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170725/cf7b284b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3321 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20170725/cf7b284b/attachment.p7s>


More information about the Public mailing list