[cabfpub] [EXT] IP address validation proposal

Ryan Sleevi sleevi at google.com
Fri Mar 24 21:37:07 MST 2017


On Fri, Mar 24, 2017 at 11:53 PM, Rick Andrews via Public <public at cabforum.org> wrote:
>
> “Note: IP Addresses are listed in Subscriber Certificates using iPAddress
> in the subjectAltName extension
>
> or in Subordinate CA Certificates via iPAddress field in the
> permittedSubtress in the Name Constraints
>
> extension.” They can also appear in the excludedSubtrees extension.
> (3.2.2.4 could also be updated to mention excludedSubtrees.)
>

I disagree. In both cases, they do not need to be validated, because they
are restrictions, not permissions.


> “a Regional Internet Registry (RIPE, APNIC, ARIN, AfriNIC, LACNIC)”. Is
> this an exhaustive list? If not, we should add “etc” or some other
> indication that it’s not exhaustive.
>

This is a well-understood and specific term of Internet infrastructure.
https://www.iana.org/numbers

With a defined process for extending that list - ICP-2 (
https://www.icann.org/resources/pages/new-rirs-criteria-2012-02-25-en )

Which requires global coordination.


>
>
> “confirming the presence of a Request Token or Random Value
> contained in the content of a file or
>
> webpage in the form of a meta tag of the following…” I’ve always had
> trouble parsing this – is a meta tag required? Depends on whether you
> interpret it as:
>
> - “…contained in the content of a file, or
> webpage in the form of a meta tag, of the following…”
>
> - “…contained in the content of a (file or webpage)
> in the form of a meta tag of the following…”
>
> I prefer the former interpretation, because I see no harm in just using a
> file with no HTML in it. How do you interpret it?
>

Can you suggest how to clarify this?

For example, does a meta tag refer to the <meta> element of HTML, PDF
metadata, JPG metadata, or any other form of tag-structured file format
which has the concept of 'meta'?

This would suggest that even the former interpretation is incomplete.

Is the content contained within the file, or is it the sum totality of the
file? For example, can I create a polyglot file to embed my content in the
file format of my choice?

To be clear: I fully support maximum prescriptivity here, even to the
extent of describing an exact technical algorithm that the CA must perform
to validate according to this section (... or any section). I just figured
every CA in the Forum would vote against any efforts to tighten up the
definition to remove any of these ambiguities by ensuring that the Baseline
Requirements were a full technical profile.
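The distinction drawn above between permittedSubtrees and excludedSubtrees can be made concrete by sorting a certificate's IP-bearing fields by what they grant. The following Go program is an added illustration, not code from the thread or from the CA/Browser Forum: it builds constructed sample certificates with the standard library (the RFC 5737 test ranges 192.0.2.0/24 and 198.51.100.0/24, the address 192.0.2.10 and the CommonName strings are assumed test values) and then lists, for each certificate, which IP values a CA would have to validate under the reading in the reply (SAN iPAddress entries and permittedSubtrees ranges) and which are mere restrictions (excludedSubtrees ranges).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// IPClaims sorts a certificate's IP-bearing fields by what they mean.
// SAN iPAddress entries and permittedSubtrees ranges are grants of authority;
// excludedSubtrees ranges only narrow what the sub-CA may issue.
type IPClaims struct {
	SANAddresses    []string // subjectAltName iPAddress (Subscriber certificates)
	PermittedRanges []string // NameConstraints permittedSubtrees iPAddress (Subordinate CAs)
	ExcludedRanges  []string // NameConstraints excludedSubtrees iPAddress (Subordinate CAs)
}

// CollectIPClaims parses a DER-encoded certificate and extracts the three
// places an IP address can appear.
func CollectIPClaims(der []byte) (IPClaims, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return IPClaims{}, err
	}
	var c IPClaims
	for _, ip := range cert.IPAddresses {
		c.SANAddresses = append(c.SANAddresses, ip.String())
	}
	for _, n := range cert.PermittedIPRanges {
		c.PermittedRanges = append(c.PermittedRanges, n.String())
	}
	for _, n := range cert.ExcludedIPRanges {
		c.ExcludedRanges = append(c.ExcludedRanges, n.String())
	}
	return c, nil
}

// RequiresValidation returns the IP values a CA must validate before issuance
// under the reading in the thread: SAN entries and permittedSubtrees ranges.
// Excluded ranges are restrictions, not permissions, so they are left out.
func (c IPClaims) RequiresValidation() []string {
	out := append([]string{}, c.SANAddresses...)
	return append(out, c.PermittedRanges...)
}

// SampleCertificates builds constructed test data: a self-signed CA carrying
// iPAddress entries in both permittedSubtrees and excludedSubtrees, and a leaf
// it signs that carries an iPAddress SAN. The ranges are RFC 5737 TEST-NETs.
func SampleCertificates() (caDER, leafDER []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	_, permitted, _ := net.ParseCIDR("192.0.2.0/24")   // constructed permitted range
	_, excluded, _ := net.ParseCIDR("198.51.100.0/24") // constructed excluded range
	now := time.Now()
	caTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed constrained sub-CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		PermittedIPRanges:     []*net.IPNet{permitted},
		ExcludedIPRanges:      []*net.IPNet{excluded},
	}
	caDER, err = x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "constructed-leaf"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("192.0.2.10")}, // inside the permitted range
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return caDER, leafDER, nil
}

func main() {
	caDER, leafDER, err := SampleCertificates()
	if err != nil {
		panic(err)
	}
	for name, der := range map[string][]byte{"sub-CA": caDER, "leaf": leafDER} {
		claims, err := CollectIPClaims(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %+v\n  requires validation: %v\n", name, claims, claims.RequiresValidation())
	}
}
```

Running it prints one permitted and one excluded range for the sub-CA, with only the permitted range in the "requires validation" list, and the single SAN address for the leaf. The same CollectIPClaims function can be pointed at any DER certificate a CA is about to issue, which is the kind of mechanical check the last paragraph above argues the Baseline Requirements could spell out.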