[Servercert-wg] Discussion Period Begins on Ballot SC7: Update IP Address Validation Methods

Wayne Thayer wthayer at mozilla.com
Thu Jan 24 15:43:43 MST 2019


On Thu, Jan 24, 2019 at 9:02 AM Wayne Thayer <wthayer at mozilla.com> wrote:

> Forwarding for Jürgen:
>
> ---------- Forwarded message ---------
> From: Jürgen Brauckmann <brauckmann at dfn-cert.de>
> Date: Thu, Jan 24, 2019 at 6:30 AM
> Subject: Re: [Servercert-wg] Discussion Period Begins on Ballot SC7:
> Update IP Address Validation Methods
> To: Wayne Thayer <wthayer at mozilla.com>, CA/B Forum Server Certificate WG
> Public Discussion List <servercert-wg at cabforum.org>
>
>
> [I guess I can't post to servercert-wg@; it would be great if you could
> forward my question. Thanks!]
>
> I have a question regarding:
>
>  > 3.2.2.5.3. Reverse Address Lookup
>  >
>  > Confirming the Applicant’s control over the IP Address by obtaining a
>  > Domain Name associated with the IP Address through a reverse-IP lookup
>  > on the IP Address and then verifying control over the FQDN using a
>  > method permitted under BR Section 3.2.2.4.
>
> ** Does this cover the scenario where a CA has an existing valid domain
> validation, and then, some time later but within the reuse-interval for
> the domain validation, receives a request for a certificate with an IP
> address?
>
> Is the intention of 3.2.2.5.3 that the CA can rely on the existing
> domain validation? This would make sense as it prevents strange "double
> checking" situations.
>

Sort of. The intent of the ballot is to remove "any other method" without
modifying existing methods (other than to renumber them), so this is a copy
of the existing 3.2.2.5(3) that has not been improved to remove ambiguities
and vulnerabilities.

> If yes, then the wording might not be clear enough, and some additions
> might be helpful, e.g.
> "Previous completed validations of Applicant authority over the FQDN may
> be re-used if the validation was initiated within the time period
> specified in the relevant requirement (such as Section 4.2.1 of this
> document)."
>

I'm hesitant to repeat the requirements of section 3.2.2.4 here.

> ** Or is the intention that the CA is required to perform a new domain
> validation on the result of the reverse-IP lookup in any case?
>

That seems like a sensible suggestion. Another might be to restrict
validations using ADNs other than the FQDN returned by the reverse-IP
lookup. The question is if those changes should be part of this ballot, at
the risk of further delaying the removal of "any other method".

> This would also make sense as it would probably be healthy if the re-use
> period for the ip address validation should not extend the re-use period
> for the underlying domain validation... .
>
> Thanks,
>    Jürgen
>