[Servercert-wg] Update definition of IP Address Contact in the BRs

Ryan Sleevi sleevi at google.com
Thu Feb 4 16:58:16 UTC 2021


On Thu, Feb 4, 2021 at 11:55 AM Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr> wrote:

> I thought about this a bit differently, not for the "delegation" as you
> frame it but contacting the chain of authority to the "owner" of the IP
> address. The "owner" of the IP address would be easily contacted if the
> "owner" was to request a Certificate using validation per 3.2.2.5.2. While
> I understand the call to "TLS Certificate issuance" delegation scope, as
> has been baked into the CAA DNS records, this change I proposed has the
> same security properties as the forward name lookups for a Domain Name
> which is currently allowed and no security risks have been documented or
> concerns raised. The same delegation scope issue applies for existing
> WHOIS/RDAP queries for Technical or Administrative Registrant contact email
> addresses/phone numbers that are widely used for 3.2.2.4.2 and 3.2.2.4.15.
>
> I see no different security risks compared to the existing requirement
> that applies to 3.2.2.4.2. Do others share the same interpretation?
>

No, I think you're missing something very important. Perhaps we should take
it up on the next validation call, because the security properties are
meaningfully different.