[Servercert-wg] Update definition of IP Address Contact in the BRs
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu Feb 4 17:11:03 UTC 2021
On 4/2/2021 6:58 PM, Ryan Sleevi wrote:
>
>
> On Thu, Feb 4, 2021 at 11:55 AM Dimitris Zacharopoulos (HARICA)
> <dzacharo at harica.gr> wrote:
>
> > I thought about this a bit differently, not for the "delegation"
> > as you frame it but contacting the chain of authority to the
> > "owner" of the IP address. The "owner" of the IP address would be
> > easily contacted if the "owner" was to request a Certificate using
> > validation per 3.2.2.5.2. While I understand the call to "TLS
> > Certificate issuance" delegation scope, as has been baked into the
> > CAA DNS records, this change I proposed has the same security
> > properties as the forward name lookups for a Domain Name which is
> > currently allowed and no security risks have been documented or
> > concerns raised. The same delegation scope issue applies for
> > existing WHOIS/RDAP queries for Technical or Administrative
> > Registrant contact email addresses/phone numbers that are widely
> > used for 3.2.2.4.2 and 3.2.2.4.15.
> >
> > I see no different security risks compared to the existing
> > requirement that applies to 3.2.2.4.2. Do others share the same
> > interpretation?
>
>
> No, I think you're missing something very important. Perhaps we should
> take it up on the next validation call, because the security
> properties are meaningfully different.
Sounds good.
Thanks.