[cabf_validation] In-use IP address validation methods

Doug Beattie doug.beattie at globalsign.com
Fri Feb 2 10:00:40 MST 2018


Hi Quirin,

Yes, I agree with your categorization of the methods.

I hope other CAs send out the methods they use so the VWG can prepare a ballot to remove "any other method" from 3.2.2.5.  I think DigiCert had some new methods that were discussed a while back regarding a new approach that need to be added to these.

I'm curious what our strategy will be.  Will we include all the methods people use so we can remove "any other method" soon and then come back to the challenges of issuing certificates to DHCP type servers, or are we going to tackle this all at once?

Doug

> -----Original Message-----
> From: Quirin Scheitle [mailto:scheitle at net.in.tum.de]
> Sent: Friday, February 2, 2018 10:12 AM
> To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum
> Validation WG List <validation at cabforum.org>
> Subject: Re: [cabf_validation] In-use IP address validation methods
> 
> Hi Doug,
> 
> thank you for sharing these!
> 
> In the spirit of our call yesterday, and with special attention to dynamically
> assigned IPs, I would group IANA-based methods 1-3 as providing a (hopefully)
> quite stable ownership validation, while methods 4+5 may only prove
> temporary control of a dynamic IP address?
> 
> Elaborating on 5, there are DNS servers that will set the rDNS pointer
> dynamically to a hostname you register via DHCP.
> These might not be many, but there will be cases where the rDNS pointer can
> be controlled by a short-time assignee of an IP address.
> 
> Would that be a correct interpretation at this stage of our discussion?
> 
> Kind regards
> Quirin
> 
> 
> > On 2. Feb 2018, at 15:25, Doug Beattie via Validation <validation at cabforum.org> wrote:
> >
> > Hi Tim,
> >
> > GlobalSign uses the following methods to validate IP addresses:
> > - Verify that the org owns the IP address via IANA, RIPE, etc.
> > - Email verification via IANA (ARIN, RIPE, APNIC, LACNIC, AFRINIC) supplied info for the IP address
> > - Phone verification via IANA (ARIN, RIPE, APNIC, LACNIC, AFRINIC) supplied info for the IP address
> > - HTTP/web site change
> > - Reverse DNS look-up of the IP and then validate the domain using one of the approved domain validation methods in 3.2.2.4
> >
> > Doug
> >
> > Doug Beattie
> > Vice President of Product Management
> > GlobalSign
> > Two International Drive | Suite 150 | Portsmouth, NH 03801
> > Email: doug.beattie at globalsign.com
> > www.globalsign.com
> >


