[cabf_validation] In-use IP address validation methods

Jeremy Rowley jeremy.rowley at digicert.com
Sun Feb 4 22:49:37 MST 2018


Yeah - the ones we used were added to the proposed ballot previously
submitted.

-----Original Message-----
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Doug
Beattie via Validation
Sent: Friday, February 2, 2018 10:01 AM
To: Quirin Scheitle <scheitle at net.in.tum.de>; CA/Browser Forum Validation WG
List <validation at cabforum.org>
Subject: Re: [cabf_validation] In-use IP address validation methods

Hi Quirin,

Yes, I agree with your categorization of the methods.

I hope other CAs send out the methods they use so the VWG can prepare a
ballot to remove "any other method" from 3.2.2.5.  I think DigiCert had some
new methods that were discussed a while back regarding a new approach that
need to be added to these.

I'm curious what our strategy will be.  Will we include all the methods
people use so we can remove "any other method" soon and then come back to
the challenges of issuing certificates to DHCP type servers, or are we going
to tackle this all at once?

Doug

> -----Original Message-----
> From: Quirin Scheitle [mailto:scheitle at net.in.tum.de]
> Sent: Friday, February 2, 2018 10:12 AM
> To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum 
> Validation WG List <validation at cabforum.org>
> Subject: Re: [cabf_validation] In-use IP address validation methods
> 
> Hi Doug,
> 
> thank you for sharing these!
> 
> In the spirit of our call yesterday, and with special attention to 
> dynamically assigned IPs, I would group IANA-based methods 1-3 as 
> providing a (hopefully) quite stable ownership validation, while 
> methods 4+5 may only prove temporary control of a dynamic IP address?
> 
> Elaborating on 5, there are DNS servers that will set the rDNS pointer 
> dynamically to a hostname you register via DHCP.
> These might not be many, but there will be cases where the rDNS 
> pointer can be controlled by a short-time assignee of an IP address.
> 
> Would that be a correct interpretation at this stage of our discussion?
> 
> Kind regards
> Quirin
> 
> 
> > On 2. Feb 2018, at 15:25, Doug Beattie via Validation <validation at cabforum.org> wrote:
> >
> > Hi Tim,
> >
> > GlobalSign uses the following methods to validate IP addresses:
> > - Verify that the org owns the IP address via IANA, RIPE, etc.
> > - Email verification via IANA (ARIN, RIPE, APNIC, LACNIC, AFRINIC) supplied info for the IP address
> > - Phone verification via IANA (ARIN, RIPE, APNIC, LACNIC, AFRINIC) supplied info for the IP address
> > - HTTP/web site change
> > - Reverse DNS look-up of the IP and then validate the domain using one of the approved domain validation methods in 3.2.2.4
> >
> > Doug
> >
> > Doug Beattie
> > Vice President of Product Management
> > GlobalSign
> > Two International Drive | Suite 150 | Portsmouth, NH 03801
> > Email: doug.beattie at globalsign.com
> > www.globalsign.com
> >
> > _______________________________________________
> > Validation mailing list
> > Validation at cabforum.org
> > https://cabforum.org/mailman/listinfo/validation
