[cabf_validation] IP address dates

Tim Hollebeek tim.hollebeek at digicert.com
Wed Sep 5 07:02:38 MST 2018

Yes, we’d support a relatively quick adoption of this.  I liked the proposal I heard on the call.


I generally choose fairly generous deadlines in order to attract votes from other CAs, but if that’s not necessary, we can pull it in.




From: Ryan Sleevi <sleevi at google.com> 
Sent: Tuesday, September 4, 2018 8:17 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] IP address dates


Here's the summary data from CT that I spoke about on the call, broken down by associated intermediate issuer (of those w/ BR audits)


747 distinct IPs, 518 distinct certs, DigiCert SHA2 Secure Server CA

498 distinct IPs, 403 distinct certs, GlobalSign Organization Validation CA - SHA256 - G2

327 distinct IPs, 286 distinct certs, COMODO RSA Organization Validation Secure Server CA

162 distinct IPs, 232 distinct certs, Cybertrust Japan Public CA G3

115 distinct IPs, 128 distinct certs, DFN-Verein Global Issuing CA


If I group by issuer name (, then I get

847 distinct IPs, 586 distinct certs, DigiCert Inc

498 distinct IPs, 403 distinct certs, GlobalSign nv-sa

343 distinct IPs, 304 distinct certs, COMODO CA Limited

162 distinct IPs, 232 distinct certs, Cybertrust Japan Co., Ltd.

128 distinct IPs, 113 distinct certs, Entrust, Inc.


This is all unexpired certificates issued in the past 825 days - that is, the upper-bound of those that might be able to reuse information.


So it really doesn't seem to require a long phase-in time at all.


On Tue, Sep 4, 2018 at 7:44 PM Tim Hollebeek via Validation <validation at cabforum.org> wrote:


I finally had an opportunity to listen to the Validation WG call from 8/30.


I agree with Ryan that splitting the dates would be a good thing.  I didn’t do that just to keep the ballot simple, but am very open to it.


The date moved from April to June (day that doesn’t exist, sorry) solely because I received comments from one CA suggesting an effective date in 2019.  That seemed way too far away from me.  But given some of the problems we have had recently with getting ballots passed, I tried to pick a date that was a compromise between not too far in the future, and a date CAs could support given that they often have other things they need to be doing.  I’m not horribly picky about what the date is (as long as it’s not 2019!!!), and am encouraged that it sounds like we might be able to agree on an earlier date.




