[cabf_validation] Doubt on validation of IP addresses by CAs that are also

Adriano Santoni adriano.santoni at staff.aruba.it
Fri Aug 7 01:13:59 MST 2020


Ryan,

thank you for your remarks, but I am not sure I fully understand your 
explanation.

I never suggested that there are RIRs that are also CAs. And I am aware 
of the fact that domains are registered via a hierarchical organization 
of entities, ultimately by Registrars, while the thing is different for 
IP addresses, for which there is no real equivalent of a Registrar.

Allow me to give a concrete example, just so that I can understand better.

Let's assume that a CA is also an ISP (Internet Service Provider) that 
manages a certain number of nets (ranges of IP addresses), as attested 
by the relevant RIR. In other words, this CA/ISP is the "responsible 
organization" for those ranges of IP addresses. Now, let's assume this 
CA also offers a range of hosting services, among which server hosting 
with dedicated IP addresses. In such a case, the CA/ISP knows for certain, 
based on its records, which customers have bought such a service and 
(therefore) which IP addresses they control. No-one else, in fact, has such 
knowledge but the CA/ISP itself.

If I am not mistaken, you are saying that even in this case, the records of 
the CA/ISP (the contracts for server hosting with dedicated IP 
addresses) are not valid proof that a certain customer controls 
certain IP addresses; did I understand correctly?

Adriano


On 04/08/2020 17:13, Ryan Sleevi wrote:
> Adriano: Are you aware of any RIRs that are also CAs? I'm not sure I 
> am, and 3.2.2.4.12 only applies if the CA is the Registrar, which 
> is the equivalent function (approximately) within DNS as the RIR 
> within the IP address space*.
>
> If you take your description and apply its counterpart to DNS, we 
> would say:
> "If a CA is also a domain name registrant and is managing its own 
> domains, the CA can know with certainty that the Applicant controls 
> its domain name."
>
> Which we'd quickly see as silly, because that would bypass any domain 
> validation at all!
>
> Methods 3.2.2.5.2 / 3.2.2.5.5 allow you to retrieve the relevant AS 
> records from the RIR and use that to perform the validation 
> activities. However, because the AS records are maintained by the RIR, 
> unless you are the RIR, you can't correctly implement an 
> "Authorization to manage the AS record is authorization to issue" 
> (akin to the 3.2.2.4.12 method you mention) without some 
> demonstration of proof you can manage the AS record - which is what 
> 3.2.2.5.2 / 3.2.2.5.5 are trying to work around.
>
> Not sure if any of this made sense, but hopefully?
>
> * Yes, this blurs the registrar / registry distinction, but the RIRs 
> don't subdelegate the master registration functions in the way the DNS 
> registrar/registry split does, and everyone working with the RIR is 
> effectively a direct registrant.
>
> On Tue, Aug 4, 2020 at 5:14 AM Adriano Santoni via Validation 
> <validation at cabforum.org> wrote:
>
>     Hi all,
>
>     I have a doubt regarding the validation of IP addresses.
>
>     Maybe I am just overlooking some word or sentence in the BR that
>     solves my doubt, but right now I just cannot see it.
>
>     Among the methods allowed by the BR for the validation of domains,
>     we have method #12:
>
>     "3.2.2.4.12 Validating Applicant as a Domain Contact
>
>     Confirming the Applicant's control over the FQDN by validating the
>     Applicant is the Domain Contact. This method may only be used if
>     the CA is also the Domain Name Registrar, or an Affiliate of the
>     Registrar, of the Base Domain Name."
>
>     If I am not overlooking anything, it seems that we do not have a
>     similar method for IP addresses, and my doubt is then "why".
>
>     If a CA is also an Autonomous System and is directly managing a
>     dedicated server - on a specific IP address - for the Applicant,
>     the CA knows with certainty that the Applicant controls such IP
>     address, based on its records.
>
>     TIA for any hints and remarks,
>
>     Adriano
>
>
>
>     _______________________________________________
>     Validation mailing list
>     Validation at cabforum.org
>     https://lists.cabforum.org/mailman/listinfo/validation
>