I've drafted these changes: https://github.com/mozilla/pkipolicy/commit/e5269ff0d6ced93a6c6af65947712b8e4b2e18b8
On Tue, Mar 20, 2018 at 9:57 AM, Tim Hollebeek <tim.holleb...@digicert.com> wrote: > > > * Add a new bullet on IP Address validation that forbids the use of BR > > 3.2.2.5(4) (“any other method”) and requires disclosure of IP Address > > validation processes in the CA’s CP/CPS. > > This is a bit premature. Most CA's IP validation procedures still fall > under > any other method, and the draft ballot that we've been trying to pass > for a year or so is not done yet (I was writing it when the Validation > Summit started taking over my life...) There's a good chance we will > get a ballot passed on this issue this summer, but there's also a good > chance that work on improving the non-IP validation methods will be > prioritized above it. > > It might make sense, though, to require that if you use 3.2.2.4.8, you > cannot use 3.2.2.5(4). That would eliminate the ability to use .5(4) to > validate domain names. > > My commit includes this compromise. The IP validation disclosure language is fine and would actually help > get a ballot passed. I've been trying to get everyone to disclose their > IP validation practices and whether they issue IP certificates, but it > turns out that "the CABF Validation Chair is politely asking for your > cooperation" has some positive impact, but is mostly ignored. > > This is the new 2.2 (4) in my commit. I think disclosure and eliminating the loophole that allows IP validation > method risk to bleed into domain names is a good place to start. > > -Tim > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
