I've drafted these changes:
https://github.com/mozilla/pkipolicy/commit/e5269ff0d6ced93a6c6af65947712b8e4b2e18b8

On Tue, Mar 20, 2018 at 9:57 AM, Tim Hollebeek <tim.holleb...@digicert.com>
wrote:

>
> > * Add a new bullet on IP Address validation that forbids the use of BR
> > 3.2.2.5(4) (“any other method”) and requires disclosure of IP Address
> > validation processes in the CA’s CP/CPS.
>
> This is a bit premature.  Most CAs' IP validation procedures still fall
> under any other method, and the draft ballot that we've been trying to pass
> for a year or so is not done yet (I was writing it when the Validation
> Summit started taking over my life...)  There's a good chance we will
> get a ballot passed on this issue this summer, but there's also a good
> chance that work on improving the non-IP validation methods will be
> prioritized above it.
>
> It might make sense, though, to require that if you use 3.2.2.4.8, you
> cannot use 3.2.2.5(4).  That would eliminate the ability to use .5(4) to
> validate domain names.
>

My commit includes this compromise.

> The IP validation disclosure language is fine and would actually help
> get a ballot passed.  I've been trying to get everyone to disclose their
> IP validation practices and whether they issue IP certificates, but it
> turns out that "the CABF Validation Chair is politely asking for your
> cooperation" has some positive impact, but is mostly ignored.
>

This is the new 2.2 (4) in my commit.

> I think disclosure and eliminating the loophole that allows IP validation
> method risk to bleed into domain names is a good place to start.
>
> -Tim
>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
