Robin Alden:
>> I think an IP address is almost on the same level as a domain name, but
>> even here there can be problems. For example if you are willing to
>> validate dynamically assigned IP addresses, then this can be actively
>> exploited obviously. An assigned IP may belong to somebody else within a
>> few hours difference only and then what?
> [Robin said...]
> We do not consider dynamic IP addresses when validating IP addresses. We
> look for static registration of an IP block. Ideally we want to see the
> applicant registered as the owner of the block containing the IP address
> being requested. Failing that we will accept written confirmation
> (directly) from the block owner confirming that the IP address in question
> is delegated to the applicant.
Robin, it would be good if your CP/CPS made that clear as well. The policy
which you mentioned above is in my opinion sufficient for the purpose of IP
addresses.

> > Frank, would you consider these practices of issuing certificates to
> > hostnames* and also of issuing to non-internet routable IP addresses as
> > being something to add to your problematic practices list?

I think we should do that...

> > * here we mean "hostnames" to be any domain name whose ownership or intended
> > resolution cannot be discovered through the public domain registration and
> > DNS system.

Exactly.

> Yes, we would. Jean-Marc identified one case where it is desirable.
> There are also cases when a server has been wiped (and so the private key
> lost) and must be re-installed.

So what prevents you from revoking the affected certificate and issuing a new
one? Considering that the server was "wiped" for whatever reason, revoking
this certificate would make sense if the "wiping" wasn't intentional (crash,
mistake, etc). I think that the right action should be to revoke it. If the
"wiping" was intentional, the subscriber could have backed up and reused the
same certificate.

>> And with your case of hostnames, we can have multiple certificates like
>> server1 owned by different subscribers? That's interesting...
> [Robin said...]
> We are no longer requesting this facility for this root certificate.

Good :-)

> [Robin said...]
> OK Eddy, it looks like you got us to move on an aspect of policy! We will
> also review the provision of Intranet certificates (as provided for by
> section 2.4.1 f of our CPS) from our other roots.

Excellent Robin! I have a small backlog here, though I understand that your
request is already approved. But I'm glad that we can improve certain aspects
together with one of the leaders of this industry...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
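As an added illustration (not code from this thread, from StartCom or from Comodo), the following screens the names in a certificate request against the two points the thread raises: an IP address must be one a block owner could actually delegate on the public Internet, and a hostname must be one whose ownership can be traced through public registration and DNS. Treating single-label names and RFC 2606/6762 reserved suffixes as "intranet" hostnames is an assumption made here; the thread defines the category but not a test for it.

```python
import ipaddress

# Suffixes that can never resolve through the public DNS (RFC 2606 / RFC 6762
# reserved names). Using these, plus single-label names, as the definition of
# an "intranet" hostname is an assumption for this example, not a rule from
# the thread.
RESERVED_SUFFIXES = (".local", ".localhost", ".test", ".example", ".invalid")


def classify_san(entry: str) -> str:
    """Classify one subjectAltName value.

    Returns one of: 'public-ip', 'non-routable-ip', 'public-dns-name',
    'intranet-hostname'.
    """
    value = entry.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # is_global is False for RFC 1918, link-local, loopback, CGNAT,
        # unique-local IPv6 and the RFC 5737/3849 documentation ranges:
        # none of these can be delegated to an applicant by a block owner.
        return "public-ip" if ip.is_global else "non-routable-ip"
    if "." not in value or value.endswith(RESERVED_SUFFIXES):
        return "intranet-hostname"
    return "public-dns-name"


def problematic_entries(sans):
    """Return the SAN entries a CA following the thread's policy should refuse."""
    return [s for s in sans
            if classify_san(s) in ("non-routable-ip", "intranet-hostname")]


if __name__ == "__main__":
    # Constructed sample request mixing public names with internal ones.
    sample = ["www.example.org", "server1", "10.0.0.5", "8.8.8.8",
              "mail.corp.local", "fd00::1"]
    for s in sample:
        print(f"{s:20} {classify_san(s)}")
    print("refuse:", problematic_entries(sample))
```

The check is static; it does not detect the dynamic-assignment problem from the thread, which needs the block registration (or the owner's written delegation) to be verified out of band.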