Closed Bug 1475563 Opened 6 years ago Closed 6 years ago

GDCA: Misissuance of certificates with IP address


(CA Program :: CA Certificate Compliance, task)


(Reporter: wwwww818, Assigned: wthayer, NeedInfo)


(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce:

We can apply for IP or domain certificates here:
And when you apply for an IP address, they only need file auth; you can get a certificate for the IP address.

Actual results:
We can find many certificates with IP addresses issued by GDCA at, I don't think these certificates are sufficiently authorized.

Expected results:

I think they violated BR.

Can you provide more specific information about what you believe to be the violation in GDCA's IP address validation mechanism?

The Baseline Requirements ( section specifically allows file-based authorization:

Having the Applicant demonstrate practical control over the IP Address by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the IP Address;
Flags: needinfo?(wwwww818)
Summary: (GDCA) Misissuance of certificates with IP address → GDCA: Misissuance of certificates with IP address
Whiteboard: [ca-compliance]

Thank you for your attention to the conformity of the TLS/SSL certificates.

We issued some certificates for IP addresses. In issuing these certificates, we validated those IP addresses according to Section of the CA/B Forum Baseline Requirements 1.5.7, and meanwhile, we reject certificate requests for Reserved IP Addresses as required by the BR. Therefore, we believe that the issuance of those certificates is in conformity with the BR.

However, from the perspective of best practices, we have switched the request and validation of IP address certificates to manual mode.


Xiu Lei

Having received no further evidence of misissuance, I am left to conclude that this report is a false alarm.
Closed: 6 years ago
Resolution: --- → INVALID
Product: NSS → CA Program
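
The two checks discussed in this thread (rejecting reserved addresses, then confirming an agreed-upon change at a URI containing the IP address), sketched as an added example that is not part of the bug report and is not GDCA's code. The file path, the function names and the `fetch` callable are assumptions, the sample addresses are constructed, and "reserved" is approximated here as "not globally routable according to Python's `ipaddress` module".

```python
import hmac
import ipaddress
import secrets

# Assumed file location for the agreed-upon change; the page does not name one.
VALIDATION_PATH = "/.well-known/pki-validation/ip-auth.txt"


def is_reserved(ip_text):
    """True for private, loopback, link-local, documentation, multicast, etc."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError for non-IP input
    return ip.is_multicast or not ip.is_global


def validation_url(ip_text):
    """Build a URI whose host is the IP address itself, not a DNS name."""
    ip = ipaddress.ip_address(ip_text)
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return f"http://{host}{VALIDATION_PATH}"


def validate_ip_request(ip_text, token, fetch):
    """Return (ok, reason); fetch(url) returns the body as str, or None."""
    try:
        if is_reserved(ip_text):
            return False, "reserved address"
    except ValueError:
        return False, "not an IP address"
    body = fetch(validation_url(ip_text))
    if body is None:
        return False, "validation file not retrievable"
    # Constant-time comparison of the served value against the issued token.
    if not hmac.compare_digest(body.strip().encode(), token.encode()):
        return False, "token mismatch"
    return True, "control demonstrated"


if __name__ == "__main__":
    token = secrets.token_hex(16)  # fresh random value per request
    # Constructed stand-in for the applicant's web server; no network access.
    site = {validation_url("8.8.8.8"): token + "\n"}
    for ip in ("8.8.8.8", "192.0.2.7", "10.0.0.5", "fe80::1"):
        print(ip, validate_ip_request(ip, token, site.get))
```
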