Closed
Bug 1475563
Opened 6 years ago
Closed 6 years ago
GDCA: Misissuance of certificates with IP address
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: wwwww818, Assigned: wthayer, NeedInfo)
Details
(Whiteboard: [ca-compliance])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce:
We can apply for IP or domain certificates here: https://certmall.trustauth.cn/Free
And when you apply for an IP address, they only need file auth; you can get a certificate for an IP address.

Actual results:
https://crt.sh/?identity=%25&iCAID=46853
We can find many certificates with IP addresses issued by GDCA at crt.sh. I don't think these certificates are sufficiently authorized.

Expected results:
I think they violated the BR.
Comment 1 (Assignee)•6 years ago
Can you provide more specific information about what you believe to be the violation in GDCA's IP address validation mechanism? The Baseline Requirements (https://cabforum.org/baseline-requirements-documents/) section 3.2.2.5 specifically allows file-based authorization:

"Having the Applicant demonstrate practical control over the IP Address by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the IP Address;"
Flags: needinfo?(wwwww818)
Summary: (GDCA) Misissuance of certificates with IP address → GDCA: Misissuance of certificates with IP address
Whiteboard: [ca-compliance]
Hi,

Thank you for your attention to the conformity of the TLS/SSL certificates.

We issued some certificates for IP addresses. In issuing these certificates, we validated those IP addresses according to Section 3.2.2.5 of the CA/B Forum Baseline Requirements 1.5.7, and meanwhile, we reject the certificate requests for Reserved IP Addresses as required by the BR. Therefore, we believe that the issuance of those certificates is in conformity with the BR.

However, from the perspective of best practices, we have switched the way of requesting and validating IP address certificates to manual mode.

Thanks.
Xiu Lei
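The Reserved IP Address rejection mentioned in the reply above can also be checked from the outside, against the iPAddress entries of certificates that were actually issued. The following is an added example, not part of the bug thread and not GDCA's code: the SAN entries are constructed, `audit_san_ips` is a hypothetical helper, and Python's `ipaddress` classification (`is_global`) is assumed as a stand-in for the BR definition of a Reserved IP Address.

```python
import ipaddress

# Constructed sample: subjectAltName entries as (GeneralName type, value) pairs.
# iPAddress values are the raw octets carried in the certificate
# (4 octets = IPv4, 16 octets = IPv6).
SAMPLE_SAN = [
    ("dNSName", "example.test"),
    ("iPAddress", bytes([8, 8, 8, 8])),
    ("iPAddress", bytes([10, 0, 0, 5])),
    ("iPAddress", bytes([192, 168, 1, 10])),
    ("iPAddress", bytes([127, 0, 0, 1])),
    ("iPAddress", bytes.fromhex("20010db8000000000000000000000001")),
    ("iPAddress", bytes.fromhex("26064700470000000000000000001111")),
    ("iPAddress", bytes([1, 2, 3])),  # wrong length, not a valid address
]


def audit_san_ips(san_entries):
    """Return (address, verdict) for every iPAddress entry in a SAN list.

    Verdicts: "public", "reserved" (must not appear in a publicly trusted
    certificate), or "malformed" (octet string is neither 4 nor 16 bytes).
    """
    findings = []
    for name_type, value in san_entries:
        if name_type != "iPAddress":
            continue  # only IP entries are in scope for this check
        try:
            # ip_address() accepts packed bytes of length 4 or 16
            ip = ipaddress.ip_address(value)
        except ValueError:
            findings.append((value.hex(), "malformed"))
            continue
        # Assumption: "not globally routable, or multicast" approximates
        # the IANA-reserved ranges that the BR definition refers to.
        reserved = (not ip.is_global) or ip.is_multicast
        findings.append((str(ip), "reserved" if reserved else "public"))
    return findings


if __name__ == "__main__":
    for address, verdict in audit_san_ips(SAMPLE_SAN):
        print(f"{address:<24} {verdict}")
```

A "public" verdict only means the address is not reserved; it says nothing about whether the applicant's control of that address was validated under section 3.2.2.5.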
Comment 3 (Assignee)•6 years ago
Having received no further evidence of misissuance, I am left to conclude that this report is a false alarm.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Updated•1 year ago
Product: NSS → CA Program