Closed Bug 1475563 Opened Last year Closed Last year

GDCA: Misissuance of certificates with IP address

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: wwwww818, Assigned: wayne, NeedInfo)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce:

We can apply for IP or domain certificates here:https://certmall.trustauth.cn/Free
And when you apply for IP address,they only need file auth,you can get a certificate of IP address


Actual results:

https://crt.sh/?identity=%25&iCAID=46853
We can find many certificates with IP address issued by GDCA at crt.sh,I don't think these certificates are enough authorized


Expected results:

I think they violated BR.
Can you provide more specific information about what you believe to be the violation in GDCA's IP address validation mechanism?

The Baseline Requirements (https://cabforum.org/baseline-requirements-documents/) section 3.2.2.5 specifically allows file-based authorization:

Having the Applicant demonstrate practical control over the IP Address by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the IP Address;
Flags: needinfo?(wwwww818)
Summary: (GDCA) Misissuance of certificates with IP address → GDCA: Misissuance of certificates with IP address
Whiteboard: [ca-compliance]
Hi,

Thank you for your attention over the conformity of the TLS/SSL certificates. 

We issued some certificates for IP addresses, in issuing these certificates, we validated those IP addresses according to Section 3.2.2.5 of the CA/B Forum Baseline Requirements 1.5.7, and meanwhile, we reject the certificate requests for Reserved IP Address as required by the BR. Therefore, we believe that the issuance of those certificates is in conformity of the BR.

However, from the perspective of best practices, we have switched the way of IP address certificates request and validation to manual mode. 

Thanks.

Xiu Lei
Having received no further evidence of misissuance, I am left to conclude that this report is a false alarm.
Status: UNCONFIRMED → RESOLVED
Closed: Last year
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.