Closed Bug 1475563 Opened 6 years ago Closed 6 years ago

GDCA: Misissuance of certificates with IP address

Categories

(CA Program :: CA Certificate Compliance, task)


RESOLVED INVALID

People

(Reporter: wwwww818, Assigned: wthayer, NeedInfo)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce:

We can apply for IP or domain certificates here: https://certmall.trustauth.cn/Free
And when you apply for an IP address, they only need file auth, and you can get a certificate for the IP address.


Actual results:

https://crt.sh/?identity=%25&iCAID=46853
We can find many certificates with IP addresses issued by GDCA at crt.sh. I don't think these certificates are sufficiently authorized.


Expected results:

I think they violated the BR.

Can you provide more specific information about what you believe to be the violation in GDCA's IP address validation mechanism?

The Baseline Requirements (https://cabforum.org/baseline-requirements-documents/) section 3.2.2.5 specifically allows file-based authorization:

Having the Applicant demonstrate practical control over the IP Address by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the IP Address;
Flags: needinfo?(wwwww818)
Summary: (GDCA) Misissuance of certificates with IP address → GDCA: Misissuance of certificates with IP address
Whiteboard: [ca-compliance]
Hi,

Thank you for your attention to the conformity of the TLS/SSL certificates.

We issued some certificates for IP addresses. In issuing these certificates, we validated those IP addresses according to Section 3.2.2.5 of the CA/B Forum Baseline Requirements 1.5.7, and meanwhile, we reject certificate requests for Reserved IP Addresses as required by the BR. Therefore, we believe that the issuance of those certificates is in conformity with the BR.

However, from the perspective of best practices, we have switched the method of IP address certificate request and validation to manual mode.

Thanks.

Xiu Lei
Having received no further evidence of misissuance, I am left to conclude that this report is a false alarm.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Product: NSS → CA Program
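
The file-based check discussed in this thread (an agreed-upon change at a URI containing the IP address, combined with rejecting Reserved IP Addresses), sketched as an added example; it is not GDCA's code and not part of the original bug. The challenge path, the function names and the injected `fetch` callable are assumptions, and Python's `is_global` stands in as an approximation of the IANA reserved ranges.

```python
import hmac
import ipaddress
import secrets
from typing import Callable

# Assumed location of the agreed-upon change; the thread names no path.
CHALLENGE_PATH = "/.well-known/ip-validation.txt"


def is_issuable_ip(value: str) -> bool:
    """True only for a literal, publicly routable unicast IP address."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False  # hostnames and malformed strings are not IP identities
    # Approximation of "not a Reserved IP Address": private, loopback,
    # link-local, documentation and reserved ranges are all non-global.
    return ip.is_global and not ip.is_multicast


def challenge_url(value: str) -> str:
    """Build the URI from the IP literal itself, never from a hostname."""
    ip = ipaddress.ip_address(value)
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return f"http://{host}{CHALLENGE_PATH}"


def new_token() -> str:
    """Fresh random value the applicant must publish (128 bits)."""
    return secrets.token_hex(16)


def validate_ip_control(value: str, token: str,
                        fetch: Callable[[str], bytes]) -> bool:
    """Check that the page at the IP's URI now carries the agreed token."""
    if not is_issuable_ip(value):
        return False
    try:
        body = fetch(challenge_url(value))
    except OSError:
        return False  # unreachable host: control not demonstrated
    return hmac.compare_digest(body.strip(), token.encode("ascii"))
```

The `fetch` callable is injected so the logic can be exercised offline; a production fetcher would also need to refuse redirects that leave the validated IP address.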