Closed Bug 1475563 Opened 5 years ago Closed 5 years ago
GDCA: Misissuance of certificates with IP address
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 Steps to reproduce: We can apply for IP or domain certificates here:https://certmall.trustauth.cn/Free And when you apply for IP address,they only need file auth,you can get a certificate of IP address Actual results: https://crt.sh/?identity=%25&iCAID=46853 We can find many certificates with IP address issued by GDCA at crt.sh,I don't think these certificates are enough authorized Expected results: I think they violated BR.
Can you provide more specific information about what you believe to be the violation in GDCA's IP address validation mechanism? The Baseline Requirements (https://cabforum.org/baseline-requirements-documents/) section 188.8.131.52 specifically allows file-based authorization: Having the Applicant demonstrate practical control over the IP Address by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the IP Address;
Summary: (GDCA) Misissuance of certificates with IP address → GDCA: Misissuance of certificates with IP address
Hi, Thank you for your attention over the conformity of the TLS/SSL certificates. We issued some certificates for IP addresses, in issuing these certificates, we validated those IP addresses according to Section 184.108.40.206 of the CA/B Forum Baseline Requirements 1.5.7, and meanwhile, we reject the certificate requests for Reserved IP Address as required by the BR. Therefore, we believe that the issuance of those certificates is in conformity of the BR. However, from the perspective of best practices, we have switched the way of IP address certificates request and validation to manual mode. Thanks. Xiu Lei
Having received no further evidence of misissuance, I am left to conclude that this report is a false alarm.
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.