Closed Bug 1550547 Opened 5 years ago Closed 5 years ago

IP certificate issued with Domain Validation

Categories

(CA Program :: CA Certificate Compliance, task)

Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: steven, Assigned: wthayer)

Details

(Whiteboard: [ca-compliance])

Attachments

(1 file)

10.53 KB, application/x-zip-compressed

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36

Steps to reproduce:

  1. Go to trustocean.com
  2. Register and Request an IP certificate
  3. Complete the validation (HTTP file validation)
  4. Get a certificate

Actual results:

I actually got a free certificate (DV Validation) that contains an IP address.

Expected results:

I think CAs aren't allowed to issue IP certificates with DV. (Sectigo also confirms that they can't issue IP certificates without validation.)

I've installed the certificate onto that IP address, in case anyone wants to test: https://35.169.244.206/

The certificate has not yet shown up on crt.sh or the Google Certificate Transparency Log search, but the serial number is 05:b6:44:aa:7c:a6:24:d2:cf:ae:a3:77:06:ea:79:16.

The two SCTs are (checked at 2:34 PM EST 5/9/2019):

SCTs present (2)

SCT validation status: valid
Signed Certificate Timestamp:
Version : v1 (0x0)
Log : Cloudflare Nimbus2019 Log
Log ID : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
Timestamp : May 9 17:54:56.112 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:DF:91:F5:89:EA:05:69:9A:15:46:F1:
DC:53:7E:8D:6E:D7:FB:5D:F9:F1:07:72:66:14:3C:17:
2B:E6:B7:85:38:02:21:00:9E:A6:91:BB:D8:E9:F1:5F:
88:FE:20:2D:3C:8B:74:33:4D:B8:F9:45:99:15:47:D2:
37:54:57:0E:FB:E0:56:03

SCT validation status: valid
Signed Certificate Timestamp:
Version : v1 (0x0)
Log : Google Skydiver log
Log ID : BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47:
38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85
Timestamp : May 9 17:54:56.065 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:3C:C9:2A:5D:08:95:83:6F:08:F9:33:43:
55:3E:CE:ED:68:8D:83:04:72:A9:22:65:0D:1C:4B:C6:
90:2F:7F:23:02:20:4C:87:7A:D2:B0:F6:00:B0:8E:20:
C3:97:3C:D8:4E:46:8E:DB:B2:0F:3E:7D:66:F7:FB:95:
97:E6:BA:DC:79:6D

Steven: BR section 3.2.2.5.1 permits CAs to issue DV certificates for IP addresses via 'HTTP file validation' as follows:

3.2.2.5.1. Agreed-Upon Change to Website

Confirming the Applicant's control over the requested IP Address by confirming the presence of a Request Token or Random Value contained in the content of a file or webpage in the form of a meta tag under the "/.well-known/pki-validation" directory, or another path registered with IANA for the purpose of validating control of IP Addresses, on the IP Address that is accessible by the CA via HTTP/HTTPS over an Authorized Port. The Request Token or Random Value MUST NOT appear in the request.

If a Random Value is used, the CA SHALL provide a Random Value unique to the certificate request and SHALL not use the Random Value after the longer of (i) 30 days or (ii) if the Applicant submitted the certificate request, the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 4.2.1 of this document).

I do not believe that this is a misissuance. Based on this information, do you agree?

Type: defect → task
Flags: needinfo?(steven)
Whiteboard: [ca-compliance]
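As an added illustration of the validation method quoted in the comment above, here is a small model of the checks a CA has to make under BR 3.2.2.5.1 before treating an IP address as controlled by the applicant. This is example code written for this page, not the implementation of trustocean.com or any other CA; the function names, the `ValidationRequest` fields and the table-driven stand-in for HTTP are assumptions of the example. The IP address is the one named in the bug report; the token and timestamps are constructed.

```python
# Added example: a minimal model of the BR 3.2.2.5.1 "Agreed-Upon Change to Website"
# check for an IP address. Not any CA's code; names and data below are assumptions.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional
import ipaddress
import secrets

WELL_KNOWN_DIR = "/.well-known/pki-validation/"   # directory named in the BR text
AUTHORIZED_PORTS = (80, 443)                      # BR "Authorized Port" for HTTP/HTTPS
RANDOM_VALUE_LIFETIME = timedelta(days=30)        # BR: Random Value not used after 30 days

# Shape of the fetcher the CA uses: (ip, port, path) -> body text, or None if unreachable.
Fetcher = Callable[[str, int, str], Optional[str]]


@dataclass(frozen=True)
class ValidationRequest:
    ip: str                # IP address literal to validate (hostnames are not accepted)
    random_value: str      # CA-chosen Random Value the applicant must publish
    created_at: datetime   # when the CA generated the Random Value
    path: str              # path the CA will fetch (file name chosen by the applicant)


def new_random_value() -> str:
    # The BR require at least 112 bits of entropy; 16 random bytes give 128 bits.
    return secrets.token_hex(16)


def validate_ip_control(req: ValidationRequest, fetch: Fetcher, now: datetime,
                        port: int = 80) -> tuple[bool, str]:
    """Return (confirmed, reason). Each rule maps to a clause of BR 3.2.2.5.1."""
    # The method applies to IP Addresses only: refuse anything that is not an IP literal.
    try:
        ipaddress.ip_address(req.ip)
    except ValueError:
        return False, "not an IP address literal"
    # The file must be reachable over an Authorized Port.
    if port not in AUTHORIZED_PORTS:
        return False, f"port {port} is not an Authorized Port"
    # The file must live under /.well-known/pki-validation (an IANA-registered path
    # would also be allowed; this example only models the well-known directory).
    if not req.path.startswith(WELL_KNOWN_DIR):
        return False, "file is outside /.well-known/pki-validation"
    # The Random Value MUST NOT appear in the request itself.
    if req.random_value in req.path:
        return False, "Random Value appears in the request"
    # A Random Value older than 30 days may not be used to confirm control.
    if now - req.created_at > RANDOM_VALUE_LIFETIME:
        return False, "Random Value has expired"
    body = fetch(req.ip, port, req.path)
    if body is None:
        return False, "file not reachable on the IP address"
    if req.random_value not in body:
        return False, "Random Value not present in the file"
    return True, "control confirmed at " + now.isoformat()


def make_fetcher(served: dict[tuple[str, int, str], str]) -> Fetcher:
    # Constructed stand-in for HTTP: a table of what each (ip, port, path) would return.
    return lambda ip, port, path: served.get((ip, port, path))


def demo() -> dict[str, tuple[bool, str]]:
    now = datetime(2019, 5, 9, 17, 54, tzinfo=timezone.utc)   # constructed timestamp
    token = "e4d2a9f1c7b3085a6d1f0c2b9e7a3d55"                 # constructed Random Value
    ip = "35.169.244.206"                                      # IP named in the bug report
    path = WELL_KNOWN_DIR + "token.txt"
    served = {                                                 # constructed "server" content
        (ip, 80, path): token + "\n",
        (ip, 8080, path): token + "\n",
        (ip, 80, "/validation.txt"): token + "\n",
        (ip, 80, WELL_KNOWN_DIR + token + ".txt"): token + "\n",
    }
    fetch = make_fetcher(served)
    base = ValidationRequest(ip, token, now - timedelta(days=1), path)
    return {
        "ok": validate_ip_control(base, fetch, now),
        "wrong_port": validate_ip_control(base, fetch, now, port=8080),
        "bad_path": validate_ip_control(replace(base, path="/validation.txt"), fetch, now),
        "token_in_url": validate_ip_control(
            replace(base, path=WELL_KNOWN_DIR + token + ".txt"), fetch, now),
        "stale": validate_ip_control(
            replace(base, created_at=now - timedelta(days=31)), fetch, now),
        "missing": validate_ip_control(
            replace(base, path=WELL_KNOWN_DIR + "other.txt"), fetch, now),
        "hostname": validate_ip_control(replace(base, ip="example.com"), fetch, now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:13s} {'PASS' if ok else 'FAIL'}  {reason}")
```

Note that the result is a point-in-time statement: it says who controlled the address at `now`, not who controls it for the certificate's whole lifetime, which is exactly the dynamic-assignment concern raised later in this bug. The reason string therefore carries the confirmation time so it can be logged alongside the issuance record.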

Yeah... I agree.

Are there any limits on the DV IP certificate?
I got this certificate for free, and the IP does not belong to me (the owner is AWS).

Isn't it weird to get a free IP certificate that only requires HTTP validation for that IP?

Thank you

Flags: needinfo?(steven)

The fact the certificate is free and/or DV has no bearing on this. The issue of dynamic IP address assignment has been discussed in the CAB Forum more than once, but no good solution short of banning IP address certificates has been found. Shortening certificate lifetimes may be the most practical approach to reducing this risk.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID

Ok.
Thank you for the explanation.

Group: crypto-core-security
Product: NSS → CA Program
