The CA/Browser Forum continues to update the validation methods used for issuing SSL/TLS certificates to improve security. The latest, Ballot 7, Update IP Address Validation Methods, has been approved and the new methods will be mandatory effective August 1, 2019.
The main goal for Ballot 7 was to remove the “any other method” clause from the Baseline Requirements (BRs) regarding IP address validation. Use of this clause would introduce risk because the level of security associated with it would be undefined. In a previous ballot, the “any other method” clause had already been removed for use with domain name validation. To improve the security of the SSL/TLS ecosystem, it was determined that the “any other method” clause must be removed.
Ballot 7 will update BR section 220.127.116.11 to provide the following allowable methods to validate an IP address:
Agreed-Upon Change to Website
A random token or random value must be in the content of a file or webpage under the “/.well-known/pki-validation” directory on the IP address that is accessible by the CA. The content could also be placed on another path registered with IANA for the purposes of validating control of IP addresses.
The random value used for all methods can only be used for a 30-day period; after which, the random value will expire and a new random value will be needed.
Email, Fax, SMS, or Postal Mail to IP Address Contact
A random value is sent by email, fax, SMS or postal mail to an IP address contact. The IP address contact must be a person or entity registered with an IP address registration authority as having the right to control the IP address. The IP address contact must include the random value in the response to approve use of the IP address.
Reverse Address Lookup
Control of the IP address is confirmed by obtaining a domain name through reverse-IP lookup, then verifying the domain name through an approved procedure.
Phone Contact with IP Address Contact
IP address control can be confirmed by calling the IP address contact’s phone number. The phone number must be identified by the IP address registration authority. This method allows the call to be transferred to the IP address contact. A random value may be left in a voicemail message that must be provided when the IP address contact returns the call.
ACME Methods for IP Addresses
There are two methods using the ACME protocol to verify an IP address:
- http-01: Confirming the Applicant’s control over the IP Address by performing the procedure documented for an “http-01″ challenge in draft 04 of “ACME IP Identifier Validation Extension“
- tls-alpn-01: Confirming the Applicant’s control over the IP Address by performing the procedure documented for a “tls-alpn-01″ challenge in draft 04 of “ACME IP Identifier Validation Extension“
The CAs will be updating their IP validation methods to help secure the issuance of certificates for IP addresses by the August 1, 2019 deadline.
The CA/Browser Forum will continue to monitor validation methods and may make further changes in a future ballot. One method under review is the reverse IP address lookup. Stay tuned.