Ballot SC007: Update IP Address Validation Methods

Result

• Ballot SC007: Update IP Address Validation Methods
• Voting by Certificate Issuers: 19 total votes (including abstentions), 19 Yes, 0 No, 0 Abstain
• Voting by Certificate Consumers: 4 total votes (including abstentions), 4 Yes, 0 No, 0 Abstain
• The ballot page states the voting period has ended and the ballot has Passed.

What the ballot changes

• Removes Baseline Requirements section 3.2.2.5 item 4 (Any Other Method) and replaces it with an explicit list of IP Address validation methods.
• Adds a compliance requirement in section 1.2.2:
  • Compliance: 2019-08-01
  • Section 3.2.2.5
  • Summary Description: CAs MUST follow revised validation requirements in section 3.2.2.5 and MUST keep a record of IP Address validation methods used.
• Adds definitions to section 1.6.1 for IP Address, IP Address Contact, and IP Address Registration Authority.
• Replaces Baseline Requirements section 3.2.2.5 in its entirety with revised IP Address authentication requirements, including:
  • The CA SHALL confirm prior to issuance that each IP Address listed in the Certificate was validated using at least one permitted method.
  • Completed validations may be valid for multiple Certificates over time, provided validation was initiated within the time period specified in the relevant requirement prior to issuance.
  • After July 31, 2019, CAs SHALL maintain a record of which IP validation method (including the relevant BR version number) was used to validate every IP Address.
  • Defines multiple permitted validation methods (3.2.2.5.1 through 3.2.2.5.7), including:
    • Agreed-Upon Change to Website
    • Email, Fax, SMS, or Postal Mail to IP Address Contact
    • Reverse Address Lookup
    • Any Other Method (with restrictions)
    • Phone Contact with IP Address Contact
    • ACME http-01 method for IP Addresses
    • ACME tls-alpn-01 method for IP Addresses

Restrictions on Any Other Method

• CAs SHALL NOT perform validations using Any Other Method after July 31, 2019.
• Completed validations using Any Other Method SHALL NOT be re-used for certificate issuance after July 31, 2019.
• Certificates issued prior to August 1, 2019 containing an IP Address validated using Any Other Method MAY continue to be used without revalidation until the certificate naturally expires.

Voting procedure and quorum (as stated on the ballot page)

• Bylaw 2.3(f): requires a yes vote by two-thirds of Certificate Issuer votes and 50%-plus-one Certificate Consumer votes; requirement was met for both groups.
• Bylaw 2.3(f): at least one Certificate Issuer and one Certificate Consumer Member must vote in favor; requirement was met.
• Bylaw 2.3(g): ballot result valid only when more than half of currently active Members has participated; quorum was met (half of currently active Members as of start of voting was 9, so quorum was 10 votes).