I don't know if it's specifically a CA/B forum thing, just since like I keep saying it's really not related to CAs. It's more complicated than just the B-half of "browsers" too, as a lot of "web connections" are from things like mobile apps or Internet-of-things devices connecting to a hostname (or IP!) with the actual destination hidden from a user. If you're looking for some "industry group" to lobby, rather than just trying to lobby individual libraries or browsers, I think you might be looking for the W3C or WHATWG.
Chromium has a whole guide to what a URL bar should display though I'm sure there are aspects in there that some (including probably me) might disagree with. And as I said, the whole situation is more complicated than just URL bars, too.
I can obtain a 398-day validity certificate from mainstream commercial certificate authorities such as DigiCert or Sectigo using the HTTP-01 validation method as same as Let's Encrypt. Because of certain good relationships, I wouldnât even need to pay for these certificates.
It is the service providerâwho uses a dynamic IP address to provide services and does not consider that those IPs may later be reassigned to someone elseâthat is at fault, not the CA. This is no different from past accusations that CAs issued certificates to phishing or scam websites.
Assuming that some powerful aliens could hijack BGP from multiple sources to forge proof, or that some malicious ISP could hijack traffic to apply for a certificate, is meaningless. Since the HTTP-01 validation method applies to both domain names and IP addresses, the same techniques could also be used to attack domain certificates.