Automated validation of IP addresses seems pretty fraught to me. You need to verify not only that the applicant controls the IP address in question, but also that he will continue to control it for some period of time, e.g., that it won't be assigned to some other DHCP client in 20 minutes. The definition of "control" is also a lot more fuzzy -- the 15 hosts behind my home NAT are indistinguishable from the point of view of an ACME server.
So I would put IP addresses in the bin of "not amenable to automated validation". The only path I see to automatic IP address validation goes through the RPKI, which implies that it is not a near-term proposition.

--Richard

On Wed, Mar 25, 2015 at 12:48 PM, Jacob Hoffman-Andrews <[email protected]> wrote:
> On 03/25/2015 06:51 AM, James Cloos wrote:
> > Will acme support CSRs with not just dns names in subjectAltNames, but
> > also ip addresses? Verifying that the dns name(s) resolve to the ip
> > address(es) is reasonable in such cases.
> This is more a question of policy for the implementing CA than a
> protocol question, though validating IP addresses might require a new
> type of challenge response.
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
>
