On Sun, Jul 16, 2017 at 04:29:20PM -0700, Roland Bracewell Shoemaker wrote:
> There was some previous discussion about possibly using a slightly
> simpler DNS based verification method on the list last time I posted
> this as an individual submission. After reading through the CABF BRs for
> IP validation I'm pretty sure the proposed solution (checking for a TXT
> record in the reverse mapping zone) would not be considered BR compliant
> so I've stuck with the originally proposed challenge.
The relevant (proposed) text I could find says:

"[...] in a TXT record for the IP Address."

(This is from the proposed "7 IP Address validation methods"[1].) The only way I can make sense of having DNS records for the IP address is the QNAME corresponding to the IP in the reverse mapping. I don't see the "or prepend an underscore label" or similar language for the method, unlike the DNS domain validation, which has that sort of language.

So I interpret that for the IP address 192.0.2.1, the QNAME has to be: "1.2.0.192.in-addr.arpa".

I guess the person to ask would be Jeremy Rowley (he posted the latest version of the text I could find to the CABForum validation list).

Also, the relevant section for TLS-SNI in the "7 methods" says:

"[...] a Certificate on the IP Address [...]"

Whatever that actually means (I can come up with at least two different interpretations, and both of these are probably wrong):

- The certificate has to certify the IP address.
- The connection has to ask for a certificate on the IP address, i.e., omit server_name.

... Both of these interpretations are technically problematic. And neither is compatible with what the I-D text says.

[1] I presume CABForum wants to first get the "10 Domain Validation methods" through, and then work on getting the "7 IP Address Validation methods" passed.

-Ilari
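As an added example (not part of Ilari's message, the ACME draft, or any CA's code), this Python builds the reverse-mapping QNAME Ilari describes for an IPv4 address, generalizes it to IPv6 (ip6.arpa), and checks whether a TXT record at that name carries an expected token. The token value and the in-memory resolver are constructed assumptions standing in for a real DNS lookup.

```python
import ipaddress
import secrets
from typing import Callable, List

# Constructed stand-in for a DNS resolver: maps a QNAME to the TXT strings
# published at that name. A real validator would query DNS (preferably with
# DNSSEC validation) instead of reading this table.
_FAKE_ZONE = {
    "1.2.0.192.in-addr.arpa": ["v=spf1 -all", "acme-token-EXAMPLE"],
    # 2001:db8::1 expanded to 32 nibbles and reversed under ip6.arpa
    "1." + "0." * 23 + "8.b.d.0.1.0.0.2.ip6.arpa": ["acme-token-EXAMPLE"],
}


def fake_lookup_txt(qname: str) -> List[str]:
    """Return the TXT strings at qname from the constructed zone (empty if none)."""
    return _FAKE_ZONE.get(qname, [])


def reverse_qname(ip: str) -> str:
    """Build the reverse-mapping QNAME for an IP address.

    IPv4: octets reversed under in-addr.arpa (192.0.2.1 -> 1.2.0.192.in-addr.arpa).
    IPv6: all 32 hex nibbles of the expanded address reversed under ip6.arpa.
    (ipaddress.ip_address(ip).reverse_pointer computes the same thing.)
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # zero-padded, no compression
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def txt_in_reverse_zone(
    ip: str,
    expected: str,
    lookup_txt: Callable[[str], List[str]] = fake_lookup_txt,
) -> bool:
    """True if some TXT string at the IP's reverse-mapping name equals expected.

    Any unrelated TXT records at the same name (e.g. SPF) are ignored; the
    comparison is constant-time so the token cannot be probed byte by byte.
    """
    qname = reverse_qname(ip)
    return any(secrets.compare_digest(rec, expected) for rec in lookup_txt(qname))
```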
