I'm pro moving forward (I personally want my SANs to include the machines' IPs so anyone connecting via IP doesn't have to click through a security warning before being redirected to the correct name; yes, zero to minimal legitimate users would try the IP, but the same goes for many of the names in my SAN. I'd just like to see them show up in the log like the other names unintended for HTTPS (to find out where they come from more than anything else); they don't show up if they stop at the cert warning),
but I'm an edge case (most don't care about the unexpected traffic/load).

At 20:55 21/03/2018 Wednesday, Roland Bracewell Shoemaker wrote:
> Hey all,
>
> Following on from the meeting today I wanted to start a discussion on what to do moving forward with regard to the reverse-dns method defined in draft-ietf-acme-ip. There were arguments on both sides about whether the method should be retained or removed, which I'll quickly paraphrase (if you feel I've misrepresented either please correct me). The argument for removing this was that there are no technical issues with the method as-is but that the reverse DNS zones are historically badly managed and that using them for validation will cause problems down the line (presumably misissuance by a person who controls the zone but doesn't actually control the IPs the zone represents). The argument for keeping it is that the IETF (or more specifically the ACME WG) should not be where CA or browser policy is dictated and that, given these methods are currently allowed under the CABF BRs and browser root programs, it would actually be useful to have a technically defined method for validation that can at least be used as a tool for further research on the topic.
>
> As stated at the meeting I'm of the opinion that we should move forward with the method in the document, and if individual browsers or CABF feel strongly that these methods are not secure they should disallow their usage in their root programs or the BRs respectively, which would prevent any CA from actually using the method. That said, there was obviously a contingent of people who disagree with me on this. I guess one thing to ask is: do we have anyone who would actually _want_ to use this? My understanding is the main use case, much like for the dns-01 challenge, is to get certs for IP identifiers before actually having to stand anything up on a machine so that it can instantly start doing its job, which seems valuable.
>
> Thanks,
> Roland

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
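The IP SANs the reply asks for, as an added example that is not code from this thread, from draft-ietf-acme-ip or from any CA: a self-signed test certificate whose subjectAltName carries both hostnames and IP addresses, plus a check of whether a client that connected by IP would accept it or stop at a mismatch. The hostnames and addresses are placeholders from the documentation ranges, and the helper names and the `WORKDIR` variable are this example's own assumptions; it needs OpenSSL 1.1.1 or later for `req -addext` and `x509 -ext`.

```shell
#!/bin/sh
# Added example, not from the ACME thread or draft-ietf-acme-ip.
# Issues a self-signed test certificate whose SAN lists hostnames and the
# machine's IPs, then checks how a client that connects by IP would treat it.
# Hostnames and addresses are constructed placeholders (RFC 5737 / RFC 3849).
# Requires OpenSSL 1.1.1 or later for `req -addext` and `x509 -ext`.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CERT="$WORKDIR/cert.pem"
KEY="$WORKDIR/key.pem"

# Generate a key and a self-signed cert with DNS and IP SANs in one step.
make_cert_with_ip_sans() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=www.example.net" \
        -addext "subjectAltName=DNS:www.example.net,DNS:example.net,IP:203.0.113.10,IP:2001:db8::1" \
        -keyout "$KEY" -out "$CERT" 2>/dev/null
}

# Print the SAN entries of the generated cert, one per line, e.g.
#   DNS:www.example.net
#   IP Address:203.0.113.10
list_sans() {
    openssl x509 -in "$CERT" -noout -ext subjectAltName \
        | tail -n +2 | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Exit 0 if the SAN contains exactly the given entry
# (e.g. "IP Address:203.0.113.10" or "DNS:example.net").
san_covers() {
    list_sans | grep -qxF "$1"
}

# Exit 0 if a client that trusts this cert and connected to the given IP
# would accept it; this is the same identity check a TLS client performs
# against the SAN, applied to an IP instead of a hostname.
verify_ip_matches() {
    openssl verify -CAfile "$CERT" -verify_ip "$1" "$CERT" >/dev/null 2>&1
}

# Stand-alone run: build the cert and show both outcomes.
make_cert_with_ip_sans
list_sans
if verify_ip_matches 203.0.113.10; then
    echo "203.0.113.10: accepted (IP is in the SAN)"
fi
if ! verify_ip_matches 198.51.100.7; then
    echo "198.51.100.7: rejected (IP address mismatch)"
fi
```

The second `verify_ip_matches` call is the case the reply describes: a client that reaches the box on an address not listed in the SAN stops at the certificate check, so that request never reaches the HTTP log. Listing every address the machine answers on, alongside the hostnames, is what makes those by-IP connections show up like any other name.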
