I see that this draft has been updated to specify how tls-alpn-01 can be used to validate IP addresses in section 4. However, IP addresses are not permitted in SNI, as RFC 6066 section 3 (https://tools.ietf.org/html/rfc6066#section-3) states that "Literal IPv4 and IPv6 addresses are not permitted in 'HostName'."

Given that the tls-alpn-01 challenge mandates that servers support the acme-tls/1 ALPN, perhaps it is safe to merely state that the SNI extension MUST NOT be included in the TLS handshake at all for IP address validation using tls-alpn-01. The lack of the SNI extension in the TLS handshake would serve as an indicator to the server that IP address validation is being attempted by the TLS client (as opposed to hostname/domain validation, which will include the SNI extension in the ClientHello).

Thanks,
Corey Bonnell
Senior Software Engineer
Trustwave | SMART SECURITY ON DEMAND
https://www.trustwave.com

On 7/25/18, 1:07 PM, "Acme on behalf of [email protected]" <[email protected] on behalf of [email protected]> wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Automated Certificate Management Environment WG of the IETF.

Title : ACME IP Identifier Validation Extension
Author : Roland Bracewell Shoemaker
Filename : draft-ietf-acme-ip-03.txt
Pages : 5
Date : 2018-07-25

Abstract:
This document specifies identifiers and challenges required to enable the Automated Certificate Management Environment (ACME) to issue certificates for IP addresses.

The IETF datatracker status page for this draft is:
https://scanmail.trustwave.com/?c=4062&d=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeX9MdngtgA&s=5&u=https%3a%2f%2fdatatracker%2eietf%2eorg%2fdoc%2fdraft-ietf-acme-ip%2f

There are also htmlized versions available at:
https://scanmail.trustwave.com/?c=4062&d=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeXgRJSp90Q&s=5&u=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2fdraft-ietf-acme-ip-03
https://scanmail.trustwave.com/?c=4062&d=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeX4RJy15gA&s=5&u=https%3a%2f%2fdatatracker%2eietf%2eorg%2fdoc%2fhtml%2fdraft-ietf-acme-ip-03

A diff from the previous version is available at:
https://scanmail.trustwave.com/?c=4062&d=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeS8aIXh9hw&s=5&u=https%3a%2f%2fwww%2eietf%2eorg%2frfcdiff%3furl2%3ddraft-ietf-acme-ip-03

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at http://scanmail.trustwave.com/?c=4062&d=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeS4fdy952Q&s=5&u=http%3a%2f%2ftools%2eietf%2eorg

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
Acme mailing list
[email protected]
https://scanmail.trustwave.com/?c=4062&d=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeSgdJHZ20g&s=5&u=https%3a%2f%2fwww%2eietf%2eorg%2fmailman%2flistinfo%2facme
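The selection rule proposed in the message above (acme-tls/1 offered in ALPN, identifier type inferred from whether the ClientHello carries an SNI extension), as an added example written for this page; it is not code from the draft, the ACME working group, or the poster. It parses the ClientHello far enough to read the server_name and ALPN extensions, then classifies the handshake as IP validation, DNS validation, or a rejection, including the RFC 6066 case of an IP literal appearing in SNI. The ClientHello builder exists only to produce constructed test input, and all function and constant names are this example's own.

```python
# Added example: classify an ACME tls-alpn-01 ClientHello as IP or DNS
# validation by the presence of the SNI extension.  Not draft or poster code.
import ipaddress
import struct

ACME_TLS_ALPN = b"acme-tls/1"
EXT_SERVER_NAME = 0    # RFC 6066 server_name
EXT_ALPN = 16          # RFC 7301 application_layer_protocol_negotiation


def build_client_hello(sni=None, alpn=(ACME_TLS_ALPN,)):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name       # NameType host_name(0)
        body = struct.pack("!H", len(entry)) + entry            # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(body)) + body
    if alpn:
        protos = b"".join(struct.pack("!B", len(p)) + p for p in alpn)
        body = struct.pack("!H", len(protos)) + protos
        exts += struct.pack("!HH", EXT_ALPN, len(body)) + body
    hello = (
        b"\x03\x03" + bytes(32)                  # client_version, random (zeros)
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_server_name(data):
    """Return the host_name entry of a server_name extension, or None."""
    (list_len,) = struct.unpack("!H", data[:2])
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type, name_len = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == 0:
            return name.decode("ascii")
    return None


def _parse_alpn(data):
    """Return the protocol names offered in an ALPN extension."""
    (list_len,) = struct.unpack("!H", data[:2])
    pos, end, protos = 2, 2 + list_len, []
    while pos < end:
        plen = data[pos]
        protos.append(data[pos + 1:pos + 1 + plen])
        pos += 1 + plen
    return protos


def parse_client_hello(record):
    """Extract (sni_present, host_name, alpn_list) from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # version + random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    sni_present, host_name, alpn = False, None, []
    if pos == len(body):
        return sni_present, host_name, alpn                  # no extensions block
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:
            sni_present, host_name = True, _parse_server_name(data)
        elif etype == EXT_ALPN:
            alpn = _parse_alpn(data)
    return sni_present, host_name, alpn


def classify_validation(record):
    """Proposed rule: acme-tls/1 offered and no SNI extension means IP validation."""
    sni_present, host_name, alpn = parse_client_hello(record)
    if ACME_TLS_ALPN not in alpn:
        return "reject", "acme-tls/1 not offered in ALPN"
    if not sni_present:
        return "ip", None                  # serve the IP-identifier validation cert
    if host_name is None:
        return "reject", "server_name extension without a host_name entry"
    try:
        ipaddress.ip_address(host_name)
    except ValueError:
        return "dns", host_name            # ordinary hostname validation
    return "reject", "IP literal in SNI is forbidden by RFC 6066 section 3"
```

A real server would dispatch on the returned tag when choosing the validation certificate to present; keeping the classification separate from the TLS stack makes the rule itself easy to test against captured ClientHellos.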
