On Tue, Oct 1, 2019 at 5:20 PM Jacob Hoffman-Andrews <[email protected]> wrote:
>
> It's important to note that automated validation of IP addresses for
> certificates is already a part of the Web PKI, but is not standardized.
> This protocol will standardize it, which I believe will make overall
> validation of IP addresses more secure, within the threat model that
> Roland described.
>

ACME is sufficiently useful that I think it will cause the proliferation of IP certificates, which to me seems like a bad outcome -- but, as I realized above, this is my own personal view / bias, and so I will be removing the DISCUSS.

> We could attempt to ban automated validation of IP address certificates,
> or ban IP address certificates entirely, but that wanders into the realm
> of policy rather than standards, and would be better suited to browser
> root programs IMO.
>

Yeah - *to me* that seems like that would be a grand outcome...

> Overall, given the tradeoffs, I think it is better to have a
> standardized method of IP address validation than to have none.

True, but making something "dangerous" easier and faster to do doesn't necessarily seem like a win. Shooting myself in the foot used to require checking the bore, pouring in powder, stuffing in some wadding, shoving a ball down the muzzle, tamping everything down, removing the rod, clearing a vent hole, adding powder to a pan, and finally pointing it at my foot - now, with automation I can remove both feet in a hundredth of the time...

(Why, yes, I have just been watching a documentary on the Prussian / Danish war, what makes you ask?...)

W

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
