Six day and IP address certificate options in 2025

It feels like there's something of an attack vector here with cloud providers who lease IPs for hours at a time.

1. Lease IP

2. Obtain cert (verify can receive traffic to IP on port 80)

3. Give IP back

4. Cloud provider gives IP to another customer

5. Bgp attack IP with 6 days.

While I support the idea of IP certs I do wonder how thought through this is and what the future consequences for security are.

I agree with another commenter here who said this should be limited to IPs behind RPKI.

Possibly also needs a mechanism for IP owners to clamp the cert time to be below their IP re-lease policy. As an example a provider like AWS could require max certs of (say) 6 hours and ensure any returned IPs stay unleased for 6 hours before reissuing them)

You can do the same BGP attacks with regular domain certs, though. If you hijack the IP that a domain resolves to, you can answer HTTP-01 challenges.

If you control the IP or domain via a BGP hack, you can get a certificate issued while you control it, as long as you control it from the perspective of their CA.

You've got to be pretty lucky, or do a lot of IP cycling for your vector to be terribly useful. A paranoid user of IP certs would let their new public facing assignments settle for a week before using them; but I suspect few people will start using IP address certs, because of usability.

I wouldn't write off the use of IP certs just yet.

AFAIK IP address certs would provide a way to create a secure browsing context in your browser, which is required for service worker ('offline' background threads) and some File API, which could open up a new class of programs that host for friends and family.

This is exactly why the LE IP certs will be limited to 6 days: this exact attack is possible today against any IP address cert, and such certs in general are allowed to have lifetimes up to 398 days. LE isn't comfortable with that situation, so IP certs will have the shortest feasible lifetimes.