314 points Bogdanp | 1 comments
mocko No.44379696
I can see how this would work on a technical level but what's the intended use case?
infogulch No.44380377
Just ESNI/ECH is a big deal.

I recall one of the main arguments against Encrypted server name indication (ESNI) is that it would only be effective for the giant https proxy services like Cloudflare, that the idea of IP certs was floated as a solution but dismissed as a pipe dream. With IP address certificates, now every server can participate in ESNI, not just the giants. If it becomes common enough for clients to assume that all web servers have an IP cert and attempt to use ESNI on every connection, it could be a boon for privacy across the internet.

1. duskwuff No.44380676
> If it becomes common enough for clients to assume that all web servers have an IP cert

That's never going to be a safe assumption; private and/or dynamically assigned IP addresses are always going to be a thing.