
314 points Bogdanp | 8 comments
1. msgodel No.44380911
This is incredibly dumb. The three-way handshake and initial key exchange is your certificate.
replies(2): >>44381814 #>>44382226 #
2. cpburns2009 No.44381814
That would be fine if browsers didn't throw up giant warning signs when using self-signed certificates.
replies(2): >>44382565 #>>44383358 #
3. Dylan16807 No.44382226
And this protects you from a hostile network how?
replies(1): >>44382560 #
4. msgodel No.44382560
How does the certificate? If you already have to do the TLS handshake it doesn't change anything.
replies(1): >>44383605 #
5. msgodel No.44382565
That sounds like a defect in the browser design.

Or maybe it's because you actually want an identity to verify (which an IP address is not.)

6. nijave No.44383358
Usually you can just import the leaf self-signed cert as a CA in your OS trust store and the problem goes away (assuming it has an IP SAN). Slightly tedious but you can issue the certs with long validity.
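
Added example, not part of the thread or written by any commenter: a Go sketch of the check described in comment 6, using `crypto/x509` in place of an OS trust store or browser. The helper names `selfSigned` and `trusted` and the documentation address `192.0.2.10` are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned returns a self-signed leaf certificate carrying the given IP SANs.
func selfSigned(ips ...net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(10, 0, 0), // long validity
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  ips, // the IP SAN the verifier matches against
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trusted reports whether cert verifies for host with only the pinned certs as trust anchors.
func trusted(cert *x509.Certificate, host string, pinned ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // non-nil pool: system roots are not consulted
	for _, c := range pinned {
		pool.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	leaf, _ := selfSigned(net.ParseIP("192.0.2.10"))
	fmt.Println(trusted(leaf, "192.0.2.10", leaf), trusted(leaf, "192.0.2.11", leaf), trusted(leaf, "192.0.2.10"))
}
```

Verification succeeds only when the leaf is both pinned as a trust anchor and lists the address being connected to as an IP SAN; a different address or an unpinned certificate is rejected.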
7. Dylan16807 No.44383605{3}
A verified certificate lets you know you didn't handshake with an attacker in the middle.
replies(1): >>44387620 #
8. msgodel No.44387620{4}
Let me rephrase that: How is the CA supposed to know they didn't handshake with an attacker? All they have is the IP, there's no identity to check like with DNS.