←back to thread

Getting ready to issue IP address certificates

(community.letsencrypt.org)
315 points Bogdanp | 3 comments | 25 Jun 25 16:21 UTC | HN request time: 0.743s | source
Show context
Hizonner ◴[25 Jun 25 18:37 UTC] No.44380527[source]
So does anybody have a pointer to the official justification for this insanity?
replies(2): >>44380597 #>>44380926 #
ameliaquining ◴[25 Jun 25 19:17 UTC] No.44380926[source]
The announcement is https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/. I don't think it's more complicated than: there exist services that for one reason or another don't have a domain name and are instead accessible by a public static IP address, and they need TLS certificates for security, and other CAs offer this, so Let's Encrypt should too. Is there any specific reason why they shouldn't?
replies(2): >>44381154 #>>44381234 #
1. leoh ◴[25 Jun 25 19:51 UTC] No.44381234[source]
It seems to me they could just as easily issue subdomains and certs for said IPs and make the whole thing infinitely safer.
replies(1): >>44381505 #
2. parliament32 ◴[25 Jun 25 20:24 UTC] No.44381505[source]
I could see the opposite argument: domain names who knows, someone could steal it or hack the registrar, registrar could be evil, DNS servers could be untrusted and/or evil or MITM'd... connecting to an IP you're engineering out entire classes of weaknesses in the scheme.
replies(1): >>44382878 #
3. leoh ◴[25 Jun 25 23:50 UTC] No.44382878[source]
Sure, someone could steal google.com I guess