(community.letsencrypt.org)

314 points Bogdanp | 2 comments | 25 Jun 25 16:21 UTC | HN request time: 0.47s | source

Show context

Hizonner ◴[25 Jun 25 18:37 UTC] No.44380527[source]▶

So does anybody have a pointer to the official justification for this insanity?

ameliaquining ◴[25 Jun 25 19:17 UTC] No.44380926[source]▶

The announcement is https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/. I don't think it's more complicated than: there exist services that for one reason or another don't have a domain name and are instead accessible by a public static IP address, and they need TLS certificates for security, and other CAs offer this, so Let's Encrypt should too. Is there any specific reason why they shouldn't?

replies(2): >>44381154 #>>44381234 #

leoh ◴[25 Jun 25 19:51 UTC] No.44381234[source]▶

>>44380926 #

It seems to me they could just as easily issue subdomains and certs for said IPs and make the whole thing infinitely safer.

replies(1): >>44381505 #

1. parliament32 ◴[25 Jun 25 20:24 UTC] No.44381505[source]▶

>>44381234 #

I could see the opposite argument: domain names who knows, someone could steal it or hack the registrar, registrar could be evil, DNS servers could be untrusted and/or evil or MITM'd... connecting to an IP you're engineering out entire classes of weaknesses in the scheme.

replies(1): >>44382878 #

2. leoh ◴[25 Jun 25 23:50 UTC] No.44382878[source]▶

>>44381505 (TP) #

Sure, someone could steal google.com I guess

↑

Getting ready to issue IP address certificates