Getting ready to issue IP address certificates

(community.letsencrypt.org)

315 points Bogdanp | 1 comments | 25 Jun 25 16:21 UTC | HN request time: 0.289s | source

Show context

mocko ◴[25 Jun 25 17:16 UTC] No.44379696[source]▶

I can see how this would work on a technical level but what's the intended use case?

replies(13): >>44379710 #>>44379735 #>>44379778 #>>44379786 #>>44379885 #>>44379946 #>>44380155 #>>44380377 #>>44380579 #>>44380856 #>>44381151 #>>44381389 #>>44386646 #

move-on-by ◴[25 Jun 25 18:04 UTC] No.44380155[source]▶

>>44379696 #

Plenty of other responses with good use cases, but I didn’t see NTS mentioned.

If you want to use NTS, but can’t get an IP cert, then you are left requiring DNS before you can get a trusted time. If DNS is down- then you can’t get the time. A common issue with DNSSEC is having the wrong time- causing validation failures. If you have DNSSEC enforced and have the wrong time- but NTS depends on DNS, then you are out of luck with no way to recover. Having IP as part of your cert allows trusted time without the DNS requirement, which can then fix your broken DNSSEC enforcement.

replies(2): >>44380608 #>>44380660 #

codys ◴[25 Jun 25 18:50 UTC] No.44380660[source]▶

>>44380155 #

this seems possible to avoid as an issue without needing IP certs by having the configuration supply both an IP and a hostname, with the hostname used for the TLS validation.

replies(1): >>44381548 #

1. move-on-by ◴[25 Jun 25 20:31 UTC] No.44381548[source]▶

>>44380660 #

Yes, that is absolutely possible, but doesn't mean that will be the default. I commented recently [0] about Ubuntu's decision to have only NTS enabled (via domain) by default on 25.10. It begs the question how system time can be set if the initial time is outside of the cert's validity time-frame. I didn't look, but perhaps Chrony would still use the local network's published NTP servers.

[0]: https://news.ycombinator.com/context?id=44318784

↑