315 points Bogdanp | 1 comments
lq9AJ8yrfs ◴[] No.44380076[source]
So all the addressing bodies (e.g., ISPs and cloud providers) are on board then, right? They sometimes cycle through IPs with great velocity. Faster than 6 days at least.

Lots of sport here, unless perhaps they cool off IPs before reallocating, or perhaps query and revoke any certs before reusing the IP?

If the addressing bodies are not on board then it's a user responsibility to validate the host header and reject unwanted IP address based connections until any legacy certs are gone / or revoke any legacy certs. Or just wait to use your shiny new IP?

I wonder how many IP certs you could get for how much money with the different cloud providers.

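The Host-header validation mentioned in the comment above, sketched as an added example; it is not part of the thread or any commenter's code. The allow-list contents and the function names are hypothetical, and the sample values are constructed.

```python
import ipaddress

# Hypothetical allow-list: the names this server is meant to answer for.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

def split_host_header(value):
    """Split a Host header value into (host, port); port is None if absent."""
    value = value.strip()
    if not value:
        raise ValueError("empty Host header")
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port = rest[1:]
    else:
        host, _, port = value.partition(":")
    if port and not port.isdigit():
        raise ValueError("non-numeric port")
    return host, port or None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_host(value, allowed=ALLOWED_HOSTS):
    """Return (accepted, reason) for one Host header value."""
    try:
        host, _port = split_host_header(value)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    host = host.rstrip(".").lower()  # normalise case and a trailing root dot
    if is_ip_literal(host):
        return False, "ip-literal"  # request was addressed to the IP itself
    if host not in allowed:
        return False, "unknown-host"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample Host values (documentation address ranges).
    for sample in ["www.example.com", "192.0.2.10:443", "[2001:db8::1]", "other.example.net"]:
        print(f"{sample!r:24} -> {check_host(sample)}")
```

Clients connecting by IP address normally send no SNI (RFC 6066 does not permit address literals in the server name), so the TLS-layer counterpart of this check is refusing handshakes that carry no server name.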
1. jeroenhd ◴[] No.44382179[source]
You can renew your HTTPS certificate for 90 days the day before your domain expires. Your CA can't see if the credit card attached to your auto renewal has hit its limit or not.

I don't think the people using IP certificates will be the same people that abandon their IP address after a week. The most useful thing I can think of is either some very weird legacy software, or Encrypted Client Hello/Encrypted SNI support without needing a shared IP like with Cloudflare. The former won't drop IPs on a whim, the latter wouldn't succeed in setting up a connection to the real domain.