
320 points Bogdanp | 2 comments
zdw No.44379917
This seems to be for public IP addresses, not private RFC1918 ipv4 range addresses.

The only challenges possible are HTTP and TLS-ALPN, not DNS, so the "proof" that you own the IP is that LetsEncrypt can contact it?

replies(2): >>44380959 #>>44381243 #
Hizonner No.44381243
Having DNS available wouldn't be any more "proof". The person applying gets to choose which form of proof will be provided, so adding more options can only ever make it easier to "prove" things.
replies(1): >>44382724 #
tialaramex No.44382724
I don't happen to know if it's actively in use, or whether any of the technical implementation details were formally standardized, but one obvious thing goes like this:

1. Write a DNS record for CAA, the Certificate Authority Authorization, for your names

2. In the CAA record, say that you forbid anybody except your chosen CA to issue. Competent CAs will obey this instruction (obeying it is mandated by the root trust stores; there are bugs, of course, but on the whole compliance is very good, and it is separate from their implementation of specific validation methods)

3. Further, indicate, either in this record or by agreement with your chosen CA, that they must use DNS proof of control. This might be something very nerdy like indicating a specific OID for the method in the CAA record or it might be a Memorandum of Understanding somebody signed and then they went out for a nice lunch.

replies(1): >>44392126 #
ameliaquining No.44392126
Yes, this is a thing: https://www.rfc-editor.org/rfc/rfc8657.html#name-extensions-...
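The CAA-plus-validation-method policy described in the two comments above, as an added example that is not part of the thread: a small checker that applies RFC 8659 issue/issuewild semantics together with the RFC 8657 `validationmethods` parameter. The record set and the CA domain `letsencrypt.org` are constructed sample input; walking up the DNS tree to find the relevant RRset is assumed to have happened already.

```python
"""Decide whether a CA, using a given validation method, may issue for a
name under a CAA record set (RFC 8659 semantics plus the RFC 8657
'validationmethods' parameter). Records are (flags, tag, value) tuples as
they would appear in the zone, e.g.:
    example.com. IN CAA 0 issue "letsencrypt.org; validationmethods=dns-01"
"""


def parse_issue_value(value):
    """Split 'ca.example; k=v; k2=v2' into (issuer_domain, {params})."""
    issuer, *params = [p.strip() for p in value.split(";")]
    kv = {}
    for p in params:
        if not p:
            continue
        k, _, v = p.partition("=")
        kv[k.strip()] = v.strip()
    return issuer.lower(), kv


def may_issue(caa_records, ca_domain, method, wildcard=False):
    """True if ca_domain may issue using 'method' (an ACME label such as
    'dns-01'; RFC 8657 also defines other label forms not handled here)."""
    tag = "issuewild" if wildcard else "issue"
    records = [r for r in caa_records if r[1].lower() == tag]
    if wildcard and not records:
        # RFC 8659 section 4.3: with no issuewild records, issue records apply
        records = [r for r in caa_records if r[1].lower() == "issue"]
    if not records:
        return True  # no CAA policy for this tag: any CA may issue
    for _flags, _tag, value in records:
        issuer, params = parse_issue_value(value)
        if issuer != ca_domain.lower():
            continue  # record names another CA, or nobody (empty issuer)
        methods = params.get("validationmethods")
        if methods is None:
            return True  # CA is named with no method restriction
        allowed = {m.strip() for m in methods.split(",")}
        if method in allowed:
            return True  # RFC 8657: method used is on the permitted list
    return False


# Constructed sample policy: only letsencrypt.org may issue, and only via
# DNS proof of control; nobody may issue wildcard certificates.
CAA_EXAMPLE = [
    (0, "issue", "letsencrypt.org; validationmethods=dns-01"),
    (0, "issuewild", ";"),
]

if __name__ == "__main__":
    print(may_issue(CAA_EXAMPLE, "letsencrypt.org", "dns-01"))   # True
    print(may_issue(CAA_EXAMPLE, "letsencrypt.org", "http-01"))  # False
```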