←back to thread

Getting ready to issue IP address certificates

(community.letsencrypt.org)
314 points Bogdanp | 1 comments | 25 Jun 25 16:21 UTC | HN request time: 0.238s | source
Show context
mocko ◴[25 Jun 25 17:16 UTC] No.44379696[source]
I can see how this would work on a technical level but what's the intended use case?
replies(13): >>44379710 #>>44379735 #>>44379778 #>>44379786 #>>44379885 #>>44379946 #>>44380155 #>>44380377 #>>44380579 #>>44380856 #>>44381151 #>>44381389 #>>44386646 #
move-on-by ◴[25 Jun 25 18:04 UTC] No.44380155[source]
Plenty of other responses with good use cases, but I didn’t see NTS mentioned.

If you want to use NTS, but can’t get an IP cert, then you are left requiring DNS before you can get a trusted time. If DNS is down- then you can’t get the time. A common issue with DNSSEC is having the wrong time- causing validation failures. If you have DNSSEC enforced and have the wrong time- but NTS depends on DNS, then you are out of luck with no way to recover. Having IP as part of your cert allows trusted time without the DNS requirement, which can then fix your broken DNSSEC enforcement.

replies(2): >>44380608 #>>44380660 #
Hizonner ◴[25 Jun 25 18:45 UTC] No.44380608[source]
How are you going to validate an X.509 certificate if you don't know the time?
replies(3): >>44381483 #>>44382891 #>>44383899 #
1. CaliforniaKarl ◴[26 Jun 25 03:15 UTC] No.44383899[source]
Assuming your device gets an IP via DHCP, there is a solution that does not involve hard-coding IPs into software.

DHCP option 42 (defined in RFC 2132) can be used to specify multiple NTP server IPv4 addresses.

(There’s also DHCP option 4, but that’s used to specify the IP for the older RFC 868 time protocol.)

DHCPv6 has option 31 for SNTP (via deprecated RFC 4075), and option 56 for NTP (via RFC 5908).

So, that would probably be the best option: Get an NTP address from DHCP or DHCPv6, use that to set your clock, and then do whatever you need!

(Yes, it does require that you trust your DHCP source, and its NTP reference.)