
315 points | Bogdanp | 1 comment
lq9AJ8yrfs No.44380076
So all the addressing bodies (e.g., ISPs and cloud providers) are on board then, right? They sometimes cycle through IPs with great velocity. Faster than 6 days at least.

Lots of sport here, unless perhaps they cool off IPs before reallocating, or perhaps query and revoke any certs before reusing the IP?

If the addressing bodies are not on board then it's a user responsibility to validate the host header and reject unwanted IP address based connections until any legacy certs are gone / or revoke any legacy certs. Or just wait to use your shiny new IP?

I wonder how many IP certs you could get for how much money with the different cloud providers.

hk1337 No.44380307
> I wonder how many IP certs you could get for how much money with the different cloud providers.

I wonder if they'll offer wildcard certs at some point.

qyrreqjh No.44383711
If you're talking about Let's Encrypt, they started offering wildcards in 2018.
DaSHacka No.44385039
GP may have been talking about "wildcard IP certificates"

Or, even if they weren't, now I'm curious about that possibility too.

bc569a80a344f9c No.44386679
Doesn't seem like that's possible.

RFC5280 (https://datatracker.ietf.org/doc/html/rfc5280) defines these fields. Section 4.2.1.6 defines SANs, and specifies:

> When the subjectAltName extension contains an iPAddress, the address MUST be stored in the octet string in "network byte order", as specified in [RFC791]. The least significant bit (LSB) of each octet is the LSB of the corresponding byte in the network address. For IP version 4, as specified in [RFC791], the octet string MUST contain exactly four octets. For IP version 6, as specified in [RFC2460], the octet string MUST contain exactly sixteen octets.

That's 32 bits for IPv4 and 128 bits for IPv6. You can't store anything other than a single unicast IP address of either format with that much space.