[cabfpub] Proposed new ballot on IP Addresses in SANs

Ryan Sleevi sleevi at google.com
Fri Apr 22 22:38:52 UTC 2016


On Fri, Apr 22, 2016 at 3:28 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> We (and other CAs) have customers who are putting together an explanation
> of the need. It’s only been a few days.
>

It's been 8 months.


> Plus, I’m not sure customer input sways many people on the Forum. Would it
> really make a difference to you if a couple of customers chimed in? I hate
> to waste their time if it really isn’t going to make a difference what they
> say.
>

If there are real reasons the solutions don't work, it's incredibly useful
to hear them, because you're proposing violating core Internet standards
that have existed for decades - this is nothing 'new'.

If this is just "Well, we'd have to have our engineer work an extra weekend
to set this up, but sure, I guess it could work" - then that's unacceptably
risky.


>
> Multiple CNs don’t work well. I’m hoping we can share specifics next week.
>

To be clear, I did not suggest multiple CNs. I did not suggest them 8
months ago. I did not suggest them this time.

To be very clear and abundantly explicit: The proposal I gave 8 months ago,
and the proposal for which there has yet to be any evidence of
compatibility issues, is quite simple:

commonName=[IP address]
subjectAltName:
  iPAddress=[IP address]

A single certificate for a single IP. Obviously, there's no conflict of IP
addresses as there are with dNSNames that would necessitate multiple
addresses in a single certificate in order to "conserve IP address space" -
because each IP address is a distinct listening point.
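The certificate shape proposed above (commonName holding the IP plus a single iPAddress SAN for the same IP), as an added illustration that is not part of this thread: it builds that certificate with Go's standard crypto/x509 and checks it against a CN-only certificate to show which one a client's IP check accepts. The address 192.0.2.10 and the serial number are constructed test values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// buildIPCert self-signs a certificate in the proposed shape: commonName = ip plus
// one iPAddress SAN for the same ip; withSAN=false omits the SAN for comparison.
func buildIPCert(ip string, withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed serial, not a real one
		Subject:      pkix.Name{CommonName: ip},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.IPAddresses = []net.IP{net.ParseIP(ip)} // the iPAddress SAN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// matchesIP reports whether a client connecting to ip would accept cert.
// Go, like other modern verifiers, only consults the SAN for this check.
func matchesIP(cert *x509.Certificate, ip string) bool {
	return cert.VerifyHostname(ip) == nil
}

func main() {
	ip := "192.0.2.10" // constructed example address from TEST-NET-1
	withSAN, _ := buildIPCert(ip, true)
	cnOnly, _ := buildIPCert(ip, false)
	fmt.Println(matchesIP(withSAN, ip), matchesIP(cnOnly, ip)) // true false
}
```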