[cabfpub] Proposed new ballot on IP Addresses in SANs

Ryan Sleevi sleevi at google.com
Fri Apr 22 22:38:52 UTC 2016

On Fri, Apr 22, 2016 at 3:28 PM, Jeremy Rowley <jeremy.rowley at digicert.com>

> We (and other CAs) have customers who are putting together an explanation
> of the need. It’s only been a few days.

It's been 8 months.

> Plus, I’m not sure customer input sways many people on the Forum. Would it
> really make a difference to you if a couple of customers chimed in? I hate
> to waste their time if it really isn’t going to make a difference what they
> say.

If there are real reasons the solutions don't work, it's incredibly useful
to hear them, because you're proposing violating core Internet standards
that have existed for decades - this is nothing 'new'.

If this is just "Well, we'd have to have our engineer work an extra weekend
to set this up, but sure, I guess it could work" - then that's unacceptably

> Multiple CNs don’t work well. I’m hoping we can share specifics next week.

To be clear, I did not suggest multiple CNs. I did not suggest them 8
months ago. I did not suggest them this time.

To be very clear and abundantly explicit: The proposal I gave 8 months ago,
and the proposal for which there has yet to be any evidence of
compatibility issues, is quite simple:

commonName=[IP address]
  iPAddress=[IP address]

A single certificate for a single IP. Obviously, there's no conflict of IP
addresses as there are with dNSNames that would necessitate multiple
addresses in a single certificate in order to "conserve IP address space" -
because each IP address is a distinct listening point.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160422/4f72bd86/attachment-0003.html>

More information about the Public mailing list