[cabfpub] Proposed new ballot on IP Addresses in SANs
pzb at amzn.com
Fri Apr 22 22:50:48 UTC 2016
> On Apr 22, 2016, at 3:38 PM, Ryan Sleevi <sleevi at google.com> wrote:
> To be clear, I did not suggest multiple CNs. I did not suggest them 8 months ago. I did not suggest them this time.
> To be very clear and abundantly explicit: The proposal I gave 8 months ago, and the proposal for which there has yet to be any evidence of compatibility issues, is quite simple:
> commonName=[IP address]
> iPAddress=[IP address]
> A single certificate for a single IP. Obviously, there's no conflict of IP addresses as there are with dNSNames that would necessitate multiple addresses in a single certificate in order to "conserve IP address space" - because each IP address is a distinct listening point.
Thanks for clarifying this. I thought you were referring to an email from 8 months ago, which attributed a slightly different solution to you: https://groups.google.com/d/msg/mozilla.dev.security.policy/Av6oZxbjvB4/H6s9OVegBwAJ
As long as the server either only has one IP address or can switch which certificate it offers based on IP address, then you are completely right — this is a fully viable solution and is the right solution, IMHO.
More information about the Public