[cabfpub] Proposed new ballot on IP Addresses in SANs

Jeremy Rowley jeremy.rowley at digicert.com
Sat Apr 23 00:06:19 UTC 2016


They can. We've suggested this but have been told it won't work. They are writing up a test scenario why it won't work, which we will then share with the group.

-----Original Message-----
From: Peter Bowen [mailto:pzb at amzn.com] 
Sent: Friday, April 22, 2016 4:51 PM
To: Ryan Sleevi <sleevi at google.com>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>; Rick Andrews <Rick_Andrews at symantec.com>; public at cabforum.org
Subject: Re: [cabfpub] Proposed new ballot on IP Addresses in SANs


> On Apr 22, 2016, at 3:38 PM, Ryan Sleevi <sleevi at google.com> wrote:
> To be clear, I did not suggest multiple CNs. I did not suggest them 8 months ago. I did not suggest them this time.
> 
> To be very clear and abundantly explicit: The proposal I gave 8 months ago, and the proposal for which there has yet to be any evidence of compatibility issues, is quite simple:
> 
> commonName=[IP address]
> subjectAltName:
>   iPAddress=[IP address]
> 
> A single certificate for a single IP. Obviously, there's no conflict of IP addresses as there are with dNSNames that would necessitate multiple addresses in a single certificate in order to "conserve IP address space" - because each IP address is a distinct listening point.

Thanks for clarifying this.  I thought you were referring to an email from 8 months ago, which attributed a slightly different solution to you: https://groups.google.com/d/msg/mozilla.dev.security.policy/Av6oZxbjvB4/H6s9OVegBwAJ

As long as the server either only has one IP address or can switch which certificate it offers based on IP address, then you are completely right — this is a fully viable solution and is the right solution, IMHO.

Thanks,
Peter
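To make the proposed certificate shape concrete, here is an added example (written for this page, not code from the thread or from any CA's tooling) that encodes the subjectAltName value for a single-IP certificate, decodes it again, and checks that commonName and the iPAddress entry agree. It assumes only the RFC 5280 GeneralName tags (dNSName is [2], iPAddress is [7]) and the Python standard library.

```python
import ipaddress

# GeneralName context tags from RFC 5280: dNSName is [2], iPAddress is [7].
DNS_TAG, IP_TAG = 2, 7


def _der_len(n: int) -> bytes:
    """DER length encoding, short form below 128 and long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_san(names) -> bytes:
    """Encode ('ip', text) / ('dns', text) entries as a DER SAN SEQUENCE."""
    inner = b""
    for kind, value in names:
        if kind == "ip":
            # iPAddress carries the raw 4- or 16-byte address, never its text form.
            tag, payload = IP_TAG, ipaddress.ip_address(value).packed
        elif kind == "dns":
            tag, payload = DNS_TAG, value.encode("ascii")
        else:
            raise ValueError(f"unsupported GeneralName kind: {kind}")
        inner += bytes([0x80 | tag]) + _der_len(len(payload)) + payload
    return b"\x30" + _der_len(len(inner)) + inner


def _read_len(buf: bytes, i: int):
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def parse_san(der: bytes):
    """Decode a DER SAN SEQUENCE into ('ip'|'dns'|'other', value) tuples."""
    assert der[0] == 0x30, "SAN extension value must be a SEQUENCE"
    total, i = _read_len(der, 1)
    end, out = i + total, []
    while i < end:
        tag = der[i] & 0x1F                      # strip the context-specific class bits
        length, i = _read_len(der, i + 1)
        payload, i = der[i:i + length], i + length
        if tag == IP_TAG:
            out.append(("ip", str(ipaddress.ip_address(payload))))
        elif tag == DNS_TAG:
            out.append(("dns", payload.decode("ascii")))
        else:
            out.append(("other", payload))
    return out


def cn_matches_ip_san(common_name: str, san_der: bytes) -> bool:
    """True only when the CN is an IP literal that also appears as an iPAddress SAN."""
    try:
        cn_ip = ipaddress.ip_address(common_name)
    except ValueError:
        return False                             # CN is a hostname, not an IP
    return ("ip", str(cn_ip)) in parse_san(san_der)
```

The last check is the one a linting or pre-issuance step would run: an IP that appears only as a dNSName string, or only in the CN, does not satisfy the single-IP shape quoted above.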