[cabfpub] Proposed new ballot on IP Addresses in SANs
jeremy.rowley at digicert.com
Sat Apr 23 00:06:19 UTC 2016
They can. We've suggested this but have been told it won't work. They are writing up a test scenario why it won't work, which we will then share with the group.
From: Peter Bowen [mailto:pzb at amzn.com]
Sent: Friday, April 22, 2016 4:51 PM
To: Ryan Sleevi <sleevi at google.com>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>; Rick Andrews <Rick_Andrews at symantec.com>; public at cabforum.org
Subject: Re: [cabfpub] Proposed new ballot on IP Addresses in SANs
> On Apr 22, 2016, at 3:38 PM, Ryan Sleevi <sleevi at google.com> wrote:
> To be clear, I did not suggest multiple CNs. I did not suggest them 8 months ago. I did not suggest them this time.
> To be very clear and abundantly explicit: The proposal I gave 8 months ago, and the proposal for which there has yet to be any evidence of compatibility issues, is quite simple:
> commonName=[IP address]
> iPAddress=[IP address]
> A single certificate for a single IP. Obviously, there's no conflict of IP addresses as there are with dNSNames that would necessitate multiple addresses in a single certificate in order to "conserve IP address space" - because each IP address is a distinct listening point.
Thanks for clarifying this. I thought you were referring to an email from 8 months ago, which attributed a slightly different solution to you: https://groups.google.com/d/msg/mozilla.dev.security.policy/Av6oZxbjvB4/H6s9OVegBwAJ
As long as the server either only has one IP address or can switch which certificate it offers based on IP address, then you are completely right — this is a fully viable solution and is the right solution, IMHO.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4964 bytes
Desc: not available
More information about the Public