[cabfpub] Proposed new ballot on IP Addresses in SANs
sleevi at google.com
Mon Apr 25 05:05:20 UTC 2016
On Fri, Apr 22, 2016 at 5:05 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> It’s been about two days since I asked them to submit their use case and
> description of why Ryan’s solution won’t work. Assuming they are doing
> their due diligence, it’ll probably be early next week. I suspect the
> reason it doesn’t work is the sheer volume of vhosts they will have to
> create to support individual certs. However, I don’t have enough
> information to share anything new.
I would be shocked to hear that certs bound to IP addresses are being used
in significant enough number as to be untenable, but your reply here
definitely sounds like it's in the "It's work and we don't want to do work"
side of the camp, not that it's fundamentally not viable. Given the risks,
and the ecosystem harm done by carving out bits of RFC5280 where it suits
customers who don't want to do work, rather than provides positive security
benefits, I think such requests should be treated with great skepticism.