[cabfpub] Proposed new ballot on IP Addresses in SANs

Ryan Sleevi sleevi at google.com
Mon Apr 25 15:43:32 UTC 2016


On Mon, Apr 25, 2016 at 8:07 AM, Peter Bowen <pzb at amzn.com> wrote:

> Looking at the combination of the known CT logs, there are about 2216
> unexpired certificates with IP addresses in the SAN extension (either as an
> iPAddress or as an IPv4 address-as-text as a dNSName).  Of these 2216, 930
> have IPv4 in a dNSName. Of these, 435 have multiple distinct alternative
> names.
>
> https://gist.github.com/pzb/ecaf3701bc631a8f0589e8eff277e694 is the list
> of these 435 certificates.  A few dozen are certificates that cannot be
> renewed (as they have RFC1918/3330 addresses included) but the rest are
> examples of certificates where the proposed solution of one IP/name per
> cert might not be viable.
>

Alternatively, we can see it as a problem of 435 customers (which is
admittedly an underestimate, but likely within a power of 10, probably well
below) who, in order to avoid configuration, are asking that Internet
standards be set aside to accommodate their needs - standards that affect
billions of users and introduce known risks.
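
Added example, not part of the original thread or of Peter Bowen's analysis: a sketch of the classification the quoted survey describes, separating IPv4 literals carried as text in a dNSName from proper iPAddress entries. It assumes the SAN entries have already been extracted from each certificate as (type, value) pairs; the certificate names, the sample data and the `RESERVED` list (a subset of the RFC 1918/3330 ranges) are constructed for illustration.

```python
import ipaddress

# Assumption: a subset of RFC 1918 / RFC 3330 ranges, enough for the sample data.
RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",  # RFC 3330 special use
)]

# Constructed sample data: certificate label -> SAN entries as (type, value).
# 198.51.100.x and 203.0.113.x stand in for publicly routable addresses.
SAMPLE_CERTS = {
    "cert-a": [("dNSName", "198.51.100.10"), ("dNSName", "www.example.com")],
    "cert-b": [("iPAddress", "198.51.100.7")],
    "cert-c": [("dNSName", "10.1.2.3"), ("dNSName", "intranet.example.net")],
    "cert-d": [("dNSName", "mail.example.org")],
    "cert-e": [("dNSName", "203.0.113.5")],
}

def ipv4_in_dnsname(value):
    """Return an IPv4Address if the dNSName text is a dotted quad, else None."""
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        return None

def classify(sans):
    """Flag one certificate's SAN list along the lines of the quoted survey."""
    text_ips = [ip for t, v in sans if t == "dNSName"
                for ip in [ipv4_in_dnsname(v)] if ip is not None]
    return {
        "ip_as_dnsname": bool(text_ips),
        "ip_in_san": bool(text_ips) or any(t == "iPAddress" for t, _ in sans),
        "multiple_names": len({(t, v.lower()) for t, v in sans}) > 1,
        "reserved": any(ip in net for ip in text_ips for net in RESERVED),
    }

def survey(certs):
    """Count certificates per category, narrowing as the quoted message does."""
    rows = [classify(sans) for sans in certs.values()]
    text = [r for r in rows if r["ip_as_dnsname"]]
    multi = [r for r in text if r["multiple_names"]]
    return {
        "ip_in_san": sum(r["ip_in_san"] for r in rows),
        "ip_as_dnsname": len(text),
        "multiple_names": len(multi),
        "not_renewable": sum(r["reserved"] for r in multi),
    }

if __name__ == "__main__":
    print(survey(SAMPLE_CERTS))
```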