Taggart 17h ago
Buckle up: IP address SANs coming to LetsEncrypt: https://community.letsencrypt.org/t/getting-ready-to-issue-ip-address-certificates/238777
Getting ready to issue IP address certificates

Is there anything public available on which IPs will be able to get certs? I mean, obviously private/reserved ranges won't be available, but how about all those "cloud" services that rent IPs by the hour (or second)? Is it expected to be "normal" that someone could release an IP back into a pool and yet still have a valid certificate for almost-a-week, or will Let's Encrypt certificates only be available for IPs that are slightly less ephemeral?

Let's Encrypt Community Support
Show threadboB Rudis πŸ‡ΊπŸ‡¦ πŸ‡¬πŸ‡± πŸ‡¨πŸ‡¦

@mttaggart My Captain America "language filter" will not let me respond the way I'd like to.

Pretty sure the entire LE team is on the payrolls of China/NK/RUS.

Jun 25 at 5:27pmWeb
Show threadTaggart 16h ago
@hrbrmstr At least it's just for SANs, not CNs??
Show threadboB Rudis πŸ‡ΊπŸ‡¦ πŸ‡¬πŸ‡± πŸ‡¨πŸ‡¦16h ago
@mttaggart I just wish they'd stop enabling attacker more than they enable defenders.
Show thread  16h ago
@mttaggart @hrbrmstr does it matter? I mean CN is not a part of validation, so what can go wrong?
Show threadTaggart 16h ago
@pft @hrbrmstr It matters for attackers who don't want to be bothered setting up a domain. If they allowed IP for the CN, then that is no longer a barrier to a trusted LetsEncrypt cert. Fewer things to track on both ends.
Show thread  16h ago
@mttaggart @hrbrmstr I'm a bit confused. What happens if you have an IP address as common name? I know for example that in case of domain validation certs, CN has no significance to relying parties. BuyPass, for example, does not even set CN (in contrast to LE) for it's free DV certs.
Show threadTaggart 16h ago
@pft @hrbrmstr Think about how you get a LetsEncrypt certificate. They do not support IPs as CNs, period.
Show thread  16h ago
@mttaggart @hrbrmstr I just don't understand the security implication even if they did 🀷
Show threadTaggart 16h ago
@pft @hrbrmstr Yeah nevermind I guess
Show thread  16h ago
@mttaggart @hrbrmstr s/nevermind/i don't know/
Show threadTaggart 15h ago
@pft @hrbrmstr I didn't particularly feel like going 12 rounds with a stranger about it, and you know what? I still don't. Later.
Show threadboB Rudis πŸ‡ΊπŸ‡¦ πŸ‡¬πŸ‡± πŸ‡¨πŸ‡¦16h ago
@mttaggart Modern browsers and applications validate against SAN first, then fall back to CN only if SAN is absent. Many newer implementations ignore CN entirely.
Show threadTaggart 16h ago
@hrbrmstr Fair point
Show thread  15h ago
@hrbrmstr do they? There is even an ancient RFC that explicitly advises against considering CN in validation (I have to dig it up though...). CA/Browser Forum also mandates SAN in the baseline requirements (see image) and some CAs do not even fill CN in.
Show threadFritz Adalis15h ago
@hrbrmstr @mttaggart
They're putting ip addresses as DNS SAN? Ugh.