Taggart 1d ago
Buckle up: IP address SANs coming to LetsEncrypt: https://community.letsencrypt.org/t/getting-ready-to-issue-ip-address-certificates/238777
Getting ready to issue IP address certificates

Is there anything public available on which IPs will be able to get certs? I mean, obviously private/reserved ranges won't be available, but how about all those "cloud" services that rent IPs by the hour (or second)? Is it expected to be "normal" that someone could release an IP back into a pool and yet still have a valid certificate for almost-a-week, or will Let's Encrypt certificates only be available for IPs that are slightly less ephemeral?

Let's Encrypt Community Support
Show threadboB Rudis πŸ‡ΊπŸ‡¦ πŸ‡¬πŸ‡± πŸ‡¨πŸ‡¦1d ago

@mttaggart My Captain America "language filter" will not let me respond the way I'd like to.

Pretty sure the entire LE team is on the payrolls of China/NK/RUS.

Show threadTaggart 1d ago
@hrbrmstr At least it's just for SANs, not CNs??
Show thread  1d ago
@mttaggart @hrbrmstr does it matter? I mean CN is not a part of validation, so what can go wrong?
Show threadTaggart 1d ago
@pft @hrbrmstr It matters for attackers who don't want to be bothered setting up a domain. If they allowed IP for the CN, then that is no longer a barrier to a trusted LetsEncrypt cert. Fewer things to track on both ends.
Show thread  1d ago
@mttaggart @hrbrmstr I'm a bit confused. What happens if you have an IP address as common name? I know for example that in case of domain validation certs, CN has no significance to relying parties. BuyPass, for example, does not even set CN (in contrast to LE) for it's free DV certs.
Show threadTaggart 1d ago
@pft @hrbrmstr Think about how you get a LetsEncrypt certificate. They do not support IPs as CNs, period.
Show thread  1d ago
@mttaggart @hrbrmstr I just don't understand the security implication even if they did 🀷
Show threadTaggart 1d ago
@pft @hrbrmstr Yeah nevermind I guess
Show thread  1d ago
@mttaggart @hrbrmstr s/nevermind/i don't know/
Show threadTaggart 
@pft @hrbrmstr I didn't particularly feel like going 12 rounds with a stranger about it, and you know what? I still don't. Later.
Jun 25 at 6:14pmWeb