On 19 July 2017 at 03:45, Jacob Hoffman-Andrews <j...@eff.org> wrote:
> On 07/17/2017 10:48 PM, Martin Thomson wrote:
>> The biggest concern I have is the text regarding certificate lifetime
>> and the handling of the possibility that IP addresses are dynamically
>> allocated.  This seems a little weak and it leaves a lot to the CA to
>> manage.  Is there anything that can be done to gain a stronger
>> assertion that the allocation is (more) persistent?  An affirmation
>> from someone higher in the tree perhaps?
>
> I think ultimately this is a policy question and outside the scope of
> ACME (except for pointing out that it's worth thinking about). If we
> want a mechanism for owners of IP space to express the policy they'd
> like CAs to apply to that space, it should probably look something like CAA.

In this case, I disagree.  With names, there is an expectation that
certificates can be issued for them.  This is not the default case for
IP addresses, so the defender is not naturally aware that they need to
defend this way.

I don't think that this needs to be onerous, but an explicit opt in
(as opposed to an opt out) would be preferable.

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
