Regarding inclusion of iPAddress identifiers, Ludwig Nussel and I had
the following exchange...

On 4/9/10 6:43 AM, Ludwig Nussel wrote:
> Peter Saint-Andre wrote:
>> On 3/23/10 8:44 AM, Ludwig Nussel wrote:

<snip/>

>>> That would avoid having generic implementations look into the CN as
>>> fallback when it doesn't make sense. iPAddress for example isn't
>>> specified by the I-D (why anyways?). 
>>
>> 1. Do certification authorities issue certificates to IP addresses? The
>> ones I work with don't (probably because they base their certification
>> decision on control over the whois data or reserved email addresses for
>> a domain name).
> 
> I don't know. Think of private CA's used internally by companies.
> Software that implements the I-D isn't used exclusively on the
> Internet after all.

Good point.

However, here again I'm not saying that it's bad to include or check
iPAddress in a cert, only that we're not trying to tackle *that* problem
in *this* spec.

>> 2. If so, is that a best current practice for secure authentication? I
>> don't think so.
>>
>> 3. Users don't expect to connect to "192.0.2.7", they expect to connect
>> to "example.com". That, at least, is one assumption of this I-D. You are
>> free to write an I-D that specifies rules for representation and
>> verification of IP addresses in certificates, but that's out of scope
>> for this I-D.
> 
> The problem is that someone actually implementing the identity
> checks for a program will come across iPAddress sooner or later.
> Generic implementations like gnutls'
> gnutls_x509_crt_check_hostname() also have to deal with IP addresses
> somehow.
> That RFC you are drafting is such a wonderful chance to have this
> clarified as well :-)

Well, since you've asked so nicely... :)

I'd like more feedback on this issue. I'm open to adding text about
iPAddress because Ludwig is probably right that certificates (e.g.,
certs issued by private CAs) sometimes include iPAddress, but on the
other hand I've never seen a public CA do that.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
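Since the exchange above turns on how a generic identity check should treat an iPAddress subjectAltName entry alongside dNSName entries (and when, if ever, to fall back to the CN), here is an added illustration of that logic. It is example code written for this page, not code from the thread, from the I-D, or from GnuTLS's gnutls_x509_crt_check_hostname(). It assumes the subjectAltName extension has already been decoded into (type, value) pairs by some X.509 parser, with iPAddress values as the raw octets a certificate actually carries; the sample entries and the CN-fallback policy (only for DNS references, and only when the certificate presents no dNSName at all) are constructed assumptions for the demonstration.

```python
"""Illustrative reference-identity check covering dNSName and iPAddress.

Added example (not from the original thread). The SAN list below stands in
for what an X.509 parser would hand back after decoding subjectAltName.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed subjectAltName entries as (type, value) pairs.
# iPAddress values are raw network-order octets (4 for IPv4, 16 for IPv6),
# exactly as encoded in a certificate; dNSName values are text (IA5String).
EXAMPLE_SAN: List[Tuple[str, object]] = [
    ("dNSName", "example.com"),
    ("iPAddress", bytes([192, 0, 2, 7])),
    ("iPAddress", ipaddress.ip_address("2001:db8::1").packed),
]


def parse_reference(reference: str):
    """Classify the identifier the client meant to reach.

    Returns ("ip", IPv4Address|IPv6Address) when the user typed an address
    (including a bracketed IPv6 literal), otherwise ("dns", hostname) with the
    hostname lower-cased and any trailing dot removed.
    """
    try:
        return ("ip", ipaddress.ip_address(reference.strip("[]")))
    except ValueError:
        return ("dns", reference.rstrip(".").lower())


def identity_matches(reference: str, san_entries, common_name: Optional[str] = None) -> bool:
    """Return True if the presented identifiers cover the reference identifier.

    Policy (an assumption of this example, not a statement of the I-D):
      * an IP reference is compared only against iPAddress entries, octet for
        octet, never against dNSName text and never against the CN;
      * a DNS reference is compared against dNSName entries; the CN is consulted
        only when the certificate presents no dNSName entry at all.
    """
    kind, want = parse_reference(reference)
    saw_dns_name = False

    for san_type, value in san_entries:
        if san_type == "iPAddress" and kind == "ip":
            # Compare addresses, not strings: the octets c0 00 02 07 equal
            # "192.0.2.7", and "2001:0db8::0001" equals "2001:db8::1".
            try:
                if ipaddress.ip_address(value) == want:
                    return True
            except ValueError:
                continue  # wrong octet length; treat as non-matching
        elif san_type == "dNSName":
            saw_dns_name = True
            if kind == "dns" and value.rstrip(".").lower() == want:
                return True

    # CN fallback applies to DNS references only, and only when the
    # certificate carries no dNSName to compare against.
    if kind == "dns" and not saw_dns_name and common_name is not None:
        return common_name.rstrip(".").lower() == want
    return False
```

The point the thread raises shows up in the last two branches: a client that connected to "192.0.2.7" must look for an iPAddress entry holding those four octets, so a dNSName of "192.0.2.7" or a CN of "192.0.2.7" does not satisfy it, while textual variants of the same IPv6 address still compare equal because the comparison happens on the parsed address rather than on the string.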

certid mailing list
https://www.ietf.org/mailman/listinfo/certid