Re: [Acme] IP addresses

Richard Barnes <rlb@ipv.sx> Wed, 25 March 2015 18:17 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B38C1A8792 for <acme@ietfa.amsl.com>; Wed, 25 Mar 2015 11:17:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fs6yPxdstVFc for <acme@ietfa.amsl.com>; Wed, 25 Mar 2015 11:17:20 -0700 (PDT)
Received: from mail-la0-f43.google.com (mail-la0-f43.google.com [209.85.215.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 193F91A8791 for <acme@ietf.org>; Wed, 25 Mar 2015 11:17:20 -0700 (PDT)
Received: by labto5 with SMTP id to5so26954750lab.0 for <acme@ietf.org>; Wed, 25 Mar 2015 11:17:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=d803Pgf9lQ+ntCB2TizdkdN83jsO1f7R7ItWQM17uS0=; b=ainH3C7dq3W78aPKr7SDuFY/tzkT/rq8p/ButuVb/XhHrqIPE0MCr+24fz77M9uyF3 XCJHiKOe1TbDsH9TFAb8YGm36xjt8tPrhYrSA/iyu20Qo8lHC7bDxs5il9pBCe1zVnnn DwYWBvOaDPK+7jdXf7F1v7caDKHffz+wtI9u9rNMTzrpKYmREAmhjMTBp/pQk4XGVLwc en586Dl3XsgEiJSz8BRbVPu0lcoF5OpVPq7U57pt+g0L5+OnJBVCIFTAodCRfjItM2kU AxwgWt2fQE1NTGtRWQ7SIyMzrQgJxq4qj53ampZsgv1fietlpoF+sbdW0eMFA8Ifvvhj gIjw==
X-Gm-Message-State: ALoCoQmMFb0F3GzyqYVdVP434ie8Ma7G9NkHQJ1ENFmFUPMivXYzTpUMLejLXZvFa8pwDrzW2zmF
MIME-Version: 1.0
X-Received: by 10.152.27.39 with SMTP id q7mr9380598lag.49.1427307438447; Wed, 25 Mar 2015 11:17:18 -0700 (PDT)
Received: by 10.25.135.139 with HTTP; Wed, 25 Mar 2015 11:17:18 -0700 (PDT)
In-Reply-To: <5512F4DB.5090805@eff.org>
References: <m31tkdgp7w.fsf@carbon.jhcloos.org> <5512F4DB.5090805@eff.org>
Date: Wed, 25 Mar 2015 13:17:18 -0500
Message-ID: <CAL02cgS1d1WHy3JVUaaWeG1UgWg_CP0vFnFfozrst-9Aomwiow@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Content-Type: multipart/alternative; boundary=089e0160aca4dab40a051220e827
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/2HNJNRM-H0Y1FmMGhKagqrN-UVU>
Cc: "acme@ietf.org" <acme@ietf.org>, James Cloos <cloos@jhcloos.com>
Subject: Re: [Acme] IP addresses
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2015 18:17:22 -0000

Automated validation of IP addresses seems pretty fraught to me.  You need
to verify not only that the applicant controls the IP address in question,
but also that he will continue to control it for some period of time, e.g.,
that it won't be assigned to some other DHCP client in 20 minutes.  The
definition of "control" is also a lot more fuzzy -- the 15 hosts behind my
home NAT are indistinguishable from the point of view of an ACME server.

So I would put IP addresses in the bin of "not amenable to automated
validation".  The only path I see to automatic IP address validation goes
through the RPKI, which implies that it is not a near-term proposition.

--Richard

On Wed, Mar 25, 2015 at 12:48 PM, Jacob Hoffman-Andrews <jsha@eff.org>
wrote:

> On 03/25/2015 06:51 AM, James Cloos wrote:
> > Will acme support CSRs with not just dns names in subjectAltNames, but
> > also ip addresses?  Verifying that the dns name(s) resolve to the ip
> > address(es) is reasonable in such cases.
> This is more a question of policy for the implementing CA than a
> protocol question, though validating IP addresses might require a new
> type of challenge response.
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>