[Acme] IP addresses

James Cloos <cloos@jhcloos.com> Wed, 25 March 2015 13:55 UTC

From: James Cloos <cloos@jhcloos.com>
To: acme@ietf.org
Copyright: Copyright 2015 James Cloos
Date: Wed, 25 Mar 2015 09:51:15 -0400
Message-ID: <m31tkdgp7w.fsf@carbon.jhcloos.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/3WhVXUAzkka7EPT0KsD10GTscJc>
Subject: [Acme] IP addresses

There are cases where a cert covering both a dns name and its matching
ip addresses has value.  With SIP, for instance, it is common that urls
have ip rather than dns.  Remote validation therefore requires those
address(es) in the certs.

Even though web sites are the primary target, enabling other tls usages
is desirable.  Especially when it is reasonably easy.

(And I'll note that many SIP servers speak http, too.  Both for things
like webrtc, but also for control/monitoring and the like.  They may
also create custom per-call web pages for sip phones to display when
ringing.  All of which benefit from -- or even require -- https.  So
using acme to get certs for them is reasonable and can use the same auth
methods acme uses for web servers.)

Will acme support CSRs with not just dns names in subjectAltNames, but
also ip addresses?  Verifying that the dns name(s) resolve to the ip
address(es) is reasonable in such cases.

James Cloos <cloos@jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
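The validation rule proposed in the last paragraph (each iPAddress in the CSR's subjectAltName must be an address that one of the dNSName entries resolves to), as an added example that is not part of the original post. The SAN entries and the stub resolver are constructed stand-ins; real CSR decoding and live DNS are out of scope, and the check deliberately canonicalises IPv6 text so that differently written forms of the same address compare equal.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed stand-in for decoded subjectAltName entries as (type, value).
# CSR parsing itself is not shown; only the issuance-side check is.
SAN_ENTRIES = [
    ("dNSName", "sip.example.net"),
    ("iPAddress", "192.0.2.10"),
    ("iPAddress", "2001:db8::10"),
    ("iPAddress", "198.51.100.7"),   # no dNSName below resolves to this
]

# Constructed resolver table standing in for a real DNS lookup.
STUB_DNS: Dict[str, List[str]] = {
    "sip.example.net": ["192.0.2.10", "2001:DB8:0:0:0:0:0:10"],
}

Resolver = Callable[[str], Iterable[str]]


def canon(addr: str) -> str:
    """Canonical text form, so '2001:DB8:0:0:0:0:0:10' == '2001:db8::10'."""
    return str(ipaddress.ip_address(addr))


def resolved_set(names: Iterable[str], resolve: Resolver) -> Set[str]:
    """Union of canonical addresses that the given names resolve to."""
    out: Set[str] = set()
    for name in names:
        try:
            out.update(canon(a) for a in resolve(name))
        except (KeyError, ValueError):
            pass  # an unresolvable name backs no address
    return out


def check_ip_sans(san, resolve: Resolver) -> Tuple[bool, List[str]]:
    """Return (ok, unbacked): unbacked lists iPAddress SANs that no dNSName
    SAN resolves to. A CA applying the rule from the post refuses to issue
    when unbacked is non-empty."""
    names = [v for t, v in san if t == "dNSName"]
    ips = [canon(v) for t, v in san if t == "iPAddress"]
    backed = resolved_set(names, resolve)
    unbacked = [ip for ip in ips if ip not in backed]
    return (not unbacked, unbacked)


def stub_resolve(name: str) -> List[str]:
    return STUB_DNS[name]


if __name__ == "__main__":
    ok, missing = check_ip_sans(SAN_ENTRIES, stub_resolve)
    print("issue" if ok else f"refuse; unbacked IPs: {missing}")
```

Note that passing this check ties the IP entries to control of the DNS names; it does not by itself demonstrate control of the addresses.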