Re: [TLS] Authenticating the client-facing server with an IP-based certificate

Peter Saint-Andre <stpeter@mozilla.com> Wed, 21 April 2021 15:26 UTC

To: Martin Thomson <mt@lowentropy.net>, tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HZZm5s809xMr5AwRnCA1-kEs7-k>

On 4/20/21 7:00 PM, Martin Thomson wrote:
> On Wed, Apr 21, 2021, at 10:33, Christopher Wood wrote:
>> Taking a step back, it would be great if we could reach consensus on 
>> whether or not this is a use case we actually want to solve. 
> 
> The Web currently recognizes IP certificates.  The specs, thanks RFC 6125, largely missed this,

The scope of RFC 6125 was already huge so we explicitly specified that
IP addresses were out of scope. See §1.7.2. :-)

Peter