Re: [TLS] Authenticating the client-facing server with an IP-based certificate

Carrick Bartle <cbartle891@icloud.com> Wed, 21 April 2021 02:13 UTC

From: Carrick Bartle <cbartle891@icloud.com>
In-Reply-To: <23392d3a-f34c-48f0-b9bf-0c0ca2539789@www.fastmail.com>
Date: Tue, 20 Apr 2021 19:13:48 -0700
Cc: tls@ietf.org
Message-Id: <19AC8849-DCE2-489B-BAA5-F549A5A4273C@icloud.com>
References: <38f4c969-90d8-478e-9c3d-0bdf538dabed@www.fastmail.com> <37c84b96-324b-46a6-a3c0-57eb275f439b@www.fastmail.com> <674A5578-85C8-4134-B9AA-E9D287131701@icloud.com> <4837796a-4528-4df4-aa8b-383ff3229cb6@www.fastmail.com> <53B5686F-0A64-426B-8EC4-6A996F169EAC@icloud.com> <23392d3a-f34c-48f0-b9bf-0c0ca2539789@www.fastmail.com>
To: Martin Thomson <mt@lowentropy.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vbRvUv6VQSYRk_Nns1ZCFyzgPis>
Subject: Re: [TLS] Authenticating the client-facing server with an IP-based certificate

> That in turn implies that getting an IP-based certificate might be easier than a DV certificate (and the associated name).  I'd need more supporting evidence to believe that.  Under what conditions could that be true?

I'm not making any claims at all about the ease with which one can get different types of certificates. I'm only stating that it's possible to get IP-based certificates, and people do, and thus it's possible to have a client-facing server that has an IP-based certificate.

> On Apr 20, 2021, at 7:10 PM, Martin Thomson <mt@lowentropy.net> wrote:
> 
> On Wed, Apr 21, 2021, at 11:48, Carrick Bartle wrote:
>>> I'm not sure what you are implying might be impossible.  Are you suggesting that it might be impossible to get a name for which you could get a certificate?
>> 
>> No. I'm implying that if we don't allow clients to authenticate 
>> client-facing servers with an IP-based certificate, ECH won't be 
>> possible in cases where the client-facing server doesn't have a name.
> 
> That in turn implies that getting an IP-based certificate might be easier than a DV certificate (and the associated name).  I'd need more supporting evidence to believe that.  Under what conditions could that be true?
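As an added illustration, not part of the thread, of the verification step the discussion turns on: when the client-facing server's reference identifier (for instance an ECHConfig public_name) is an IP literal, a client must match it only against iPAddress SAN entries, with exact comparison after normalisation; DNS names match only dNSName entries, and wildcards never apply to IPs. The SAN list below is constructed sample data, not a real certificate.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed sample: the subjectAltName entries a client would extract from
# the client-facing server's certificate (not a real certificate).
SAMPLE_SAN = [
    ("DNS", "public.example"),
    ("DNS", "*.cdn.example"),
    ("IP", "192.0.2.10"),
    ("IP", "2001:db8::1"),
]


def _dns_matches(pattern: str, name: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, at most one wildcard,
    only as the whole left-most label, and never covering a public suffix-sized
    name such as '*.example'."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(n_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:]


def cert_authenticates(san: Iterable[Tuple[str, str]], reference: str) -> bool:
    """Return True if the SAN list authenticates `reference`.

    An IP-literal reference is compared only against iPAddress entries, after
    parsing both sides so that textual variants of the same address (IPv6
    zero compression, case) compare equal. A DNS-name reference is compared
    only against dNSName entries. An IP written inside a dNSName entry does
    not authenticate an IP reference."""
    try:
        ref_ip = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        ref_ip = None
    for kind, value in san:
        if ref_ip is not None:
            if kind != "IP":
                continue
            try:
                if ipaddress.ip_address(value) == ref_ip:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry: ignore it
        elif kind == "DNS" and _dns_matches(value, reference):
            return True
    return False
```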