On 07/16/2017 10:14 PM, Ilari Liusvaara wrote:
> On Sun, Jul 16, 2017 at 04:29:20PM -0700, Roland Bracewell Shoemaker wrote:
>> There was some previous discussion about possibly using a slightly
>> simpler DNS-based verification method on the list last time I posted
>> this as an individual submission. After reading through the CABF BRs for
>> IP validation I'm pretty sure the proposed solution (checking for a TXT
>> record in the reverse mapping zone) would not be considered BR compliant,
>> so I've stuck with the originally proposed challenge.
>
> The relevant (proposed) text I could find says:
>
> "[...] in a TXT record for the IP Address."
>
> (This is from the proposed "7 IP Address validation methods"[1].)
>
> The only way I can make sense of having DNS records for the IP address
> is the QNAME corresponding to the IP in reverse mapping. I don't see
> the "or prepend an underscore label" or similar language for the method,
> unlike the DNS domain validation, which has that sort of language.
>
> So I interpret that for the IP address 192.0.2.1, the QNAME has to be:
> "1.2.0.192.in-addr.arpa".
>
> I guess the person to ask would be Jeremy Rowley (he posted the latest
> version of the text I could find to the CABForum validation list).
>
Could you clarify which proposed ballot or mailing list message you are referencing? As far as I am aware the most recent CABF validation WG product that discusses IP validation is from March and doesn't include any reference to using TXT records (https://cabforum.org/pipermail/public/2017-March/010214.html). The most recent proposed language clarifies that any method which looks up a DNS name for an IP using the reverse mapping and then applies a 3.2.2.4 method is considered acceptable.

> Also, the relevant section for TLS-SNI in the "7 methods" says:
>
> "[...] a Certificate on the IP Address [...]"
>
> Whatever that actually means (I can come up with at least two different
> interpretations, and both of these are probably wrong):
>
> - The certificate has to certify the IP address.
> - The connection has to ask for a certificate on the IP address, i.e., omit
>   server_name.
>
> ... Both of these interpretations are technically problematic. And
> neither is compatible with what the I-D text says.

My understanding of this, admittedly confusing, language is that it simply means the certificate presented by whatever server is running on the IP, not that the cert needs to be for the IP or served blindly. This language is in fact basically a copy/paste of the 3.2.2.4.10 language (which tls-sni-02 was designed to be compatible with) that is used for DNS names, where "Authorization Domain Name" has been replaced with "IP Address".

> [1] I presume CABForum wants to first get the "10 Domain Validation
> methods" through, and then work on getting the "7 IP Address Validation
> methods" passed.
>
> -Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
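As an added illustration of the two readings argued over in the message above (this is example code written for this page, not code from the thread, the ACME drafts or any CA), the block below builds the reverse-mapping QNAME for an IPv4 or IPv6 address exactly as Ilari describes (no underscore label prepended, so 192.0.2.1 becomes 1.2.0.192.in-addr.arpa) and then runs both validation paths against a constructed in-memory zone: a TXT record at the reverse name itself, and a PTR lookup at the reverse name followed by a 3.2.2.4-style check on the resulting DNS name. The zone contents, hostname and tokens are made up, and the choice of the ACME "_acme-challenge" TXT convention as the 3.2.2.4 method applied after the PTR step is an assumption of this example, not something the CABF text specifies.

```python
"""Added example (not from the thread or the ACME draft): build the
reverse-mapping QNAME for an IP address and walk the two validation
paths discussed above against a constructed, in-memory zone."""
import ipaddress


def reverse_qname(ip: str) -> str:
    """Return the reverse-mapping QNAME for an IPv4 or IPv6 address.

    No underscore label is prepended: per Ilari's reading of the proposed
    text, a TXT record "for the IP Address" would sit at the reverse name
    itself, e.g. 192.0.2.1 -> 1.2.0.192.in-addr.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    # IPv6: every hex nibble of the fully expanded address becomes one
    # label, in reverse order, under ip6.arpa (RFC 3596).
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed stand-in for DNS answers so the example runs offline;
# the hostname, tokens and records are made up, not real zone data.
ZONE = {
    "1.2.0.192.in-addr.arpa": {
        "TXT": ["reverse-zone-token"],
        "PTR": ["host.example.com"],
    },
    "_acme-challenge.host.example.com": {
        "TXT": ["domain-token"],
    },
}


def txt_at_reverse_name(ip: str, expected: str, zone=ZONE) -> bool:
    """Path 1 (the TXT-in-reverse-zone challenge): look for the expected
    token in a TXT record at the reverse-mapping QNAME of the IP."""
    name = reverse_qname(ip)
    return expected in zone.get(name, {}).get("TXT", [])


def ptr_then_domain_validation(ip: str, expected: str, zone=ZONE) -> bool:
    """Path 2 (reverse mapping, then a 3.2.2.4 method): resolve the PTR at
    the reverse QNAME to a DNS name, then validate that name. The ACME
    _acme-challenge TXT convention is used here as the 3.2.2.4 method;
    that choice is an assumption of this example."""
    name = reverse_qname(ip)
    for target in zone.get(name, {}).get("PTR", []):
        txts = zone.get("_acme-challenge." + target, {}).get("TXT", [])
        if expected in txts:
            return True
    return False


if __name__ == "__main__":
    print(reverse_qname("192.0.2.1"))
    print(reverse_qname("2001:db8::1"))
    print(txt_at_reverse_name("192.0.2.1", "reverse-zone-token"))
    print(ptr_then_domain_validation("192.0.2.1", "domain-token"))
```

Note that path 2 is only as strong as the PTR target it trusts: whoever controls the reverse zone can point the PTR at a name they also control, so a CA following that path still has to apply the full 3.2.2.4 method to the resulting name rather than treating the PTR answer itself as proof of control.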
