The biggest concern I have is the text regarding certificate lifetime
and the handling of the possibility that IP addresses are dynamically
allocated.  This seems a little weak and it leaves a lot to the CA to
manage.  Is there anything that can be done to gain a stronger
assertion that the allocation is (more) persistent?  An affirmation
from someone higher in the tree perhaps?

Some nits:

You definitely want to reference RFC 5952 here when it comes to IPv6 addresses.

Break the long line with the ip6.arpa example.

I would also recommend a shorter label, maybe _acme-ip.  You don't
want a very long name in case the base name is long (which is
relatively commonplace).


On 18 July 2017 at 02:03, Jacob Hoffman-Andrews <j...@eff.org> wrote:
> This looks good! Nice work.
>
> On 07/16/2017 04:29 PM, Roland Bracewell Shoemaker wrote:
>> There was some previous discussion about possibly using a slightly
>> simpler DNS based verification method on the list last time I posted
>> this as an individual submission. After reading through the CABF BRs for
>> IP validation I'm pretty sure the proposed solution (checking for a TXT
>> record in the reverse mapping zone) would not be considered BR compliant
>> so I've stuck with the originally proposed challenge.
>>
>> On 07/16/2017 04:24 PM, internet-dra...@ietf.org wrote:
>>> A New Internet-Draft is available from the on-line Internet-Drafts 
>>> directories.
>>> This draft is a work item of the Automated Certificate Management 
>>> Environment of the IETF.
>>>
>>>         Title           : ACME IP Identifier Validation Extension
>>>         Author          : Roland Bracewell Shoemaker
>>>         Filename        : draft-ietf-acme-ip-00.txt
>>>         Pages           : 7
>>>         Date            : 2017-07-16
>>>
>>> Abstract:
>>>    This document specifies identifiers and challenges required to enable
>>>    the Automated Certificate Management Environment (ACME) to issue
>>>    certificates for IP addresses.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-acme-ip/
>>>
>>> There are also htmlized versions available at:
>>> https://tools.ietf.org/html/draft-ietf-acme-ip-00
>>> https://datatracker.ietf.org/doc/html/draft-ietf-acme-ip-00
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> Acme mailing list
>>> Acme@ietf.org
>>> https://www.ietf.org/mailman/listinfo/acme
>>>