Little difference from the last draft, mostly small cleanups. There was some previous discussion about how to handle policy decisions for issuing certificates for IP addresses. It was suggested that this draft should contain some stronger language that would allow default denial of certificate issuance for IP addresses. I think there should definitely be some process for communicating these kinds of policy decisions but I don't think this document is the right place for it, nor do I think this document should attempt to dictate CA policy by requiring something like this. I believe doing so would be a step back for any CA implementing this document as they are all currently able to, and many do, issue certificates for any IP address as long as a user is able to prove control of it.
I believe we (or the IETF more generally) should instead focus on developing standards for communicating a policy about issuance for IP addresses to CAs, such as a CAA lookup mechanism that can handle them (i.e. something like https://tools.ietf.org/html/draft-shoemaker-caa-ip-01; note this lacks the tree climbing behavior which, after bouncing it around a bit, I've come to the decision that it does actually require).

(I also totally forgot to incorporate the reference to 5952 for IPv6 textual representation, only saw my note about doing that after submitting the docs, I'll make sure to resolve this in the next version!)

On 09/18/2017 12:15 PM, [email protected] wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Automated Certificate Management Environment
> WG of the IETF.
>
> Title : ACME IP Identifier Validation Extension
> Author : Roland Bracewell Shoemaker
> Filename : draft-ietf-acme-ip-01.txt
> Pages : 7
> Date : 2017-09-18
>
> Abstract:
> This document specifies identifiers and challenges required to enable
> the Automated Certificate Management Environment (ACME) to issue
> certificates for IP addresses.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-acme-ip/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-acme-ip-01
> https://datatracker.ietf.org/doc/html/draft-ietf-acme-ip-01
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-acme-ip-01
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
>

-- 
Roland Bracewell Shoemaker
Software Engineer
Linux Foundation / Internet Security Research Group

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
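The message above touches two mechanics a CA implementing IP issuance has to get right: canonical IPv6 text (RFC 5952) and a CAA lookup for IP addresses that climbs the tree the way RFC 8659 does for DNS names. The following is an added illustration written for this page; it is not code from the draft, from the author, or from any ACME implementation. It assumes the lookup names are the address's reverse-mapping names under in-addr.arpa / ip6.arpa, that climbing stops short of those apex names, and that the CAA data (the `FAKE_CAA_ZONE` dict, the `example-ca.test` CA name, and the documentation-prefix addresses) is constructed for the example; every function name is this example's own.

```python
import ipaddress

# Constructed CAA data keyed by names in the reverse-mapping tree. Entirely made up
# for this example: a /24 that permits example-ca.test, one host inside it that denies
# all issuance, and an IPv6 /32 that permits example-ca.test.
FAKE_CAA_ZONE = {
    "113.0.203.in-addr.arpa": [(0, "issue", "example-ca.test")],
    "10.113.0.203.in-addr.arpa": [(0, "issue", ";")],
    "8.b.d.0.1.0.0.2.ip6.arpa": [(0, "issue", "example-ca.test")],
}

ARPA_SUFFIXES = ("in-addr.arpa", "ip6.arpa")


def canonical_ip(text):
    """Parse an IP literal and return its canonical text form.
    For IPv6 this is the RFC 5952 form (lowercase hex, longest zero run as '::',
    first run wins on ties), which is what a CA should store and compare."""
    return ipaddress.ip_address(text).compressed


def climb_names(text):
    """Names to query, most specific first: the full reverse-mapping name of the
    address, then each parent up to (but excluding) the in-addr.arpa / ip6.arpa apex.
    Using reverse names and stopping short of the apex are assumptions of this example."""
    name = ipaddress.ip_address(text).reverse_pointer
    names = []
    while name not in ARPA_SUFFIXES:
        names.append(name)
        name = name.split(".", 1)[1]
    return names


def lookup_caa(name, zone=FAKE_CAA_ZONE):
    """Stand-in for a DNS CAA query so the example runs offline."""
    return zone.get(name, [])


def relevant_caa(text, zone=FAKE_CAA_ZONE):
    """Tree climbing: the relevant RRset is the first non-empty CAA set found while
    walking from the address toward the apex (the rule RFC 8659 applies to DNS names).
    Returns (name, rrset), or (None, []) when nothing is found anywhere on the path."""
    for name in climb_names(text):
        rrset = lookup_caa(name, zone)
        if rrset:
            return name, rrset
    return None, []


def ca_may_issue(text, ca_domain, zone=FAKE_CAA_ZONE):
    """Decide whether the CA identified by ca_domain may issue for the address.
    No relevant CAA set, or a set without any 'issue' property, leaves issuance
    unrestricted; otherwise some 'issue' record must name this CA. An 'issue'
    value of ';' names no CA and so forbids everyone. Critical-flag and iodef
    handling are left out to keep the example short."""
    _, rrset = relevant_caa(text, zone)
    issue_values = [value for _flags, tag, value in rrset if tag == "issue"]
    if not issue_values:
        return True
    for value in issue_values:
        domain = value.split(";", 1)[0].strip().lower()
        if domain and domain == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    checks = [("203.0.113.20", "example-ca.test"), ("203.0.113.10", "example-ca.test"),
              ("2001:0DB8::1", "example-ca.test"), ("198.51.100.7", "other-ca.test")]
    for ip, ca in checks:
        name, _ = relevant_caa(ip)
        print(f"{canonical_ip(ip):>16}  relevant CAA at {name}  ->  {ca} may issue: {ca_may_issue(ip, ca)}")
```

The host-level record at `10.113.0.203.in-addr.arpa` shows why the climb has to start at the full address and stop at the first hit: the `/24` permits `example-ca.test`, but the more specific `issue ";"` at the single host wins for `203.0.113.10`, exactly as a more specific CAA set wins for a subdomain. An address with no CAA anywhere on its path is unrestricted, which is the same "absence means no constraint" semantics RFC 8659 gives DNS names, and is the reason a separate policy channel such as the one discussed above is needed if a CA wants to deny IP issuance by default.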
