Rich version of this review at:
https://mozphab-ietf.devsvcdev.mozaws.net/D4180


IMPORTANT
S 3.
>      used to refer to fully qualified domain names.  If a ACME server
>      wishes to request proof that a user controls a IPv4 or IPv6 address
>      it MUST create an authorization with the identifier type "ip".  The
>      value field of the identifier MUST contain the textual form of the
>      address as defined in [RFC1123] Section 2.1 for IPv4 and in [RFC4291]
>      Section 2.2 for IPv6.

Are all three variants here valid?


S 4.
>      For the "tls-alpn-01" the subjectAltName extension in the validation
>      certificate MUST contain a single iPAddress which matches the address
>      being validated.  As [RFC6066] does not permit IP addresses to be
>      used in the SNI extension the server MUST instead use the IN-
>      ADDR.ARPA [RFC1034] or IP6.ARPA [RFC3596] reverse mapping of the IP
>      address as the SNI value instead of the literal IP address.

What happens if an attacker forces an incorrect SNI on you here? I
don't see any security analysis below, but I suspect it's bad.


COMMENTS
S 6.
>
>   6.  Security Considerations
>
>      Given the often short delegation periods for IP addresses provided by
>      various service providers CAs MAY want to impose shorter lifetimes
>      for certificates which contain IP identifiers.  They MAY also impose

https://tools.ietf.org/rfcmarkup?doc=6919#section-6

If the WG thinks that providers ought to do this, then it should say
so.
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
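The Section 4 rule quoted above (SNI carries the IN-ADDR.ARPA / IP6.ARPA reverse mapping of the address, and the validation certificate's subjectAltName holds exactly one matching iPAddress) is easy to get wrong for IPv6, where the name is one label per hex nibble. The following is an added illustration, not code from the reviewer, the draft, or any ACME implementation; the function names and the representation of the SAN as an already-extracted list of strings are assumptions made for the example. It uses only the Python standard library.

```python
import ipaddress


def reverse_mapping_name(address: str) -> str:
    """Return the in-addr.arpa / ip6.arpa name for a textual IP address.

    This is the value draft-ietf-acme-ip Section 4 says the validator must
    send as SNI for a "tls-alpn-01" check of an IP identifier, because
    RFC 6066 does not allow an IP literal in the SNI extension.
    """
    ip = ipaddress.ip_address(address)  # canonicalises, rejects garbage
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    # IPv6 (RFC 3596): one label per hex nibble, least significant first.
    nibbles = ip.exploded.replace(":", "")  # 32 zero-padded hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def sni_matches_identifier(presented_sni: str, identifier_value: str) -> bool:
    """Server-side check: does the SNI the validator offered correspond to
    the IP identifier in the authorization?  A server that keys its
    validation certificate on this name and refuses anything else does not
    hand out the validation certificate for an unexpected name.  DNS names
    are case-insensitive and may carry a trailing dot, so normalise first.
    """
    expected = reverse_mapping_name(identifier_value)
    got = presented_sni.rstrip(".").lower()
    return got == expected


def validation_san_ok(san_ip_addresses: list, identifier_value: str) -> bool:
    """Section 4: the subjectAltName MUST contain a single iPAddress that
    matches the address being validated.  `san_ip_addresses` is assumed to
    be the list of iPAddress entries already pulled out of the certificate
    (certificate parsing is outside this example).  Comparison is done on
    parsed addresses so textual variants of the same IPv6 address match.
    """
    if len(san_ip_addresses) != 1:
        return False
    return ipaddress.ip_address(san_ip_addresses[0]) == ipaddress.ip_address(
        identifier_value
    )


if __name__ == "__main__":
    # Constructed sample identifiers (documentation ranges, not real hosts).
    for addr in ("192.0.2.1", "2001:db8::1"):
        print(addr, "->", reverse_mapping_name(addr))
    print(sni_matches_identifier("1.2.0.192.in-addr.arpa.", "192.0.2.1"))
    print(sni_matches_identifier("192.0.2.1", "192.0.2.1"))  # literal: no
    print(validation_san_ok(["2001:DB8:0:0::1"], "2001:db8::1"))
    print(validation_san_ok(["2001:db8::1", "192.0.2.1"], "2001:db8::1"))
```

The `sni_matches_identifier` check is the defensive half of the reviewer's SNI concern: the server decides which certificate to present from the SNI, so it should only ever select the validation certificate when the name is exactly the reverse mapping of the identifier under validation.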
