I see that this draft has been updated to specify how tls-alpn-01 can be used
to validate IP addresses in section 4. However, IP addresses are not permitted
in SNI, as RFC 6066 section 3 (https://tools.ietf.org/html/rfc6066#section-3)
states that "Literal IPv4 and IPv6 addresses are not permitted in "HostName"."
Given that the tls-alpn-01 challenge mandates that servers support the
acme-tls/1 ALPN, perhaps it is safe to merely state that the SNI extension MUST
NOT be included in the TLS handshake at all for IP address validation using
tls-alpn-01. The lack of the SNI extension in the TLS handshake would serve as
an indicator to the server that IP address validation is being attempted by the
TLS client (as opposed to hostname/domain validation, which will include SNI
extension in the ClientHello).
Thanks,
Corey Bonnell
Senior Software Engineer
Trustwave | SMART SECURITY ON DEMAND
https://www.trustwave.com
On 7/25/18, 1:07 PM, "Acme on behalf of internet-dra...@ietf.org"
wrote:
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Automated Certificate Management
Environment WG of the IETF.
Title : ACME IP Identifier Validation Extension
Author : Roland Bracewell Shoemaker
Filename: draft-ietf-acme-ip-03.txt
Pages : 5
Date: 2018-07-25
Abstract:
This document specifies identifiers and challenges required to enable
the Automated Certificate Management Environment (ACME) to issue
certificates for IP addresses.
The IETF datatracker status page for this draft is:
https://scanmail.trustwave.com/?c=4062=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeX9MdngtgA=5=https%3a%2f%2fdatatracker%2eietf%2eorg%2fdoc%2fdraft-ietf-acme-ip%2f
There are also htmlized versions available at:
https://scanmail.trustwave.com/?c=4062=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeXgRJSp90Q=5=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2fdraft-ietf-acme-ip-03
https://scanmail.trustwave.com/?c=4062=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeX4RJy15gA=5=https%3a%2f%2fdatatracker%2eietf%2eorg%2fdoc%2fhtml%2fdraft-ietf-acme-ip-03
A diff from the previous version is available at:
https://scanmail.trustwave.com/?c=4062=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeS8aIXh9hw=5=https%3a%2f%2fwww%2eietf%2eorg%2frfcdiff%3furl2%3ddraft-ietf-acme-ip-03
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at
http://scanmail.trustwave.com/?c=4062=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeS4fdy952Q=5=http%3a%2f%2ftools%2eietf%2eorg
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
___
Acme mailing list
Acme@ietf.org
https://scanmail.trustwave.com/?c=4062=ta7Y2z7dF1ccVpbCGk7zPBjJD50CzMOpeSgdJHZ20g=5=https%3a%2f%2fwww%2eietf%2eorg%2fmailman%2flistinfo%2facme
___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme