By controlling the reverse tree do you mean the actual DNS zone? If so, that
provides no leverage for an attack. The value sent in the SNI isn’t any value
retrieved from the DNS for the reverse mapping of the address, but the reverse
mapping itself. If the IP being validated was 1.2.3.4 then the
On Thu, Jan 24, 2019 at 11:50 AM Roland Shoemaker
wrote:
> Comments inline:
>
> > On Dec 24, 2018, at 12:32 PM, Eric Rescorla wrote:
> >
> > Rich version of this review at:
> > https://mozphab-ietf.devsvcdev.mozaws.net/D4180
> >
> >
> > IMPORTANT
> > S 3.
> > > used to refer to fully
Comments inline:
> On Dec 24, 2018, at 12:32 PM, Eric Rescorla wrote:
>
> Rich version of this review at:
> https://mozphab-ietf.devsvcdev.mozaws.net/D4180
>
>
> IMPORTANT
> S 3.
> > used to refer to fully qualified domain names. If a ACME server
> > wishes to request proof that a
On Tue, Dec 25, 2018, at 07:32, Eric Rescorla wrote:
> IMPORTANT
> S 3.
> > used to refer to fully qualified domain names. If a ACME server
> > wishes to request proof that a user controls a IPv4 or IPv6 address
> > it MUST create an authorization with the identifier type "ip".
Rich version of this review at:
https://mozphab-ietf.devsvcdev.mozaws.net/D4180
IMPORTANT
S 3.
> used to refer to fully qualified domain names. If a ACME server
> wishes to request proof that a user controls a IPv4 or IPv6 address
> it MUST create an authorization with the