> That in turn implies that getting an IP-based certificate might be easier 
> than a DV certificate (and the associated name).  I'd need more supporting 
> evidence to believe that.  Under what conditions could that be true?

I'm not making any claims at all about the ease with which one can get 
different types of certificates. I'm only stating that it's possible to get 
IP-based certificates, and people do, and thus it's possible to have a 
client-facing server that has an IP-based certificate.



> On Apr 20, 2021, at 7:10 PM, Martin Thomson <[email protected]> wrote:
> 
> On Wed, Apr 21, 2021, at 11:48, Carrick Bartle wrote:
>>> I'm not sure what you are implying might be impossible.  Are you suggesting 
>>> that it might be impossible to get a name for which you could get a 
>>> certificate?
>> 
>> No. I'm implying that if we don't allow clients to authenticate 
>> client-facing servers with an IP-based certificate, ECH won't be 
>> possible in cases where the client-facing server doesn't have a name.
> 
> That in turn implies that getting an IP-based certificate might be easier 
> than a DV certificate (and the associated name).  I'd need more supporting 
> evidence to believe that.  Under what conditions could that be true?

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
