[cabfpub] Proposed new ballot on IP Addresses in SANs

Jeremy Rowley jeremy.rowley at digicert.com
Sat Apr 23 00:05:30 UTC 2016


It’s been about two days since I asked them to submit their use case and description of why Ryan’s solution won’t work. Assuming they are doing their due diligence, it’ll probably be early next week. I suspect the reason it doesn’t work is the sheer volume of vhosts they will have to create to support individual certs. However, I don’t have enough information to share anything new.


From: Ryan Sleevi <sleevi at google.com>
Sent: Friday, April 22, 2016 4:39 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: Peter Bowen <pzb at amzn.com>; Rick Andrews <Rick_Andrews at symantec.com>; public at cabforum.org
Subject: Re: [cabfpub] Proposed new ballot on IP Addresses in SANs

On Fri, Apr 22, 2016 at 3:28 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

We (and other CAs) have customers who are putting together an explanation of the need. It’s only been a few days. 


It's been 8 months.


Plus, I’m not sure customer input sways many people on the Forum. Would it really make a difference to you if a couple of customers chimed in? I hate to waste their time if it really isn’t going to make a difference what they say.


If there are real reasons the solutions don't work, it's incredibly useful to hear them, because you're proposing violating core Internet standards that have existed for decades - this is nothing 'new'.


If this is just "Well, we'd have to have our engineer work an extra weekend to set this up, but sure, I guess it could work" - then that's unacceptably risky.


Multiple CNs don’t work well. I’m hoping we can share specifics next week.


To be clear, I did not suggest multiple CNs. I did not suggest them 8 months ago. I did not suggest them this time.


To be very clear and abundantly explicit: The proposal I gave 8 months ago, and the proposal for which there has yet to be any evidence of compatibility issues, is quite simple:


commonName=[IP address]
subjectAltName:
  iPAddress=[IP address]


A single certificate for a single IP. Obviously, there's no conflict of IP addresses as there are with dNSNames that would necessitate multiple addresses in a single certificate in order to "conserve IP address space" - because each IP address is a distinct listening point.
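Added example, not part of the thread: a small Python model of the name-matching rule the single-IP proposal relies on (RFC 5280 / RFC 6125: an IP reference identifier is compared as an address against iPAddress SAN entries only, never against dNSName text). The certificate shapes, the CN fallback when no SAN is present, and the `is_single_ip_certificate` helper are assumptions made here to illustrate the discussion.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Hypothetical certificate model for illustration: subject CN (or None) plus the
# subjectAltName entries as (GeneralName type, value) pairs.
SanEntry = Tuple[str, str]


def _parse_ip(value: Optional[str]):
    """Parse an IPv4/IPv6 literal; return None for anything that is not one."""
    if value is None:
        return None
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def matches_ip_reference(reference: str, common_name: Optional[str],
                         sans: Iterable[SanEntry]) -> bool:
    """True if the certificate is valid for the IP literal `reference`.

    Only iPAddress SAN entries count, compared as addresses (so IPv6 spelling
    differences do not matter). A dNSName that merely looks like an IP never
    matches. The CN is consulted only when no SAN extension is present, which
    mirrors the legacy fallback some clients still keep (assumption).
    """
    ref = _parse_ip(reference)
    if ref is None:
        raise ValueError(f"reference identifier is not an IP literal: {reference!r}")
    san_list: List[SanEntry] = list(sans)
    if san_list:
        return any(kind == "iPAddress" and _parse_ip(value) == ref
                   for kind, value in san_list)
    return _parse_ip(common_name) == ref


def is_single_ip_certificate(common_name: Optional[str], sans: Iterable[SanEntry]) -> bool:
    """True for the shape proposed in the thread: exactly one iPAddress SAN, CN equal to it."""
    san_list = list(sans)
    if len(san_list) != 1 or san_list[0][0] != "iPAddress":
        return False
    ip = _parse_ip(san_list[0][1])
    return ip is not None and _parse_ip(common_name) == ip


# Constructed sample certificates (not real certificates):
PROPOSED = ("192.0.2.10", [("iPAddress", "192.0.2.10")])      # one cert, one IP
IP_IN_DNSNAME = ("192.0.2.10", [("dNSName", "192.0.2.10")])   # IP encoded as a dNSName
MULTI_IP = ("192.0.2.10", [("iPAddress", "192.0.2.10"), ("iPAddress", "2001:db8::1")])
CN_ONLY = ("192.0.2.10", [])                                  # no SAN extension at all
```

Running `matches_ip_reference("192.0.2.10", *IP_IN_DNSNAME)` returns False while the PROPOSED shape returns True, which is the compatibility point in the exchange above.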
