Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison) from Brad Hill on 2015-01-22 (public-webappsec@w3.org from January 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 22 Jan 2015 20:04:27 +0000
To: Brian Smith <brian@briansmith.org>, Mike West <mkwst@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAEeYn8jRZ3uEUcX9rQf-iwumkmgtxPTBAzh9U=HVXRvV18zF_A@mail.gmail.com>

Public CAs are only to stop issuing for IP addresses in reserved ranges, I
believe. (10.0.0.0, 171.16.0.0, 192.168.0.0, 127.0.0.1)

On Thu Jan 22 2015 at 11:56:07 AM Brian Smith <brian@briansmith.org> wrote:

> Mike West <mkwst@google.com> wrote:
> > Either way, it seems like something we're stuck with supporting. Skipping
> > IPv6, however, seems pretty viable.
>
> Do you need to support any IP address other than "127.0.0.1" and
> "::1"? I'd suggest limiting support to just those two IP addresses,
> and only those two notations, instead of all IP addresses.
>
> Otherwise, in general, no new specification should specify support for
> IPv4 without specifying IPv6 support. The IPv6 syntax isn't as
> complicated as it initially looks. (source: I wrote a IPv6 address
> parser for mozilla::pkix a couple of months ago.)
>
> Similarly, nobody should be defining things that only work for http://
> but not https://. Publicly-trusted CAs are not supposed to be issuing
> certificates for IP addresses (IPv4 or IPv6) anymore, IIRC. This means
> that https://<ip-address> should eventually stop working completely,
> for the most part.
>
> Cheers,
> Brian
>

Received on Thursday, 22 January 2015 20:04:55 UTC