On Tue, Jun 5, 2018 at 5:55 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
> On Mon, Jun 4, 2018 at 10:56 PM Emily Stark <estark@google.com> wrote:
> > Might have been blindly cribbed from HSTS/HPKP -- I don't remember
> > discussing it specifically for Expect-CT. Filed
> > https://github.com/httpwg/http-extensions/issues/637
>
> Thanks.
>
> >> CAs can (and do) issue IP certificates, so why does this specifically
> >> exclude those? If this is a requirement imposed by CT, then please
> >> cite that. Otherwise, I think that this should allow IP literals.
> >
> >
> > This was also cribbed from HSTS/HPKP. I'll try to find out the
> > motivation for including it in those specs; I'm a little wary of dropping
> > it from Expect-CT without understanding why it's there for the other two...
>
> There was some confusion about the status of IP certificates at some
> points in the past. I don't think that it is necessary to concern
> this spec with the types of identifier that need to be covered.
>
Right, that's listed in https://tools.ietf.org/html/rfc6797#appendix-A for
HSTS, and as HPKP originally started as an option of HSTS, it retained that
functionality. The difficulty in both interoperability (in clients) and
obtaining an IP certificate (by servers)