Re: Working Group Last Call for draft-ietf-httpbis-expect-ct-05

From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Wed, 6 Jun 2018 07:47:06 -0400
Message-ID: <CAErg=HEigi6knAJn_Jy4WU8kcef77DN=WfQ1DHwYoC7V1B9Bng@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "Emily Stark (Dunn)" <estark@google.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Patrick McManus <mcmanus@ducksong.com>
On Tue, Jun 5, 2018 at 5:55 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On Mon, Jun 4, 2018 at 10:56 PM Emily Stark <estark@google.com> wrote:
> > Might have been blindly cribbed from HSTS/HPKP -- I don't remember
> > discussing it specifically for Expect-CT. Filed
> > https://github.com/httpwg/http-extensions/issues/637
>
> Thanks.
>
> >> CAs can (and do) issue IP certificates, so why does this specifically
> >> exclude those?  If this is a requirement imposed by CT, then please
> >> cite that.  Otherwise, I think that this should allow IP literals.
> >
> >
> > This was also cribbed from HSTS/HPKP. I'll try to find out the
> > motivation for including it in those specs; I'm a little wary of dropping
> > it from Expect-CT without understanding why it's there for the other two...
>
> There was some confusion about the status of IP certificates at some
> points in the past.  I don't think that it is necessary to concern
> this spec with the types of identifier that need to be covered.
>

Right, that's listed in https://tools.ietf.org/html/rfc6797#appendix-A for
HSTS, and as HPKP originally started as an option of HSTS, it retained that
functionality. The difficulty in both interoperability (in clients) and
obtaining an IP certificate (by servers)
Received on Wednesday, 6 June 2018 11:48:12 UTC