- From: Brian Smith <brian@briansmith.org>
- Date: Thu, 22 Jan 2015 11:56:07 -0800
- To: Mike West <mkwst@google.com>
- Cc: Brad Hill <hillbrad@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike West <mkwst@google.com> wrote: > Either way, it seems like something we're stuck with supporting. Skipping > IPv6, however, seems pretty viable. Do you need to support any IP address other than "127.0.0.1" and "::1"? I'd suggest limiting support to just those two IP addresses, and only those two notations, instead of all IP addresses. Otherwise, in general, no new specification should specify support for IPv4 without specifying IPv6 support. The IPv6 syntax isn't as complicated as it initially looks. (source: I wrote a IPv6 address parser for mozilla::pkix a couple of months ago.) Similarly, nobody should be defining things that only work for http:// but not https://. Publicly-trusted CAs are not supposed to be issuing certificates for IP addresses (IPv4 or IPv6) anymore, IIRC. This means that https://<ip-address> should eventually stop working completely, for the most part. Cheers, Brian
Received on Thursday, 22 January 2015 19:56:33 UTC