Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

Public CAs are only to stop issuing for IP addresses in reserved ranges, I
believe. (10.0.0.0, 171.16.0.0, 192.168.0.0, 127.0.0.1)

On Thu Jan 22 2015 at 11:56:07 AM Brian Smith <brian@briansmith.org> wrote:

> Mike West <mkwst@google.com> wrote:
> > Either way, it seems like something we're stuck with supporting. Skipping
> > IPv6, however, seems pretty viable.
>
> Do you need to support any IP address other than "127.0.0.1" and
> "::1"? I'd suggest limiting support to just those two IP addresses,
> and only those two notations, instead of all IP addresses.
>
> Otherwise, in general, no new specification should specify support for
> IPv4 without specifying IPv6 support. The IPv6 syntax isn't as
> complicated as it initially looks. (source: I wrote an IPv6 address
> parser for mozilla::pkix a couple of months ago.)
>
> Similarly, nobody should be defining things that only work for http://
> but not https://. Publicly-trusted CAs are not supposed to be issuing
> certificates for IP addresses (IPv4 or IPv6) anymore, IIRC. This means
> that https://<ip-address> should eventually stop working completely,
> for the most part.
>
> Cheers,
> Brian
>

Received on Thursday, 22 January 2015 20:04:55 UTC
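
Brian's suggestion in the quoted message (accept only "127.0.0.1" and "::1", in only those two notations) sketched as a check on the host part of a policy source expression. This is an added example, not code from the thread or from any browser. The function names are hypothetical, "::1" is written "[::1]" as it appears in a URL host, and the example assumes the policy token is compared as written while the request URL is canonicalised by the WHATWG URL parser.

```javascript
// Added example; all names are hypothetical, not taken from any CSP implementation.
// Assumption: the policy token is compared exactly as written; the request URL
// is compared after WHATWG URL parsing, which canonicalises IP notations.
const LOOPBACK_NOTATIONS = new Set(["127.0.0.1", "[::1]"]);

// Classify the host part of a policy source expression (port already split off).
// Returns "loopback", "other-ip", "hostname" or "invalid".
function classifyPolicyHost(token) {
  if (LOOPBACK_NOTATIONS.has(token)) return "loopback";
  if (token.startsWith("[")) return "other-ip"; // any other bracketed IPv6 form
  let canonical;
  try {
    canonical = new URL(`http://${token}/`).hostname;
  } catch {
    return "invalid"; // e.g. "999.1.1.1": numeric, but not a valid address
  }
  // The URL parser rewrites "127.1", "0x7f.0.0.1" and "2130706433" as dotted
  // quads, so a token in any of those notations is an IP literal in disguise.
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(canonical) ? "other-ip" : "hostname";
}

// Decide the IP-literal cases only. Returns null for hostnames so the caller
// can fall through to ordinary hostname matching.
function matchIpSource(token, requestUrl) {
  const kind = classifyPolicyHost(token);
  if (kind === "hostname") return null;
  if (kind !== "loopback") return false; // other IPs and invalid tokens never match
  return new URL(requestUrl).hostname === token;
}

// Constructed sample tokens and the resulting classification.
for (const t of ["127.0.0.1", "[::1]", "127.1", "0x7f.0.0.1",
                 "[0:0:0:0:0:0:0:1]", "192.168.0.1", "example.com"]) {
  console.log(t.padEnd(20), classifyPolicyHost(t));
}
```

A policy token in any other notation is rejected even when it denotes the same address, which removes the need to normalise IP literals on the policy side.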