nanog mailing list archives
Re: Certificates for DoT and DoH?
From: Bill Woodcock <woody () pch net>
Date: Mon, 28 Feb 2022 16:11:27 +0100
On Feb 28, 2022, at 3:29 PM, Bjørn Mork <bjorn () mork no> wrote: Any recommendations for a CA with a published policy allowing an IP address SAN (Subject Alternative Name)? Both Quad9 got their certificate from DigiCert: Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1 Subject: C = US, ST = California, L = Berkeley, O = Quad9, CN = *.quad9.net X509v3 Subject Alternative Name: DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, IP Address:9.9.9.10, IP Address:9.9.9.11, IP Address:9.9.9.12, IP Address:9.9.9.13, IP Address:9.9.9.14, IP Address:9.9.9.15, IP Address:149.112.112.9, IP Address:149.112.112.10, IP Address:149.112.112.11, IP Address:149.112.112.12, IP Address:149.112.112.13, IP Address:149.112.112.14, IP Address:149.112.112.15, IP Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:9, IP Address:2620:FE:0:0:0:0:0:10, IP Address:2620:FE:0:0:0:0:0:11, IP Address:2620:FE:0:0:0:0:0:12, IP Address:2620:FE:0:0:0:0:0:13, IP Address:2620:FE:0:0:0:0:0:14, IP Address:2620:FE:0:0:0:0:0:15, IP Address:2620:FE:0:0:0:0:0:FE, IP Address:2620:FE:0:0:0:0:FE:9, IP Address:2620:FE:0:0:0:0:FE:10, IP Address:2620:FE:0:0:0:0:FE:11, IP Address:2620:FE:0:0:0:0:FE:12, IP Address:2620:FE:0:0:0:0:FE:13, IP Address:2620:FE:0:0:0:0:FE:14, IP Address:2620:FE:0:0:0:0:FE:15 Does this mean that DigiCert is the only alternative?
I assume not, but we’d already used them for other things, and they didn’t have a problem doing it, so we didn’t shop any further.
And do they really have this offer for ordinary users, or is this also some special arrangement for big players only?
No, we didn’t have to do anything special, to the best of my knowledge.
That does make me wonder how they verify that I'm the rightful owner of "sites, IP addresses, common names, etc.". In particular, "etc" :-) Or you could ask yourself if you trust a CA with such an offer...
Yep. DANE is the correct answer. CAs are not. But that’s been true for a very long time, and people are still trying to pretend that CAs know what’s what. -Bill
Attachment:
signature.asc
Description: Message signed with OpenPGP
Current thread:
- Certificates for DoT and DoH? Bjørn Mork (Feb 28)
- Re: Certificates for DoT and DoH? Bill Woodcock (Feb 28)
- Re: Certificates for DoT and DoH? Bjørn Mork (Feb 28)
- Re: Certificates for DoT and DoH? John Todd (Feb 28)
- Re: Certificates for DoT and DoH? Bjørn Mork (Feb 28)
- RE: Certificates for DoT and DoH? David Guo via NANOG (Feb 28)
- Re: Certificates for DoT and DoH? Bjørn Mork (Feb 28)
- Re: Certificates for DoT and DoH? Bill Woodcock (Feb 28)