nanog mailing list archives

Re: Certificates for DoT and DoH?


From: Bill Woodcock <woody () pch net>
Date: Mon, 28 Feb 2022 16:11:27 +0100



On Feb 28, 2022, at 3:29 PM, Bjørn Mork <bjorn () mork no> wrote:
> Any recommendations for a CA with a published policy allowing an IP
> address SAN (Subject Alternative Name)?
> Both Quad9 got their certificate from DigiCert:
>
>        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
>        Subject: C = US, ST = California, L = Berkeley, O = Quad9, CN = *.quad9.net
>            X509v3 Subject Alternative Name:
>                DNS:*.quad9.net, DNS:quad9.net,
>                IP Address:9.9.9.9, IP Address:9.9.9.10, IP Address:9.9.9.11, IP Address:9.9.9.12,
>                IP Address:9.9.9.13, IP Address:9.9.9.14, IP Address:9.9.9.15,
>                IP Address:149.112.112.9, IP Address:149.112.112.10, IP Address:149.112.112.11,
>                IP Address:149.112.112.12, IP Address:149.112.112.13, IP Address:149.112.112.14,
>                IP Address:149.112.112.15, IP Address:149.112.112.112,
>                IP Address:2620:FE:0:0:0:0:0:9, IP Address:2620:FE:0:0:0:0:0:10,
>                IP Address:2620:FE:0:0:0:0:0:11, IP Address:2620:FE:0:0:0:0:0:12,
>                IP Address:2620:FE:0:0:0:0:0:13, IP Address:2620:FE:0:0:0:0:0:14,
>                IP Address:2620:FE:0:0:0:0:0:15, IP Address:2620:FE:0:0:0:0:0:FE,
>                IP Address:2620:FE:0:0:0:0:FE:9, IP Address:2620:FE:0:0:0:0:FE:10,
>                IP Address:2620:FE:0:0:0:0:FE:11, IP Address:2620:FE:0:0:0:0:FE:12,
>                IP Address:2620:FE:0:0:0:0:FE:13, IP Address:2620:FE:0:0:0:0:FE:14,
>                IP Address:2620:FE:0:0:0:0:FE:15
>
> Does this mean that DigiCert is the only alternative?

I assume not, but we’d already used them for other things, and they didn’t have a problem doing it, so we didn’t shop any further.

> And do they really have this offer for ordinary users, or is this also some special
> arrangement for big players only?

No, we didn’t have to do anything special, to the best of my knowledge.

> That does make me wonder how they verify that I'm the rightful owner of
> "sites, IP addresses, common names, etc.".  In particular, "etc" :-)
> Or you could ask yourself if you trust a CA with such an offer...

Yep.  DANE is the correct answer.  CAs are not.  But that’s been true for a very long time, and people are still trying to pretend that CAs know what’s what.

                                -Bill

Attachment: signature.asc
Description: Message signed with OpenPGP
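Editor's note, added to this archive page and not part of the message above or of any Quad9, PCH or DigiCert code: the reason the thread needs an IP-address SAN at all is the client-side name check. A DoT or DoH client is usually configured with the resolver's address (9.9.9.9, 2620:fe::9), and under RFC 6125 / RFC 5280 an IP reference is matched only against iPAddress SANs, compared as binary addresses; a wildcard dNSName or the CN never matches an IP. The example below parses the SAN value exactly as openssl prints it (the list is transcribed from the quoted dump, with the archive's line wrapping removed) and applies those rules; the parser and matcher are this example's own, not a library API.

```python
"""Reference-identifier matching for a DoT/DoH resolver certificate.

A client configured with a resolver *address* can only authenticate the TLS
server if the certificate carries that address as an iPAddress SAN; dNSName
SANs and the CN do not match an IP reference.  Added example for this thread,
not code from Quad9, PCH or DigiCert.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed input: the SAN value transcribed from the openssl dump quoted in
# the message, with the archive's line wrapping removed.
QUAD9_SAN_TEXT = (
    "DNS:*.quad9.net, DNS:quad9.net, "
    "IP Address:9.9.9.9, IP Address:9.9.9.10, IP Address:9.9.9.11, "
    "IP Address:9.9.9.12, IP Address:9.9.9.13, IP Address:9.9.9.14, "
    "IP Address:9.9.9.15, IP Address:149.112.112.9, IP Address:149.112.112.10, "
    "IP Address:149.112.112.11, IP Address:149.112.112.12, "
    "IP Address:149.112.112.13, IP Address:149.112.112.14, "
    "IP Address:149.112.112.15, IP Address:149.112.112.112, "
    "IP Address:2620:FE:0:0:0:0:0:9, IP Address:2620:FE:0:0:0:0:0:10, "
    "IP Address:2620:FE:0:0:0:0:0:11, IP Address:2620:FE:0:0:0:0:0:12, "
    "IP Address:2620:FE:0:0:0:0:0:13, IP Address:2620:FE:0:0:0:0:0:14, "
    "IP Address:2620:FE:0:0:0:0:0:15, IP Address:2620:FE:0:0:0:0:0:FE, "
    "IP Address:2620:FE:0:0:0:0:FE:9, IP Address:2620:FE:0:0:0:0:FE:10, "
    "IP Address:2620:FE:0:0:0:0:FE:11, IP Address:2620:FE:0:0:0:0:FE:12, "
    "IP Address:2620:FE:0:0:0:0:FE:13, IP Address:2620:FE:0:0:0:0:FE:14, "
    "IP Address:2620:FE:0:0:0:0:FE:15"
)

SAN = Tuple[str, str]  # (kind, value), kind is "DNS", "IP" or the raw openssl label


def parse_openssl_san(text: str) -> List[SAN]:
    """Parse the value of openssl's 'X509v3 Subject Alternative Name' line.
    Each entry is 'TYPE:value'; only the first ':' separates them, so IPv6
    literals with their own colons survive intact."""
    entries: List[SAN] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        kind = "IP" if kind.strip() == "IP Address" else kind.strip()
        entries.append((kind, value.strip()))
    return entries


def _as_ip(reference: str):
    """Return an ipaddress object if `reference` is an IP literal (optionally in
    URL-style brackets, as in https://[2620:fe::9]/dns-query), else None."""
    ref = reference.strip()
    if ref.startswith("[") and ref.endswith("]"):
        ref = ref[1:-1]
    try:
        return ipaddress.ip_address(ref)
    except ValueError:
        return None


def _dns_match(pattern: str, name: str) -> bool:
    """RFC 6125 section 6.4.3 wildcard rules: '*' is honoured only as the whole
    leftmost label, it matches exactly one label, and the pattern must keep at
    least two fixed labels (no '*.net').  Comparison is case-insensitive."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(n_labels) == len(p_labels) and p_labels[1:] == n_labels[1:]


def reference_matches(reference: str, sans: List[SAN],
                      common_name: Optional[str] = None) -> Tuple[bool, str]:
    """Does a certificate with these SANs authenticate a server the client was
    configured to reach as `reference` (hostname or IP literal, no port)?
    Returns (matched, reason).  Chain validation is a separate step."""
    ip = _as_ip(reference)
    if ip is not None:
        # An IP reference matches only iPAddress SANs, compared as addresses, so
        # 2620:fe::9 and 2620:FE:0:0:0:0:0:9 are equal.  CN and DNS SANs are
        # never consulted for an IP reference.
        for kind, value in sans:
            if kind == "IP":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True, f"IP Address SAN {value}"
                except ValueError:
                    continue
        return False, "no iPAddress SAN equals the configured address"
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, reference):
            return True, f"DNS SAN {value}"
    if common_name and not any(k in ("DNS", "IP") for k, _ in sans):
        # Legacy fallback only: the CN counts solely when the certificate has
        # no DNS or IP SAN at all (RFC 6125 section 6.4.4).
        if _dns_match(common_name, reference):
            return True, f"CN {common_name} (legacy fallback, no SANs present)"
    return False, "no DNS SAN matches the configured name"


if __name__ == "__main__":
    sans = parse_openssl_san(QUAD9_SAN_TEXT)
    for ref in ["dns.quad9.net", "quad9.net", "a.b.quad9.net", "9.9.9.9",
                "2620:fe::fe:9", "[2620:FE::9]", "1.1.1.1"]:
        ok, why = reference_matches(ref, sans, common_name="*.quad9.net")
        print(f"{ref:16} {'OK  ' if ok else 'FAIL'} {why}")
```

Two things this check makes visible: a certificate with only `*.quad9.net` and `quad9.net` would fail for a client configured with `9.9.9.9`, whatever the CN says, which is exactly why the resolver operator needs an IP-address SAN from its CA; and a cert that does carry the SAN still has to chain to something the client trusts, which is the part DANE would replace (a TLSA record pinning the key or certificate) while leaving this name check untouched. In practice a client delegates the matching to its TLS library rather than reimplementing it (OpenSSL exposes it as `X509_VERIFY_PARAM_set1_ip_asc` / `X509_VERIFY_PARAM_set1_host`); the example exists to show the rules those libraries apply.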

