Do certificates for IP Addresses work?

Gary E. Miller gem at rellim.com
Fri Feb 1 23:35:57 UTC 2019


Yo Hal!

On Fri, 01 Feb 2019 15:24:09 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> If I start with a name, translate that to an IP Address, make a TLS
> connection to that system, I expect to get a certificate that matches
> the name.

Yup, but not always.  Some will want to stop on mismatch, some want
to continue.  Thus the new "noval" keyword.

> But that translation step adds another layer of security
> considerations.

Which have been well thought out by the TLS people.  The proposed RFC
says to reuse that very well constructed wheel.

> Is it practical to bypass the DNS lookup and use a certificate for
> the IP Address?

Trivial, not quite.  Practical, yes.  But not common.  Leave that to
wizards.

The common case you are looking for is when you contact a TLS server
by IP, not name, and then either validate, or not, the returned
certificate.  This is very common for testing before moving a
server into its production IP.

> Is there an option I can give to something like getaddrinfo() that
> says require DNSSEC?  What fraction of the world is using DNSSEC
> and/or pays attention if somebody else uses it?

Leave that battle to the TLS people.  They discuss the next step all
the time and DNSSEC has been a battle for a long time.

The vulnerability window there is very small.  I can easily spoof
a client to think my server is google.com.  I can easily create a
certificate that says my server is google.com.  But I can not create a
google.com certificate that will validate without a lot of hard work.

NSA can do it, but not me.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
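The matching step the thread is talking about, shown as an added example (my own illustration, not NTPsec code and not from the original message): a client that dialled a peer by DNS name or by IP literal checks the returned certificate's subjectAltName, and a policy step then either stops on mismatch or, with a hypothetical `noval` flag modelled on the keyword Gary mentions, notes the mismatch and continues. The certificate dicts are constructed in the shape the standard library's `ssl.SSLSocket.getpeercert()` returns, so no network connection is needed to run it. The point it makes concrete: an IP literal is only ever compared against `IP Address` entries (as parsed addresses, never as strings), so a certificate that names only hosts does not validate for a connection made by IP.

```python
"""Match a TLS peer certificate against the reference identity the client
used (a DNS name or an IP address), following the RFC 6125 / RFC 5280 rules
in simplified form.

Constructed example, not NTPsec code.  Certificates are dicts in the shape
returned by ssl.SSLSocket.getpeercert(): 'subjectAltName' is a tuple of
(type, value) pairs such as ('DNS', 'www.example.com') or
('IP Address', '192.0.2.10').
"""
import ipaddress


def _dns_name_matches(reference: str, pattern: str) -> bool:
    """Case-insensitive dNSName match with a single leftmost-label wildcard."""
    ref = reference.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    if len(ref) != len(pat):
        return False
    if pat[0] == "*":
        # A wildcard stands for exactly one whole leftmost label, and must
        # leave at least two further labels ('*.com' never matches 'x.com').
        return len(pat) >= 3 and ref[1:] == pat[1:]
    return ref == pat


def _ip_matches(reference_ip, san_value: str) -> bool:
    """iPAddress SANs are compared as addresses, not strings, so that
    '2001:db8::10' and its fully expanded spelling compare equal."""
    try:
        return ipaddress.ip_address(san_value) == reference_ip
    except ValueError:
        return False


def cert_matches(reference: str, cert: dict) -> bool:
    """True if the certificate's subjectAltName covers the reference identity.

    When the client connected by IP address only 'IP Address' entries count;
    an IP literal is never matched against a dNSName.  When it connected by
    name, only 'DNS' entries count.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        return any(kind == "IP Address" and _ip_matches(ref_ip, value)
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_name_matches(reference, value)
               for kind, value in sans)


def decide(reference: str, cert: dict, noval: bool = False):
    """Policy step: stop on mismatch, or with noval set, report and carry on.

    Returns (proceed, reason).  'noval' is a hypothetical client option
    modelled on the keyword discussed in the thread, not NTPsec's own code.
    """
    if cert_matches(reference, cert):
        return True, "certificate matches " + reference
    if noval:
        return True, "MISMATCH for %s, continuing because noval is set" % reference
    return False, "MISMATCH for %s, aborting" % reference


# Constructed certificates in getpeercert() shape (no real hosts).
NAME_ONLY_CERT = {
    "subject": ((("commonName", "ntp.example.net"),),),
    "subjectAltName": (("DNS", "ntp.example.net"),
                       ("DNS", "*.pool.example.net")),
}
IP_CERT = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("DNS", "ntp.example.net"),
                       ("IP Address", "192.0.2.10"),
                       ("IP Address", "2001:db8::10")),
}

if __name__ == "__main__":
    for ref, cert, noval in [("ntp.example.net", NAME_ONLY_CERT, False),
                             ("192.0.2.10", NAME_ONLY_CERT, False),
                             ("192.0.2.10", NAME_ONLY_CERT, True),
                             ("192.0.2.10", IP_CERT, False),
                             ("2001:0db8::0010", IP_CERT, False)]:
        print(ref, "->", decide(ref, cert, noval))
```

Running the script shows the name-only certificate accepted for `ntp.example.net`, rejected for `192.0.2.10` unless `noval` is set, and the certificate carrying `IP Address` entries accepted for both the IPv4 literal and an alternative spelling of the IPv6 literal. If you adapt this to a live socket, pass the name to `ssl.SSLContext.wrap_socket(server_hostname=...)` and let the library do the matching; this function exists to make the rules visible, not to replace them.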