Certificates for DoT and DoH?

Bill Woodcock woody at pch.net
Mon Feb 28 15:11:27 UTC 2022



> On Feb 28, 2022, at 3:29 PM, Bjørn Mork <bjorn at mork.no> wrote:
> Any recommendations for a CA with a published policy allowing an IP
> address SAN (Subject Alternative Name)?
> Both Quad9 got their certificate from DigiCert:
> 
>        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
>        Subject: C = US, ST = California, L = Berkeley, O = Quad9, CN = *.quad9.net
>            X509v3 Subject Alternative Name:
>                DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, IP Address:9.9.9.10, IP Address:9.9.9.11, IP Address:9.9.9.12, IP Address:9.9.9.13, IP Address:9.9.9.14, IP Address:9.9.9.15, IP Address:149.112.112.9, IP Address:149.112.112.10, IP Address:149.112.112.11, IP Address:149.112.112.12, IP Address:149.112.112.13, IP Address:149.112.112.14, IP Address:149.112.112.15, IP Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:9, IP Address:2620:FE:0:0:0:0:0:10, IP Address:2620:FE:0:0:0:0:0:11, IP Address:2620:FE:0:0:0:0:0:12, IP Address:2620:FE:0:0:0:0:0:13, IP Address:2620:FE:0:0:0:0:0:14, IP Address:2620:FE:0:0:0:0:0:15, IP Address:2620:FE:0:0:0:0:0:FE, IP Address:2620:FE:0:0:0:0:FE:9, IP Address:2620:FE:0:0:0:0:FE:10, IP Address:2620:FE:0:0:0:0:FE:11, IP Address:2620:FE:0:0:0:0:FE:12, IP Address:2620:FE:0:0:0:0:FE:13, IP Address:2620:FE:0:0:0:0:FE:14, IP Address:2620:FE:0:0:0:0:FE:15
> 
> Does this mean that DigiCert is the only alternative?

I assume not, but we’d already used them for other things, and they didn’t have a problem doing it, so we didn’t shop any further.

> And do they really have this offer for ordinary users, or is this also some special
> arrangement for big players only?

No, we didn’t have to do anything special, to the best of my knowledge.

> That does make me wonder how they verify that I'm the rightful owner of
> "sites, IP addresses, common names, etc.".  In particular, "etc" :-)
> Or you could ask yourself if you trust a CA with such an offer...

Yep.  DANE is the correct answer.  CAs are not.  But that’s been true for a very long time, and people are still trying to pretend that CAs know what’s what.

                                -Bill
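The identity check that a DoT/DoH client has to perform against a certificate like the Quad9 one quoted above, as an added example that is not part of this thread: when the client connected to an IP literal, only an exact iPAddress SAN match counts (after normalising the textual form, so `2620:FE:0:0:0:0:0:9` and `2620:fe::9` are the same address), and a dNSName entry such as `*.quad9.net` must never satisfy an IP reference. The SAN text below is a constructed, abridged copy of the SAN line in the quoted certificate.

```python
import ipaddress
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed input: a few of the SAN entries quoted in the thread, in
# the textual form that `openssl x509 -text` prints them.
SAN_TEXT = ("DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, "
            "IP Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:9")


def parse_san(text: str) -> Tuple[List[str], List[IPAddr]]:
    """Split an OpenSSL-style SAN line into dNSName strings and parsed IPs."""
    dns_names: List[str] = []
    ips: List[IPAddr] = []
    for entry in text.split(","):
        # partition on the first ':' only, so IPv6 literals stay intact
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns_names.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            # ipaddress normalises the textual form, so comparisons are binary
            ips.append(ipaddress.ip_address(value))
    return dns_names, ips


def cert_matches_reference(san_text: str, reference: str) -> bool:
    """RFC 5280 / RFC 6125 style check of a server identity against the SAN.

    An IP-literal reference matches only an iPAddress SAN, byte for byte;
    a hostname reference matches only dNSName entries (a '*.' wildcard
    covers exactly one leftmost label).  Entries of the other kind never
    match, so '*.quad9.net' does not cover a connection to 9.9.9.9.
    """
    dns_names, ips = parse_san(san_text)
    try:
        return ipaddress.ip_address(reference) in ips
    except ValueError:
        pass  # not an IP literal, fall through to hostname matching
    host = reference.lower().rstrip(".")
    for name in dns_names:
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False
```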
