Begin issuing certificates with IP Address identifiers

Open aarongable opened this issue 1 year ago • 4 comments

This bug is an umbrella/tracking bug, acting as a one-stop-shop to see progress on the multiple sub-tasks necessary to achieve this 2024 OKR.

We intend to support IP Address identifiers only in short-lived certificates.

Prerequisites:

  • [ ] https://github.com/letsencrypt/boulder/issues/7309
  • [ ] https://github.com/letsencrypt/boulder/issues/7310

Subtasks:

  • [ ] Teach the SA to store authorization objects with identifier type "ipAddress"
  • [ ] #7647
  • [ ] https://github.com/letsencrypt/boulder/issues/2706 in the VA and RVA
  • [ ] Teach the RA to plumb challenge ipAddress identifiers to the VA and RVA
  • [ ] Ensure the CA produces correct and compliant certificates including IP addresses
  • [ ] Ensure the CA rejects issuance of long-lived certs with ipAddress identifiers
  • [ ] Teach the RA to plumb finalize ipAddress identifiers to the CA
  • [ ] Teach the WFE to plumb ipAddress identifiers to the RA
  • [ ] Optional: Restrict ipAddress identifiers to an allow-list of registration IDs, to allow slow controlled roll-out

aarongable, Feb 06 '24 23:02

Is there any planned target date for this? =)

Manouchehri, Mar 14 '24 15:03

While we do have internal goals, we do not have a date that we are willing to commit to in public, sorry.

aarongable, Mar 14 '24 21:03

No worries, I’m just excited!

Manouchehri, Mar 14 '24 22:03