Roland Bracewell Shoemaker
The underlying logic for this should probably be implemented upstream in CFSSL, since it'll require a key that (_I think_) should be stored in an HSM; there is already an...
`cfssl` now has a [`crl`](https://github.com/cloudflare/cfssl/blob/master/crl/crl.go) lib which can be used to generate CRLs using a `crypto.Signer`.
Blocked on #140 (allowing user to specify the revocation reason instead of always setting it to `ocsp.Unspecified` ourselves).
While it's not an immediate priority, this is something we intend to support in the future.
Developing an ACME challenge for the CSR verification method seems complicated, mainly because of the `Verified Method of Communication` requirement. I'm not sure there is an easy way we could...
> For LE would this require a CP/CPS update before it could be deployed?

Yes, CPS 7.1.5 restricts issuance of certs for IP addresses.
Open questions:

* Do we want to restrict any CIDRs (i.e. those held by ISPs)?
* Do we want to reduce the lifetime of certs containing IP addresses?

cc @jsha...
> Definitely yep to both. Any thoughts on determining the values of either?

Not really sure how we'd go about figuring out which CIDRs to block; is there a public...
The RFC is progressing through the IETF process; there is nothing we can do to speed that process up ourselves, so we just have to wait. We also don't have any...
Looks like `zmap/zcrypto/x509` is already enforcing IP constraint validity [during parsing](https://github.com/zmap/zcrypto/blob/master/x509/x509.go#L1655-L1665). Stdlib `crypto/x509` does its own DNS name validity check, but [disagrees that leading periods are invalid](https://golang.org/src/crypto/x509/x509.go#L1245). See https://github.com/golang/go/issues/16347 for...