need some language about implementing https within private IP range
Originally posted by @TallTed in https://github.com/w3c/did-resolution/pull/167#discussion_r2213713129
It might be good to include something about this typically requiring a self-signed certificate, and maybe a pointer to some documentation of the general case (i.e., not specific to Apache, nginx, or whatever http(s) server, on whatever OS)?
This could be one or more links to external documentation. My concerns are about people who don't have experience or education at the level of most of those involved in writing DID Resolution and similar specs. We should not take for granted that "commonly known issues" are actually commonly known.
This was discussed during the #did meeting on 28 August 2025.
View the transcript
w3c/did-resolution#173
Wip: TallTed, do you want to talk about this?
TallTed: I know this is an issue, but I don't know what the answer is.
manu: TallTed is correct, it is a problem.
… I'm wondering if we need to say anything, though.
… In any context, when you run HTTPS in a local environment, you need to jump through some hoops that are not good security practices.
… Maybe just a sentence in the Security Consideration section: "if you run an HTTPS service on a private IP range, consult your sysadmin"
… We should not explain *how* to solve it.
TallTed: I agree
Wip: I would like somebody to volunteer to write a PR for that.
… Otherwise we will have to close this.
manu: Not volunteering, but this is the kind of job an LLM could help with.
@TallTed would you be able to take a stab at some text for this issue? Something along the lines of what @msporny proposed:
Maybe just a sentence in the Security Consideration section: "if you run an HTTPS service on a private IP range, consult your sysadmin"