rfcdiff: draft-ietf-acme-ip-02.txt vs. draft-ietf-acme-ip-03.txt

ACME Working Group                                           R. Shoemaker
Internet-Draft                                                       ISRG
Intended status: Standards Track        May 18, 2018 (-02) / July 25, 2018 (-03)
Expires: November 19, 2018 (-02) / January 26, 2019 (-03)

                 ACME IP Identifier Validation Extension
               draft-ietf-acme-ip-02 / draft-ietf-acme-ip-03
Abstract

   This document specifies identifiers and challenges required to enable
   the Automated Certificate Management Environment (ACME) to issue
   certificates for IP addresses.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the

(skipping to change at page 1, line 32)
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 19, 2018 (-02) /
   January 26, 2019 (-03).
Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

(skipping to change at page 2, line 16)
   1.  Introduction
   2.  Terminology
   3.  IP Identifier
   4.  Identifier Validation Challenges
   5.  IANA Considerations
     5.1.  Identifier Types
     5.2.  Challenge Types
   6.  Security Considerations
   7.  Acknowledgments
   8.  Normative References
   Author's Address
1.  Introduction

   The Automatic Certificate Management Environment (ACME)
   [I-D.ietf-acme-acme] only defines challenges for validating control
   of DNS host name identifiers which limits its use to being used for
   issuing certificates for DNS identifiers.  In order to allow
   validation of IPv4 and IPv6 identifiers for inclusion in X.509
   certificates this document specifies how challenges defined in:

   draft-02:  the original ACME specification can be used to validate IP
              identifiers.

   draft-03:  the original ACME specification and the TLS-ALPN extension
              specification [I-D.ietf-acme-tls-alpn] can be used to
              validate IP identifiers.
2.  Terminology

   In this document, the key words "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
   and "OPTIONAL" are to be interpreted as described in BCP 14,
   [RFC2119].

3.  IP Identifier

(skipping to change at page 3, line 7)
   address as defined in [RFC1123] Section 2.1 for IPv4 and in [RFC4291]
   Section 2.2 for IPv6.

   An identifier for the IPv6 address 2001:db8::1 would be formatted
   like so:

   {"type": "ip", "value": "2001:db8::1"}
4.  Identifier Validation Challenges

   draft-02:

   IP identifiers MAY be used with the existing "http-01" and "tls-sni-
   02" challenges from [I-D.ietf-acme-acme] Sections 8.3 and 8.4
   respectively.  To use IP identifiers with these challenges their
   initial DNS resolution step MUST be skipped and the IP address used
   for validation MUST be the value of the identifier.  For the "http-
   01" challenge the Host header MUST be set to the IP address being
   used for validation per [RFC7230].

   draft-03:

   IP identifiers MAY be used with the existing "http-01" and "tls-alpn-
   01" challenges from [I-D.ietf-acme-acme] Section 8.3 and
   [I-D.ietf-acme-tls-alpn] Section 3 respectively.  To use IP
   identifiers with these challenges their initial DNS resolution step
   MUST be skipped and the IP address used for validation MUST be the
   value of the identifier.

   For the "http-01" challenge the Host header MUST be set to the IP
   address being used for validation per [RFC7230].

   For the "tls-alpn-01" challenge the SNI value MUST be set to the IP
   address being used for validation and the subjectAltName extension in
   the validation certificate MUST contain a single iPAddress which
   matches the address being validated.

   both drafts:

   The existing "dns-01" challenge MUST NOT be used to validate IP
   identifiers.
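   The following Go program is an added example; it is not part of the
   draft and not code from ISRG or any ACME implementation.  It shows the
   validator-side rules of Section 4 as they read in draft-03: the
   http-01 request target and Host header for an IP identifier are built
   from the identifier value with no DNS lookup (an IPv6 literal is
   bracketed per the uri-host production RFC 7230 refers to), and the
   tls-alpn-01 validation certificate is accepted only if its
   subjectAltName holds exactly one iPAddress equal to the identifier.
   The self-signed certificate helper, the token string and the sample
   addresses (RFC 5737 / RFC 3849 documentation ranges) are constructed
   for the example; the acmeIdentifier extension and ALPN negotiation
   specified in the TLS-ALPN draft are not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// HostHeader returns the Host header value for an http-01 request against an
// IP identifier. There is no DNS step: anything that is not an IP address is
// rejected rather than resolved. IPv6 literals are bracketed (RFC 7230 5.4).
func HostHeader(identifier string) (string, error) {
	ip := net.ParseIP(identifier)
	if ip == nil {
		return "", fmt.Errorf("%q is not an IP identifier", identifier)
	}
	if ip.To4() != nil {
		return ip.String(), nil
	}
	return "[" + ip.String() + "]", nil
}

// ChallengeURL is the request target the validator connects to directly at
// the identifier's address (port 80 implied) on the ACME well-known path.
func ChallengeURL(identifier, token string) (string, error) {
	host, err := HostHeader(identifier)
	if err != nil {
		return "", err
	}
	return "http://" + host + "/.well-known/acme-challenge/" + token, nil
}

// VerifyALPNValidationCert applies the draft-03 tls-alpn-01 rule for IP
// identifiers: subjectAltName must carry exactly one iPAddress, it must
// equal the address being validated, and no other name type may appear.
func VerifyALPNValidationCert(cert *x509.Certificate, identifier string) error {
	want := net.ParseIP(identifier)
	if want == nil {
		return fmt.Errorf("%q is not an IP identifier", identifier)
	}
	if len(cert.DNSNames)+len(cert.EmailAddresses)+len(cert.URIs) != 0 {
		return errors.New("subjectAltName carries entries other than iPAddress")
	}
	if n := len(cert.IPAddresses); n != 1 {
		return fmt.Errorf("subjectAltName has %d iPAddress entries, want exactly 1", n)
	}
	if !cert.IPAddresses[0].Equal(want) {
		return fmt.Errorf("iPAddress %s does not match identifier %s", cert.IPAddresses[0], want)
	}
	return nil
}

// selfSignedWithSANs mints a throwaway self-signed certificate carrying the
// given SAN entries; it stands in for the server's validation certificate
// (constructed for this example, not an ACME server's real output).
func selfSignedWithSANs(ips []net.IP, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "acme-ip validation example"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  ips,
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	const token = "example-token" // constructed; real tokens are random base64url
	u, _ := ChallengeURL("2001:db8::1", token)
	fmt.Println("http-01 target:", u)

	good, _ := selfSignedWithSANs([]net.IP{net.ParseIP("2001:db8::1")}, nil)
	fmt.Println("single matching iPAddress:", VerifyALPNValidationCert(good, "2001:db8::1"))

	mixed, _ := selfSignedWithSANs([]net.IP{net.ParseIP("2001:db8::1")}, []string{"example.com"})
	fmt.Println("iPAddress plus dNSName:", VerifyALPNValidationCert(mixed, "2001:db8::1"))
}
```

   One caveat before building on the draft-03 SNI sentence: RFC 6066
   Section 3 does not permit literal IPv4 or IPv6 addresses in the
   server_name HostName, and TLS stacks that follow it (Go's crypto/tls
   client omits SNI when ServerName parses as an IP address) will not
   send the value this revision asks for.  The published RFC 8738
   resolved this by carrying the in-addr.arpa / ip6.arpa reverse name of
   the address in SNI instead of the address literal, so an
   implementation should check which revision its peers follow.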
5.  IANA Considerations

5.1.  Identifier Types

   Adds a new type to the Identifier list defined in Section 9.7.5 (-02)
   / Section 9.7.7 (-03) of [I-D.ietf-acme-acme] with the label "ip" and
   reference I-D.ietf-acme-ip.

5.2.  Challenge Types

   draft-02:  Add the value "ip" to the identifier type column for the
              "http-01" and "tls-sni-02" challenges.

   draft-03:  Adds the value "ip" to the Identifier Type column in the
              Validation Methods list defined in Section 9.7.8 of
              [I-D.ietf-acme-acme] for the "http-01" and "tls-alpn-01"
              challenges.
6.  Security Considerations

   Given the often short delegation periods for IP addresses provided by
   various service providers CAs MAY want to impose shorter lifetimes
   for certificates which contain IP identifiers.  They MAY also impose
   restrictions on IP identifiers which are in CIDRs known to be
   assigned to service providers who dynamically assign addresses to
   users for indeterminate periods of time.

(skipping to change at page 4, line 8 (-02) / page 4, line 16 (-03))
   [FIPS180-4]
              National Institute of Standards and Technology, "NIST FIPS
              180-4, Secure Hash Standard", March 2012,
              <http://csrc.nist.gov/publications/fips/fips180-4/
              fips-180-4.pdf>.

   [I-D.ietf-acme-acme]
              Barnes, R., Hoffman-Andrews, J., McCarney, D., and J.
              Kasten, "Automatic Certificate Management Environment
              (ACME)", draft-ietf-acme-acme-12 (work in progress), April
              2018 (cited by -02); draft-ietf-acme-acme-13 (work in
              progress), July 2018 (cited by -03).

   [I-D.ietf-acme-tls-alpn]  (added in -03)
              Shoemaker, R., "ACME TLS ALPN Challenge Extension", draft-
              ietf-acme-tls-alpn-01 (work in progress), May 2018.

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
              <https://www.rfc-editor.org/info/rfc1034>.

   [RFC1123]  Braden, R., Ed., "Requirements for Internet Hosts -
              Application and Support", STD 3, RFC 1123,
              DOI 10.17487/RFC1123, October 1989,
              <https://www.rfc-editor.org/info/rfc1123>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
End of changes.  10 change blocks.  18 lines changed or deleted, 31 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/