[Cryptography] ALPACA
Jerry Leichter
leichter at lrw.com
Thu Jun 10 09:34:48 EDT 2021
>
>> TLS certificates validate host names, not IP addresses or port
>> numbers.
>
> Well, TLS certificates can validate arbitrary Subject Alternative Names,
> which can be more specific than just a hostname. The real issue is that
> hostnames are the only things that the CA/B forum issuers (i.e. Let's
> Encrypt) know how to issue DV certificates for....
The paper points out that the entire technique can be avoided if the web site uses SNI *and marks SNI as required*. The problem is that (a) "SNI required" is almost never used in practice; (b) even if requested, many existing servers don't enforce it, even some that say they do. Of course, these two facts are self-reinforcing.
-- Jerry
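The two failure modes Jerry names (servers that never turn "SNI required" on, and servers that claim to enforce it but do not) can both be checked with the same loopback probe. The following is an added example, not code from the thread or from the ALPACA paper: it builds a throwaway self-signed certificate in memory, starts a Go TLS server once with the default (lax) configuration and once with a `GetConfigForClient` hook that refuses any handshake whose `server_name` is missing or names a host the server does not serve, and dials each with three SNI values (the right name, a wrong name, and no SNI at all). The host names `www.example.test` and `other.example.test` are constructed for the example; the probe deliberately skips certificate verification on the client side so that it measures only the server's SNI policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical host this server is authoritative for (constructed for the example).
const allowedHost = "www.example.test"

// selfSignedCert builds an in-memory certificate for allowedHost so the example runs offline.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: allowedHost},
		DNSNames:     []string{allowedHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// strictSNIConfig aborts the handshake unless the client named a host this server serves.
// An error from GetConfigForClient makes Go send a TLS alert instead of falling back to
// the default certificate, which is exactly what a lax server would do.
func strictSNIConfig(cert tls.Certificate, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			if hello.ServerName == "" {
				return nil, errors.New("strict SNI: client sent no server_name")
			}
			if !allowed[hello.ServerName] {
				return nil, fmt.Errorf("strict SNI: %q is not served here", hello.ServerName)
			}
			return nil, nil // nil config: keep using this one
		},
	}
}

// probeSNI reports, for each candidate SNI ("" sends no server_name at all), whether a loopback
// server running cfg completes the handshake. Certificate verification is skipped on purpose:
// the probe measures the server's SNI policy, not the client's name check.
func probeSNI(cfg *tls.Config, candidates []string) (map[string]bool, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		for range candidates {
			if c, err := ln.Accept(); err == nil {
				_ = c.(*tls.Conn).Handshake() // a rejection reaches the client as a TLS alert
				c.Close()
			}
		}
	}()
	results := make(map[string]bool)
	for _, sni := range candidates {
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: sni, InsecureSkipVerify: true})
		results[sni] = err == nil
		if err == nil {
			conn.Close()
		}
	}
	return results, nil
}

// compare runs the same probes against a lax server (Go's default: any SNI, or none, gets
// the certificate) and against the strict one.
func compare() (lax, strict map[string]bool, err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, nil, err
	}
	candidates := []string{allowedHost, "other.example.test", ""}
	if lax, err = probeSNI(&tls.Config{Certificates: []tls.Certificate{cert}}, candidates); err != nil {
		return nil, nil, err
	}
	strict, err = probeSNI(strictSNIConfig(cert, map[string]bool{allowedHost: true}), candidates)
	return lax, strict, err
}

func main() {
	lax, strict, err := compare()
	fmt.Println("lax:", lax, "strict:", strict, "err:", err)
}
```

The lax server answers all three probes, including the one with no SNI, which is the behaviour a cross-protocol attack depends on; the strict server completes only the handshake that names `www.example.test`. Pointing `probeSNI`'s dial at a real listener instead of the loopback one turns it into the check for Jerry's second point: a server whose configuration says "SNI required" but still returns a certificate for a wrong or empty `server_name` is not actually enforcing it.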