Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Begin issuing certificates with IP Address identifiers #7311

Open
11 tasks
aarongable opened this issue Feb 6, 2024 · 4 comments
Open
11 tasks

Begin issuing certificates with IP Address identifiers #7311

aarongable opened this issue Feb 6, 2024 · 4 comments
Labels
area/ca area/ra area/sa area/va area/wfe blocked

Comments

@aarongable
Copy link
Contributor

aarongable commented Feb 6, 2024
edited
Loading

This bug is an umbrella/tracking bug, acting as a one-stop-shop to see progress on the multiple sub-tasks necessary to achieve this 2024 OKR.

We intend to support IP Address identifiers only in short-lived certificates.

Prerequisities:

Subtasks:

  • Teach the SA to store authorization objects with identifier type "ipAddress"
  • Teach the RA to plumb new-order ipAddress identifiers to the SA #7647
  • Implement RFC 8738: ACME IP Identifier Validation #2706 in the VA and RVA
  • Teach the RA to plumb challenge ipAddress identifiers to the VA and RVA
  • Ensure the CA produces correct and compliant certificates including IP addresses
  • Ensure the CA rejects issuance of long-lived certs with ipAddress identifiers
  • Teach the RA to plumb finalize ipAddress identifiers to the CA
  • Teach the WFE to plumb ipAddress identifiers to the RA
  • Optional: Restrict ipAddress identifiers to an allow-list of registration IDs, to allow slow controlled roll-out
@orangepizza orangepizza mentioned this issue Feb 7, 2024
Closed
@Manouchehri
Copy link

Is there any planned target date for this? =)

@aarongable
Copy link
Contributor Author

While we do have internal goals, we do not have a date that we are willing to commit to in public, sorry.

@Manouchehri
Copy link

No worries, I’m just excited!

@Tyrasuki
Copy link

Perhaps a trivial question, but I assume this would include IPv6 address identifiers?

@aarongable aarongable mentioned this issue Aug 29, 2024
Merged
jsha pushed a commit that referenced this issue Aug 30, 2024
@aarongable
Lay the groundwork for supporting IP identifiers (#7692)
dad9e08 
Clean up how we handle identifiers throughout the Boulder codebase by
- moving the Identifier protobuf message definition from sa.proto to
core.proto;
- adding support for IP identifier to the "identifier" package;
- renaming the "identifier" package's exported names to be clearer; and
- ensuring we use the identifier package's helper functions everywhere
we can.

This will make future work to actually respect identifier types (such as
in Authorization and Order protobuf messages) simpler and easier to
review.

Part of #7311
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/ca area/ra area/sa area/va area/wfe blocked
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@aarongable @Manouchehri @Tyrasuki