Comment by hojofpodge
1 day ago
Something about a 6 day long IP address based token brings me back to the question of why we are wasting so much time on utterly wrong TOFU authorization?
If you are supposed to have an establishable identity I think there is DNSSEC back to the registrar for a name and (I'm not quite sure what?) back to the AS for the IP.
Domains map one-to-one with registrars, but multiple AS can be using the same IP address.
Then it would be a grave error to issue an IP cert without active insight into BGP. (Or it doesn't matter which chain you have.. But calling a website from a sampling of locations can't be a more correct answer.)
>it would be a grave error to issue an IP cert without active insight into BGP
Why? Even regular certs are handed out via IP address.