
In theory every AS, ISP provider or whatever, holds a certificate proving that it owns the range of addresses assigned to it. This is the Resource Public Key Infrastructure (RPKI), and it seems well implemented. If I understand correctly, the ISP is expected to use it to sign claims of routing and stuff related to BGP.

Now, if I need, say, an HTTPS or another kind of SSL-based certificate for a given machine, and the machine is going to be accessed using the IP address, can the AS use its certificate to sign my CSR, in order to assert the claim that my machine is associated with this IP?

The question is at least three-fold: I do not know if such an RPKI certificate is technically allowed to make this kind of signature, I do not know if it is allowed by the policies, and I do not know if browsers would accept the CA chain of the infrastructure.

arivero
  • https://stackoverflow.com/questions/2043617/is-it-possible-to-have-ssl-certificate-for-ip-address-not-domain-name – Barry Pollard Jan 25 '18 at 23:05
  • @BarryPollard yes, so the question is, can the AS, the owner of the IP, sign it, instead of requiring a different, DNS-whois-inspired organisational chain to do it? – arivero Jan 26 '18 at 23:51
  • But even if it would work (RFC6487 does not seem to deny using this CA to sign other certificates than the ones in RPKI), how would it scale? Each browser would need to have each CA from all AS/ISP providers in the world to be able to verify websites hosted on IPs in these AS/ISPs. There are already far too many CAs trusted in certificate stores, so having even more of them seems a wrong move. – Patrick Mevzek Mar 07 '18 at 23:24

0 Answers