Chris's Wiki :: blog/tech/TLSCertVerifyTwoParts Comments
https://utcc.utoronto.ca/~cks/space/blog/tech/TLSCertVerifyTwoParts?atomcomments
DWiki, 2019-09-20T10:57:36Z
Recent comments in Chris's Wiki :: blog/tech/TLSCertVerifyTwoParts.

By David Magda (http://www.magda.ca/) on /blog/tech/TLSCertVerifyTwoParts
<div class="wikitext"><p>It should be noted that there is an extension to the X.509v3 certificate format that allows one to specify IP address(es):</p>
<ul><li><a href="https://tools.ietf.org/html/rfc3779">https://tools.ietf.org/html/rfc3779</a></li>
</ul>
<p>It's probably almost never used, but it is technically possible.</p>
</div>
2019-09-20T10:57:36Z

From 193.219.181.226 on /blog/tech/TLSCertVerifyTwoParts
<div class="wikitext"><blockquote><p>you can't trust anything the 802.1X server itself claims about what it should be called, and the only other information you have is (perhaps) the free-form name of the network (as, for example, the wireless SSID).</p>
</blockquote>
<p>To be honest I'm wondering why 802.1X clients do not default to using the domain name of your account as the server name to match against.</p>
<p>Recent Androids will ask for the server name along with the usual EAP credentials. (They perform a suffix match, so entering <code>utoronto.ca</code> will match any cert issued for any subdomain.) NetworkManager and wpa_supplicant both have the same "domain-suffix-match" option.</p>
<p>So IMHO it would be possible (and really convenient) if entering "Identity: foo@example.com" would auto-fill "Server domain: example.com". It would be perfectly suitable for eduroam-style networks, where the TLS cert depends on your identity.</p>
<blockquote><p>The second example is wanting to use DNS over TLS or DNS over HTTPS to talk to the DNS servers you find through DHCP or have in a normal resolv.conf. In both of these cases, the protocol and the configuration file only specify the DNS servers by IP address, with no names associated with them</p>
</blockquote>
<p>It seems one can nowadays get certificates issued for global IP addresses – at least the giants (1.1.1.1 and 8.8.8.8) have done so for DoH and DoT.</p>
<p>(For private addresses, I guess a private CA would be required as well.)</p>
</div>
2019-09-20T07:55:46Z
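As an added illustration of the two checks this comment discusses (example code, not from the blog or the commenter): deriving the server domain from the EAP identity, the label-boundary suffix match that wpa_supplicant's domain_suffix_match performs against the certificate's dNSName entries, and an exact match of a resolver's IP address against the certificate's iPAddress SAN entries. The SAN lists below are constructed sample data, not real certificates.

```python
import ipaddress
from typing import Iterable, Optional


def server_domain_from_identity(identity: str) -> Optional[str]:
    """Derive the server domain a client could auto-fill from an EAP identity.
    'foo@example.com' -> 'example.com'; None when the identity carries no realm."""
    _, sep, realm = identity.rpartition("@")
    if not sep or not realm.strip():
        return None
    return realm.strip().lower().rstrip(".")


def domain_suffix_match(san_dns_names: Iterable[str], suffix: str) -> bool:
    """Suffix match at a DNS label boundary, as wpa_supplicant's domain_suffix_match does.
    'utoronto.ca' matches 'utoronto.ca' and 'radius.utoronto.ca', but a plain
    endswith() would also accept 'evilutoronto.ca', so the boundary check matters.
    Only subjectAltName dNSName values are considered here."""
    suffix = suffix.lower().rstrip(".")
    if not suffix:
        return False  # an empty suffix would match every certificate
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == suffix or name.endswith("." + suffix):
            return True
    return False


def ip_san_match(san_ip_addresses: Iterable[str], server_ip: str) -> bool:
    """Exact match of the address actually connected to against iPAddress SAN entries:
    the check a DoT/DoH client needs when it only knows the resolver by IP."""
    target = ipaddress.ip_address(server_ip)
    return any(ipaddress.ip_address(a) == target for a in san_ip_addresses)


# Constructed sample SAN contents for a hypothetical RADIUS server certificate
# and a hypothetical public resolver certificate (illustrative values only).
SAMPLE_RADIUS_SAN_DNS = ["radius.utoronto.ca", "eduroam.utoronto.ca"]
SAMPLE_RESOLVER_SAN_IP = ["1.1.1.1", "2606:4700:4700::1111"]


def verify_eduroam_style(identity: str, san_dns_names: Iterable[str]) -> bool:
    """Auto-fill the server domain from the identity, then suffix-match the cert."""
    domain = server_domain_from_identity(identity)
    return domain is not None and domain_suffix_match(san_dns_names, domain)


if __name__ == "__main__":
    print(verify_eduroam_style("foo@utoronto.ca", SAMPLE_RADIUS_SAN_DNS))   # True
    print(verify_eduroam_style("foo@utoronto.ca", ["evilutoronto.ca"]))      # False
    print(ip_san_match(SAMPLE_RESOLVER_SAN_IP, "1.1.1.1"))                  # True
```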