Reading the spec, I can’t see why not, wondering if anyone knew.

  • @[email protected]
    41 month ago

    Having not read the spec, if there are any requirements for HTTPS, you most certainly will need a domain name for the TLS certificate.

    • slazer2au
      31 month ago

      SAN does support IPs.

      • @[email protected]
        41 month ago

        If you can point me to a CA that will allow you to request a cert for an IP address, that’d be great.

        • @[email protected]
          11 month ago

          I haven’t tried this, but searching Google shows SSL.com does allow it, granted you can demonstrate the requirements:

          • The IP address you wish to secure must be public, and your organization must own it.
            • The IP address ranges 10.x.x.x and 192.168.x.x are prohibited.
            • A WHOIS lookup of the IP address should show your organization’s name, address, phone number, and email contacts (not your web hosting provider’s).
          • Control over the IP address must be demonstrated by the HTTP/HTTPS file lookup method. The email challenge response and DNS CNAME lookup methods may not be used to validate an IP address.
          • @[email protected]
            21 month ago

            So you need to own and operate your own ASN. I guess that’s better than what I thought but it’s nowhere near attainable for regular people.

            • @[email protected]
              11 month ago

              If you are OK with IPv6, you can get a /48 and a 4-byte ASN for a few hundred dollars for the registration fee. The 4-byte ASN isn’t even necessary. You can then use AWS/Oracle/Alibaba or some other public cloud to advertise your registered IPv6 address block on your behalf. A WHOIS lookup will show the details you used with the registrar.

      • @[email protected]
        21 month ago

        Right, it can be done, but it would require a CA that supports that; not all do. For example, Let’s Encrypt doesn’t allow bare IP addresses. I was assuming the question about an IP address was raised due to an aversion to purchasing a domain name. If so, then a TLS certificate is another cost to consider, and if not using a domain name, then the main free option becomes unavailable.

    • kopper [they/them]
      31 month ago

      there is a general “encrypted transport” requirement which in real world use mandates HTTPS (although it’s worded broadly to allow for onion services and whatnot which provide their own encryption outside TLS)