by hojofpodge 148 days ago
Something about a 6 day long IP address based token brings me back to the question of why we are wasting so much time on utterly wrong TOFU authorization?

If you are supposed to have an establishable identity, I think there is DNSSEC back to the registrar for a name and (I'm not quite sure what?) back to the AS for the IP.


Domains map one-to-one with registrars, but multiple AS can be using the same IP address.
Then it would be a grave error to issue an IP cert without active insight into BGP. (Or it doesn't matter which chain you have... But calling a website from a sampling of locations can't be a more correct answer.)
> it would be a grave error to issue an IP cert without active insight into BGP

Why? Even regular certs are handed out via IP address.

> why we are wasting so much time on utterly wrong TOFU authorization? If you are supposed to have an establishable identity I think there is DNSSEC back to the registrar

They retire challenges that were once acceptable. What happens if they require a real chain of trust? They retire http and domain names keep working on DNS/DNSSEC.

Making IP with only http challenges is going backwards.