
Domain or IP #17

Open
birgelee opened this issue Sep 17, 2024 · 4 comments

Comments

@birgelee
Member

* `domain` (required, string): The domain to check the CAA records for.

The draft currently uses the label domain to refer to the domain being validated. ACME and the BRs also support certs for IP addresses. Open MPIC currently refers to this as domain_or_ip_target.

Do we want to change the language to allow this identifier to be an IP address or a domain? How should IP address targets be handled in the future?

@bwesterb
Collaborator

bwesterb commented Sep 17, 2024

How is a CAA check performed for an IP address?

@gcimaszewski
Collaborator

@bwesterb In the BRs, it looks like CAA checking only applies to fully-qualified domain names, and thus there is no CAA check for IPs.
The API would also need some more changes to support IP validation, like a PTR lookup for DNS-based validation.

@SulemanAhmadd
Collaborator

SulemanAhmadd commented Sep 17, 2024

The BR document states: "As part of the Certificate issuance process, the CA MUST retrieve and process CAA records in accordance with RFC 8659 for each **dNSName** in the subjectAltName extension."

So it seems validation of only domain name entries in the SAN is required when validating CAA records. Not sure if CAA records for IP addresses are a thing. There is an expired draft in the LAMPS working group at the IETF for this line of work, but it seems to be abandoned.

@SulemanAhmadd
Collaborator

SulemanAhmadd commented Sep 17, 2024

Ah, I was on a stale page, so @gcimaszewski's comment only just became visible. With that context, I believe this issue is about supporting IP address control validation in the API, IIUC. The first comment on this issue references the CAA check description, hence the confusion.

The HTTP validation method in the draft can be generalized for both domain and IP address in that case.
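As an added illustration of the distinction discussed in this thread (not code from the draft or from the Open MPIC project): a checker that accepts a `domain_or_ip_target`, reports CAA as not applicable for IP address targets (the BRs tie CAA to dNSName entries), and for domains finds the relevant CAA record set by climbing labels as RFC 8659 describes. The zone data, CA identifier and function names are constructed for the example.

```python
import ipaddress

# Constructed CAA data for the example, keyed by fully-qualified name (no trailing dot).
# Each value lists the (flags, tag, value) CAA records published at that name.
CONSTRUCTED_CAA_ZONE = {
    "example.com": [(0, "issue", "ca-one.example"), (0, "iodef", "mailto:sec@example.com")],
    "strict.example.net": [(0, "issue", ";")],  # ";" means no CA may issue
}


def classify_target(target: str) -> str:
    """Return 'ip' if the target parses as an IPv4/IPv6 address, else 'domain'."""
    try:
        ipaddress.ip_address(target)
        return "ip"
    except ValueError:
        return "domain"


def relevant_caa_set(domain: str, zone: dict):
    """RFC 8659 section 3: walk from the domain toward the root and return the
    first name that has a non-empty CAA record set, together with that set."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def caa_permits(domain_or_ip_target: str, ca_identifier: str, zone=CONSTRUCTED_CAA_ZONE):
    """Return (caa_applicable, permitted, matched_name).

    For an IP target the BRs require no CAA processing (CAA applies to dNSName
    SAN entries only), so the check is reported as not applicable and the caller
    must rely on an IP-appropriate validation method instead of this result.
    """
    if classify_target(domain_or_ip_target) == "ip":
        return (False, True, None)
    name, records = relevant_caa_set(domain_or_ip_target, zone)
    if not records:
        return (True, True, None)  # no CAA set anywhere up the tree: no restriction
    issue_values = [v for _, tag, v in records if tag == "issue"]
    if not issue_values:
        return (True, True, name)  # set has only iodef etc.: no restriction on "issue"
    # The issuer domain is the part before any ";" parameters in the value.
    permitted = any(v.split(";")[0].strip().lower() == ca_identifier.lower() for v in issue_values)
    return (True, permitted, name)
```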
