Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Should usage of IP addresses be allowed/mentioned within the spec? #39

Open
kdenhartog opened this issue Sep 7, 2021 · 5 comments
Open

Comments

@kdenhartog
Copy link
Contributor

I was thinking about it recently and came to realize that if the domain is replaced with an IP address, did:web can be made fairly decentralized while still maintaining all the main benefits around ease of integration. Would it be worth explicitly mentioning it with some examples? From what I can tell with the referenced domain ABNF in [RFC1035], [RFC1123], and [RFC2181] there's no specific mention about how IP addresses could be a domain name (which makes sense). However, if we change the definition to be based around the host/path portion of a URL (thinking referencing WHATWG URL spec here) then it should make this possible.

Thoughts on supporting this?

@dmitrizagidulin
Copy link
Collaborator

@kdenhartog great question.
The main challenge with using IP addresses with did:web is SSL certificates. Specifically, did:web requires TLS encryption. And not all certificate companies allow IP addresses in their certs (even though it's allowed in the specs).
For example, one of the most commonly used orgs, Let's Encrypt, does not allow IP addresses in their certs.
So, it's more a practicality question I think.

@gribneau
Copy link
Contributor

gribneau commented Sep 7, 2021

An SSL certificate could be issued for an IP address in either the common name field or as a subject alternative name. Such a certificate should work for https://a.b.c.d where a.b.c.d is a publicly routable IPv4 address.

Cloudflare is a famous example:
https://1.1.1.1/

SAN records should also support ipv6, but I don't think either ipv4 or ipv6 addresses have gained much traction in SSL certificates.

@kdenhartog
Copy link
Contributor Author

kdenhartog commented Sep 8, 2021

I'd expect that someone running this would likely be running self signed certs as well. Some examples where I think this is useful is going to be in internal networks to be able to identify service requests (thinking like a zero trust micro service architecture) or in a limited number of IoT use cases where it's for IoT devices to validate requests within an internal network. Although I'll admit these are ideas that I've not actually implemented yet, but just had the idea when I was working on our web implementation and wanted to kick off the discussion for.

@pchampin
Copy link

I would also like to see IP addresses allowed in did:web, although I appreciate the issue related to SSL certificates.

Another issue I can see if with IPv6 addresses, because they use colons (:) instead of dots (.) as a separator. Would it be possible to unambiguously recognize an IPv6 "domain name" in a did:web DID?

@kdenhartog
Copy link
Contributor Author

If I'm remembering correctly we got around this issue previously through the usage of URL encoding characters to prevent confusion. We might be able to do that again so that IPv6 addresses are just a single long URL encoded string, but this would probably require more specific reading to make sure it's not violating did-core or introducing unintended side effects.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants