Add docs page about IP cert privacy issues #2059
Open
schoen wants to merge 2 commits into letsencrypt:main from
aarongable
requested changes
Oct 27, 2025
Contributor
While I think the content and ideas here are good, structurally this feels odd to me. If the point of the article (as suggested by the title) is privacy concerns, then those concerns should be front-and-center, not buried in third-level headings halfway through the article.
I would recommend a simpler structure with just three sections:
# Privacy Considerations for IP Address Certificates
Intro, saying that IP certs are new, and that they have some privacy considerations which are shared with domain name certs, and some that are new.
## Revealing the Existence of IPs
Describe certificate transparency; point out that DNS certs are already in CT. Point out that the IPv4 space is constantly being crawled, but the IPv6 space is too big. Conclude that getting a cert for an IPv6 addr will reveal the existence of a web service at that address, and may result in actors both good and bad attempting to crawl that service.
## Binding IPs to Domain Names
The content you have for this is pretty good already. But also add the bit about sharing public keys between IP and DNS certs, so that doesn't have to be buried in the next section.
## Recommendations
The current text doesn't have any recommendations for individuals -- just for device manufacturers and people with data centers. Start with recommendations for Joe Schmoe, who just read this article and is now a bit scared he's gonna mess up. Then move on to device manufacturers and large operators.
|
|
||
| # Privacy Considerations for Home Use of IP Address Certificates | ||
|
|
||
| Since [July 2025](https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate), Let’s Encrypt has been able to issue certificates for IP addresses, in addition to its traditional certificates covering domain names. |
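Review bot: the link on the "Since July 2025" line points at an absolute https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate URL. If this page is served from the same site, a site-relative path (/2025/07/01/issuing-our-first-ip-address-certificate) would keep the link inside whatever build or preview the reader is viewing.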
Avoid using "smart quotes", here and throughout.
Suggested change
| Since [July 2025](https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate), Let’s Encrypt has been able to issue certificates for IP addresses, in addition to its traditional certificates covering domain names. | |
| Since [July 2025](https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate), Let's Encrypt has been able to issue certificates for IP addresses, in addition to its traditional certificates covering domain names. |
This pull request proposes to add a new documentation page that talks about how combining IP address identifiers and domain names can create a privacy risk if the IP address identifiers are on a home network (e.g., with a NAS).
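An added example, not part of the pull request or the proposed docs page: a self-audit over an operator's own certificate inventory for the two exposures discussed in the review, namely IPv6 addresses that a certificate would publish through CT, and IP-to-domain links created by one certificate or by a shared public key. The inventory format, labels and fingerprints are constructed for illustration; the addresses come from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: (label, SAN entries, public key fingerprint).
# 2001:db8::/32 and 192.0.2.0/24 are documentation ranges; names are examples.
CERTS = [
    ("nas-ip",  ["2001:db8:1234::10"],            "spki-A"),
    ("nas-dns", ["nas.example.net"],              "spki-A"),
    ("blog",    ["blog.example.org"],             "spki-B"),
    ("combo",   ["192.0.2.7", "cam.example.com"], "spki-C"),
    ("router",  ["2001:db8:1234::1"],             "spki-D"),
]

def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def linkage_findings(certs):
    """Return sorted (ip, dns_name, reason) links a CT log reader could derive."""
    findings = set()
    by_key = defaultdict(lambda: (set(), set()))
    for _label, sans, spki in certs:
        ips = {s for s in sans if is_ip(s)}
        names = {s for s in sans if not is_ip(s)}
        # One certificate that lists both identifier types links them directly.
        findings.update((ip, n, "same certificate") for ip in ips for n in names)
        by_key[spki][0].update(ips)
        by_key[spki][1].update(names)
    # Separate certificates that reuse one public key link them indirectly.
    for ips, names in by_key.values():
        for ip in ips:
            for n in names:
                if (ip, n, "same certificate") not in findings:
                    findings.add((ip, n, "shared public key"))
    return sorted(findings)

def newly_disclosed_ipv6(certs):
    """IPv6 SANs in the inventory: addresses a certificate would publish via CT."""
    return sorted({s for _, sans, _ in certs for s in sans
                   if is_ip(s) and ipaddress.ip_address(s).version == 6})

if __name__ == "__main__":
    for ip, name, reason in linkage_findings(CERTS):
        print(f"{ip} <-> {name}: {reason}")
    print("IPv6 addresses published via CT:", newly_disclosed_ipv6(CERTS))
```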