Let's Encrypt is about to launch IP certificates. Although their validity period is only seven days, that still cannot prevent former holders of an IP from carrying out MITM attacks within those 7 days.
I suggest that when issuing an IP certificate, the CA checks whether the current IP has valid certificates in CT. If so, require that they come from Let's Encrypt and from the same ACME account. Otherwise, the issuance is rejected and the request must be resent with an extra manual confirmation flag (in case of a lost account).
(It can come from the same account, as it is evident that the certificate needs to be renewed within its validity period)
And when the IP has been assigned to a different user who also needs an IP certificate, what then? Why are you suggesting that their legitimate order be rejected? I understand your motivation, but clearly the execution is flawed.
One of the big motivators for short lived certs is that revocation is broken and doesn't work as intended. So it's not that revoking previously used certs that are still valid doesn't help a little, it's just not the silver bullet you seem to think it might be.
I believe a revocation method is not required for short lived certificates.
Depending on the CA implementation, per CA/B rules, it may not be possible to revoke a short-lived certificate.
This is because OCSP responses were valid for 7 days, so theoretically you could revoke a certificate and continue serving a valid stapled response for 7 more days.
Note carefully the distinction between the cert itself having a CRL URL and the possibility of a short-lived cert still being revocable and appearing in a CRL dataset.
I think they are commenting about the life of the cert itself, not reuse of the authorization.
That is, person A gets a cert for an IP address. For whatever reason that IP is now controlled by person B. Person A's cert would still be valid for that traffic subject to all the normal, um, difficulties of hijack.
It is really no different than when a domain is sold or reused. Just that in some environments IP addresses don't "belong" to the same controlling entity for very long. For example, I have an AWS server that gets a fresh IPv4 address only for outbound IPv4 traffic if needed. The server releases that IPv4 address immediately after, which may be just a few minutes. That IP may be assigned to someone else. (This server otherwise uses IPv6.)
In fact, domain names usually have a protection period of several months after expiration before they can be purchased by others to avoid this situation.
The CA/B Forum sets the requirements for certs containing IP identifiers. It isn't something LE invented on its own. Any solution must consider the entire ecosystem. IP identifiers have been discussed for a long time.
LE is an automated-only solution. Staff have said on other occasions they have no wish to engage in manual processes. They can provide a free service with a small team accordingly.
Other CAs already issue certs with IP identifiers. Again, this is not unique to LE.
As an aside ... I disagree as to why domain names have a protection period. While LE certs can have a max life of 90 days today, other CAs offer longer-lived certs. It wasn't all that many years ago (well, maybe it was), but certs used to be good for several years, well beyond any relatively brief domain name lockout.
Beyond what others have said, I'll note that this idea would prevent site operators from switching CAs. If they want to move from LE to any other CA, and that CA had implemented this algorithm, they would refuse to issue the cert: they can see that there's a valid cert in CT and that they didn't issue it, so they don't know what account requested it. This means the site operator would have to let their current cert expire before they can get a new one from a different CA, which is a bad experience for everyone.
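As an added illustration of the rule proposed at the top of the thread and of the objections raised against it (this is example code written here, not code from the forum, from Let's Encrypt or from any CA; the CA names, account ids and CT entries are constructed):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class CtEntry:
    """One certificate as visible in CT logs (constructed sample data)."""
    serial: str
    ip: str
    issuer: str
    not_before: datetime
    not_after: datetime


def proposed_policy(ip, ca, account, ct, own_accounts, now, manual_confirmation=False):
    """Decide an IP-certificate order under the rule proposed in the thread.

    own_accounts maps serials of certs *this* CA issued to the ACME account
    that ordered them; for certs from another CA the account is unknown.
    """
    if manual_confirmation:
        return "issue"  # the proposal's escape hatch for a lost account
    live = [e for e in ct if e.ip == ip and e.not_before <= now < e.not_after]
    for e in live:
        if e.issuer != ca:
            return "reject"  # a valid cert exists, but another CA issued it
        if own_accounts.get(e.serial) != account:
            return "reject"  # same CA, but a different ACME account
    return "issue"


def run_scenarios():
    """Exercise the rule on the situations raised in the thread."""
    t0 = datetime(2025, 12, 1, tzinfo=timezone.utc)
    ct = [CtEntry("s1", "203.0.113.10", "LE", t0, t0 + timedelta(days=7))]
    own = {"s1": "acct-A"}  # LE's own record: s1 was ordered by acct-A
    kw = dict(ip="203.0.113.10", ct=ct, now=t0 + timedelta(days=3))
    return {
        # acct-A renews its own cert before expiry: allowed, as intended
        "renewal": proposed_policy(ca="LE", account="acct-A", own_accounts=own, **kw),
        # the IP moved to a new holder with another account: their legitimate order is refused
        "new_holder": proposed_policy(ca="LE", account="acct-B", own_accounts=own, **kw),
        # the same operator tries another CA that adopted the rule: it sees a live
        # cert it did not issue, cannot match the account, and refuses
        "switch_ca": proposed_policy(ca="OtherCA", account="acct-A", own_accounts={}, **kw),
        # the manual flag bypasses the check entirely
        "manual": proposed_policy(ca="LE", account="acct-B", own_accounts=own,
                                  manual_confirmation=True, **kw),
        # once the seven-day cert has expired there is nothing left to block
        "after_expiry": proposed_policy(ca="LE", account="acct-B", own_accounts=own,
                                        ip="203.0.113.10", ct=ct, now=t0 + timedelta(days=8)),
    }
```

The "new_holder" and "switch_ca" outcomes are the two cases the replies above object to: the rule cannot tell a hijack attempt from a legitimate new holder or a CA migration.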
I think a number of non-ICANN public suffixes can be affected by this, such as SaaS domains or dynamic DNS services.
There's also been a long history of domains being purchased to capture residual traffic from services still communicating with them, even after a protection period.
For expired domains, sure. But domain ownership is transferred between entities all the time with zero delay beyond waiting for TLD NS record TTLs to expire.
Thanks everyone, I understand the problem now.
But I remember the IP certificate will be launched in 2025, and now there are only two weeks left. May I ask if it has been postponed?