> TLS certificates for IP addresses are already a thing that exists.
Still not in wide use. It's when it gets into wide use that you end up having to include it in everything.
For now, it's a parlor trick, and it's a parlor trick that shouldn't work.
> nobody is going to remove support for things that work today just because it'd be slightly cleaner.
Work, but shouldn't and aren't actually used except by crazy people.
> If that doesn't work in a given TLS client, this will be treated as a bug in that client, and rightly so.
I've tried to use TLS on microcontrollers that barely had the memory to parse X.509 at all. Including stuff just because you can doesn't make that better.
... and I'm not going to go check the relevant RFCs, but I very much doubt that IP SANs are listed as a MUST. If I'm wrong, well, that's still a bug in the RFCs.
> Also, how would DoH or DoT work without this?
Hardwired keys for your trusted resolvers. Given that the whole CA infrastructure long ago gave up on doing any really robust verification of who was asking for a cert, making your DNS dependent on X.509 is a bad idea anyway. But if you really want to do it even though it's a bad idea, you can also bootstrap via the local DNS resolver and then connect to your DoH/DoT server using a domain name.
DoH, of course, is a horrible idea in itself, but that's another can of worms.
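The two mechanisms the comment contrasts, an iPAddress SAN checked by the TLS client and a hardwired (pinned) key for a trusted resolver, as an added Go example that is not part of the comment above. It generates a self-signed certificate for a hypothetical DoT resolver (the name `dot.resolver.example` and the TEST-NET address `192.0.2.53` are constructed), then shows that Go's `crypto/x509` matches an IP literal only against iPAddress SANs, never against a dNSName entry or the CN, and how an SPKI pin for that resolver would be computed and checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MakeResolverCert builds a self-signed server certificate with the given
// dNSName and iPAddress SANs. The key and certificate are generated on the
// fly; this stands in for whatever a real resolver operator would deploy.
func MakeResolverCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "dot.resolver.example"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NameMatches reports whether the certificate is valid for the connection
// target. An IP literal is compared only against the iPAddress SANs, so a
// certificate whose "192.0.2.53" lives in a dNSName entry does not match.
func NameMatches(cert *x509.Certificate, target string) bool {
	return cert.VerifyHostname(target) == nil
}

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)), the value an
// operator would hardwire for a trusted resolver instead of relying on a CA.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinMatches checks a presented certificate against a hardwired pin.
// A client using this check needs no CA trust store for the resolver at all.
func PinMatches(cert *x509.Certificate, pin string) bool {
	return SPKIPin(cert) == pin
}

func main() {
	cert, err := MakeResolverCert(
		[]string{"dot.resolver.example"},              // constructed dNSName SAN
		[]net.IP{net.ParseIP("192.0.2.53")},           // constructed iPAddress SAN
	)
	if err != nil {
		panic(err)
	}
	fmt.Println("matches 192.0.2.53 :", NameMatches(cert, "192.0.2.53"))
	fmt.Println("matches 192.0.2.54 :", NameMatches(cert, "192.0.2.54"))
	fmt.Println("pin for resolver   :", SPKIPin(cert))
}
```

The pin check is the "hardwired key" approach: the client compares the SPKI hash of whatever the resolver presents against a value it shipped with, independent of any CA. The SAN check is what a client does when it connects to a bare IP address; bootstrapping via the local resolver and then connecting by domain name, as the comment suggests, means the second branch of `VerifyHostname` (the dNSName match) is used instead and no iPAddress SAN is needed.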