Optionally set source-address critical extension?

[alex]

Certs can set a critical extension source-address to an IP address, which is then the only IP allowed to use this certificate.

Since we're issuing short lived certs, roaming is probably not a concern. Would it make sense to automatically set this to the requesting client's IP?

[alex]

Ran into another use case this would be a problem for: If you're SSHing into something on your local network, then your source address will be a local IP, but hallow would still see your global IP.

[paultag]

Having it be optional could be interesting - but passing it would either mean breaking API (and doing something like #66) or passing a header

[alex]

I was thinking it'd be a configuration option for hallow itself. Maybe `HALLOW_SOURCE`, default=`none`. Other values: `auto` (set it to the requesting IP) or a comma separated CIDR list

…

On Sat, Mar 7, 2020 at 12:08 PM Paul Tagliamonte ***@***.***> wrote: Having it be optional could be interesting - but passing it would either mean breaking API (and doing something like #66 <#66>) or passing a header — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#93?email_source=notifications&email_token=AAAAGBFUXYPSARFAJNGWUPLRGJ5PVA5CNFSM4KWSVVNKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEOD6PJY#issuecomment-596109223>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBA7TTXL7LU2XPHETETRGJ5PVANCNFSM4KWSVVNA> .

-- All that is necessary for evil to succeed is for good people to do nothing.