Begin issuing certificates with IP Address identifiers

[aarongable]

This bug is an umbrella/tracking bug, acting as a one-stop-shop to see progress on the multiple sub-tasks necessary to achieve this 2024 OKR.

We intend to support IP Address identifiers only in short-lived certificates.

Prerequisities:

• Allow clients to select a "profile" via ACME API query parameters #7309
• Begin issuing certificates with a validity period less than 10 days #7310

Subtasks:

• Teach the SA to store authorization objects with identifier type "ipAddress"
• Teach the RA to plumb new-order ipAddress identifiers to the SA
• Implement RFC 8738: ACME IP Identifier Validation #2706 in the VA and RVA
• Teach the RA to plumb challenge ipAddress identifiers to the VA and RVA
• Ensure the CA produces correct and compliant certificates including IP addresses
• Ensure the CA rejects issuance of long-lived certs with ipAddress identifiers
• Teach the RA to plumb finalize ipAddress identifiers to the CA
• Teach the WFE to plumb ipAddress identifiers to the RA
• Optional: Restrict ipAddress identifiers to an allow-list of registration IDs, to allow slow controlled roll-out

[Manouchehri]

Is there any planned target date for this? =)

[aarongable]

While we do have internal goals, we do not have a date that we are willing to commit to in public, sorry.

[Manouchehri]

No worries, I’m just excited!