On Thu, 2019-10-17 at 17:35 +0200, Laszlo Ersek wrote:
> Reference [2] advises to put the IP address in both CN and
> SAN.iPAddress
> for best compatibility, and that would be fine, for
> X509_VERIFY_PARAM_set1_ip(). But the word "only" in [3] is really bad
> for X509_VERIFY_PARAM_set1_ip().

I don't believe it's true, and it conflicts with what's in [2] which
suggests that you do it properly *and* put it in the legacy CN for the
benefit of broken clients.

None of this convinces me that EDK2 should deliberately be one of those
"broken clients". Just fix it. Let people worry about compatibility
with historical buggy versions of proprietary operating systems when
they issue their certs.