On 01/09/17 03:58, Martin Thomson wrote:
> On Fri, Sep 1, 2017 at 10:47 AM, Adam Roach <a...@nostrum.com> wrote:
>> On 8/31/17 19:25, Stephen Farrell wrote:
>>>
>>> I really like the idea that the acme WG aims to figure out a way to enable
>>> people at home to use https with their home n/w routers.
> ...
>> There was some musing at the W3C TPAC in Lisbon last year on this topic. The
>> tricky part is figuring out what kind of model makes sense for the certs at
>> all. I suspect we'd need to come to some agreement on that issue before
>> trying to work out how ACME can be used to issue them. There's some
>> background reading at
>> <https://www.w3.org/wiki/TPAC2016/session-https-local-summary>, mostly in
>> the form of slide decks.
>
> I don't see acme-ip being the solution here. Everyone has - or could
> have - a 10.0.0.1. The same applies to .local (see below). The
> movement needs to come from the relying party side.
>
> Thanks for sharing the link Adam, I was not aware of this. For the
> benefit of folks in the galleries, the three talks discuss two
> options.
>
> The first two talk about providing *real* names for the devices
> (<device-id>.<manufacturer>.com for example). The nice thing with
> that is that that solution already works today. With ACME, if the
> manufacturer is willing to answer the challenges, the device only
> needs some way to talk to the manufacturer when it wants a
> certificate, not have an actual online presence. (Insert usual
> concerns about the manufacturer going out of business, etc...)
>

There's also the concern of how to get that scheme to work for openwrt
devices and similar, which is related. It'd be a fail if that couldn't
work, I reckon.

Separately, I took a VPN-approach [1] in my highly-specific environment -
I wonder if something like that (replacing the names and IPv6 addresses
I used with device-id based names and addresses) might address some of
the privacy issues with the first approach described. [2]

S.

[1] https://my-own.net/ab/forum/question/3/how-did-you-get-https-within-the-home/
[2] https://www.w3.org/wiki/images/4/43/Http-migration-in-local-network.pdf

> I'm not sure that I fully grok the last one, but it talks about an
> ACME-like protocol that is mediated by a browser. It also talks about
> creating certificates for non-unique names on .local, so I'm not sure
> that it's feasible.
>
> Not discussed here, but we've talked a bit about using key continuity
> for network-local devices and changing the "bad certificate" page we
> show on first connection (with a different page when a different key
> is presented by the device).
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
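As an added illustration (not code from this thread or from any ACME implementation) of the `<device-id>.<manufacturer>` model Martin describes, the following Python shows the manufacturer's side of a dns-01 challenge: the device hands over its ACME account public key (JWK) once, and the manufacturer, which controls the DNS zone, computes and publishes the TXT record for each challenge token the CA issues, so the device never needs an online presence of its own. The thumbprint follows RFC 7638 and the key authorization and TXT value follow RFC 8555 §8.1 and §8.4. The zone `devices.example`, the device id `router-0001`, the JWK coordinates and the challenge token are all constructed placeholders.

```python
import base64
import hashlib
import json
import re

# Members that RFC 7638 requires in the thumbprint input, per key type.
# Any other JWK members (alg, use, kid, ...) are excluded from the hash.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}

# ACME challenge tokens are base64url strings (RFC 8555 §8.3); refuse anything else
# before it reaches the hash or a DNS record.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555 §8)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Canonical JSON for the thumbprint: required members only, keys sorted
    lexicographically, no whitespace (RFC 7638 §3)."""
    kty = jwk["kty"]
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty}")
    members = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}  # KeyError if a member is missing
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JWK))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.1: token || '.' || base64url(JWK thumbprint of the account key)."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("challenge token is not a base64url string")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_record(device_id: str, manufacturer_zone: str, token: str, account_jwk: dict):
    """Returns (TXT owner name, TXT value) the manufacturer publishes to satisfy
    a dns-01 challenge (RFC 8555 §8.4) for <device-id>.<manufacturer zone>."""
    fqdn = f"{device_id}.{manufacturer_zone}"
    keyauth = key_authorization(token, account_jwk)
    value = b64url(hashlib.sha256(keyauth.encode("ascii")).digest())
    return f"_acme-challenge.{fqdn}", value


# Constructed sample inputs: a P-256 account JWK with placeholder coordinates
# (not a real key) and a placeholder challenge token; names are hypothetical.
DEVICE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-base64url",
    "y": "placeholder-y-coordinate-base64url",
    "kid": "router-0001",  # present in the JWK but ignored by the thumbprint
}
SAMPLE_TOKEN = "placeholder-challenge-token"

if __name__ == "__main__":
    name, value = dns01_txt_record("router-0001", "devices.example", SAMPLE_TOKEN, DEVICE_JWK)
    print(f'{name} IN TXT "{value}"')
```

Because the thumbprint is bound to the device's account key, the manufacturer can answer challenges without ever holding the device's private key; the device still has to contact the manufacturer (or the CA, via the manufacturer) to fetch the issued certificate, which is the residual dependency the quoted "manufacturer going out of business" concern refers to.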
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme