> > UPnP Device Protection uses X.509 certificates (which can be self-signed,
> > and in order not to assume a WAN connection, really should be self-signed)
> > and TLS.

> I think that something like this, in combination with the promiscuous
> registration mechanism that I think Michael described earlier, would do the
> trick. It's not clear that we need X.509 certs, since I have trouble imagining
> that the keys these devices have would ever be signed by a CA. A bare key
> might be plenty. But I think this is a better option than trying to shoehorn
> this functionality into IPsec, which was designed for a _very_ different
> security context.

X.509 certificates can be self-signed. That is, the device acts as its own CA. In fact, this is the recommended approach.

Barbara

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
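As an added illustration of what "the device acts as its own CA" means in practice (example code written for this page, not from the thread, UPnP Device Protection or any homenet implementation): with Go's standard library, a certificate created with itself as parent verifies under its own key, and a peer that has no WAN CA to consult trusts it only after that exact certificate has been registered as a trust root, which stands in here for the registration step mentioned above. The device name and the validity period are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewSelfSignedDeviceCert generates a key pair plus a certificate signed by that
// same key (issuer == subject, CA flag set), so the device acts as its own CA.
func NewSelfSignedDeviceCert(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name}, // constructed example name
		NotBefore:             time.Now().Add(-time.Hour),  // tolerate peer clock skew
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	// passing tmpl as its own parent is what makes the certificate self-signed
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IsSelfSigned reports whether the certificate's signature verifies under its
// own public key, i.e. no external CA was involved in issuing it.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.CheckSignatureFrom(c) == nil
}

// TrustedAfterRegistration is the peer's check: with no WAN CA to consult, a
// device certificate is accepted only if that exact certificate was registered
// (pinned) earlier as a trust root. An unregistered self-signed cert fails.
func TrustedAfterRegistration(c *x509.Certificate, registered *x509.CertPool) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: registered})
	return err == nil
}
```

The first registration is therefore the security-critical moment: anything the peer pins at that point is trusted from then on, so the pairing step, not the certificate, is what binds the key to a physical device.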