On 9/18/14, 2:10 PM, STARK, BARBARA H wrote:
Self-signed certs bring only confusion, IMO: they are nothing more than a
raw key with an unsubstantiated claim to another name, along with a whole
lot more ASN.1 baggage beyond what is needed to parse the modulus and
exponent.
And you don't get usage or policy restrictions without a CA that the
*HOMENET* trusts to assert them, nor can that sort of policy assertion be
done with device certs since I don't have any reason to believe fly-by-night's
routers should be allowed to do whatever it is they claim they want to do.
No, this would only be true if there were an implied authorization to go along
with the authentication.
Yes, I agree and that's why self-signed and/or manufacturer certs are of no help.
There is no believable authz in them. A homenet would need to run its own CA, or use a CA that it delegates authz to. Or does something that avoids certs altogether and provides its own enrollment/authz solution.
Mike
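An added example, not part of the thread, that models the distinction drawn above: verifying a cert chain to a CA the homenet trusts authenticates a name claim, while authorization is the homenet's own decision, so a self-signed cert (or one that merely names the CA as issuer) carrying the same name gets nothing. It uses the Python `cryptography` package; the names "homenet-ca" and "router1" and the policy table are constructed for the example.

```python
# Added example (not from the thread; needs the 'cryptography' package; names and
# policy table are constructed): a homenet CA issues device certs, and authorization
# comes from the homenet's own policy keyed by the CA-vouched name, never from
# claims a device writes into a self-signed cert.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, issuer_cn, signing_key, pubkey, is_ca=False):
    """Build a cert; self-signed when issuer_cn == subject_cn and signing_key owns pubkey."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def authorize(cert, homenet_ca, policy):
    """Return the role the homenet grants to cert, or None.
    Authentication of the name claim: issuer matches and the signature verifies
    under the homenet CA's key. Authorization: looked up in the homenet's own
    table, so a device cannot grant itself anything via its own cert."""
    if cert.issuer != homenet_ca.subject:
        return None                      # not issued in the homenet's name
    try:
        homenet_ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return None                      # names the CA, but the CA never signed it
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return policy.get(cn)                # authz lives in the homenet, not in the cert

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    homenet_ca = issue("homenet-ca", "homenet-ca", ca_key, ca_key.public_key(), is_ca=True)
    policy = {"router1": "forward-traffic"}         # the homenet's own authz decision
    dev_key = ec.generate_private_key(ec.SECP256R1())
    enrolled = issue("router1", "homenet-ca", ca_key, dev_key.public_key())
    other_key = ec.generate_private_key(ec.SECP256R1())
    self_signed = issue("router1", "router1", other_key, other_key.public_key())
    name_only = issue("router1", "homenet-ca", other_key, other_key.public_key())
    return (authorize(enrolled, homenet_ca, policy),
            authorize(self_signed, homenet_ca, policy), authorize(name_only, homenet_ca, policy))
```

Only the cert the homenet CA actually signed is granted a role; the other two, despite the identical "router1" claim, are refused before any policy lookup happens.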
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet