How do you bootstrap trust relationships without an initial certificate (whether installed at manufacturing or during a customer fulfillment stage)?
-------- Original message --------
From: Michael Thomas <m...@mtcc.com>
Date: 09/18/2014 4:17 PM (GMT-06:00)
To: homenet@ietf.org
Cc:
Subject: Re: [homenet] HNCP security?

On 9/18/14, 2:10 PM, STARK, BARBARA H wrote:
>> Self-signed certs bring only confusion, IMO: they are nothing more than a
>> raw key with an unsubstantiated claim to another name, along with a whole
>> lot more ASN.1 baggage beyond what is needed to parse the modulo and
>> exponent.
>>
>> And you don't get usage or policy restrictions without a CA that the
>> *HOMENET* trusts to assert them, nor can that sort of policy assertion be
>> done with device certs since I don't have any reason to believe
>> fly-by-night's
>> routers should be allowed to do whatever it is they claim they want to do.
> No, this would only be true if there were an implied authorization to go
> along with the authentication.

Yes, I agree and that's why self-signed and/or manufacturer certs are of no help. There is no believable authz in them. A homenet would need to run its own CA, or use a CA that it delegates authz to. Or does something that avoids certs altogether and provides its own enrollment/authz solution.

Mike

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
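The authentication-versus-authorization point Mike makes can be shown in a few lines of Go; this is an added example, not code from the thread or from any homenet implementation. It assumes the homenet runs its own CA as the sole trust anchor, stands in the "may act as a homenet router" role with the ServerAuth EKU, and uses constructed names ("homenet CA", "router.home") and serial numbers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate { // self-signed when parent == tmpl
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// template asserts the router role as an EKU; the claim is believable only if a CA the homenet trusts signed it.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// authorized accepts leaf only if its chain ends at the homenet CA and that CA granted the router role.
func authorized(homenetCA, leaf *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(homenetCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

// Demo uses one device key and one name claim; only the issuer differs. Returns (CA-issued accepted, self-signed accepted).
func Demo() (bool, bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail here
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := template("homenet CA", 1, true)
	homenetCA := issue(caTmpl, caTmpl, caPub, caKey)
	enrolled := issue(template("router.home", 2, false), homenetCA, devPub, caKey)
	strayTmpl := template("router.home", 3, false)
	stray := issue(strayTmpl, strayTmpl, devPub, devKey)
	return authorized(homenetCA, enrolled), authorized(homenetCA, stray)
}

func main() { a, b := Demo(); println("CA-issued:", a, "self-signed:", b) }
```

The self-signed certificate proves possession of the same key and carries the same name and EKU, yet is rejected: the EKU only means something when the homenet's own CA put it there.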