On 19/09/2014 09:17, Michael Thomas wrote:
>
> On 9/18/14, 2:10 PM, STARK, BARBARA H wrote:
>>> Self-signed certs bring only confusion, IMO: they are nothing more than a
>>> raw key with an unsubstantiated claim to another name, along with a whole
>>> lot more ASN.1 baggage beyond what is needed to parse the modulo and
>>> exponent.
>>>
>>> And you don't get usage or policy restrictions without a CA that the
>>> *HOMENET* trusts to assert them, nor can that sort of policy assertion be
>>> done with device certs since I don't have any reason to believe fly-by-night's
>>> routers should be allowed to do whatever it is they claim they want to do.
>> No, this would only be true if there were an implied authorization to
>> go along with the authentication.
>
> Yes, I agree and that's why self-signed and/or manufacturer certs are of
> no help.

Surely they are of help for secure *identification* of devices? Authorisation is a separate step.

> There is no believable authz in them. A homenet would need to run its
> own CA, or use a CA that it delegates authz to. Or does something that avoids certs
> altogether and provides its own enrollment/authz solution.

Yes, but with the identity of the devices verified by cert.

Brian

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
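The following is an added example, not part of the thread above and not code from any of its participants. It uses Go's standard-library crypto/x509 to show the distinction being argued: a pinned self-signed certificate is sufficient to *identify* a device (we learn which key we are talking to), but a role or usage claim is only worth honouring when a CA the homenet itself trusts has asserted it. The role extension OID (1.3.6.1.4.1.99999.1), the device name and the role strings are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder OID for a "role" extension; a real profile would
// register its own. Whoever signs the cert is asserting this role.
var roleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// leafTemplate builds an end-entity template carrying a role extension.
func leafTemplate(name, role string) (*x509.Certificate, error) {
	val, err := asn1.Marshal(role)
	if err != nil {
		return nil, err
	}
	return &x509.Certificate{
		SerialNumber:    big.NewInt(time.Now().UnixNano()),
		Subject:         pkix.Name{CommonName: name},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: roleOID, Value: val}},
	}, nil
}

// selfSigned is what a vendor might ship: the device signs its own claims,
// including whatever role it says it has.
func selfSigned(name, claimedRole string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl, err := leafTemplate(name, claimedRole)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// homenetCA is a CA operated by the homenet itself, so its assertions are
// the ones the homenet has reason to trust.
func homenetCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "homenet CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// enroll has the homenet CA certify the device's key and assert the role the
// homenet chose, ignoring whatever the device claimed about itself.
func enroll(ca *x509.Certificate, caKey ed25519.PrivateKey, devicePub ed25519.PublicKey, name, role string) (*x509.Certificate, error) {
	tmpl, err := leafTemplate(name, role)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, devicePub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// identified reports whether cert chains to something in trusted: a pinned
// self-signed cert or a CA. Passing proves only which key we are talking to.
func identified(cert *x509.Certificate, trusted *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted})
	return err == nil
}

// authorizedRole returns the role extension only when the chain roots in the
// homenet's own CA; the same extension in a self-signed cert is just a claim.
func authorizedRole(cert *x509.Certificate, homenetRoots *x509.CertPool) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: homenetRoots}); err != nil {
		return "", fmt.Errorf("role not asserted by a CA the homenet trusts: %w", err)
	}
	for _, e := range cert.Extensions {
		if e.Id.Equal(roleOID) {
			var role string
			_, err := asn1.Unmarshal(e.Value, &role)
			return role, err
		}
	}
	return "", errors.New("no role extension present")
}

// Outcome collects the checks so they can be inspected or asserted on.
type Outcome struct {
	SelfSignedPinnedIdentity bool   // true: pinning identifies the device key
	SelfSignedAgainstCA      bool   // false: no chain to the homenet CA
	SelfSignedRole           string // "": the device's own role claim is not honoured
	EnrolledIdentity         bool   // true: chains to the homenet CA
	EnrolledRole             string // the role the homenet CA asserted
}

func demo() (Outcome, error) {
	var o Outcome
	vendor, err := selfSigned("fly-by-night router (constructed)", "router") // device claims "router"
	if err != nil {
		return o, err
	}
	ca, caKey, err := homenetCA()
	if err != nil {
		return o, err
	}
	roots, pins := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ca)
	pins.AddCert(vendor)

	o.SelfSignedPinnedIdentity = identified(vendor, pins)
	o.SelfSignedAgainstCA = identified(vendor, roots)
	o.SelfSignedRole, _ = authorizedRole(vendor, roots)

	// The homenet, not the vendor, decides what the device may do.
	enrolled, err := enroll(ca, caKey, vendor.PublicKey.(ed25519.PublicKey), "fly-by-night router (constructed)", "guest-only")
	if err != nil {
		return o, err
	}
	o.EnrolledIdentity = identified(enrolled, roots)
	o.EnrolledRole, err = authorizedRole(enrolled, roots)
	return o, err
}

func main() {
	o, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The same key appears in both certificates; what changes is who signed the role. Pinning the self-signed cert gives the identification Brian refers to, and the enrollment step through the homenet's CA is where authorization enters.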