On 9/18/14, 3:39 PM, Brian E Carpenter wrote:
Yes, I agree and that's why self-signed and/or manufacturer certs are of no help.
Surely they are of help for secure *identification* of devices?
No more so than the naked public key.
Authorisation is a separate step.
Yes.
There is no believable authz in them. A homenet would need to run its own CA, or use a CA that it delegates authz to. Or does something that avoids certs altogether and provides its own enrollment/authz solution.
Yes, but with the identity of the devices verified by cert.
A cert, at its heart, is used to bind a name (CN, DN, etc) to a key. You don't need a human-friendly name binding to identify something that possesses the corresponding private key though. The public key itself is a unique identifier.
Mike
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
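The distinction drawn in the thread, identification by the bare public key versus authorization as a separate step, can be shown in code. The following is an added example and is not part of the list discussion or of any homenet implementation. It assumes ECDSA P-256 keys, derives a device identifier as SHA-256 over the DER SubjectPublicKeyInfo, proves possession by signing a constructed challenge, wraps the same key in a self-signed certificate to show that the CN adds nothing a verifier can rely on, and models the homenet's own authz decision as a simple allowlist of key identifiers (all of these are the example's own choices, not anything the thread specifies).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// KeyID derives a stable device identifier from the public key alone:
// SHA-256 over the DER-encoded SubjectPublicKeyInfo. No name and no CA
// are involved; the key is the identifier.
func KeyID(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// ProvePossession is the device side: sign a fresh challenge with the
// private key. The challenge must be chosen by the verifier per session
// so an old signature cannot be replayed.
func ProvePossession(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyPossession is the verifier side: whoever produced sig over this
// challenge holds the private key matching pub. That is identification.
func VerifyPossession(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// SelfSignedCert wraps the same key in a self-signed certificate carrying
// whatever CN the device chooses. Any key holder can mint one with any
// name, so the name proves nothing beyond what the key already did.
func SelfSignedCert(priv *ecdsa.PrivateKey, cn string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Allowlist is the homenet's own authz store (hypothetical): a set of key
// identifiers that an administrator has enrolled. Authorization is decided
// here, separately from the proof of possession above.
type Allowlist map[string]bool

// Enroll records a key identifier as permitted on the homenet.
func (a Allowlist) Enroll(keyID string) { a[keyID] = true }

// Authorized reports whether an identified key has been enrolled.
func (a Allowlist) Authorized(keyID string) bool { return a[keyID] }

func main() {
	device, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	impostor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	id, _ := KeyID(&device.PublicKey)
	impostorID, _ := KeyID(&impostor.PublicKey)

	// Both keys can present a self-signed cert with the same CN.
	c1, _ := SelfSignedCert(device, "fridge.example")
	c2, _ := SelfSignedCert(impostor, "fridge.example")
	fmt.Println("same CN on both certs:", c1.Subject.CommonName == c2.Subject.CommonName)

	// Identification: the challenge-response ties the session to a key.
	challenge := []byte("constructed nonce for this session")
	sig, _ := ProvePossession(device, challenge)
	fmt.Println("device proves possession:", VerifyPossession(&device.PublicKey, challenge, sig))

	// Authorization: only the enrolled key identifier is admitted.
	allow := Allowlist{}
	allow.Enroll(id)
	fmt.Println("device authorized:  ", allow.Authorized(id))
	fmt.Println("impostor authorized:", allow.Authorized(impostorID))
}
```

The point the code makes is that `VerifyPossession` answers "is this the holder of key K?" and `Allowlist.Authorized` answers "is K allowed here?"; the self-signed certificate contributes to neither, since its CN is chosen by the same party that holds the key.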