On Sep 19, 2014, at 7:17 AM, Steven Barth <cy...@openwrt.org> wrote:

> On 19.09.2014 at 16:00, Michael Thomas wrote:
>> And it's extremely unlikely that
>> DTLS will be a one-sentence "solution" even if it gets adopted because DTLS, 
>> IPsec, etc say nothing
>> about enrollment and authorization. Those are by far the hard problems with 
>> homenet security.
> I wouldn't really want to lock HNCP to any trust scheme at this point where 
> we are not even sure what we want. I'd rather choose the underlying 
> mechanism, either DTLS or IPsec/IKE and leave the rest out-of-scope. Maybe 
> mention PSK-usage as baseline option and say various other certificate-based 
> approaches are possible but out-of-scope of the HNCP draft itself.
> 
> In practice users could probably run either their own in-home CA (e.g. like 
> draft-behringer-homenet-trust-bootstrap) or we could add a web-of-trust-like 
> extension to HNCP using transitive trust as proposed in 
> draft-bonnetain-hncp-security or some weird combination. Either way it all 
> stands and falls with the final user experience, e.g. the APP and the 
> router's interaction with it for trust-bootstrap or the 
> Web-UI/APP/Push-Button which lets you actively "trust" your peer in the 
> web-of-trust approach. But user-experience isn't something we can really 
> specify here.

Dear Steven,

As HNCP is deployed, there should be a sure way to ascertain a "home" network 
from that of outside traffic.  Wi-Fi Protected Setup (WPS) tried to allow home 
users an easy way to add new devices to an existing Wi-Fi network without 
entering long pass-phrases.  Making this easy for users, also made compromising 
the strategy easy for attackers.  Will NFC replace that of the vulnerable PIN?

Nor can ISP assigned prefixes be shared within a home environment without a 
sure way to exclude non-local traffic.  This should not depend on establishing 
cryptographic trust methods because this will not prevent users from being 
deceived; it simply changes what is being unreliably shared.  These methods 
must be bog standard to ensure plumbing works as expected.  One such method 
might attempt to establish an overlay network using the private address space 
defined for IPv6 and IPv4.

Regards,
Douglas Otis

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet