On Mon, July 31, 2017 20:33, Ted Lemon wrote:
> On Jul 31, 2017, at 2:21 PM, Walter H. <walte...@mathemainzel.info> wrote:
>> Just a thought of mine: would it be possible to add a section to make
>> it possible to get official SSL certificates for these 'home.arpa.'
>> domains (for free), so there would not be the need of running one's
>> own PKI?
>
> I don't see how that could work.

That is why my thought is to add a section to this Draft/RFC on how this would work.

>  I agree that it's a problem in need of
> a solution, but since home.arpa wouldn't be externally visible,

Of course, that is the sense of a private LAN domain name ...

> you couldn't use the fact that you can publish in a name in it
> to do the ACME authentication.

There SHOULD NOT be ACME authentication or any necessity of any other
authentication, as these domain names need not be unique ...

In case you use 'teddynet.home.arpa.' and I use this domain name too,
we wouldn't have the same X.509 SSL certificate, because each of us uses
their own private key ...

Why not just define the org. that hosts the ARPA TLD (IANA?) as the CA
for these domains, and the root certificate as a built-in token in the
common browsers and/or operating systems?
There it should only be necessary to upload the certificate request,
giving the '.home.arpa.' domain name and an email address where the
certificate is sent to;
the certificate will be a wildcard certificate for this .home.arpa.
domain ...

I would want this to be added as an additional section to this Draft/RFC.

> I was hoping to get IP-based certs, but it turns out that letsencrypt
> (probably wisely) doesn't offer them.

IP-based is a bad idea, as there is no user agent (browser) that handles
IPv6 correctly in such a case ...

Thanks,
Walter

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
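To make the issuance flow discussed in this thread concrete, here is an added Go example (constructed for this page; it is not code from the thread, nor from any IETF, IANA or browser-vendor system). A hypothetical root CA whose name constraints permit only names under .home.arpa signs whatever wildcard CSR it receives, with no ACME-style proof of control over the name, as the proposal describes. The zone names, the .home.arpa name constraint, the 90-day leaf lifetime and the P-256 keys are all assumptions. Running it shows two things: two independently generated keys for the same zone each obtain a certificate that a client trusting the root accepts for the same hostname, and the name constraint makes the same root unusable for a public name such as www.example.com even though it signs that CSR too.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// homeArpaCA stands in for the hypothetical "home.arpa CA" from the
// proposal (constructed example). Its root is name-constrained to
// .home.arpa, so a browser shipping this root could never accept it
// for a public name.
type homeArpaCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newHomeArpaCA() (*homeArpaCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "home.arpa root (constructed example)"},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{".home.arpa"}, // leading dot: subdomains only
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &homeArpaCA{cert: cert, key: key}, nil
}

// makeCSR is what a home user would upload: a request for the wildcard
// name plus the zone apex, signed with a key only that household holds.
// Certificate names carry no trailing dot, unlike the DNS spelling.
func makeCSR(zone string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "*." + zone},
		DNSNames: []string{"*." + zone, zone},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der, key, err
}

// issue signs the CSR as received. The only check is that the CSR is
// self-consistent (signed by the key it carries); there is no proof of
// control over the name, exactly as the proposal asks.
func (ca *homeArpaCA) issue(csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour), // assumed lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify does what a client with the root built in would do: chain the
// leaf to the root, apply the root's name constraints, match hostname.
func (ca *homeArpaCA) verify(cert *x509.Certificate, hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

func main() {
	ca, err := newHomeArpaCA()
	if err != nil {
		panic(err)
	}
	// Two households pick the same zone; each gets its own key and cert.
	for i, who := range []string{"household A", "household B"} {
		csr, _, err := makeCSR("teddynet.home.arpa")
		if err != nil {
			panic(err)
		}
		cert, err := ca.issue(csr, int64(i+2))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s, printer.teddynet.home.arpa: verify error = %v\n",
			who, ca.verify(cert, "printer.teddynet.home.arpa"))
	}
	// The root signs a public name too, but the constraint rejects it.
	if csr, _, err := makeCSR("www.example.com"); err == nil {
		if cert, err := ca.issue(csr, 10); err == nil {
			fmt.Println("www.example.com:", ca.verify(cert, "www.example.com"))
		}
	}
}
```

The name constraint is the part worth keeping regardless of how the issuance question is settled: it bounds the damage a trusted root for a private namespace can do, since the constraint is enforced by the verifier rather than by CA policy.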
