On 6/12/19 12:13 PM, Michael Richardson wrote:
Michael Thomas <m...@fresheez.com> wrote:
     >>> There are no passwords.

     >> Yes please.

     > Speaking of which, should we be encouraging router vendors to implement
     > webauthn? Considering that probably half of home routers have the default
     > password, that seems like it would be a Good Thing.

We have done an enrollment system which is based upon BRSKI.
It is described in draft-richardson-ietf-anima-smarkaklink.
We have running code with a desktop acting as the client, with
the mobile app being built now.  I am making a screencast today, actually.
There are similarities to some profiles of EAP-NOOB, but we do
rely on the manufacturer as the root of trust.

I guess we could/should have considered enhancing webauthn instead; I have to
think a bit about whether it would have worked as well.  I will need to see.

At the end of the day, we wind up with a mobile phone with a certificate
enrolled into a private CA on the router.  The router itself has a
LetsEncrypt certificate acting as its IDevID, although this could
be a private CA instead.  There are issues in both directions.

Secondary admins are encouraged to guard against loss/destruction of the mobile
phone, and it is also possible to enroll a second time, provided the
manufacturer agrees (this is both a feature and a bug).

The code is at https://github.com/CIRALabs/


I'm not sure we're talking about the same thing? I'm just talking about the normal web interface that home routers have to hand configure them. There's no need for certs at all.

I wrote a blog post which considered the enrollment problem of a webauthn-like protocol (way before webauthn was even started). I'm not sure if it works for the special case of a home router though.

http://rip-van-webble.blogspot.com/2012/06/using-asymmetric-keys-for-web-joinlogin.html

Enrollment, of course, is out of scope for webauthn, per se.

Mike

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet