Michael Thomas <m...@fresheez.com> wrote:
    >> Secondary admins are encouraged to guard against loss/destruction of mobile
    >> phone, and it is also possible to enroll a second time, provided the
    >> manufacturer agrees (this is both a feature and a bug)
    >>
    >> The code is at https://github.com/CIRALabs/
    >>
    > I'm not sure we're talking about the same thing? I'm just talking about the
    > normal web interface that home routers have to hand configure them. There's
    > no need for certs at all.

Yes, that's what I'm talking about.

Yes, there is a need for strong security. The bad guys are inside already, they
send trojans, and if the router has passwords ("admin"/"admin"), then the bad
guys just change the security policy. They don't do this now, because they
don't need to, our home routers are basically Swiss cheese in the outbound
direction, but I'm sure they will learn. Particularly, it will be easy if we
have a standard (or de facto standard) API. At this point, the luci interface
is probably easily automated.

Modern browsers practically don't let you even type passwords in over HTTP
now, so you really really really need a certificate for the inside of the
router, and it needs to be valid.

    > I wrote a blog post which considered the enrollment problem of a
    > webauthn-like protocol (way before webauthn was even started). I'm not sure
    > if it works for the special case of a home router though.
    > http://rip-van-webble.blogspot.com/2012/06/using-asymmetric-keys-for-web-joinlogin.html
    > Enrollment, of course, is out of scope for webauthn, per se.

I'll read it.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
_______________________________________________ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet