Michael Thomas <m...@fresheez.com> wrote:
    >> Secondary admins are encouraged to guard against loss/destruction of mobile
    >> phone, and it is also possible to enroll a second time, provided the
    >> manufacturer agrees (this is both a feature and a bug)
    >>
    >> The code is at https://github.com/CIRALabs/
    >>

    > I'm not sure we're talking about the same thing? I'm just talking about the
    > normal web interface that home routers have to hand configure them. There's
    > no need for certs at all.

Yes, that's what I'm talking about.
Yes, there is a need for strong security.

The bad guys are inside already, they send trojans, and if the router has
passwords ("admin"/"admin"), then the bad guys just change the security
policy.

They don't do this now, because they don't need to, our home routers are
basically swiss cheese in the outbound direction, but I'm sure they will
learn.  Particularly, it will be easy if we have a standard (or
de facto standard) API.  At this point, the LuCI interface is probably easily
automated.

Modern browsers practically don't let you even type passwords in over HTTP
now, so you really really really need a certificate for the inside of the
router, and it needs to be valid.

    > I wrote a blog post which considered the enrollment problem of a
    > webauthn-like protocol (way before webauthn was even started). I'm not sure
    > if it works for the special case of a home router though.

    > http://rip-van-webble.blogspot.com/2012/06/using-asymmetric-keys-for-web-joinlogin.html

    > Enrollment, of course, is out of scope for webauthn, per se.

I'll read it.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet