On 6/13/19 12:51 PM, Ted Lemon wrote:
> On Jun 13, 2019, at 3:46 PM, Michael Thomas <m...@fresheez.com> wrote:
>> Possibly, but I think there are hardware-based solutions (e.g. "press
>> to pair") and pure software-based ones. The main point is to have
>> something to point vendors at. They are probably clueless that this
>> is a possibility now.
> Ah. I don’t think that would be useful. The “if we spec it, they
> will build it” approach has been an utter failure thus far. We should
> have a clear use case and a clear solution that addresses that use
> case. We should not specify the kitchen sink and let them pick. If
> someone has a use case we didn’t address, then that’s demand to
> address another use case, and we can do it, but we have to be real
> about this. Right now, the only use case that really matters is
> OpenWRT, because that is where _all_ of the running code is. So a
> solution that works there is the place to start.
A hardware-based solution is always going to be more secure than a
software-only solution, but obviously that has even less likelihood of
being deployed. I'd be perfectly happy to write in the draft that
hardware-assisted solutions would enhance security, but they are out of
scope, leaving exactly one recommendation for a software solution.
The thing about webauthn is that almost all of the heavy lifting is done
browser-side. The server side code is very straightforward: store public
keys of people who can log in, and verify them when they do. And I do
know this from experience, albeit not with webauthn specifically.
It would be good to do this on OpenWRT, that's for sure. I've never
tried to hack on it, but it can't be too horrible.
Mike
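The server-side half described above (keep the registered public key, verify the signature when that user logs in), as an added Go example that is not code from the thread or from any project. It assumes the public key was already extracted from the registration response, and the relying-party ID `router.lan`, the origin, the challenge and the authenticator stand-in in `main` are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is what the relying party stores per registered key: the public key and the last signature counter seen.
type Credential struct {
	PubKey    *ecdsa.PublicKey
	SignCount uint32 // a counter that does not advance suggests a cloned authenticator or a replay
}

// SignedDigest is what the authenticator actually signs: SHA-256(authData || SHA-256(clientDataJSON)).
func SignedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// VerifyAssertion is the relying-party side of a WebAuthn login: check clientDataJSON and authenticatorData, then verify the ECDSA P-256 signature.
func VerifyAssertion(c *Credential, rpID, origin, challenge string, authData, cdJSON, sig []byte) error {
	var cd struct{ Type, Challenge, Origin string } // encoding/json matches "type", "challenge", "origin" case-insensitively
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != origin {
		return errors.New("clientDataJSON unparsable, or type/challenge/origin mismatch")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]) || authData[32]&0x01 == 0 { // rpIdHash || flags (bit 0 = user present) || counter
		return errors.New("authenticatorData malformed, wrong rpId, or user presence not asserted")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if count != 0 && count <= c.SignCount {
		return errors.New("signature counter did not increase")
	}
	if !ecdsa.VerifyASN1(c.PubKey, SignedDigest(authData, cdJSON), sig) {
		return errors.New("signature verification failed")
	}
	c.SignCount = count
	return nil
}

func main() { // constructed authenticator stand-in: build authData (rpIdHash || flags || counter) and sign it
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rpHash := sha256.Sum256([]byte("router.lan"))
	authData := binary.BigEndian.AppendUint32(append(rpHash[:], 0x01), 1)
	cdJSON := []byte(`{"type":"webauthn.get","challenge":"c0ffee","origin":"https://router.lan"}`)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, SignedDigest(authData, cdJSON))
	fmt.Println(VerifyAssertion(&Credential{PubKey: &priv.PublicKey}, "router.lan", "https://router.lan", "c0ffee", authData, cdJSON, sig)) // <nil>
}
```

In a real deployment the challenge is generated per login and stored server-side, and the counter update is persisted with the credential so a replayed assertion is rejected on the next request.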
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet