Richard Barnes <r...@ipv.sx> wrote:
>> I don't think this is is this going to help eliminate the invalid
>> certificates that seem inevitable from things like ILOMs/iDRAC/etc.
because
>> the https interface to the service processor never knows what zone it
will
>> use. I'd love to find a way for such appliance uses of HTTPS to come
>> up secure in some way.
>>
> I would be interested in that as well, since those things are a major
> source of cert validation bugs. Any ideas for what the authentication
> would be? Or maybe there's no meaningful authentication here, and it's a
> use case for HTTP over unauthenticated TLS.
I agree that given what we have here, HTTP over unauthenticated TLS (with
TOFU, ideally) would be significant better than training IT managers to click
through the warning. I think that we should have, as a goal, elimination of
the click through certificate warning... nobody should ever do that.
In the case of an ILOM, we can't predict a name or an IP address which the
device can claim... but, the manufacturer usually has a MAC address, Asset
Tag, or other identifier which is often unique. If only *THAT* could go into
the Location Bar instead of the IP address. Yes, this is user interface
thing... sorta.. it's really about a different kind of URI.
--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
pgpUBoiy1U19E.pgp
Description: PGP signature
_______________________________________________ perpass mailing list perpass@ietf.org https://www.ietf.org/mailman/listinfo/perpass
