On Wed, Nov 19, 2014 at 1:42 PM, Michael Richardson <mcr+i...@sandelman.ca>
wrote:
> In the case of an ILOM, we can't predict a name or an IP address which the
> device can claim... but, the manufacturer usually has a MAC address, Asset
> Tag, or other identifier which is often unique.  If only *THAT* could go
> into
> the Location Bar instead of the IP address.  Yes, this is user interface
> thing... sorta.. it's really about a different kind of URI.
>

    rlb> We do have some history of putting identifiers besides domain names
    rlb> in the URL bar.  Namely with EV certs, browsers typically display the
    rlb> authenticated owner name.

okay, but in my experience the EV cert still has to match the host part of
the zone that the user typed in.  ILOMs, home appliances, etc. get an IP
address by DHCP or SLAAC. In the IPv6 situation things are perhaps slightly
better because the odds that appliance vendors will tell people to type in an
IPv6 address, vs using mDNS/Bonjour seem lower.
Maybe, in some of those situations, we can have a name like
       "dell-r420-ABCD1234.local" 
used, and then maybe Dell can convince someone to give them a certificate
with this name in it... but... ideally, Dell would have their own
intermediate CA, and would ship their iDRAC with a built-in certificate.

    rlb> So the real question is whether it's possible to make a PKI that can
    rlb> authenticate those identifiers.  We would of course need some new
    rlb> types for subjectAltName, but that's just more OIDs.  The more
    rlb> interesting question is how the PKI would be structured -- who are
    rlb> the trusted authorities for asset tags?

I think that CAs would have to have a new category for intermediate CAs
with subjectAltName constraints that mean they can only sign asset tags/
DeviceIDs.  Also see draft-richardson-6tisch-idevid-cert-00, which 6tisch
considers using as part of the ANIMA work.

I had no thoughts about ILOM and appliance use of this system until you
mentioned that browsers could put something different than an HTTP URL in the
Location bar.

Where could this work get done?

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [ 
_______________________________________________
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass
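The name-constrained vendor intermediate that the mail above sketches, worked through with OpenSSL as an added example (not code from the thread or from any vendor). It stands in the RFC 5280 DNS name constraint, which validators already enforce, for the new subjectAltName types the mail proposes: the root signs a vendor CA whose critical nameConstraints permit only names under an assumed zone `devices.vendor.example`; a leaf named `r420-ABCD1234.devices.vendor.example` validates, while a leaf the same CA issues for `www.example.org` is rejected with "permitted subtree violation". Each leaf also carries an RFC 4108 hardwareModuleName otherName (the field 802.1AR IDevID certificates use for the serial) under a placeholder enterprise OID, to show the "just more OIDs" point; note that OpenSSL does not apply name constraints to otherName, so a new SAN type would need matching validator support before it could be constrained.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a root CA, a vendor
# intermediate that RFC 5280 name constraints limit to one device subtree,
# and two leaves, one inside that subtree and one outside it.
set -e

# Assumed vendor device zone; "r420-ABCD1234" plays the role of the asset tag.
DEVICE_ZONE="devices.vendor.example"
# Placeholder private enterprise number for hardwareModuleName.hwType.
VENDOR_PEN_OID="1.3.6.1.4.1.99999"

newkey() {  # newkey <keyfile> <csrfile> <subject>: fresh P-256 key plus CSR
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1" -out "$2" -subj "$3" >/dev/null 2>&1
}

issue_leaf() {  # issue_leaf <dir> <label> <dns-name> <serial>
    dir="$1"; label="$2"; dns="$3"; serial="$4"
    newkey "$dir/$label.key" "$dir/$label.csr" "/CN=$dns"
    # SAN carries the DNS name plus an RFC 4108 hardwareModuleName otherName
    # (OID 1.3.6.1.5.5.7.8.4); OpenSSL ignores otherName when it checks
    # name constraints, so only the DNS entry is constrained.
    cat > "$dir/$label.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=DNS:$dns,otherName:1.3.6.1.5.5.7.8.4;SEQ:hmn
[hmn]
hwType=OID:$VENDOR_PEN_OID
hwSerialNum=OCT:$serial
EOF
    openssl x509 -req -in "$dir/$label.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 365 -extfile "$dir/$label.ext" \
        -out "$dir/$label.crt" >/dev/null 2>&1
}

build_chain() {  # build_chain <dir>: writes root.crt, int.crt, good.crt, bad.crt
    dir="$1"
    mkdir -p "$dir"
    # Self-signed root.
    cat > "$dir/root.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
    newkey "$dir/root.key" "$dir/root.csr" "/CN=Example Root CA"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 365 \
        -extfile "$dir/root.ext" -out "$dir/root.crt" >/dev/null 2>&1
    # Vendor intermediate: critical nameConstraints permit only names under
    # DEVICE_ZONE, so a leaf for any other host fails path validation.
    cat > "$dir/int.ext" <<EOF
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,permitted;DNS:.$DEVICE_ZONE
EOF
    newkey "$dir/int.key" "$dir/int.csr" "/CN=Example Vendor Device CA"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -extfile "$dir/int.ext" \
        -out "$dir/int.crt" >/dev/null 2>&1
    issue_leaf "$dir" good "r420-ABCD1234.$DEVICE_ZONE" ABCD1234
    issue_leaf "$dir" bad  "www.example.org"            ABCD1234
}

verify_leaf() {  # verify_leaf <dir> <label>: exit 0 if the leaf chains to root
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
        "$1/$2.crt" >/dev/null 2>&1
}

WORK=$(mktemp -d)
build_chain "$WORK"
verify_leaf "$WORK" good && echo "good.crt: accepted (inside $DEVICE_ZONE)"
if verify_leaf "$WORK" bad; then
    echo "bad.crt: accepted (unexpected)"
else
    # Show the reason a relying party reports: "permitted subtree violation".
    echo "bad.crt: rejected"
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
        "$WORK/bad.crt" 2>&1 | sed -n '1,2p'
fi
```

The constraint is marked critical on purpose: a validator that does not understand nameConstraints must then reject the chain rather than silently accept a certificate the vendor CA was never meant to issue. That is also the practical condition for the scheme in the mail: the public CA's policy has to require the critical constraint on every vendor intermediate, and browsers have to enforce it for whatever new SAN type ends up carrying the asset tag.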