On Wed, Nov 19, 2014 at 1:42 PM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
> In the case of an ILOM, we can't predict a name or an IP address which the
> device can claim... but, the manufacturer usually has a MAC address, Asset
> Tag, or other identifier which is often unique. If only *THAT* could go into
> the Location Bar instead of the IP address. Yes, this is user interface
> thing... sorta.. it's really about a different kind of URI.
rlb> We do have some history of putting identifiers besides domain names
rlb> in the URL bar. Namely with EV certs, browsers typically display the
rlb> authenticated owner name.

Okay, but in my experience the EV cert still has to match the host part of the
zone that the user typed in.

ILOMs, home appliances, etc. get an IP address by DHCP or SLAAC. In the IPv6
situation things are perhaps slightly better, because the odds that appliance
vendors will tell people to type in an IPv6 address, vs. using mDNS/Bonjour,
seem lower. Maybe, in some of those situations, we can have a name like
"dell-r420-ABCD1234.local" used, and then maybe Dell can convince someone to
give them a certificate with this name in it... but... ideally, Dell would have
their own intermediate CA, and would ship their iDRAC with a built-in
certificate.

rlb> So the real question is whether it's possible to make a PKI that can
rlb> authenticate those identifiers. We would of course need some new
rlb> types for subjectAltName, but that's just more OIDs. The more
rlb> interesting question is how the PKI would be structured -- who are
rlb> the trusted authorities for asset tags?

I think that CAs would have to have a new category for intermediate CAs with
subjectAltName constraints that mean they can only sign asset tags/DeviceIDs.

Also see draft-richardson-6tisch-idevid-cert-00, which 6tisch considers using
as part of the ANIMA work.

I had no thoughts about ILOM and appliance use of this system until you
mentioned that browsers could put something different than an HTTP URL in the
Location bar.

Where could this work get done?

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass
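The mechanism the reply above leans on, an intermediate CA whose name constraints confine it to device identifiers, is the X.509 nameConstraints extension (RFC 5280 section 4.2.1.10) evaluated down the chain. The following is an added example and not code from the thread or from any vendor: it models a chain of vendor root, constrained device-issuing CA and built-in device certificate, and walks the RFC 5280 path-validation state for permitted and excluded subtrees. The dNSName matching rule is the standard one; the "assetTag" name type and its vendor-prefix matching rule are assumptions standing in for the new subjectAltName OID the thread speculates about, and the vendor name, .local hostnames and asset tags are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Name = Tuple[str, str]  # (name type, value), e.g. ("dNSName", "box.local")


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName rule: a subtree 'host.example.com' permits
    'host.example.com' and any name that adds labels on its left."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def tag_in_subtree(tag: str, subtree: str) -> bool:
    """Hypothetical rule for an asset-tag name type (assumption, not in any
    RFC): the subtree is a vendor prefix, so 'EXV-' permits 'EXV-ABCD1234'."""
    return tag.upper().startswith(subtree.upper())


# One matching rule per name type; only dNSName is standard here.
MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "dNSName": dns_in_subtree,
    "assetTag": tag_in_subtree,  # hypothetical SAN type, not a registered OID
}


@dataclass
class NameConstraints:
    permitted: List[Name] = field(default_factory=list)
    excluded: List[Name] = field(default_factory=list)


@dataclass
class Cert:
    subject: str
    names: List[Name]                          # subjectAltName entries
    is_ca: bool = False
    constraints: Optional[NameConstraints] = None


def _narrow(permitted: Dict[str, List[str]], new: List[Name]) -> Dict[str, List[str]]:
    """Intersect permitted subtrees per name type (RFC 5280 6.1.4 step g).
    A type absent from `permitted` was unconstrained so far and just takes
    the new subtrees; otherwise keep the narrower of each pair, which can
    leave an empty list, i.e. no name of that type may be issued at all."""
    out = {t: list(v) for t, v in permitted.items()}
    by_type: Dict[str, List[str]] = {}
    for ntype, sval in new:
        by_type.setdefault(ntype, []).append(sval)
    for ntype, subtrees in by_type.items():
        if ntype not in out:
            out[ntype] = subtrees
            continue
        match = MATCHERS[ntype]
        narrowed = []
        for cur in out[ntype]:
            for sub in subtrees:
                if match(sub, cur):
                    narrowed.append(sub)   # new subtree sits inside the old one
                elif match(cur, sub):
                    narrowed.append(cur)   # old subtree is already narrower
        out[ntype] = narrowed
    return out


def validate_chain(chain: List[Cert]) -> List[str]:
    """Walk root -> intermediates -> leaf and return the violations found
    (an empty list means the chain is acceptable). Constraints carried by a
    CA apply to every certificate below it, and a CA can only narrow what
    its own issuers permitted, never widen it."""
    errors: List[str] = []
    permitted: Dict[str, List[str]] = {}   # type -> subtrees; absent = unconstrained
    excluded: List[Name] = []
    last = len(chain) - 1
    for depth, cert in enumerate(chain):
        for ntype, value in cert.names:
            match = MATCHERS[ntype]
            if ntype in permitted and not any(match(value, s) for s in permitted[ntype]):
                errors.append(f"{cert.subject}: {ntype} {value!r} outside permitted subtrees")
            if any(match(value, s) for t, s in excluded if t == ntype):
                errors.append(f"{cert.subject}: {ntype} {value!r} in an excluded subtree")
        if depth < last and not cert.is_ca:
            errors.append(f"{cert.subject}: non-CA certificate used as an issuer")
        if cert.is_ca and cert.constraints:
            permitted = _narrow(permitted, cert.constraints.permitted)
            excluded.extend(cert.constraints.excluded)
    return errors


# Constructed chain modelling the proposal: a vendor root, a device-issuing
# intermediate confined to .local mDNS names plus the vendor's own asset-tag
# prefix, and the certificate burned into each appliance at manufacture.
VENDOR_ROOT = Cert("Example Vendor Root CA", [], is_ca=True)
DEVICE_CA = Cert("Example Vendor Device CA", [], is_ca=True,
                 constraints=NameConstraints(
                     permitted=[("dNSName", "local"), ("assetTag", "EXV-")]))


def check_device_chain(mdns_name: str, asset_tag: str) -> List[str]:
    leaf = Cert(f"device {asset_tag}", [("dNSName", mdns_name), ("assetTag", asset_tag)])
    return validate_chain([VENDOR_ROOT, DEVICE_CA, leaf])


def check_widening_subca(mdns_name: str) -> List[str]:
    """A sub-CA under DEVICE_CA that tries to permit example.com names: the
    intersection with 'local' is empty, so it can issue no dNSName at all."""
    sub_ca = Cert("Rogue Sub CA", [], is_ca=True,
                  constraints=NameConstraints(permitted=[("dNSName", "example.com")]))
    return validate_chain([VENDOR_ROOT, DEVICE_CA, sub_ca, Cert("leaf", [("dNSName", mdns_name)])])


if __name__ == "__main__":
    for args in [("exv-r420-ABCD1234.local", "EXV-ABCD1234"),
                 ("www.example.com", "EXV-ABCD1234"),
                 ("exv-r420-ABCD1234.local", "OTH-0001")]:
        print(args, check_device_chain(*args) or "OK")
    print("widening sub-CA:", check_widening_subca("exv-r420-ABCD1234.local"))
```

The point the walk makes concrete is the one rlb raises about structure: whatever authority sits above the device CA decides, once, which subtrees it may name, and nothing the vendor issues below it can escape that set, including a further sub-CA that tries to permit a wider subtree. Note that a real verifier would also have to define the asset-tag matching rule, since RFC 5280 specifies constraint semantics only for the existing name forms; that is the "more OIDs" part of the thread.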