Michael Thomas wrote:
>>> There are no passwords.
>> Yes please.
> Speaking of which, should we be encouraging router vendors to implement
> webauthn? Considering that probably half of home routers have the default
> password, that seems like it would be a Good Thing.
We have done an enrollment system which is based upon BRSKI.
It is described in draft-richardson-ietf-anima-smarkaklink.
We have running code with a desktop acting as the client, with
the mobile app being built now. I am making a screencast today, actually.
There are similarities to some profiles of EAP-NOOB, but we do
rely on the manufacturer as the root of trust.
I guess we could/should have considered enhancing webauthn instead; I have to
think a bit about whether it would have worked as well. I will need to see.
At the end of the day, we wind up with a mobile phone with a certificate
enrolled into a private CA on the router. The router itself has a
LetsEncrypt certificate acting as its IDevID, although this could
be a private CA instead. There are issues in both directions.
Secondary admins are encouraged to guard against loss/destruction of mobile
phone, and it is also possible to enroll a second time, provided the
manufacturer agrees (this is both a feature and a bug).
The code is at https://github.com/CIRALabs/
--
Michael Richardson , Sandelman Software Works
-= IPv6 IoT consulting =-
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
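As an added example, not code from the draft or from the CIRALabs repository, here is a Go sketch of the end state the message describes: a private CA living on the router issues a client certificate to a phone that generated its own key, and the router later checks that a presenting client chains to that CA. It also shows that a second enrollment yields a second valid certificate, and that a certificate from another router's CA is rejected. The CSR-based enrollment step, the ECDSA P-256 choice, the certificate lifetimes and all names are assumptions; the manufacturer-mediated BRSKI onboarding and the router's own LetsEncrypt IDevID are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RouterCA is the private CA that lives on the router (constructed example).
type RouterCA struct {
	Cert   *x509.Certificate
	Key    *ecdsa.PrivateKey
	serial int64 // last issued serial; a real CA would persist this
}

// NewRouterCA creates a self-signed CA certificate and key for the router.
func NewRouterCA(name string) (*RouterCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour), // assumed lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &RouterCA{Cert: cert, Key: key, serial: 1}, nil
}

// PhoneCSR is the phone side: it generates its own key pair and a CSR.
// The private key never leaves the phone; only the CSR goes to the router.
func PhoneCSR(phoneName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: phoneName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return key, der, err
}

// Enroll is the router side: parse the CSR, check proof of possession of the
// key, and issue a client-authentication certificate signed by the router CA.
func (ca *RouterCA) Enroll(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // assumed lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AdminAllowed is the router's check when a client presents a certificate:
// it must chain to this router's private CA and be valid for client auth.
func (ca *RouterCA) AdminAllowed(cert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	ca, _ := NewRouterCA("Home Router Private CA (constructed)")
	_, csr, _ := PhoneCSR("admin-phone-1")
	cert, err := ca.Enroll(csr)
	if err != nil {
		panic(err)
	}
	fmt.Println("enrolled phone accepted:", ca.AdminAllowed(cert))
	other, _ := NewRouterCA("Some Other Router CA (constructed)")
	fmt.Println("accepted by a different router:", other.AdminAllowed(cert))
}
```

The proof-of-possession check in Enroll is what stops a caller from enrolling someone else's public key; the router-side AdminAllowed check is where the private CA replaces the default password as the thing that gates administration.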