Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-02 Thread Walter H.
On 01.08.2017 23:15, Ted Lemon wrote: I addressed that question in a previous reply. Your home network does not have the equivalent security to letsencrypt.org's certificate signing infrastructure (I hope!!). that is not the question, the question is: is it possible to

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Walter H.
On 01.08.2017 21:21, Ted Lemon wrote: On Aug 1, 2017, at 2:53 PM, Walter H. wrote: is there a problem, to have the organization that has the delegation of ".home.arpa." also provide such SSL certificates signed by an intermediate that got signed by any CA?

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Ted Lemon
I addressed that question in a previous reply. Your home network does not have the equivalent security to letsencrypt.org's certificate signing infrastructure (I hope!!). Installing a trust anchor means that trust anchor has signing authority for any name—there's no way to install one that does

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Michael Richardson
Ted Lemon wrote: barbara> The CABF is about "publicly trusted certificates". There is no need or ... > (2) the issue with browser warnings isn't that they are annoying. It's that > if we train users to click through them when managing the homenet, we are > also training them to

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Ted Lemon
On Aug 1, 2017, at 2:53 PM, Walter H. wrote: > is there a problem, to have the organization that has the delegation of > ".home.arpa." also provide such SSL certificates > signed by an intermediate that got signed by any CA? This is not how PKI works. For a browser to trust a signing authorit

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Walter H.
On 01.08.2017 20:04, Ted Lemon wrote: On Aug 1, 2017, at 2:02 PM, Walter H. wrote: what is the real problem having strict rules in this Draft/RFC to get an SSL certificate that can be used inside such an environment; so that no own PKI is necessary? The p

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Ted Lemon
On Aug 1, 2017, at 2:37 PM, Juliusz Chroboczek wrote: > Think of it as a knob with a wasps' nest behind it. I know how to build it, so no, I don't think of it that way. I can think of much worse wasps' nests. One example would be a network with no trust model that encourages end-users to engag

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Juliusz Chroboczek
> The bottom line is that a global delegation+ACME PKI is a knob I can turn. Think of it as a knob with a wasps' nest behind it. > Fixing browsers is a knob I can't turn, and the browser vendors have spoken > pretty unequivocally on this topic. If you want to tilt at that windmill, I > will gladl

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Ted Lemon
On Aug 1, 2017, at 2:02 PM, Walter H. wrote: > what is the real problem having strict rules in this Draft/RFC to get an > SSL certificate that can be used inside such an environment; > so that no own PKI is necessary? The problem is that it's not up to us to set these rules—it's up to CABF, an

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Ted Lemon
On Aug 1, 2017, at 1:33 PM, Juliusz Chroboczek wrote: > Agreed. The problem, of course, is not Homenet-specific -- I've got > exactly the same problem with my printer, or with Babelweb. The problem, > in short, is that HTTP doesn't allow either BTN or TOFU security -- it's > either cleartext of

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Walter H.
On 01.08.2017 19:33, Juliusz Chroboczek wrote: I think that Barbara expressed very clearly why the CA model is simply not adapted to the Homenet. I don't think we should be complicating the Homenet protocol stack in order to work around the limitations of the browser stack. I'm not thinking abo

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Juliusz Chroboczek
> (1) this isn't an issue for HNCP or babel. It's an issue for browsers. It's an issue *with* browsers. > (2) the issue with browser warnings isn't that they are annoying. It's that if > we train users to click through them when managing the homenet, we are also > training them to click through t

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Ted Lemon
On Aug 1, 2017, at 10:48 AM, STARK, BARBARA H wrote: > The CABF is about "publicly trusted certificates". There is no need or > applicability of "publicly trusted certificates" in the context of a home > network. No certificate authority in the world is capable of certifying that > a device ins

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread STARK, BARBARA H
> In order for a PKI solution to work, it has to be possible for any given cert > to apply to a unique name, the ownership of which can be defended somehow.   > The CABF has spoken unequivocally on this topic: > https://www.digicert.com/internal-names.htm > The point of having PKI in the homenet

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Ted Lemon
On Aug 1, 2017, at 5:52 AM, Toke Høiland-Jørgensen wrote: > If you're going through all this trouble of having a central API that > will hand out certificates, wouldn't it be possible to make that same > authority hand out pseudo-random unique subdomains (of some suitable > domain; not necessarily

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Ted Lemon
On Aug 1, 2017, at 2:01 AM, Walter H. wrote: > there SHOULD NOT be the ACME authentication or any necessity of any > other authentication, as these domain names need not be unique ... In order for a PKI solution to work, it has to be possible for any given cert to apply to a unique name, the

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Walter H.
On Tue, August 1, 2017 11:52, Toke Høiland-Jørgensen wrote: >>> you couldn't use the fact that you can publish in a name in it >>> to do the ACME authentication. >> >> there SHOULD NOT be the ACME authentication or any necessity of any >> other authentication, as these domain names need not be u

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-08-01 Thread Toke Høiland-Jørgensen
>> you couldn't use the fact that you can publish in a name in it >> to do the ACME authentication. > > there SHOULD NOT be the ACME authentication or any necessity of any > other authentication, as these domain names need not be unique ... > > in case you use 'teddynet.home.arpa.' and I use thi

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-07-31 Thread Walter H.
On Mon, July 31, 2017 20:33, Ted Lemon wrote: > On Jul 31, 2017, at 2:21 PM, Walter H. wrote: >> Just a thought of mine, would it be possible to add a section, to make >> it possible >> to get official SSL certificates for these 'home.arpa.' domains (for >> free), >> so there would not be the need

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-07-31 Thread Ted Lemon
Thanks, Mark. That was sufficient detail. :)

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-07-31 Thread Mark Andrews
In message <916eeeb9-3709-492b-8e19-5c832b11a...@fugue.com>, Ted Lemon writes: > On Jul 31, 2017, at 1:02 AM, Mark Andrews wrote: > > The delegation is INSECURE and SIGNED not UNSIGNED. The wording > > here is *important*. > > Can you explain what the distinction is, and what the problem is th

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-07-31 Thread Ted Lemon
On Jul 31, 2017, at 2:21 PM, Walter H. wrote: > Just a thought of mine, would it be possible to add a section, to make it > possible > to get official SSL certificates for these 'home.arpa.' domains (for free), > so there would not be the need of running their own PKI? I don't see how that could wor

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-07-31 Thread Walter H.
On 28.07.2017 22:11, internet-dra...@ietf.org wrote: A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Home Networking WG of the IETF. Title : Special Use Domain 'home.arpa.' Authors : Pierre Pfist

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-07-31 Thread Ted Lemon
On Jul 31, 2017, at 11:42 AM, Warren Kumari wrote: > It really is an insecure delegation, not an unsigned delegation -- > calling it unsigned would be confusing to many people. The person I > was discussing it with wasn't aware of the term "insecure delegation" > and assumed that it meant an "unsi

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-07-31 Thread Warren Kumari
On Mon, Jul 31, 2017 at 5:36 AM, Ted Lemon wrote: > On Jul 31, 2017, at 1:02 AM, Mark Andrews wrote: > > The delegation is INSECURE and SIGNED not UNSIGNED. The wording > here is *important*. > > > Can you explain what the distinction is, and what the problem is that you > see in point five?

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-07-31 Thread Ted Lemon
On Jul 31, 2017, at 1:02 AM, Mark Andrews wrote: > The delegation is INSECURE and SIGNED not UNSIGNED. The wording > here is *important*. Can you explain what the distinction is, and what the problem is that you see in point five? The reason I ask is that we explicitly changed the wording

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-07-30 Thread Mark Andrews
DNSSEC describes the delegation as "insecure". Old: In addition, it's necessary, for compatibility with DNSSEC (Section 6), that an unsigned delegation be present for the name. There is an existing process for allocating names under '.arpa' [RFC3172]. No such process is available for

[homenet] I-D Action: draft-ietf-homenet-dot-10.txt

2017-07-28 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Home Networking WG of the IETF. Title : Special Use Domain 'home.arpa.' Authors : Pierre Pfister Ted Lemon Filename