On Fri, Sep 1, 2017 at 10:47 AM, Adam Roach <a...@nostrum.com> wrote:
> On 8/31/17 19:25, Stephen Farrell wrote:
>>
>> I really like the idea that the acme WG aims to figure out a way to enable
>> people at home to use https with their home n/w routers.
...
> There was some musing at the W3C TPAC in Lisbon last year on this topic. The
> tricky part is figuring out what kind of model makes sense for the certs at
> all. I suspect we'd need to come to some agreement on that issue before
> trying to work out how ACME can be used to issue them. There's some
> background reading at
> <https://www.w3.org/wiki/TPAC2016/session-https-local-summary>, mostly in
> the form of slide decks.

I don't see acme-ip being the solution here.  Everyone has - or could
have - a 10.0.0.1.  The same applies to .local (see below).  The
movement needs to come from the relying party side.

Thanks for sharing the link Adam, I was not aware of this.  For the
benefit of folks in the galleries, the three talks discuss two
options.

The first two talk about providing *real* names for the devices
(<device-id>.<manufacturer>.com for example).  The nice thing with
that is that that solution already works today.  With ACME, if the
manufacturer is willing to answer the challenges, the device only
needs some way to talk to the manufacturer when it wants a
certificate, not have an actual online presence.  (Insert usual
concerns about the manufacturer going out of business, etc...)

I'm not sure that I fully grok the last one, but it talks about an
ACME-like protocol that is mediated by a browser.  It also talks about
creating certificates for non-unique names on .local, so I'm not sure
that it's feasible.

Not discussed here, but we've talked a bit about using key continuity
for network-local devices and changing the "bad certificate" page we
show on first connection (with a different page when a different key
is presented by the device).

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
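The key-continuity idea in the last paragraph of the message above, as an added example that is not part of the original post or of any ACME or browser implementation: a small pin store keyed by the address the user connected to, which classifies each connection as first contact (show the first-connection page), known key, or changed key (show the different page). The `KeyContinuityStore` class, the `Verdict` names and the SPKI byte strings are all assumptions constructed for this example.

```python
import hashlib
import json
from enum import Enum
from pathlib import Path
from typing import Dict, Optional


class Verdict(Enum):
    """Outcome of a key-continuity check for one connection."""
    FIRST_CONTACT = "first-contact"  # no pin stored yet: show the first-connection page
    KNOWN = "known"                  # presented key matches the stored pin
    KEY_CHANGED = "key-changed"      # a different key was presented: show the other page


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the DER-encoded SubjectPublicKeyInfo, hex-encoded.

    Pinning the public key rather than the whole certificate lets the device
    re-issue a self-signed certificate (new validity period) without tripping
    the key-changed page, as long as the key pair stays the same.
    """
    return hashlib.sha256(spki_der).hexdigest()


class KeyContinuityStore:
    """Hypothetical trust-on-first-use pin store for network-local devices.

    Pins are keyed by the address the user actually connected to (for example
    "10.0.0.1:443"). Because such addresses are not unique across home networks,
    a different router answering at the same address will present a different
    key and so land on the key-changed page, which is the intended behaviour.
    """

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins))

    def check(self, device: str, spki_der: bytes) -> Verdict:
        """Classify a connection without changing any stored state."""
        pinned = self.pins.get(device)
        if pinned is None:
            return Verdict.FIRST_CONTACT
        return Verdict.KNOWN if pinned == spki_fingerprint(spki_der) else Verdict.KEY_CHANGED

    def accept(self, device: str, spki_der: bytes) -> str:
        """Record the key once the user has acknowledged the first-contact page
        (or explicitly accepted a key change); returns the stored fingerprint."""
        fp = spki_fingerprint(spki_der)
        self.pins[device] = fp
        self._save()
        return fp


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs; not real keys.
ROUTER_KEY_V1 = b"\x30\x59\x30\x13\x06\x07constructed-spki-router-key-1"
ROUTER_KEY_V2 = b"\x30\x59\x30\x13\x06\x07constructed-spki-router-key-2"


def walkthrough() -> list:
    """Run the three states of the flow in order and return the verdicts."""
    store = KeyContinuityStore()  # in-memory only; pass a Path to persist
    first = store.check("10.0.0.1:443", ROUTER_KEY_V1)  # first-connection page
    store.accept("10.0.0.1:443", ROUTER_KEY_V1)          # user acknowledged it
    again = store.check("10.0.0.1:443", ROUTER_KEY_V1)   # silent: key matches
    swapped = store.check("10.0.0.1:443", ROUTER_KEY_V2) # different key: other page
    return [first, again, swapped]


if __name__ == "__main__":
    for verdict in walkthrough():
        print(verdict.value)
```

The store deliberately separates `check` from `accept`: the user-facing page decides whether a changed key is accepted, and only then is the pin overwritten, so a single transient mismatch never silently replaces the stored key.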