> If the certificate is restricted to local domain names only, I suggest allowing validity up to 10 years.
Then why use ACME to begin with? 10 years means you never actually get to make sure the certificate issuance automation works. At least from my understanding, the point of this draft is to make automated certificate issuance in local environments possible. Do you see any harm in reducing the lifetime to 2 weeks? The benefits to me are that you're actually ensuring this is an automated system & that the automation works.

On Wed, Aug 2, 2023 at 1:17 PM Sebastian Nielsen <sebastian= [email protected]> wrote:

> 7) Validity of certificates:
> https://www.ietf.org/archive/id/draft-sweet-iot-acme-04.html#name-iot-device-certificates
>
>> I disagree with short validity.
>
> If the certificate is restricted to local domain names only, I suggest allowing validity up to 10 years.
>
> HOWEVER, if local certificates should be accepted by browsers as root, THEN there must be a mechanism, similar to DNS Rebinding protection, that prohibits an external site (that is not an RFC1918 IP or a local resource) or a resource received externally (for example an email) from hyperlinking or redirecting to a .local resource, a private, loopback or local IP, or an mDNS resource.
>
> In the same vein, I see that reuse of key material, mentioned in 4.11, is no problem, as long as key material is NEVER reused across multiple devices (eDellSupport and such).
>
> If key material is reused among the same user only (same local network), I see no risks.
>
> 4.9 and 3.3 solve any issues that may exist with attacks, since each root certificate will only recognize whatever exists on the very same local network.
>
> Since the device SHOULD regenerate the certificate (4.5) when a "factory reset" is done, a device which changes owner (through selling on a marketplace as a used product) will not pose a security risk.
>
> It could be good to impose a rule that an IoT device should, on each power up:
>
> Set a flag "NeverConnected = true"
>
> Do the power-up connection.
>
> If a connection to a network for which it owns a certificate is found, then:
>
> "NeverConnected" should be set to false.
>
> IF a pairing of a new user is done to the device, AND the pairing is not done through an existing user (pairing done with a button or similar) – AND "NeverConnected" is set to true, then it should do an automatic factory reset, or require a factory reset.
>
> However, if a new user is paired into the device through an old user, there is clear evidence the device is still possessed by the old user, and it does not make sense to reset the device otherwise.
>
> This ultimately protects a device which changes hands into a new user from any malicious attacks, even by the previous user, even if the new user does NOT factory reset the device.
>
> Best regards, Sebastian Nielsen
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
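The two technical points in this exchange, the "NeverConnected" power-up and pairing rule from the quoted mail and the reply's argument that a short lifetime forces the renewal automation to actually run, can be checked against a small model. The following is an added example written for this page; it is not code from the ACME thread, from draft-sweet-iot-acme, or from any implementation. The class, method and field names (`LocalCert`, `IoTDevice`, `never_connected`, `renewals_requested`) and the two scenarios are constructed for illustration; the renew-at-one-third-remaining threshold is an assumption borrowed from common ACME client practice, not something the draft specifies.

```python
# Added example, not code from the ACME thread or from draft-sweet-iot-acme:
# a toy model of an IoT device that follows the "NeverConnected" power-up and
# pairing rule proposed in the quoted mail, and that renews its locally issued
# certificate on a fraction of a short lifetime, as the reply argues for.
# Class, method and field names are hypothetical; the scenarios are constructed.

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed scenarios are reproducible offline.
EXAMPLE_NOW = datetime(2023, 8, 2, tzinfo=timezone.utc)


@dataclass
class LocalCert:
    network_id: str        # local network whose ACME server issued the cert
    not_before: datetime
    not_after: datetime

    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before

    def needs_renewal(self, now: datetime, renew_fraction: float = 1 / 3) -> bool:
        """True once less than renew_fraction of the lifetime remains.

        1/3 mirrors the usual "renew 30 days before a 90-day cert expires"
        practice (an assumption here). With a 14-day cert this fires after
        about 9 days, so the automation is exercised constantly; with a
        10-year cert it never fires during a realistic device lifetime.
        """
        remaining = self.not_after - now
        return remaining <= self.lifetime() * renew_fraction


@dataclass
class IoTDevice:
    certs: dict = field(default_factory=dict)   # network_id -> LocalCert
    users: set = field(default_factory=set)
    never_connected: bool = True
    renewals_requested: list = field(default_factory=list)

    def power_up(self) -> None:
        # Rule step 1: every power-up starts with NeverConnected = true.
        self.never_connected = True

    def connect(self, network_id: str, now: datetime) -> bool:
        """Rule step 2: joining a network we hold a certificate for clears
        the flag. Returns True if the network is known to the device."""
        cert = self.certs.get(network_id)
        if cert is None:
            return False
        self.never_connected = False
        if cert.needs_renewal(now) and network_id not in self.renewals_requested:
            self.renewals_requested.append(network_id)   # hand off to the ACME client
        return True

    def factory_reset(self) -> None:
        # Per the quoted reading of section 4.5: a factory reset regenerates
        # key material, so the previous owner's certs and user bindings go away.
        self.certs.clear()
        self.users.clear()
        self.renewals_requested.clear()
        self.never_connected = True

    def pair(self, new_user: str, via_existing_user: bool) -> bool:
        """Pair a new user; returns True if the pairing forced a factory reset."""
        if via_existing_user and self.users:
            # An existing user vouched for the new one: the old owner still
            # holds the device, so there is nothing to reset.
            self.users.add(new_user)
            return False
        # Button-style pairing. If the device has not seen a network it owns a
        # certificate for since power-up, assume it changed hands and reset.
        reset = self.never_connected
        if reset:
            self.factory_reset()
        self.users.add(new_user)
        return reset


def _alices_device(now: datetime) -> IoTDevice:
    # Constructed state: Alice's device holding a 14-day cert with 4 days left.
    dev = IoTDevice()
    dev.certs["home-a.local"] = LocalCert(
        "home-a.local", now - timedelta(days=10), now + timedelta(days=4))
    dev.users.add("alice")
    return dev


def scenario_resold_without_reset(now: datetime = EXAMPLE_NOW):
    """Alice sells the device without resetting; Bob powers it up at home."""
    dev = _alices_device(now)
    dev.power_up()
    known = dev.connect("home-b.local", now)        # Bob's network is unknown
    reset = dev.pair("bob", via_existing_user=False)
    return known, reset, dict(dev.certs), set(dev.users)


def scenario_same_owner(now: datetime = EXAMPLE_NOW):
    """Alice power-cycles the device on her own network, then adds two users."""
    dev = _alices_device(now)
    dev.power_up()
    dev.connect("home-a.local", now)                # known network: flag cleared
    reset_button = dev.pair("carol", via_existing_user=False)
    reset_vouched = dev.pair("dave", via_existing_user=True)
    return reset_button, reset_vouched, list(dev.renewals_requested), set(dev.users)


if __name__ == "__main__":
    print(scenario_resold_without_reset())
    print(scenario_same_owner())
```

In the resale scenario the button pairing wipes Alice's certificate and user binding because the device never reached a network it holds a certificate for; in the same-owner scenario the same button pairing is harmless, and reconnecting to the home network is also where the short-lived certificate gets queued for renewal, which is the point of keeping the lifetime short.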
