On Thu, Dec 19, 2024 at 8:29 AM Michael Sweet <[email protected]> wrote:
>
> Watson,
>
> > On Dec 19, 2024, at 11:00 AM, Watson Ladd <[email protected]> wrote:
> >
> > Any solution will have to involve the device doing something, and something
> > validating the device. If we can get the user ISP (I know, I know), to
> > produce a residential domain setup like fijinb23.users.example.com, then
> > the router (I know, I know) can somehow gather that a new printer has been
> > added, give the printer printer.fijnb23.users.example.com via communication
> > to the ISP, and set the DNS challenge entries to respond to a request for
> > DCV validation that results in a cert being sent back to the printer with a
> > CSR the printer generates.
> >
> > There's lots of problems here, but I think this strawman shows the problem
> > can be solved, and it's just a matter of improvements.
>
> OK, so since discovery depends on DNS-SD (either using mDNS or traditional
> DNS), we'd need a way for IoT devices to push their DNS-SD records up to the
> DNS server, and/or for the ACME service to issue certificates that *also*
> have the .local name as a SAN (something they won't do right now because they
> cannot validate the address...)

Why do you need .local vs. .sdfi24241.subscribers.isp.example.com and setting that as a search domain? Also note that the local router can make DHCP option advertisements to configure things.

> This also has huge privacy issues - it is one thing to require local services
> to be published/registered/validated locally, but quite another to make them
> globally visible (if not globally accessible).

Yes, this is a weakness.

> Finally, this also depends on having Internet connectivity which IMHO makes
> this a non-starter, even for homes that have a dedicated Internet service.
> For example, my Starlink service drops out regularly as satellites transit
> overhead, and cellular similarly comes and goes for a variety of reasons. We
> need a *local* trusted authority for *local* services.

I don't understand why a one-time requirement of net connectivity at registration/renewal makes it worthless. Let's solve the 90% we can. The problem with local trusted authority is that we don't really have a way to get it on the local devices, especially limited ones, that people can use.

> ________________________
> Michael Sweet

-- 
Astra mortemque praestare gradatim
_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]
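The DNS validation step in the strawman above (the router publishes a challenge record under the device's delegated name, the CA looks it up, and a certificate is issued against the CSR the printer generated) is the ACME dns-01 challenge of RFC 8555. The following is an added example, not code from this thread or from any ACME implementation: it computes the RFC 7638 account-key thumbprint, the key authorization and the TXT record value exactly as RFC 8555 section 8.4 specifies, and simulates both the router's publish step and the CA's lookup against a constructed in-memory zone. The JWK coordinates, the token and the device name are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json

# Constructed placeholders (not a real key, not a real CA token).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",  # optional member: must NOT influence the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
DEVICE_NAME = "printer.fijnb23.users.example.com"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as both RFC 8555 and RFC 7638 require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over a JSON object containing only the required
    members of the key type, keys in lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_name(identifier: str) -> str:
    """The TXT record is published one label below the identifier."""
    return f"_acme-challenge.{identifier}"


def publish_challenge(zone: dict, identifier: str, token: str, jwk: dict) -> None:
    """Router side: it holds the ACME account key, so it can derive the TXT
    value and push it into the (ISP-hosted) zone. The zone is a dict of
    owner name -> set of TXT strings, standing in for a dynamic DNS update."""
    zone.setdefault(challenge_name(identifier), set()).add(dns01_txt_value(token, jwk))


def ca_validate_dns01(zone: dict, identifier: str, token: str, jwk: dict) -> bool:
    """CA side: resolve the TXT RRset and accept if any record matches the
    expected digest (RFC 8555 permits several TXT records at that name)."""
    expected = dns01_txt_value(token, jwk)
    return expected in zone.get(challenge_name(identifier), set())


if __name__ == "__main__":
    zone = {}
    publish_challenge(zone, DEVICE_NAME, TOKEN, ACCOUNT_JWK)
    print(challenge_name(DEVICE_NAME), "TXT", sorted(zone[challenge_name(DEVICE_NAME)]))
    print("CA validation:", ca_validate_dns01(zone, DEVICE_NAME, TOKEN, ACCOUNT_JWK))
```

Note what lives where in this split: only the ACME account key (and therefore the thumbprint) is needed to publish the record, so it can sit on the router, while the private key behind the printer's CSR never leaves the printer. The thumbprint deliberately ignores optional JWK members such as `use`, so a router that serialises its account key differently from the CA still derives the same TXT value.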
