Toerless Eckert <[email protected]> wrote:
> My main point was that we seem to be trying to build workarounds for a
> problem that exists (IMHO ONLY) for targets/URLs that may need to be
> entered by muggles into browsers. For this case, W3C has come up with a
> nice useful approach:
I am not convinced that's the exclusive case.
That's the case *today*, because we don't have interoperable IoT APIs.
WoT, SENML, NIPC/SDF, OPC UA, Matter. All these things will bring useful
APIs, and then people will want to do more, at which point device A needs to
validate device B. Yes, for HTTPS, but possibly also for CoAPS, QUIC ...
> - URLs need to have muggle safe, simple human recognizable domain names
> - The authenticity of the domain names is validated via a WebPKI certificate
I don't think it's the W3C that says this, I think it's RFC9525.
> - TLS libraries only allow you to validate WebPKI certificates
That's not really the case.
They make it **easy** to validate the pre-loaded system certificates, which in
most cases is the same thing. Applications *can* add new anchors either
implicitly (adding to the system certificates), or explicitly ("--cacert"
to curl, for instance).
> IMHO, I would really love to see TLS not being constrained to only
> browser business, but I'd love to use certificate authentication where
> feasible for all IOT environments. But that won't work with WebPKI
> certificates. And that's highly annoying because we already know how it
> is easily feasible to build IOT specific certificate extensions
> (because we've done it for other use cases in other RFCs).
Agreed.
To add some ADD content back [pun intended]: ultimately, home CPEs would just be
mains-powered IoT devices with really good connectivity. If IoT had already
solved the problem, then ADD wouldn't have to.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =- *I*LIKE*TRAINS*
_______________________________________________ Anima mailing list -- [email protected] To unsubscribe send an email to [email protected]
