Responding to the scenario Jakob described, which I agree is likely in outline:

Let's Encrypt has seen a number of enquiries about relaxing their rate limits or granting some sort of exception so that firmware OEMs can use Let's Encrypt to have their devices self-issue using ACME from a name pool controlled by the OEM.

With ACME, out of the box a device can get itself unique, working Web PKI certs periodically so long as:

* It has some source of entropy
* It has an FQDN in the Internet's public DNS or can get one
* It can either make FQDN:80 or FQDN:443 reach it, or add DNS leaf records off the FQDN in the public DNS.

These are all eminently soluble problems and don't involve changes to the manufacturing process, unless entropy has to be somehow "baked in" to the devices to achieve that bullet point.

If you DIY, the rate limits obviously aren't a problem, and lots of DIY devices have Let's Encrypt issued certificates today. Home "routers" built out of a Raspberry Pi or a Mini PC are fairly popular with hobbyists.

So rate limits (which exist for a perfectly sensible reason) are the only reason you can't buy a device that does this off the shelf.
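
Added example, not part of the original message: what the third condition in the list above amounts to in ACME terms, i.e. the values a device has to publish at FQDN:80 (http-01, RFC 8555), at FQDN:443 (tls-alpn-01, RFC 8737) or in DNS (dns-01, RFC 8555). The host name, token and account key coordinates are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME and JWK both use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Constructed sample values (assumptions, not from the message): a name from
# a hypothetical OEM-controlled pool, a token as the CA would send it, and
# placeholder P-256 coordinates of the right length (not a real key).
SAMPLE_FQDN = "device-0001.pool.example"
SAMPLE_TOKEN = "constructed-token-0001"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(bytes(range(32))),
              "y": b64url(bytes(range(32, 64)))}

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no spaces."""
    required = {"EC": ("crv", "kty", "x", "y"),
                "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def challenge_responses(fqdn: str, token: str, account_jwk: dict) -> dict:
    """What the device must publish for each ACME validation method."""
    # Key authorization binds the CA's token to the device's account key.
    key_auth = f"{token}.{jwk_thumbprint(account_jwk)}"
    digest = hashlib.sha256(key_auth.encode("ascii")).digest()
    return {
        # Served over plain HTTP on port 80 of the FQDN.
        "http-01": {
            "url": f"http://{fqdn}/.well-known/acme-challenge/{token}",
            "body": key_auth},
        # TXT record added as a leaf off the FQDN in the public DNS.
        "dns-01": {"name": f"_acme-challenge.{fqdn}", "txt": b64url(digest)},
        # Self-signed cert on port 443 carrying the digest in acmeIdentifier.
        "tls-alpn-01": {"port": 443, "alpn": "acme-tls/1",
                        "acme_identifier_sha256": digest.hex()},
    }

if __name__ == "__main__":
    print(json.dumps(
        challenge_responses(SAMPLE_FQDN, SAMPLE_TOKEN, SAMPLE_JWK), indent=2))
```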

