> On Jan 9, 2018, at 19:31, Peter Gutmann via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> Jonathan Rudenberg <jonat...@titanous.com> writes:
> 
>> For communicating with other machines, the correct thing to do is to issue a
>> unique certificate for each device from a publicly trusted CA. The way Plex
>> does this is a good example:
>> https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/
> 
> But the Plex solution required DynDNS, partnering with a CA for custom hash-
> based wildcard certificates (and for which the CA had to create a new custom
> CA cert), and other tricks, I don't think that generalises.  In effect this
> has given Plex their own in-house CA (by proxy), which is a point solution for
> one vendor but not something that any vendor can build into a product.

There is nothing special about this; hardware vendors regularly do a similar
amount of work around discovery/provisioning for their devices. Additionally,
there is nothing special about the CA; it can be done with Let’s Encrypt! For
example: https://crt.sh/?q=%25.myfritz.net

These types of use cases (“IOT”) are regularly brought up by CAs on mailing
lists, so I assume there are several that are quite happy to help you set
something similar up.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
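The per-device certificate model discussed in the thread (a unique DNS name per device under the vendor's zone, a leaf certificate for that name, and a client that verifies both the chain and the name), as an added Go example that is not part of this thread or of Plex's or AVM's code. The zone `devices.example.invalid`, the serial-derived names and the self-made root are constructed stand-ins for the vendor's DNS setup and for a public CA such as Let's Encrypt.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// DeviceName derives a unique, DNS-safe name for a device from its serial under a
// hypothetical vendor zone (the role plex.direct and myfritz.net play in the thread).
func DeviceName(serial string) string {
	sum := sha256.Sum256([]byte(serial))
	return hex.EncodeToString(sum[:8]) + ".devices.example.invalid"
}

// sign issues tmpl under parent (pass parent == tmpl for a self-signed root).
func sign(tmpl, parent *x509.Certificate, pub, priv interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return c
}

// Provision stands in for the CA (constructed root; a public CA would play this role).
func Provision(serial string) (*x509.CertPool, *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, _, _ := ed25519.GenerateKey(rand.Reader) // the device keeps its private key
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Example Device CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	ca := sign(caTmpl, caTmpl, caPub, caKey)
	leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{DeviceName(serial)},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}, ca, devPub, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, leaf
}

// Valid is the client-side check: leaf must chain to pool and be issued for host.
func Valid(leaf *x509.Certificate, pool *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

Because each leaf is bound to exactly one device name, a certificate lifted from one device does not verify for another, and nothing verifies without the issuing CA in the client's trust store.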