On 09/18/2014 04:50 AM, Michael Sweet wrote:
> One advantage of using X.509 certs is that the code to support them is widely
> available with multiple implementations.
>
> Another is that the same cert can be used for TLS negotiation in embedded web
> services, etc. to each device.
>
> And of course if the registration mechanism is integrated into client OSes then
> those X.509 certs can easily participate in the usual trust policy stuff
> supported by those OSes.
IMHO, if you're not going to use a CA, then putting X.509 bits around the public key only serves to confuse the issue in my experience, and makes for a much more complicated solution. Using raw public keys is really quite simple code-wise. And, of course, nothing prevents you from manufacturing those fake X.509 certs for protocols that require them, and just using the bare key for those that don't.

That said, it is possible to envision using local CA functionality such that any currently enrolled homenet router is able to sign a new enrollee's key, which allows it to present that cert to any other homenet device without prior knowledge of that key and be accepted. It's just another way of distributing the database.

Not sure how any of this would work with revocations though.
Mike
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
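The local-CA scheme sketched in the message above (an already enrolled router signs a new enrollee's bare public key, and any other homenet device then accepts that cert knowing nothing but the first router's cert), written out as an added example. This is not code from the original message or from any homenet implementation; it uses only Go's standard library, and the names Bootstrap, Enroll and Accept, the device names, the one-year lifetime, and the verifier-local serial-number deny-list offered as one answer to the revocation question are all this example's own assumptions. Enroll is exactly the "X.509 bits around the public key" step: only the enrollee's public key crosses to the signer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Enrolled is a homenet device: its key pair and the cert issued for it.
type Enrolled struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Routers get IsCA so any enrolled router can sign the next enrollee; plain
// devices do not, so a compromised device cannot mint credentials (assumption).
func newTemplate(name string, isRouter bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isRouter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isRouter {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// Enroll has an already enrolled signer wrap the enrollee's public key in a
// cert. Only the public key travels; the enrollee's private key never moves.
func Enroll(signer *Enrolled, pub *ecdsa.PublicKey, name string, isRouter bool) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, newTemplate(name, isRouter), signer.Cert, pub, signer.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Bootstrap makes the first router: its bare public key in a self-signed
// cert, the one cert every other homenet device has to trust.
func Bootstrap(name string) *Enrolled {
	key, tmpl := newKey(), newTemplate(name, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &Enrolled{Key: key, Cert: cert}
}

// Accept is what a homenet device runs when a peer presents its cert plus the
// certs of the routers that enrolled it: it trusts only the root router and
// needs no prior knowledge of the peer's key. revoked is a verifier-local
// deny-list of serials (assumption), because x509.Verify checks no revocation.
func Accept(root *x509.Certificate, revoked map[string]bool, peer *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := peer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return false
	}
	for _, chain := range chains { // usable only if nothing in the chain is revoked
		clean := true
		for _, c := range chain {
			clean = clean && !revoked[c.SerialNumber.String()]
		}
		if clean {
			return true
		}
	}
	return false
}

func main() {
	root := Bootstrap("router-0")
	aKey, dKey := newKey(), newKey()
	aCert, _ := Enroll(root, &aKey.PublicKey, "router-a", true)
	dCert, _ := Enroll(&Enrolled{Key: aKey, Cert: aCert}, &dKey.PublicKey, "printer", false)
	fmt.Println("printer accepted by a device that trusts only router-0:", Accept(root.Cert, nil, dCert, aCert))
}
```

The verifier never learns the printer's key in advance: it is handed the printer's cert together with router-a's cert and chains both back to the one root it holds. A cert signed by a plain (non-CA) device fails in Accept, and a self-signed cert from a stranger fails because nothing in the chain is signed by the root key. The revocation question from the message is real: Accept only refuses a chain whose serial appears in the local deny-list, so revoking a router means that deny-list, itself another database, has to reach every verifier, and until it does the router can keep enrolling devices.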