On 18.9.2014, at 16.05, Ted Lemon <[email protected]> wrote:
> On Sep 18, 2014, at 7:38 AM, STARK, BARBARA H <[email protected]> wrote:
>> X.509 certificates can be self-signed. That is, the device acts as its own 
>> CA. In fact, this is the recommended approach.
> Of course. But if there is never going to be a CA-signed key, there is no
> reason to have a cert at all. Self-signed certs are essentially a way of
> carrying a bare key in a cert, unless you install your signer key as a CA 
> key, in which case you have an administratively configured CA key that is 
> signing the cert, and it’s no longer really a self-signed cert.

On the other hand, use of certificates also facilitates use of something like
(hardware-bound) device certificates, which would be much harder to generate on
demand (and therefore blacklisting them might actually make sense in an
opportunistic scheme).

Cheers,

-Markus
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
