On 19.09.2014 at 16:00, Michael Thomas wrote:
> And it's extremely unlikely that
> DTLS will be a one-sentence "solution" even if it gets adopted because
> DTLS, IPsec, etc say nothing
> about enrollment and authorization. Those are by far the hard problems
> with homenet security.
I wouldn't really want to lock HNCP to any trust scheme at this point
where we are not even sure what we want. I'd rather choose the
underlying mechanism, either DTLS or IPsec/IKE, and leave the rest
out-of-scope. Maybe mention PSK-usage as a baseline option and say various
other certificate-based approaches are possible but out-of-scope of the
HNCP draft itself.

In practice users could probably run either their own in-home CA (e.g.
like draft-behringer-homenet-trust-bootstrap) or we could add a
web-of-trust-like extension to HNCP using transitive trust as proposed
in draft-bonnetain-hncp-security or some weird combination. Either way
it all stands and falls with the final user experience, e.g. the APP and
the router's interaction with it for trust-bootstrap, or the
Web-UI/APP/Push-Button which lets you actively "trust" your peer in the
web-of-trust approach. But user-experience isn't something we can really
specify here.
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet