On 09/19/2014 07:17 AM, Steven Barth wrote:
> On 19.09.2014 at 16:00, Michael Thomas wrote:
>> And it's extremely unlikely that DTLS will be a one-sentence "solution"
>> even if it gets adopted, because DTLS, IPsec, etc. say nothing about
>> enrollment and authorization. Those are by far the hard problems with
>> homenet security.
> I wouldn't really want to lock HNCP to any trust scheme at this point,
> where we are not even sure what we want. I'd rather choose the
> underlying mechanism, either DTLS or IPsec/IKE, and leave the rest
> out of scope. Maybe mention PSK usage as a baseline option and say
> various other certificate-based approaches are possible but out of
> scope of the HNCP draft itself.
>
> In practice users could probably run either their own in-home CA (e.g.
> like draft-behringer-homenet-trust-bootstrap) or we could add a
> web-of-trust-like extension to HNCP using transitive trust as proposed
> in draft-bonnetain-hncp-security, or some weird combination. Either way
> it all stands and falls with the final user experience, e.g. the app
> and the router's interaction with it for trust bootstrap, or the
> Web-UI/app/push-button which lets you actively "trust" your peer in
> the web-of-trust approach. But user experience isn't something we can
> really specify here.
Let's be clear: the enrollment and authorization problems are The hard problems. How the bits on the wire are encrypted/authenticated is straightforward in comparison. Not having a standardized way of setting this up will lead to chaos and the high likelihood that homenet devices will not interoperate. Doubly so because the homenet architecture requires as little operator intervention as possible.

Punting on one of the hardest problems would be a travesty. There are plenty of people in IETF that are plenty smart about this subject; we will never get an opportunity to do the right thing again if we lose this into the wild and say "figure it out yourself." We know what happens then.
Mike
_______________________________________________
homenet mailing list
https://www.ietf.org/mailman/listinfo/homenet