On 31/07/17 19:00, Ted Lemon wrote:
> I don't know how to make that work without a fake domain tree.
> Can't we just use ACME+letsencrypt.org <http://letsencrypt.org/>?

I think the protocols would work fine, but I'm not sure there's a current challenge type that'd work here, for LE or any similar service. (The current set of challenges in the acme spec is at [1].)
For my main home router (a Turris), I set up a VPN connection so that the AAAA for a name I control is routed to the Turris when the VPN is up, and then I just used acme.sh [2] to talk to LE, and all that works just fine and gets rid of the annoying browser insecurity warning when I use luci. (I further cheat by only having that VPN up when I need to talk to LE for renewal checks, and otherwise just resolve the name using 10/8 inside the home, but I'm sure there're better options.)

So the plumbing/protocols all do work if you have a name and address that works from the CA service provider POV. It's just that almost nobody can do that today.

Is this something where it'd be worth trying to get a few folks from the various communities on a call to see if we can come up with something that might work for the openwrt/lede type cases? If so, I'd be happy to try to set that up in a month or so, when holliers are done and I'm supposedly gonna be a chair-like being:-) I'd be happy to try that even if the chances of a Eureka! moment aren't very high.

(And btw, the reason I suggest that scope is that I figure commercial device vendors can figure out the cert issuance part just fine already, and with better assurance, but probably have the same issues with browser trust stores as do the openwrt/lede folks, so I'm not suggesting excluding commercial device vendors, just limiting the scope to stuff that could be worked on today by anyone if we did have that Eureka! moment.)

Cheers,
S.

[1] https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-8
[2] https://github.com/Neilpang/acme.sh
_______________________________________________ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
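The message above turns on two points: what an ACME client such as acme.sh has to publish for the challenge types in the draft's section 8, and the author's observation that this only works if the name and address "work from the CA service provider POV". The block below is an added illustration of both, not code from this thread, from acme.sh or from Let's Encrypt. It uses only the Python standard library; the JWK, the challenge token and the router name `router.example.net` are constructed placeholders, and `reachable_from_ca` is a hypothetical pre-check, not an ACME operation.

```python
"""Added example: ACME http-01 / dns-01 challenge material plus a reachability
pre-check for the split-horizon home-router case described in the thread.
Not part of the original e-mail, acme.sh or Let's Encrypt."""
import base64
import hashlib
import ipaddress
import json

# Constructed placeholder JWK (not a real key) standing in for the ACME
# account key that acme.sh would generate.
CONSTRUCTED_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

# Members that enter the RFC 7638 thumbprint, per key type.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME and JWS use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, serialised
    with lexicographically sorted keys and no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: the string a CA ties to this account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """Path the CA fetches over port 80 and the exact body it expects there.
    The CA has to reach the router's address for this to succeed."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """TXT owner name and value: base64url(SHA-256(key authorization)).
    Only the name's public DNS needs to be reachable, not the router."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def reachable_from_ca(address: str) -> bool:
    """Hypothetical pre-check: can a CA on the public Internet reach this
    address at all? Private IPv4 (10/8 etc.), ULA, link-local, loopback and
    documentation ranges fail; the home's 10/8 answer in the thread would."""
    ip = ipaddress.ip_address(address)
    return ip.is_global and not ip.is_multicast


if __name__ == "__main__":
    token = "constructed-token-123"   # a real token comes from the CA
    path, body = http01_response(token, CONSTRUCTED_JWK)
    print("http-01: serve", repr(body), "at", path)
    name, value = dns01_record("router.example.net", token, CONSTRUCTED_JWK)
    print("dns-01 : publish TXT", name, value)
    for addr in ("10.0.0.1", "fd00::1", "2606:4700:4700::1111", "8.8.8.8"):
        print(f"{addr:>22} reachable from a public CA: {reachable_from_ca(addr)}")
```

The split shown by `http01_response` versus `dns01_record` is the practical point: http-01 needs the CA to connect to the router's own address (hence the VPN trick in the message), while dns-01 only needs the client to be able to write a TXT record at a public DNS provider, which is why it is the challenge that fits a device sitting behind NAT or on 10/8.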