On Tue, August 1, 2017 11:52, Toke Høiland-Jørgensen wrote:

>>> you couldn't use the fact that you can publish in a name in it
>>> to do the ACME authentication.
>>
>> there SHOULD NOT be ACME authentication or any necessity of any
>> other authentication, as these domain names need not be unique ...
>>
>> in case you use 'teddynet.home.arpa.' and I use this domain name, too,
>> we wouldn't have the same X.509 SSL certificate, because each of us uses
>> their own private key ...
>>
>> why not just define the org. that hosts the ARPA TLD (IANA?) as the CA
>> for these domains, and the root certificate as a built-in token in the
>> common browsers and/or operating systems?
>> then it should only be necessary to upload the certificate request,
>> given the '.home.arpa.' domain name, and an email address where the
>> certificate is sent to;
>> the certificate will be a wildcard certificate for this .home.arpa.
>> domain ..
>>
>> I would want this to be added as an additional section to this Draft/RFC;
>
> If you're going through all this trouble of having a central API that
> will hand out certificates,

this need not necessarily be a central API, just a sort of rules, to make
the existing CAs hand out the certificate without the need of any
authentication ...

> wouldn't it be possible to make that same
> authority hand out pseudo-random unique subdomains (of some suitable
> domain; not necessarily .home.arpa)?

are you talking about a TLD, e.g. ".home", which is like the other TLDs
such as .com or .net or even .at, with the difference that the
authoritative DNS servers of such a domain needn't be accessible from the
internet ...; and this registration could hand out the certificates, too;

> Then you are only an NS record from
> solving the globally visible naming problem... :)

with the thought above these aren't globally visible and there is no need
to be; but the risk that a misconfiguration tells the folks the LAN
structure ...

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
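The exchange above turns on one technical point: two households may both pick 'teddynet.home.arpa', each generates its own private key, and so each ends up with a different certificate for the same wildcard name. The following Go program is an added example, not code from the thread or from the homenet draft. It assumes the name 'teddynet.home.arpa' used in the message, uses only Go's standard library, and builds two independent self-signed wildcard certificates to show that (a) the fingerprints differ, (b) a client that has pinned one household's certificate rejects the other's even though the names are identical (there is no shared CA, which is exactly what the proposal in the thread would have to supply), and (c) the wildcard covers one label only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// homeName is the example name from the thread (assumption: any household
// may choose it; nothing in .home.arpa makes it unique).
const homeName = "teddynet.home.arpa"

// household holds one party's private key and its self-signed wildcard cert.
type household struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newHousehold generates a fresh P-256 key and a self-signed certificate
// covering both <homeName> and *.<homeName>, the wildcard cert the thread
// describes. The cert is marked as a CA so it can serve as its own root.
func newHousehold(homeName string) (*household, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: homeName},
		DNSNames:              []string{homeName, "*." + homeName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Template is both subject and issuer: a self-signed certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &household{key: key, cert: cert}, nil
}

// fingerprint returns the SHA-256 of the DER certificate, the value a
// browser would display or a client would pin.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// trustedBy reports whether server's certificate validates for host when
// the client trusts only root. Without a shared CA, only the household's
// own certificate passes, regardless of the name on the other one.
func trustedBy(server, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

func main() {
	a, err := newHousehold(homeName)
	if err != nil {
		panic(err)
	}
	b, err := newHousehold(homeName)
	if err != nil {
		panic(err)
	}
	fmt.Println("household A:", fingerprint(a.cert))
	fmt.Println("household B:", fingerprint(b.cert))
	fmt.Println("A trusts own router.teddynet.home.arpa:",
		trustedBy(a.cert, a.cert, "router."+homeName))
	fmt.Println("A trusts B's router.teddynet.home.arpa:",
		trustedBy(b.cert, a.cert, "router."+homeName))
	fmt.Println("wildcard covers two labels:",
		trustedBy(a.cert, a.cert, "cam.attic."+homeName))
}
```

The last line is the practical caveat on the "wildcard certificate" in the proposal: '*.teddynet.home.arpa' matches 'router.teddynet.home.arpa' but not 'cam.attic.teddynet.home.arpa', so deeper device names need their own entries.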