On 31/08/2020 14:26, Michael Richardson wrote:
Yes, many many many devices will break.
But browser makers don't really care about that.
This is a no-win situation until we can find a way to give proper names and
certificates to devices.
And offloading this into Let's Encrypt is **NOT** an answer unless
you're on the low end of a thousand certificates, and maybe not even
that much.
Fortunately, the sheer pain of trying to juggle the update schedule of a
largish number of certificates with current Let's Encrypt quotas is
already deterrent enough -- I assume most around here would agree that
it is in the best interest of society as a whole that we do NOT
endanger, nor allow the usual suspects to push us into endangering,
Let's Encrypt long-term viability.
The typical enterprise-ish solution to this (which is no problem for
Let's Encrypt or any other CA) is to have a cloud gateway, where you
need at most a hundred browser-PKI-blessed certificates, and several
orders of magnitudes more private-CA-issued certificates for the devices
to talk to the backend API endpoints.
The user has no HTTPS support unless he goes through the cloud. Initial
provisioning is http and self-signed-https, and stops working as soon as
cloud connectivity "happens".
It is a solution makes one want to puke, but it is one of the few viable
at the moment.
As long as users are being trained to override certificate exceptions, then
the certificate provides very little benefit.
Agreed, but it is mandatory in some circumstances.
It would be *nice* if we could easily deploy extremely restricted
self-signed CAs that can only sign a numeric pattern hostname under
<device>.iot.<your>.<domain>. That extremely restricted CA would get
"approved" by something from <your>.<domain> that the browser would use
to stop pestering the user of <device>: be that a certificate chaining
from <your>.<domain>, or DNSSEC, or whatever.
Well, one can hope and dream...
--
Henrique de Moraes Holschuh
Analista de Projetos
Centro de Estudos e Pesquisas em Tecnologias de Redes e Operações
(Ceptro.br)
+55 11 5509-3537 R.:4023
INOC 22548*625
www.nic.br
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
