Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

"Walter H." <walter.h@mathemainzel.info> Tue, 01 August 2017 06:01 UTC

Message-ID: <b562a9fd0ce2d8af63109aac47d1d47a.1501567308@squirrel.mail>
In-Reply-To: <E51998F5-8EF9-4FC8-90BE-1D0BF1805339@fugue.com>
References: <150127266271.25329.18484770769960144@ietfa.amsl.com> <597F7545.9000702@mathemainzel.info> <E51998F5-8EF9-4FC8-90BE-1D0BF1805339@fugue.com>
Date: Tue, 01 Aug 2017 08:01:48 +0200
From: "Walter H." <walter.h@mathemainzel.info>
To: Ted Lemon <mellon@fugue.com>
Cc: homenet@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/2776vEGS1dv8yMvDCBPtoBvIDv0>
Subject: Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

On Mon, July 31, 2017 20:33, Ted Lemon wrote:
> On Jul 31, 2017, at 2:21 PM, Walter H. <Walter.H@mathemainzel.info> wrote:
>> Just a thought of mine, would it be possible to add a section, to make
>> it possible
>> to get official SSL certificates for these 'home.arpa.' domains (for
>> free),
>> so there would not be the need of running one's own PKI?
>
> I don't see how that could work.

that is why my thought was to add a section to this Draft/RFC on how this will work

>  I agree that it's a problem in need of
> a solution, but since home.arpa wouldn't be externally visible,

of course, that is the point of a private LAN domain name ...

> you couldn't use the fact that you can publish in a name in it
> to do the ACME authentication.

there SHOULD NOT be ACME authentication or any necessity for any
other authentication, as these domain names need not be unique ...

in case you use 'teddynet.home.arpa.' and I use this domain name too,
we wouldn't have the same X.509 SSL certificate, because each of us uses
his own private key ...

why not just define the org. that hosts the ARPA TLD (IANA?) as the CA
for these domains, and the root certificate as a built-in token in the common
browsers and/or operating systems?
there it should only be necessary to upload the certificate request,
giving the '.home.arpa.' domain name and an email address where the
certificate is sent to;
the certificate will be a wildcard certificate for this .home.arpa.
domain ..

I would want this to be added as an additional section to this Draft/RFC;

> I was hoping to get IP-based certs, but it turns out that letsencrypt
> (probably wisely) doesn't offer them.

IP-based is a bad idea as there is no user agent (browser) that handles
IPv6 correctly in such a case ...

Thanks,
Walter
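The issuance flow sketched in the message above (upload a CSR naming a home.arpa zone, get back a wildcard certificate from a root that browsers would ship as built in, with no ACME or other proof of control), written out as an added Go example. This is not code from the draft, from Walter, or from anyone on the thread, and it uses only the Go standard library. The CA, its name, the zone `teddynet.home.arpa` and the host `printer.teddynet.home.arpa` are all constructed for the illustration; no such CA exists. It runs the exact scenario from the message, two homes both using `teddynet.home.arpa` with their own private keys, and reports what a browser trusting that root sees: whether each wildcard certificate validates for a host in the zone, and whether the two certificates share a key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// HomeArpaCA is the registry-run CA the proposal asks for (an assumption: none exists).
type HomeArpaCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewHomeArpaCA creates the self-signed root a browser would have built in.
func NewHomeArpaCA() *HomeArpaCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Hypothetical home.arpa Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &HomeArpaCA{cert: must(x509.ParseCertificate(der)), key: key}
}

// Issue is the CA side as proposed: check the CSR signature and that the name is
// under home.arpa, then sign a wildcard certificate. No proof of control at all.
func (ca *HomeArpaCA) Issue(csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession only
		return nil, err
	}
	zone := strings.ToLower(strings.TrimSuffix(csr.Subject.CommonName, "."))
	if zone == "home.arpa" || !strings.HasSuffix(zone, ".home.arpa") {
		return nil, fmt.Errorf("issue: %q is not a zone under home.arpa", zone)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: zone},
		DNSNames:     []string{zone, "*." + zone}, // wildcard for the whole home zone
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key))
	return x509.ParseCertificate(der)
}

// Verify is what a browser with the root built in does when it connects to host.
func (ca *HomeArpaCA) Verify(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Demo plays the scenario from the message: two homes both use zone, each with
// its own key; a browser trusting the root connects to host in that zone.
func Demo(zone, host string) (bothValid, sameKey bool) {
	ca := NewHomeArpaCA()
	var certs [2]*x509.Certificate
	for i := range certs {
		// Home user's side: a fresh key and a CSR naming the zone; only the CSR is uploaded.
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		csr := must(x509.CreateCertificateRequest(rand.Reader,
			&x509.CertificateRequest{Subject: pkix.Name{CommonName: zone}}, key))
		certs[i] = must(ca.Issue(csr, int64(100+i)))
	}
	bothValid = ca.Verify(certs[0], host) == nil && ca.Verify(certs[1], host) == nil
	sameKey = certs[0].PublicKey.(*ecdsa.PublicKey).Equal(certs[1].PublicKey)
	return bothValid, sameKey
}

func main() {
	both, same := Demo("teddynet.home.arpa", "printer.teddynet.home.arpa")
	fmt.Println("both certificates validate:", both, "- same public key:", same)
}
```

Both certificates chain to the built-in root and both are accepted for `printer.teddynet.home.arpa`, while carrying different keys, which is the property the proposal relies on and also all a relying browser can see. The only checks the CA can make without an external view of the name are the CSR signature (proof of possession of the key) and the name suffix; the `Issue` policy and the serial numbers are part of the illustration, not anything the draft specifies.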