Re: [homenet] Ted's security talk at IETF99: DNCP Security
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 31 July 2017 19:23 UTC
To: Ted Lemon <mellon@fugue.com>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: homenet@ietf.org
References: <3725.1501514462@obiwan.sandelman.ca> <52E1C5A0-FC0E-46A5-9016-AA95FB3DC1CB@fugue.com> <3184.1501522914@obiwan.sandelman.ca> <5A407EA3-AC8B-44A7-8EC2-8242480027FE@fugue.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <6c9af76b-5d5c-3830-b0c2-9f7ddae9d565@cs.tcd.ie>
Date: Mon, 31 Jul 2017 20:22:52 +0100
In-Reply-To: <5A407EA3-AC8B-44A7-8EC2-8242480027FE@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/7YlwDCMA57He61k4UbjstYa3mzs>
On 31/07/17 19:00, Ted Lemon wrote:
> I don't know how to make that work without a fake domain tree.
> Can't we just use ACME+letsencrypt.org <http://letsencrypt.org/>?

I think the protocols would work fine, but I'm not sure there's a current challenge type that'd work here, for LE or any similar service. (The current set of challenges in the acme spec is at [1].)

For my main home router (a Turris), I setup a VPN connection so that the AAAA for a name I control is routed to the Turris when the VPN is up, and then I just used acme.sh [2] to talk to LE and all that works just fine and gets rid of the annoying browser insecurity warning when I use luci. (I further cheat by only having that VPN up when I need to talk to LE for renewal checks and otherwise just resolve the name using 10/8 inside the home, but I'm sure there're better options.)

So the plumbing/protocols all do work if you have a name and address that works from the CA service provider POV. It's just that almost nobody can do that today.

Is this something where it'd be worth trying to get a few folks from the various communities on a call to see if we can come up with something that might work for the openwrt/lede type cases? If so, I'd be happy to try set that up in a month or so, when holliers are done and I'm supposedly gonna be a chair-like being:-) I'd be happy to try that even if the chances of a Eureka! moment aren't very high.

(And btw, the reason I suggest that scope is that I figure commercial device vendors can figure out the cert issuance part just fine already, and with better assurance, but probably have the same issues with browser trust stores as do the openwrt/lede folks, so I'm not suggesting excluding commercial device vendors, just limiting the scope to stuff that could be worked on today by anyone if we did have that Eureka! moment.)

Cheers,
S.

[1] https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-8
[2] https://github.com/Neilpang/acme.sh
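The sticking point in the message above is the ACME challenge: the CA only issues a certificate once it can reach the name and address being claimed, either over HTTP on port 80 (http-01) or through a DNS TXT record (dns-01). The example below, added here and not part of the thread or of acme.sh, walks through the key-authorization arithmetic from section 8 of the draft cited as [1] for both challenge types, with the client side (what the router must publish) and the CA side (what the validator checks). The JWK is a constructed toy key with a deliberately short modulus, present only so the thumbprint computation runs; `router.example` and the function names are illustrative, not anything from the draft or from Let's Encrypt.

```python
"""
Added example: ACME http-01 / dns-01 key authorization, client and CA side.
Not code from the homenet thread or from acme.sh. The account key below is
a constructed toy JWK (far too short for real use) so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed toy account key: an RSA JWK as an ACME client would register.
TOY_ACCOUNT_JWK: Dict[str, str] = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1WlUzewbgBHod5pcM9H95GQRV3JDXboIRROSBigeC5yjU1hGzHHyXss8UDprecbAYxknTcQkhslANGRUZmdTOQ5qTRsLAt6BTYuyvVRdhS8exSZEy_c4gs_7svlJJQ4H9_NxsiIoLwAEk7-Q3UXERGYw_75IDrGA84-lA_-Ct4eTlXHBIY2EaV7t7LjJaynVJCpkv4LKjTTAumiGUIuQhrNhZLuF_RJLqHpM2kgWFLU7-VTdL1VbC2tejvcI2BlMkEpk1BzBZI0KQB0GaDWFLN-aEAw3vRw",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members,
    lexicographically ordered, serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """token '.' thumbprint(account key): binds the challenge to one account."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """Client side for http-01: the path the CA fetches on port 80 and the
    exact body the router must serve there."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(token: str, jwk: Dict[str, str], domain: str) -> Tuple[str, str]:
    """Client side for dns-01: TXT owner name and value to publish. The value
    is a hash of the key authorization, so the zone never exposes it directly."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def ca_verify_http01(token: str, fetched_body: str, account_jwk: Dict[str, str]) -> bool:
    """CA side: the body fetched from the claimed host must equal the key
    authorization computed from the CA's own copy of the account key."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(fetched_body.strip(), expected)


def ca_verify_dns01(token: str, txt_values: List[str],
                    account_jwk: Dict[str, str], domain: str) -> bool:
    """CA side: any TXT value at _acme-challenge.<domain> may match."""
    _, expected = dns01_record(token, account_jwk, domain)
    return any(hmac.compare_digest(v, expected) for v in txt_values)


def walkthrough(token: str = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",
                domain: str = "router.example") -> Dict[str, object]:
    """Run both challenge flows end to end and return what each side saw."""
    path, body = http01_response(token, TOY_ACCOUNT_JWK)
    txt_name, txt_value = dns01_record(token, TOY_ACCOUNT_JWK, domain)
    return {
        "http01_path": path,
        "http01_body": body,
        "http01_ok": ca_verify_http01(token, body, TOY_ACCOUNT_JWK),
        "dns01_name": txt_name,
        "dns01_value": txt_value,
        "dns01_ok": ca_verify_dns01(token, [txt_value], TOY_ACCOUNT_JWK, domain),
    }


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The point the thread is circling shows up in `http01_response` and `dns01_record`: everything is computable locally, but the CA still has to fetch that path over the public Internet or query that TXT name in a public zone, which is exactly the name-and-address reachability a stock home router lacks. Binding the token to the account thumbprint is also why a fetched body cannot simply be replayed for a different ACME account.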