Re: [homenet] webauthn for routers

Michael Thomas <mike@fresheez.com> Wed, 12 June 2019 19:38 UTC

To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: homenet@ietf.org
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com> <878su8fj24.wl-jch@irif.fr> <2348.1560261275@localhost> <87ftofwqut.wl-jch@irif.fr> <27503.1560302791@localhost> <87ef3zwoew.wl-jch@irif.fr> <4109.1560349340@localhost> <EC7FDA4F-1859-4B35-A8AC-D33E1A96F979@fugue.com> <ff7f2700-3862-59bd-abfb-22589562bddb@mtcc.com> <20218.1560366783@localhost>
From: Michael Thomas <mike@fresheez.com>
Message-ID: <288a310b-3b99-748d-74ce-a878ff43ee77@fresheez.com>
Date: Wed, 12 Jun 2019 12:38:48 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <20218.1560366783@localhost>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/F2i-mcTq2Lje3kds0aamwgYczz0>

On 6/12/19 12:13 PM, Michael Richardson wrote:
> Michael Thomas <mike@fresheez.com> wrote:
>      >>> There are no passwords.
>
>      >> Yes please.
>
>      > Speaking of which, should we be encouraging router vendors to implement
>      > webauthn? Considering that probably half of home routers have the default
>      > password, that seems like it would be a Good Thing.
>
> We have done an enrollment system which based upon BRSKI.
> It is described in draft-richardson-ietf-anima-smarkaklink.
> We have running code with a desktop acting as the client, with
> the mobile app being built now.  I am making a screencast today, actually.
> There are similarities to some profiles of EAP-NOOB, but we do
> rely on the manufacturer as the root of trust.
>
> I guess we could/should have considered enhancing webauthn instead; I have to
> think a bit about whether it would have worked as well.  I will need to see.
>
> At the end of the day, we wind up with a mobile phone with a certificate
> enrolled into a private CA on the router.  The router itself has a
> LetsEncrypt certificate acting as its IDevID, although this could
> be a private CA instead.  There are issues in both directions.
>
> Secondary admins are encouraged to guard against loss/destruction of the mobile
> phone, and it is also possible to enroll a second time, provided the
> manufacturer agrees (this is both a feature and a bug).
>
> The code is at https://github.com/CIRALabs/
>

I'm not sure we're talking about the same thing? I'm just talking about 
the normal web interface that home routers have to hand-configure them. 
There's no need for certs at all.

I wrote a blog post which considered the enrollment problem of a 
webauthn-like protocol (way before webauthn was even started). I'm not 
sure if it works for the special case of a home router though.

http://rip-van-webble.blogspot.com/2012/06/using-asymmetric-keys-for-web-joinlogin.html

Enrollment, of course, is out of scope for webauthn, per se.

Mike