Re: [homenet] webauthn for routers

Ted Lemon <mellon@fugue.com> Thu, 13 June 2019 18:46 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <3461D44E-DD00-485D-B1CB-2F5356653403@fugue.com>
Date: Thu, 13 Jun 2019 14:46:01 -0400
In-Reply-To: <fc40f26f-0dc3-91bb-03a0-7e7d8820e931@fresheez.com>
Cc: Michael Richardson <mcr@sandelman.ca>, homenet@ietf.org
To: Michael Thomas <mike@fresheez.com>
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com> <878su8fj24.wl-jch@irif.fr> <2348.1560261275@localhost> <87ftofwqut.wl-jch@irif.fr> <27503.1560302791@localhost> <87ef3zwoew.wl-jch@irif.fr> <4109.1560349340@localhost> <EC7FDA4F-1859-4B35-A8AC-D33E1A96F979@fugue.com> <ff7f2700-3862-59bd-abfb-22589562bddb@mtcc.com> <20218.1560366783@localhost> <288a310b-3b99-748d-74ce-a878ff43ee77@fresheez.com> <6179.1560377924@localhost> <604b4062-f2c5-30af-73ff-2e97b7541a9b@fresheez.com> <30470.1560435490@localhost> <cde3329b-cc06-b4eb-5d87-cf74f21368ea@fresheez.com> <496DBED4-24E6-49FE-B9D3-C2BFC7ACEE98@fugue.com> <20d72a3f-0b8f-c958-2482-25358854a96e@fresheez.com> <384451EC-7938-48B6-B167-1C246385C6D7@fugue.com> <fc40f26f-0dc3-91bb-03a0-7e7d8820e931@fresheez.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/SJBncyokybAfga8YIu0FfHG1wHY>

On Jun 13, 2019, at 2:40 PM, Michael Thomas <mike@fresheez.com> wrote:
> Are we talking about the same thing? I'm not sure what naming has to do with dealing with crappy/default passwords on router web interfaces?
> 
If your router has a name, it can get a cert.  If it doesn’t have a name, it can’t.   That cert then becomes a basis for establishing trust.

In the case of devices on the home network establishing trust with the router, you have to bootstrap that somehow.   In that case, the easiest thing to do is as I suggested: 

  - you have access to the router’s network
  - nobody else has established trust yet

This isn’t ideal, but it creates a pathway for further trust establishment: once you have one device that has a trusted key, then that device can authorize additional devices, which can authorize additional devices.   A device that comes onto the network after initial trust establishment can’t get trust without being approved.
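The enrollment rule sketched above, as an added example that is not part of Ted's message or of any homenet implementation: a router that accepts the first device on faith only while nobody has established trust yet, and afterwards admits a new device only when an already-trusted device vouches for it, so approval can chain from device to device. Everything concrete here is an assumption made for the example: device keys are Ed25519, an "approval" is the approver's signature over the newcomer's public key, and the router's trust store is an in-memory set.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Router holds the device public keys it currently trusts.
// Assumed structure for this example; the message only speaks of "a trusted key".
type Router struct {
	trusted map[string]ed25519.PublicKey
}

func NewRouter() *Router { return &Router{trusted: map[string]ed25519.PublicKey{}} }

// Approval is an already-trusted device vouching for a newcomer.
// Assumed format: Ed25519 signature by the approver over the newcomer's public key.
type Approval struct {
	Approver  ed25519.PublicKey
	Signature []byte
}

var (
	ErrNotLocal     = errors.New("first device must be on the router's own network")
	ErrNeedApproval = errors.New("trust already established; newcomer must be approved")
	ErrBadApproval  = errors.New("approval not signed by a trusted device over this key")
)

// Enroll applies the bootstrap rule: while no trust exists, a device on the
// local network is accepted on faith; afterwards a device is accepted only
// with an approval signed by a key the router already trusts.
func (r *Router) Enroll(dev ed25519.PublicKey, onLocalNet bool, ap *Approval) error {
	if len(r.trusted) == 0 {
		if !onLocalNet {
			return ErrNotLocal
		}
		r.trusted[string(dev)] = dev
		return nil
	}
	if ap == nil {
		return ErrNeedApproval
	}
	if _, ok := r.trusted[string(ap.Approver)]; !ok {
		return ErrBadApproval // approver is a stranger
	}
	if !ed25519.Verify(ap.Approver, dev, ap.Signature) {
		return ErrBadApproval // signature is not over this newcomer's key
	}
	r.trusted[string(dev)] = dev
	return nil
}

func (r *Router) Trusts(dev ed25519.PublicKey) bool { _, ok := r.trusted[string(dev)]; return ok }

// Approve is what a trusted device does to vouch for a newcomer.
func Approve(approverPub ed25519.PublicKey, approverPriv ed25519.PrivateKey, newcomer ed25519.PublicKey) *Approval {
	return &Approval{Approver: approverPub, Signature: ed25519.Sign(approverPriv, newcomer)}
}

// Scenario walks the chain described in the message with freshly generated
// (constructed) device keys and returns the outcome of each enrollment attempt.
func Scenario() map[string]error {
	gen := func() (ed25519.PublicKey, ed25519.PrivateKey) {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		return pub, priv
	}
	aPub, aPriv := gen() // first device, on the router's network
	bPub, bPriv := gen() // approved by A
	cPub, _ := gen()     // approved by B (transitive)
	dPub, _ := gen()     // latecomer with no valid approval
	ePub, ePriv := gen() // stranger who tries to vouch for D

	r := NewRouter()
	out := map[string]error{}
	out["A off-net before bootstrap"] = NewRouter().Enroll(aPub, false, nil)
	out["A on-net, first device"] = r.Enroll(aPub, true, nil)
	out["B approved by A"] = r.Enroll(bPub, true, Approve(aPub, aPriv, bPub))
	out["C approved by B"] = r.Enroll(cPub, true, Approve(bPub, bPriv, cPub))
	out["D on-net, no approval"] = r.Enroll(dPub, true, nil)
	out["D approved by stranger E"] = r.Enroll(dPub, true, Approve(ePub, ePriv, dPub))
	out["D reusing A's approval of C"] = r.Enroll(dPub, true, Approve(aPub, aPriv, cPub))
	return out
}

func main() {
	for step, err := range Scenario() {
		fmt.Printf("%-30s -> %v\n", step, err)
	}
}
```

The two rejections for D are the point of the last sentence of the message: once anyone holds a trusted key, being on the network is no longer enough, and a vouch only counts if it comes from a trusted key and covers exactly the key that is asking.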