Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

Ted Lemon <mellon@fugue.com> Tue, 01 August 2017 13:22 UTC

On Aug 1, 2017, at 2:01 AM, Walter H. <walter.h@mathemainzel.info> wrote:
> there SHOULD NOT be the ACME authentication or any necessity of any
> other authentication, as these domain names need not be unique ...

In order for a PKI solution to work, it has to be possible for any given cert to apply to a unique name, the ownership of which can be defended somehow. The CABF has spoken unequivocally on this topic:

https://www.digicert.com/internal-names.htm

The point of having PKI in the homenet is so that we have secure connections between browsers and servers, and so that users aren't trained to click through certificate warnings just to get things working. Any solution to this problem has to meet those two requirements. And to achieve the second requirement, the CABF is going to want it to be the case that the cert identifies a specific endpoint for communication.

When I say "I don't know how to do that," this is what I'm talking about. Actually, I do know how to do it: get a public delegation.
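As an added illustration of the constraint described above (example code, not part of the thread or of the draft): the check a publicly trusted CA applies to each requested name, rejecting anything it cannot prove globally unique. It assumes a hand-picked subset of IANA root-zone TLDs and treats names under home.arpa (the special-use domain this draft concerns) as internal, since nobody can defend ownership of them in the public DNS.

```python
"""Classify certificate subject names the way a public CA must before issuing.

Constructed example. PUBLIC_TLDS is a small hand-picked subset of the IANA
root zone, not the real list; a production check would load the full zone.
"""
import ipaddress

# Assumption: a tiny subset of IANA root-zone TLDs, enough for the demo.
PUBLIC_TLDS = {"com", "net", "org", "arpa", "info", "io"}

# Special-use domains (RFC 6761 registry) that resolve only locally, so a
# public CA has no way to validate control of them. home.arpa is the homenet one.
SPECIAL_USE_SUFFIXES = ("home.arpa", "local", "localhost")


def classify_name(name: str) -> str:
    """Return 'public', 'internal', 'reserved-ip' or 'public-ip' for one SAN."""
    n = name.strip().rstrip(".").lower()
    if n.startswith("*."):          # wildcard: judge the base name
        n = n[2:]
    try:
        ip = ipaddress.ip_address(n)
    except ValueError:
        pass                        # not an IP literal, treat as a DNS name
    else:
        # RFC 1918 / ULA / loopback etc. are "reserved IPs" in CABF terms
        return "public-ip" if ip.is_global else "reserved-ip"
    labels = n.split(".")
    if not n or "" in labels or len(labels) < 2:
        return "internal"           # empty, malformed, or single-label host
    if labels[-1] not in PUBLIC_TLDS:
        return "internal"           # TLD is not in the public root zone
    for suffix in SPECIAL_USE_SUFFIXES:
        if n == suffix or n.endswith("." + suffix):
            return "internal"       # resolvable only inside the home network
    return "public"


def reject_internal_sans(sans):
    """Return the (name, reason) pairs a public CA would refuse to issue for."""
    rejected = []
    for san in sans:
        verdict = classify_name(san)
        if verdict != "public":
            rejected.append((san, verdict))
    return rejected


if __name__ == "__main__":
    # Constructed sample SAN list mixing a publicly delegated name with homenet names
    for entry in reject_internal_sans(["www.example.net", "printer.home.arpa", "10.0.0.1"]):
        print("refuse:", entry)
```

Only a name under a public delegation (a registered domain whose TLD is in the root zone) passes; everything a homenet can hand out on its own is refused, which is the point of the thread.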