Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

"Walter H." <walter.h@mathemainzel.info> Tue, 01 August 2017 10:41 UTC

Message-ID: <3a5145c7355a9dcdd0b737e46f3aa897.1501584074@squirrel.mail>
In-Reply-To: <87tw1r398u.fsf@toke.dk>
References: <150127266271.25329.18484770769960144@ietfa.amsl.com> <597F7545.9000702@mathemainzel.info> <E51998F5-8EF9-4FC8-90BE-1D0BF1805339@fugue.com> <b562a9fd0ce2d8af63109aac47d1d47a.1501567308@squirrel.mail> <87tw1r398u.fsf@toke.dk>
Date: Tue, 01 Aug 2017 12:41:14 +0200
From: "Walter H." <walter.h@mathemainzel.info>
To: "Toke Høiland-Jørgensen" <toke@toke.dk>
Cc: Ted Lemon <mellon@fugue.com>, homenet@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/jFTmItcSpkFXmmV6BU0Jv6LnlEQ>
Subject: Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

On Tue, August 1, 2017 11:52, Toke Høiland-Jørgensen wrote:
>>> you couldn't use the fact that you can publish in a name in it
>>> to do the ACME authentication.
>>
>> there SHOULD NOT be ACME authentication or any necessity of any
>> other authentication, as these domain names need not be unique ...
>>
>> in case you use 'teddynet.home.arpa.' and I use this domain name, too,
>> we wouldn't have the same x509 SSL certificate, because each of us uses
>> his own private key ...
>>
>> why not just define the org. that hosts the ARPA TLD (IANA?) as the CA
>> for these domains, and the root certificate as a built-in token in the
>> common browsers and/or operating systems?
>> there it should only be necessary to upload the certificate request,
>> given the '.home.arpa.' domain name, and an email address where the
>> certificate is sent to;
>> the certificate will be a wildcard certificate for this .home.arpa.
>> domain ..
>>
>> I would want this to be added as additional section to this Draft/RFC;
>
> If you're going through all this trouble of having a central API that
> will hand out certificates,

this need not necessarily be a central API, just a set of rules to make
the existing CAs hand out the certificate without the need for any
authentication ...

> wouldn't it be possible to make that same
> authority hand out pseudo-random unique subdomains (of some suitable
> domain; not necessarily .home.arpa)?

are you talking about a TLD, e.g. ".home", which is like the other TLDs
such as .com or .net or even .at, with the difference that the authoritative
DNS servers of such a domain needn't be accessible from the internet ...; and
this registration could hand out the certificates, too;

> Then you are only an NS record from
> solving the globally visible naming problem... :)

with the thought above these aren't globally visible and there is no need to be;
but there is the risk that a misconfiguration tells the folks the LAN structure ...
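The thread's point is that a name under home.arpa (RFC 8375) is not globally unique, so a certificate for it cannot bind a key to one particular network. As an added example, not code from the thread or from any CA, here is an issuance-policy check a CA could run over the names in a request; the suffix list and the helper names are assumptions made for this illustration.

```python
# Added example: refuse certificate issuance for names under special-use,
# locally scoped domains, since such a name identifies no single party.
from dataclasses import dataclass

# Suffixes treated as non-unique. This list is an assumption for the
# example, not a lookup of the IANA special-use registry.
NON_UNIQUE_SUFFIXES = ("home.arpa", "local")


def normalize(name: str) -> str:
    """Lower-case, strip a trailing dot, and drop a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def is_locally_scoped(name: str) -> bool:
    """True if the name equals, or is a subdomain of, a non-unique suffix.

    The '.' prefix in the endswith check keeps 'nothome.arpa' from matching.
    """
    n = normalize(name)
    return any(n == s or n.endswith("." + s) for s in NON_UNIQUE_SUFFIXES)


@dataclass
class IssuanceDecision:
    name: str
    allowed: bool
    reason: str


def evaluate_csr_names(names) -> list:
    """Evaluate each requested name (constructed input) against the policy."""
    decisions = []
    for raw in names:
        if is_locally_scoped(raw):
            decisions.append(IssuanceDecision(
                raw, False, "special-use domain: name proves no identity"))
        else:
            decisions.append(IssuanceDecision(
                raw, True, "globally unique name: proceed to domain validation"))
    return decisions


if __name__ == "__main__":
    # Constructed request: the wildcard name from the thread plus a public one.
    for d in evaluate_csr_names(["*.teddynet.home.arpa.", "www.example.com"]):
        print(f"{d.name}: {'issue' if d.allowed else 'refuse'} ({d.reason})")
```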