IETF Logo Mail Archive

Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 01 August 2017 21:06 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35CDA131C56 for <homenet@ietfa.amsl.com>; Tue, 1 Aug 2017 14:06:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lLb34wWG8fMv for <homenet@ietfa.amsl.com>; Tue, 1 Aug 2017 14:06:37 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01932129B40 for <homenet@ietf.org>; Tue, 1 Aug 2017 14:06:37 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 744D92009E for <homenet@ietf.org>; Tue, 1 Aug 2017 17:08:25 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 49A9D80B17 for <homenet@ietf.org>; Tue, 1 Aug 2017 17:06:36 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "homenet@ietf.org" <homenet@ietf.org>
In-Reply-To: <3A5D69EE-3F32-4773-90ED-D189E7523D9F@fugue.com>
References: <150127266271.25329.18484770769960144@ietfa.amsl.com> <597F7545.9000702@mathemainzel.info> <E51998F5-8EF9-4FC8-90BE-1D0BF1805339@fugue.com> <b562a9fd0ce2d8af63109aac47d1d47a.1501567308@squirrel.mail> <757C1755-AD78-43DE-93F0-E3D19BFE6C66@fugue.com> <2D09D61DDFA73D4C884805CC7865E6114DBE4251@GAALPA1MSGUSRBF.ITServices.sbc.com> <3A5D69EE-3F32-4773-90ED-D189E7523D9F@fugue.com>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 01 Aug 2017 17:06:36 -0400
Message-ID: <25096.1501621596@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/l4bD6MJ5ZPB6mhoqCQtDJITymJc>
Subject: Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Aug 2017 21:06:38 -0000

Ted Lemon <mellon@fugue.com> wrote:
    barbara> The CABF is about "publicly trusted certificates". There is no need or

...
    > (2) the issue with browser warnings isn't that they are annoying. It's that
    > if we train users to click through them when managing the homenet, we are
    > also training them to click through them at other times. This creates an
    > attack surface in the user that we'd rather not create.

I was trying to understand how CABF was relevant.

I guess the point was how to get a new trust anchor added *globally* that
would somehow be able to issue certificates that were relevant/bound to
home.arpa names?

I don't think that this is an immediate concern; if we had some useful
experiment that we could do we could do it with a sub-CA or with a private
anchor.

I think that Windows, OSX, and Android have system-wide ways to install new
trust anchors that browser will generally trust.  libnss on many Linux
distros provides something similiar.  I assume iOS does too.  As such, it
should be possible for an application/app on a home desktop to exist that
would interact with all the devices involved (providing certificates from a
private trust anchor), and to install the private trust anchor.
How one spreads that trust anchor to the rest of the family, relatives,
etc. is an issue.

but, none of this is really relevant to delegation of home.arpa, I think.


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email