Re: [lamps] The Status of OCSP and its future

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 25 October 2019 14:48 UTC

References: <8c84cf2c-c192-c13b-17e5-7ae09b748530@openca.org> <84e130d2-2df2-2f96-0200-716b333a1390@primekey.com> <7c618415-21d7-64c8-e43d-2617d59185f4@openca.org>
In-Reply-To: <7c618415-21d7-64c8-e43d-2617d59185f4@openca.org>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 25 Oct 2019 10:48:27 -0400
Message-ID: <CAMm+LwjiM_2-fRD9kc_j0Az_HNjCXMWQXQ=O1MEtZofDBYDOQA@mail.gmail.com>
To: "Dr. Pala" <madwolf@openca.org>
Cc: SPASM <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/A_Cf_riV1UKmW6JtewMAec-aZ1w>

On Fri, Oct 25, 2019 at 10:30 AM Dr. Pala <madwolf@openca.org> wrote:

> This is a good point - very practical approach. A sample use-case is our
> industry (Cable). In particular, in our industry, we leverage PKIs to
> secure the communication in our networks: each Cable Modem and DVR comes
> with one or more certificates from our infrastructure. This covers all
> modems from all vendors from all operators.
>
> Our network, though, is going through radical changes that are aimed at
> providing the 10Gig platform we just released the standard for. In
> particular, the new architectures will see an increasing number of
> "entities" that require authentication.
>
Knowing that it is all hilariously insecure, I have deployed roughly
$20,000 worth of smarthome type equipment in my house so as to experience
it myself.

At this point, it is very clear to me that this stuff is really not suited
for anyone who is not an enthusiast. IoT is a hobby and it is going to
remain so unless we see some major improvements in manageability.

I currently have about 100 devices of which 50 have IP addresses. So
multiply by a billion or so households and that is a heck of a lot more
devices than we have been thinking about to date.


If we are going to get a handle on this, we have to change the
architecture. I don't think there was ever a business or such with 50
devices that would put itself on the internet without some sort of
co-ordination service on site. And to get to 100 there would be redundancy
and such.

Yes, peer-to-peer looks cool until you get to the point where n^2 is a big
number and then it is a headache. Peer-to-peer means that I have to
maintain each of my printers on every machine in the house. Just does not
scale.

The Cable Modem and DVR are the natural devices for such co-ordinating
services to reside.