A proposal of https certificate assignment system for luci

Michael Richardson mcr at sandelman.ca
Mon Oct 5 12:34:14 EDT 2020


Stefan Lippers-Hollmann <s.l-h at gmx.de> wrote:
    > On 2020-10-04, abnoeh wrote:
    >> A few months ago there was some debate about how we handle the certificate for
    >> the luci page: making the user click through a certificate warning is not that
    >> great for security, so here is a proposal for automatically assigning a
    >> worldwide unique subdomain, how to make a valid certificate for it,
    >> and how to make sure we can connect to the device he is expecting.
    > […]

    > The elephant in the room remains, how do you propose to deal with
    > firstboot conditions? Not every internet connection can be
    > auto-detected, the most common examples would include having to
    > configure VLAN tagging on WAN or adding PPPoE credentials.

    > For these,
    > the user will have to accept a self-signed certificate at least once
    > for doing the initial configuration - at which point they can just
    > stick to the already accepted self-signed certificate as well.

There are really three use cases.

1) hardware that comes with openwrt.  There is a manufacturer controlled
   first boot.  (This is relatively easy, and I have running code)
   if we can build that subordinate CA that issues for longer than the 90
   days that the device is likely going to be in a box (in a warehouse).

2) hardware that didn't come with (this version of) openwrt, but is first
   flashed.  This is probably a common case for most readers of this list,
   and yes, we are probably smart enough to deal with a self-signed certificate
   the first time.
   But, we are a small group.

3) hardware that was running a version of openwrt with certificates, but
   had to be factory default'ed.  It would be nice to keep some identity
   things across such events.
   (The MOX has a private key that is stored across such events, for instance)

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
