A proposal of https certificate assignment system for luci
Michael Richardson
mcr at sandelman.ca
Mon Oct 5 12:34:14 EDT 2020
Stefan Lippers-Hollmann <s.l-h at gmx.de> wrote:
> On 2020-10-04, abnoeh wrote:
>> A few months ago there was some debate about how we handle the certificate for
>> the luci page: making the user click through a certificate warning is not that
>> great for security, so here is a proposal for automatically assigning a
>> worldwide unique subdomain and how to make a valid certificate for it,
>> and make sure we can connect to the device he is expecting.
> […]
> The elephant in the room remains, how do you propose to deal with
> firstboot conditions? Not every internet connection can be
> auto-detected, the most common examples would include having to
> configure VLAN tagging on WAN or adding PPPoE credentials. For these,
> the user will have to accept a self-signed certificate at least once
> for doing the initial configuration - at which point they can just
> stick to the already accepted self-signed certificate as well.
There are really three use cases.
1) hardware that comes with openwrt. There is a manufacturer-controlled
first boot. (This is relatively easy, and I have running code)
if we can build that subordinate CA that issues for longer than the 90
days that the device is likely going to be in a box (in a warehouse).
2) hardware that didn't come with (this version of) openwrt, but is first
flashed. This is probably a common case for most readers of this list,
and yes, we are probably smart enough to deal with a self-signed certificate
the first time.
But, we are a small group.
3) hardware that was running a version of openwrt with certificates, but
had to be factory-defaulted. It would be nice to keep some identity
things across such events.
(The MOX has a private key that is stored across such events, for instance)
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [