A proposal of https certificate assignment system for luci

Sam Kuper sampablokuper at posteo.net
Fri Oct 9 06:11:44 EDT 2020


On Thu, Oct 08, 2020 at 12:10:17AM +0200, Alberto Bursi wrote:
> On 07/10/20 15:34, abnoeh wrote:
>>> However, I think you are assuming a RA/DHCP-based WAN connection.
>>> For PPPoE (which is still a thing in a lot of places, including
>>> developing world, where last mile is often wifi), this won't work
>>> that well.
>>
>> at the end, the entire reason we need a certificate is that we have a
>> webserver, and all luci will do at the backend is run the uci
>> command. can we run luci on the client side, and send the uci commands
>> over ssh, wrapping it all under the name of "easy-installer"?
>> 
>> if we don't have a webserver we don't need a certificate. or uhttpd, in
>> fact.
> 
> Yeah, this is why Android/iOS apps should be considered as a way to
> approach this issue.

Not everybody (especially in the developing world, see above) has an
Android or iOS device.

Also, such an app would still have to either:

1. disregard certificate errors, or

2. handle old (& maybe even revoked) OpenWrt CA signatures/certificates,
   or

3. be subject to the same limitations as a web browser, defeating the
   point of an app.


I guess you had 1 or 2 in mind, and I can see the appeal - I'm not
dismissing your suggestion. However, an app might not be quite the
panacea you imagine. 1 would be a security risk for app users, & 2
requires potentially uncomfortable trade-offs between security &
usability, thus again slightly defeating the point of an app.

Ultimately, SSL/TLS on IoT is a hard problem: the two technologies are
currently not *fully* mutually compatible without imposing some burden
on the user.

-- 
A: When it messes up the order in which people normally read text.
Q: When is top-posting a bad thing?

()  ASCII ribbon campaign. Please avoid HTML emails & proprietary
/\  file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.