Watson,

> On Dec 19, 2024, at 11:00 AM, Watson Ladd <watsonbl...@gmail.com> wrote:
>
> Any solution will have to involve the device doing something, and something
> validating the device. If we can get the user ISP (I know, I know) to
> produce a residential domain setup like fijinb23.users.example.com, then the
> router (I know, I know) can somehow gather that a new printer has been added,
> give the printer printer.fijnb23.users.example.com via communication to the
> ISP, and set the DNS challenge entries to respond to a request for DCV
> validation that results in a cert being sent back to the printer with a CSR
> the printer generates.
>
> There's lots of problems here, but I think this strawman shows the problem
> can be solved, and it's just a matter of improvements.
OK, so since discovery depends on DNS-SD (either using mDNS or traditional DNS), we'd need a way for IoT devices to push their DNS-SD records up to the DNS server, and/or for the ACME service to issue certificates that *also* have the .local name as a SAN (something they won't do right now because they cannot validate the address...)

This also has huge privacy issues - it is one thing to require local services to be published/registered/validated locally, but quite another to make them globally visible (if not globally accessible).

Finally, this also depends on having Internet connectivity which IMHO makes this a non-starter, even for homes that have a dedicated Internet service. For example, my Starlink service drops out regularly as satellites transit overhead, and cellular similarly comes and goes for a variety of reasons.

We need a *local* trusted authority for *local* services.

________________________
Michael Sweet
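The DNS challenge step in Watson's strawman (the router/ISP publishes a record under the printer's delegated name, the CA checks it, and the printer's CSR is then signed) worked through as an added example; this is not code from the thread or from any ACME implementation. It follows the dns-01 construction of RFC 8555 (key authorization = token "." JWK thumbprint, TXT value = base64url(SHA-256(key authorization))) with the RFC 7638 thumbprint; the account key coordinates and token are constructed placeholders, and the ISP-side API that would actually publish the record is assumed, not shown.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555 section 8.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample: public part of the printer's P-256 account key in JWK form.
# The coordinates are placeholder bytes, not a real curve point.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Binds the CA-issued challenge token to the account key that will submit the CSR."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """Owner name and TXT value the router/ISP would have to publish for the printer's name."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def ca_validates(published: dict, domain: str, token: str, jwk: dict) -> bool:
    """CA side: recompute the expected TXT value and compare it to what DNS returned.

    `published` stands in for a DNS lookup (name -> TXT value); the real CA would
    query the authoritative server over the Internet, which is the dependency the
    reply above objects to. Comparison is constant-time out of habit, not necessity.
    """
    name, expected = dns01_record(domain, token, jwk)
    found = published.get(name, "")
    return hmac.compare_digest(found.encode("ascii"), expected.encode("ascii"))
```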