Henrique de Moraes Holschuh <henri...@nic.br> writes:

> It would be *nice* if we could easily deploy extremely restricted
> self-signed CAs that can only sign a numeric pattern hostname under
> <device>.iot.<your>.<domain>. That extremely restricted CA would get
> "approved" by something from <your>.<domain> that the browser would
> use to stop pestering the user of <device>: be that a certificate
> chaining from <your>.<domain>, or DNSSEC, or whatever.
>
> Well, one can hope and dream...
Yes... Unfortunately, there still seems to be too much money involved here to make browsers work in the best interest of their users.

Most services would have been better off with a pinned self-signed certificate than the current CA scheme. DANE provides the means for any DNS-based service with DNSSEC, but is still not implemented by any major browser. TOFU-based pinning has also been proposed several times. This would have solved the embedded device service use case, as well as many other cases where the TLS session really is unrelated to DNS.

If the browser vendors wanted to, they could have easily implemented a "TOFU acceptable flag", allowing a service to publish such a policy. The flag could have been part of either the TLS session or the HTTP session. The necessary tools to force "TOFU unacceptable" for DNS-based services, using either CAA to pin a specific CA or DANE to pin a CA or key.

I'll stop dreaming now... None of this will happen as long as there is money in the certificate industry.

Bjørn

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
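The three mechanisms Bjørn contrasts (TOFU pinning of a device certificate, a DANE TLSA record pinning a key, and a CAA record pinning a CA) can be shown side by side in a few lines. The following is an added example written for this page, not code from the thread or from OpenWrt: the "certificates" are constructed byte strings standing in for DER-encoded certificates (the pinning logic only ever hashes them), and the hostnames, `TofuPinStore`, `tlsa_record` and `caa_record` are illustrative names chosen here.

```python
import hashlib
import json

# Constructed stand-ins for DER-encoded device certificates. The pin store and
# the TLSA rendering only hash these bytes, so no real certificate is needed.
DEVICE_CERT_KEY_A = b"-- constructed DER stand-in: device cert, key A --"
DEVICE_CERT_KEY_B = b"-- constructed DER stand-in: device cert, key B --"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the whole DER certificate, hex encoded.

    This is exactly the value a TLSA record with selector 0 (full certificate)
    and matching type 1 (SHA-256) carries, so one fingerprint serves both the
    TOFU store and the DANE record below.
    """
    return hashlib.sha256(der).hexdigest()


class TofuPinStore:
    """Trust-on-first-use pin store keyed by host:port.

    This is the behaviour a browser-side "TOFU acceptable" policy would need:
    remember the first certificate seen for a service, accept it on later
    connections, and refuse (never silently re-pin) when it changes.
    """

    def __init__(self):
        self._pins = {}

    def check(self, host: str, port: int, der: bytes) -> str:
        """Return 'pinned' on first sight, 'ok' on a match, 'MISMATCH' on a change."""
        key = f"{host}:{port}"
        fingerprint = cert_fingerprint(der)
        known = self._pins.get(key)
        if known is None:
            self._pins[key] = fingerprint
            return "pinned"
        return "ok" if known == fingerprint else "MISMATCH"

    def forget(self, host: str, port: int) -> None:
        """Explicit operator action is the only way to re-pin after a cert rotation."""
        self._pins.pop(f"{host}:{port}", None)

    def dump(self) -> str:
        """Serialise the store, e.g. for persisting it on the client."""
        return json.dumps(self._pins, sort_keys=True)


def tlsa_record(host: str, port: int, der: bytes, proto: str = "tcp") -> str:
    """Render a DANE-EE TLSA record (RFC 6698) pinning this end-entity certificate.

    Usage 3 (DANE-EE) trusts the named certificate itself regardless of any CA,
    which is the "pin a key" case; selector 0 hashes the full certificate so no
    SubjectPublicKeyInfo parsing is needed; matching type 1 is SHA-256.
    """
    return f"_{port}._{proto}.{host}. IN TLSA 3 0 1 {cert_fingerprint(der)}"


def caa_record(domain: str, ca_identifier: str) -> str:
    """Render a CAA 'issue' record (RFC 8659) restricting which CA may issue for a domain.

    Flags 0 means non-critical; the CA identifier is whatever the chosen CA
    publishes as its CAA domain (a placeholder is used in the demo below).
    """
    return f'{domain}. IN CAA 0 issue "{ca_identifier}"'


if __name__ == "__main__":
    store = TofuPinStore()
    host = "device1.iot.example.net"  # hypothetical host in the pattern from the thread
    print(store.check(host, 443, DEVICE_CERT_KEY_A))  # pinned
    print(store.check(host, 443, DEVICE_CERT_KEY_A))  # ok
    print(store.check(host, 443, DEVICE_CERT_KEY_B))  # MISMATCH: key changed
    print(tlsa_record(host, 443, DEVICE_CERT_KEY_A))
    print(caa_record("example.net", "ca-placeholder.example"))
```

The mismatch branch is the important one: a TOFU client that re-pins automatically on change offers no protection at all, so the store only moves on after an explicit `forget`. The TLSA line is what a DNSSEC-signed zone would publish to let a DANE-aware client validate the same fingerprint without any pin store.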