On Wed, May 18, 2016, at 18:58, Gregory Ewing wrote:
> Grant Edwards wrote:
> > Product spec explicitly states HTTPS only. I'm told that is not open
> > for discussion. The customer is a large, somewhat bureaucratic German
> > corporation, and they generally mean it when they say something is
> > non-negotiable.
>
> They're probably being sensible. The way the Internet of
> Things is shaping up, it's far better to have too much
> security than too little.

HTTPS provides little to no security on a device which has no domain name, since we don't have any well-established way to manage self-signed certificates, or certificates signed on a basis other than the domain name. It'd be nice if there were a way for IoT devices to have a certificate signed *by the manufacturer*. The entire SSL browser UI paradigm is predicated on the fact that what is verified by a certificate is the domain name, which must match the CN field of the certificate, and provides no way to present a certificate issued on another basis to the user.
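
For a client that is a program rather than a browser, verification on a basis other than the domain name can be sketched with Python's `ssl` module; this is an added example, not part of the original message. The manufacturer CA, the organization name and the convention of carrying the device serial in the subject `serialNumber` field are all assumptions made for illustration.

```python
import socket
import ssl

def manufacturer_context(ca_pem=None):
    """Client context that trusts only the (hypothetical) manufacturer CA.

    The chain must still validate; only the DNS-name comparison is turned off,
    because the device has no domain name to compare against.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # no hostname/CN match
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain validation stays mandatory
    if ca_pem:
        ctx.load_verify_locations(cadata=ca_pem)
    # With no CA loaded, every handshake fails, which is the safe default.
    return ctx

def subject_fields(peercert):
    """Flatten the nested subject tuples returned by SSLSocket.getpeercert()."""
    return {key: value for rdn in peercert.get("subject", ()) for key, value in rdn}

def device_identity_ok(peercert, expected_serial, expected_org):
    """Replace the domain-name check with a check on the device identity."""
    fields = subject_fields(peercert)
    return (fields.get("serialNumber") == expected_serial
            and fields.get("organizationName") == expected_org)

def check_device(ip, port, ctx, expected_serial, expected_org, timeout=5.0):
    """Connect by IP address, validate the chain, then check the identity."""
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:  # raises if the chain does not verify
            return device_identity_ok(tls.getpeercert(), expected_serial, expected_org)

# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_PEERCERT = {
    "subject": (
        (("organizationName", "Example Devices GmbH"),),
        (("serialNumber", "SN-0001"),),
    ),
}
```

The expected serial has to reach the client out of band, for example from the label on the device, since the certificate alone only proves that the manufacturer issued it to some device.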