On Mon, April 4, 2016 7:17 am, Watson Ladd wrote: > On Mon, Apr 4, 2016 at 7:05 AM, Dan Harkins <dhark...@lounge.org> wrote: >> >> >> On Thu, March 31, 2016 10:51 am, Stephen Farrell wrote: >>> >>> If smaller devices don't use algorithms that can be used to talk to >>> random servers on the Internet, then they are choosing to not try to >>> get interop. That seems like a shame to me, unless there's a really >>> good reason and IMO, mostly there isn't, at the ciphersuite level. I >>> would hope we all won't make the GCM/CCM mistake again for example >>> (that "we" being roughly some combination of IETF/IEEE folks). >> >> That's because you incorrectly define "interop" as talking to >> random servers on the Internet. This browser-centric mode of thinking >> causes you to reject cipher suites that the browser/webserver >> community does not have any interest in. >> >> There are use cases where some app doesn't want to talk to random >> servers on the Internet. It wants to talk to a set of specific servers >> providing a specific stream of information unique to the app-- think >> of some network monitoring or RF-quality app that provides sensing >> data to servers and also sucks down neighbor air quality information >> as it roams around. There are IoT use cases where devices just want >> to talk to each other, not random servers on the Internet. >> >> The browser community wants 0-RTT; I don't give a damn about 0-RTT. >> I want a PAKE (specifically TLS-pwd); the browser community doesn't >> give a damn about PAKEs. We are both right. Because we have different >> requirements. > > Why can't embedded devices use certificates?
Code bloat for a one-off enrollment protocol, no way to authenticate to obtain the certificate, and the continued lack of that Global PKI that was supposed to take care of everything and that is currently 20 years late in being delivered. Actually, that's not quite right. Some do use certificates...wrongly. Usually what happens is the server generates a self-signed certificate and the apps are given some "username" and "password" and the app ignores the unauthenticated nature of the TLS connection and sends the u/p credential on through. Dan. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
