A proposal of https certificate assignment system for luci

Stefan Lippers-Hollmann s.l-h at gmx.de
Sun Oct 4 15:44:59 EDT 2020


Hi

On 2020-10-04, abnoeh wrote:
> Few months ago there was some debate for how we handle certificate for
> luci page: make user to click through certificate warning is not that
> great for security so here is a proposal for automatically assign a
> worldwide unique subdomain and how to make valid certificate for it, and
> make sure we and connect to the device he is expecting.
[…]

The elephant in the room remains, how do you propose to deal with
firstboot conditions? Not every internet connection can be 
auto-detected, the most common examples would include having to 
configure VLAN tagging on WAN or adding PPPoE credentials. For these,
the user will have to accept a self-signed certificate at least once
for doing the initial configuration - at which point they can just
stick to the already accepted self-signed certificate as well.

Regards
	Stefan Lippers-Hollmann

-- 
I'm ignoring the usage profiles for offline networking infrastructure
(e.g. the recent addition of the rtl838x subtarget for managed 
switches), what happens if you take an old device from the shelf
(existing certificate expired) and want to reconfigure/ start using it
again or the significant costs (in hardware, manpower and certification)
to operate a CA here.


