A proposal of https certificate assignment system for luci
Sam Kuper
sampablokuper at posteo.net
Fri Oct 9 06:11:44 EDT 2020
On Thu, Oct 08, 2020 at 12:10:17AM +0200, Alberto Bursi wrote:
> On 07/10/20 15:34, abnoeh wrote:
>>> However, I think you are assuming a RA/DHCP-based WAN connection.
>>> For PPPoE (which is still a thing in a lot of places, including
>>> the developing world, where last mile is often wifi), this won't work
>>> that well.
>>
>> At the end, the entire reason we need a certificate is that we have a
>> webserver, and all luci will do at the backend is run uci
>> commands. Can we run luci on the client side, and send uci commands to
>> ssh, wrapping it all under the name of "easy-installer"?
>>
>> If we don't have a webserver we don't need a certificate. Or uhttpd, in
>> fact.
>
> Yeah, this is why Android/iOS apps should be considered as a way to
> approach this issue.

Not everybody (especially in the developing world, see above) has an
Android or iOS device.

Also, such an app would still have to either:

1. disregard certificate errors, or

2. handle old (& maybe even revoked) OpenWRT CA signatures/certificates,
   or

3. be subject to the same limitations as a web browser, defeating the
   point of an app.

I guess you had 1 or 2 in mind, and I can see the appeal - I'm not
dismissing your suggestion. However, an app might not be quite the
panacea you imagine. 1 would be a security risk for app users, & 2
requires potentially uncomfortable trade-offs between security &
usability thus again slightly defeating the point of an app.

Ultimately, SSL/TLS on IoT is a hard problem: the two technologies are
currently not *fully* mutually compatible without imposing some burden
on the user.

--
A: When it messes up the order in which people normally read text.
Q: When is top-posting a bad thing?
() ASCII ribbon campaign. Please avoid HTML emails & proprietary
/\ file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.