[RFC] self-signed certificates for LuCI

Bjørn Mork bjorn at mork.no
Tue Sep 1 04:59:31 EDT 2020


Henrique de Moraes Holschuh <henrique at nic.br> writes:

> It would be *nice* if we could easily deploy extremely restricted
> self-signed CAs that can only sign a numeric pattern hostname under
> <device>.iot.<your>.<domain>.  That extremely restricted CA would get
> "approved" by something from <your>.<domain> that the browser would
> use to stop pestering the user of <device>: be that a certificate
> chaining from <your>.<domain>, or DNSSEC, or whatever.
>
> Well, one can hope and dream...

Yes...  Unfortunately, there still seems to be too much money involved
here to make browsers work in the best interest of their users.

Most services would have been better off with a pinned self-signed
certificate than the current CA scheme. DANE provides the means for any
DNS based service with DNSSEC, but is still not implemented by any major
browser.

TOFU based pinning has also been proposed several times.  This would
have solved the embedded device service use case, as well as many other
cases where the TLS session really is unrelated to DNS.

If the browser vendors wanted to, they could have easily implemented a
"TOFU acceptable flag", allowing a service to publish such a policy. The
flag could have been part of either the TLS session or the HTTP
session. The necessary tools to force "TOFU unacceptable" for DNS based
services exist, using either CAA to pin a specific CA or DANE to pin a CA or
key.

I'll stop dreaming now...  None of this will happen as long as there is
money in the certificate industry.


Bjørn


