Comment by icebraining

11 years ago

Technically, there's no reason why a fridge couldn't have a signed cert tied to some dynamic DNS (e.g. <fridge-serial-number>.<manufacturer>.<tld>).

True, but on many small networks, you aren't addressing the embedded device by a FQDN.

All these appliances should let you change the cert on them, but you still need that initial connection, and at smaller organizations (or households) the certs will never ever be changed.

I used to work on embedded security projects so I care about this; I also realize that's a small portion of the market. I'm okay with making the people connecting to their new printer jump through a hoop in order to reduce the chances of someone hijacking www.paypal.comm but you still have to allow some way in.

But note that only works if the manufacturer can choose the name without an issue from the customer. For things like network appliances in larger companies that aren't going to want [generic number]manufacturer.com but want [my name].corp.[my company].com, you're stuck.

  • Allow the cert to be configurable, then the company can use its internal CA to give certs to all its appliances.

    • Yes, that's the status quo, and has been for a while. The point is that's currently the best you can do. For boxes without external exposure, this work won't change anything, but a standardized protocol for dealing with boxes with external exposure would still help some use cases.