Comment by danielweber

11 years ago

True, but on many small networks, you aren't addressing the embedded device by a FQDN.

All these appliances should let you change the cert on them, but you still need that initial connection, and at smaller organizations (or households) the certs will never ever be changed.

I used to work on embedded security projects so I care about this; I also realize that's a small portion of the market. I'm okay with making the people connecting to their new printer jump through a hoop in order to reduce the chances of someone hijacking www.paypal.comm but you still have to allow some way in.

True, but on many small networks, you aren't addressing the embedded device by a FQDN.

Why not?

  • Why should my fridge have a FQD name? What purpose does that serve?

    Why install a firewall in each device if you can install one on the router that works for everything?

    • Why should my fridge have a FQD name? What purpose does that serve?

      To allow you to create a signed certificate to authenticate it?

      Why install a firewall in each device if you can install one on the router that works for everything?

      Having an FQDN doesn't mean you need to install a firewall on your device. You can still use the router's, and even prevent any inbound connections from the WAN to the device.

  • NAT traversal?

    • FQDN doesn't have to mean publicly accessible. I have a personal subdomain that points to an internal IP. It's kinda weird to do with IPv4, but it works fine, and with IPv6 it'll be natural, since each device will probably have a globally unique address anyway, even if it can't be accessed outside of your LAN.