- From: Martin Thomson <notifications@github.com>
- Date: Thu, 21 Jun 2018 19:23:05 -0700
- To: httpslocal/proposals <proposals@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 22 June 2018 02:23:33 UTC
> do you assume that devices [...] use self-signed certificates [...] ? Yes. There is no name for a CA to attest to, so that's the only real alternative. You could maybe use bare public keys, I guess. > the threat of MITM attack still remains. Is that right? If the name is not unique, then the notion of MitM is meaningless. Anyone can rightfully claim that name. > is there any possibility for browsers to provide local devices with ACME-server functionality [?] The shortcomings of that approach are fairly severe, as the document explains. This is effectively giving write access to the browser trust store, so extending to things on the local network is basically no-go. Even with the constraints we have, it might make sense to include more safeguards like explicit authorization for requests. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/httpslocal/proposals/issues/1#issuecomment-399300779
Received on Friday, 22 June 2018 02:23:33 UTC