Re: Moving forward on improving HTTP's security from Nicholas Hurley on 2013-11-14 (ietf-http-wg@w3.org from October to December 2013)

From: Nicholas Hurley <hurley@todesschaf.org>
Date: Thu, 14 Nov 2013 11:22:17 -0800
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Zhong Yu <zhong.j.yu@gmail.com>, Mike Belshe <mike@belshe.com>, William Chan (陈智昌) <willchan@chromium.org>, James M Snell <jasnell@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Michael Sweet <msweet@apple.com>, Nicolas Mailhot <nicolas.mailhot@laposte.net>, Willy Tarreau <w@1wt.eu>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CANV5PPVfzuAVBxDxS=vffNvB5ngPzR6GbX2XPxKDzFchsLTveg@mail.gmail.com>

On Thu, Nov 14, 2013 at 10:52 AM, Julian Reschke <julian.reschke@gmx.de>wrote:

> So how does my home router get a certificate? In particular, if I need to
> configure it first to connect to the internet?
>
> Best regards, Julian
>

Off the top of my head, here's a couple ways (by no means an exhaustive
list, and by no means are these guaranteed to be the best options):

1. Comes with one from the vendor. The program CD (or USB stick or
whatever) used to do configuration can be specially configured to know
about the otherwise invalid cert being used.
2. First-time setup happens over an unencrypted HTTP/1.1 channel (which is
probably ok, as chances are you're going to be plugged directly into the
router at this point, and as you said - you're likely not connected to the
internet) which then generates a cert and has you install it in your
browser, allowing you to use the secure channel in the future.

All that said, I'm not a UX designer or anything like that, so I'm sure
there would be some rough edges around these workflows, but I'm confident
that we (and UX designers) are smart enough to solve those kinds of issues.

Received on Thursday, 14 November 2013 19:22:44 UTC