From 418f02a162bb288a9c4b9f44e2cf4f15b64663d5 Mon Sep 17 00:00:00 2001 From: Daisuke Ajitomi Date: Wed, 18 Oct 2017 06:45:07 +0000 Subject: [PATCH 1/5] Add Certificates.md. --- Certificates.md | 74 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 Certificates.md diff --git a/Certificates.md b/Certificates.md new file mode 100644 index 0000000..6499f7d --- /dev/null +++ b/Certificates.md @@ -0,0 +1,74 @@ +# What type of TLS server certificates should we adopt for HTTPS/WSS in local network ? + +To realize HTTPS/WSS communication in local network, especially between UAs and devices, we have to consider the types of TLS server certificates issued to the devices and go through the pros and cons of each type. + +## Index +- Public CA Certificate +- Self-signed Certificate +- Private CA Certificate + +## Public CA Certificate + +### Public CA Certificate for the devices accessible globally. + +- How to issue + 1. The method of [Things Gateway by Mozilla](http://iot.mozilla.org/gateway/) ([Let's Encrypt](https://letsencrypt.org/) with [PageKite](https://pagekite.net/)). + 1. etc. +- Pros + - There is no need to extend the UA implementation to regard the certificates as trusted ones. +- Cons + - A UA cannot get acccess to the device when the upstream internet connection is down. + - The domain name of the device is disclosed globally because it must be registered in public DNS servers. + - The device is put in danger of DoS/DDoS because the device is reachable from everywhere in the internet. + - (Some manual operations or intermediate nodes are needed to make the device public.) + +### Public CA Certificate for the devices accessible only in local network. + +- How to issue + 1. The method of [PLEX](https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/). + 1. A kind of delegation method inspired on [Delegated Credentials](https://tools.ietf.org/html/draft-rescorla-tls-subcerts-00) or [STAR Certificates](https://tools.ietf.org/html/draft-ietf-acme-star-01) + - (TODO: develop the system to issue this type of certificates and confirm the feasibility.) + 1. etc. +- Pros + - There is no need to extend the UA implementation to regard the certificates as trusted ones. +- Cons + - A UA cannot get acccess to the device when the upstream internet connection is down. + - The domain name of the device is disclosed globally because it must be registered in public DNS servers. + +## Self-signed Certificate (for the devices accessible only in local network) + +(TODO: consider whether the certificate can be acceptable in terms of security.) + +- How to issue + 1. Granted by user only + - (TODO: explain the system in detail.) + 1. Granted by user on a specific web application's origin and Guaranteed by UA and device with [CORS-preflight request + Access-Control-{Request,Allow}-External](https://wicg.github.io/cors-rfc1918/#headers) proposed in [CORS and RFC1918](https://wicg.github.io/cors-rfc1918/) + - (TODO: explain the system in detail.) + 1. etc. +- Pros + - A UA can get acccess to the device even if the upstream internet connection is down. + - The domain name of the device is not disclosed globally. There is no such privacy concerns. +- Cons + - UA implementation has to be extented to regard the certificates as trusted ones. + +### Private CA Certificate (for the devices accessible only in local network) + +- How to issue + 1. Issued by a private certificate authority for devices (device CA) explicitly granted by the user. + - (TODO: develop the system to issue this type of certificates and confirm the feasibility.) + 1. etc. +- Pros + - A UA can get acccess to the device even if the upstream internet connection is down. + - The domain name of the device is not disclosed globally. There is no such privacy concerns. +- Cons + - UA implementation has to be extented to regard the certificates as trusted ones. + +## References + +- [Things Gateway by Mozilla](http://iot.mozilla.org/gateway/) +- [Let's Encrypt](https://letsencrypt.org/) +- [PageKite](https://pagekite.net/) +- [How Plex is doing HTTPS for all its users](https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/) +- [Delegated Credentials for TLS](https://tools.ietf.org/html/draft-rescorla-tls-subcerts-00) +- [Use of Short-Term, Automatically-Renewed (STAR) Certificates to Delegate Authority over Web Sites](https://tools.ietf.org/html/draft-ietf-acme-star-00) +- [CORS and RFC1918](https://wicg.github.io/cors-rfc1918/) From 82689a37b23ef8c027d55490af894af76b346fbd Mon Sep 17 00:00:00 2001 From: Daisuke Ajitomi Date: Wed, 18 Oct 2017 06:51:57 +0000 Subject: [PATCH 2/5] Modify subtitles. --- Certificates.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Certificates.md b/Certificates.md index 6499f7d..67fb4c2 100644 --- a/Certificates.md +++ b/Certificates.md @@ -3,9 +3,9 @@ To realize HTTPS/WSS communication in local network, especially between UAs and devices, we have to consider the types of TLS server certificates issued to the devices and go through the pros and cons of each type. ## Index -- Public CA Certificate -- Self-signed Certificate -- Private CA Certificate +- [Public CA Certificate](#Public-CA-Certificate) +- [Self-signed Certificate](#Self-signed-Certificate) +- [Private CA Certificate](#Private-CA-Certificate) ## Public CA Certificate @@ -35,7 +35,7 @@ To realize HTTPS/WSS communication in local network, especially between UAs and - A UA cannot get acccess to the device when the upstream internet connection is down. - The domain name of the device is disclosed globally because it must be registered in public DNS servers. -## Self-signed Certificate (for the devices accessible only in local network) +## Self-signed Certificate (TODO: consider whether the certificate can be acceptable in terms of security.) @@ -51,7 +51,7 @@ To realize HTTPS/WSS communication in local network, especially between UAs and - Cons - UA implementation has to be extented to regard the certificates as trusted ones. -### Private CA Certificate (for the devices accessible only in local network) +## Private CA Certificate - How to issue 1. Issued by a private certificate authority for devices (device CA) explicitly granted by the user. From 87b12def63cb5b510d6dfc314a2ed92f86ae1096 Mon Sep 17 00:00:00 2001 From: Daisuke Ajitomi Date: Wed, 18 Oct 2017 06:53:51 +0000 Subject: [PATCH 3/5] Fix link. --- Certificates.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Certificates.md b/Certificates.md index 67fb4c2..a095835 100644 --- a/Certificates.md +++ b/Certificates.md @@ -3,9 +3,9 @@ To realize HTTPS/WSS communication in local network, especially between UAs and devices, we have to consider the types of TLS server certificates issued to the devices and go through the pros and cons of each type. ## Index -- [Public CA Certificate](#Public-CA-Certificate) -- [Self-signed Certificate](#Self-signed-Certificate) -- [Private CA Certificate](#Private-CA-Certificate) +- [Public CA Certificate](#public-ca-certificate) +- [Self-signed Certificate](#self-signed-certificate) +- [Private CA Certificate](#private-ca-certificate) ## Public CA Certificate From 36ba45bb6d533e085e9cdca922c9a34dc5906d5b Mon Sep 17 00:00:00 2001 From: Daisuke Ajitomi Date: Fri, 27 Oct 2017 06:25:42 +0000 Subject: [PATCH 4/5] Add terminology and fix typo. --- Certificates.md | 54 +++++++++++++++++++++++++++++++------------------ 1 file changed, 34 insertions(+), 20 deletions(-) diff --git a/Certificates.md b/Certificates.md index a095835..17c0be9 100644 --- a/Certificates.md +++ b/Certificates.md @@ -3,10 +3,20 @@ To realize HTTPS/WSS communication in local network, especially between UAs and devices, we have to consider the types of TLS server certificates issued to the devices and go through the pros and cons of each type. ## Index + +- [Terminology](#terminology) - [Public CA Certificate](#public-ca-certificate) -- [Self-signed Certificate](#self-signed-certificate) - [Private CA Certificate](#private-ca-certificate) - +- [Self-signed Certificate](#self-signed-certificate) + +## Terminology + +- UA (User Agent): Web browser. +- Device: HTTPS/WSS server-capable device in local network. +- Public CA: CA (Certificate Authority) which issues server certificates to the devices. The certificates (hereafter, Public CA certificates) can chain up to root CAs which are regarded as the trusted ones by the UA. +- Private CA: CA (Certificate Authority) which issues server certificates to the devices. The certificates (hereafter, Private CA certificates) can not chain up to the root CAs. Ideally, the CA issues a PSK or a certificate for the device's bootstrapping to the device manufacturer in advance and issues the certificates by verifying the pre-issued credential. +- Web application: Web apprication wich gets access to the device via its frontend running on the UA in local network. There is a case that it takes the CA role mentioned above. + ## Public CA Certificate ### Public CA Certificate for the devices accessible globally. @@ -16,52 +26,54 @@ To realize HTTPS/WSS communication in local network, especially between UAs and 1. etc. - Pros - There is no need to extend the UA implementation to regard the certificates as trusted ones. + - The device can get the certificate in a standardized way. (ACME) - Cons - - A UA cannot get acccess to the device when the upstream internet connection is down. + - A UA cannot get access to the device when the upstream internet connection is down. - The domain name of the device is disclosed globally because it must be registered in public DNS servers. - The device is put in danger of DoS/DDoS because the device is reachable from everywhere in the internet. - - (Some manual operations or intermediate nodes are needed to make the device public.) ### Public CA Certificate for the devices accessible only in local network. - How to issue - 1. The method of [PLEX](https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/). 1. A kind of delegation method inspired on [Delegated Credentials](https://tools.ietf.org/html/draft-rescorla-tls-subcerts-00) or [STAR Certificates](https://tools.ietf.org/html/draft-ietf-acme-star-01) - (TODO: develop the system to issue this type of certificates and confirm the feasibility.) + 1. The method of [PLEX](https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/). 1. etc. - Pros - There is no need to extend the UA implementation to regard the certificates as trusted ones. - Cons - - A UA cannot get acccess to the device when the upstream internet connection is down. + - A UA cannot get access to the device when the upstream internet connection is down. - The domain name of the device is disclosed globally because it must be registered in public DNS servers. -## Self-signed Certificate - -(TODO: consider whether the certificate can be acceptable in terms of security.) +## Private CA Certificate - How to issue - 1. Granted by user only - - (TODO: explain the system in detail.) - 1. Granted by user on a specific web application's origin and Guaranteed by UA and device with [CORS-preflight request + Access-Control-{Request,Allow}-External](https://wicg.github.io/cors-rfc1918/#headers) proposed in [CORS and RFC1918](https://wicg.github.io/cors-rfc1918/) - - (TODO: explain the system in detail.) + 1. Issued by a private certificate authority for devices (device CA) explicitly granted by the user. + - An example of this solution was proposed in a breakout session held in TPAC 2016 ([".local" Server Certificate for HTTPS migration on local network](https://www.w3.org/wiki/images/3/37/2016.w3c.breakout_session.dot-local-server-cert.p.pdf)). + - (TODO: develop the system to issue this type of certificates and confirm the feasibility.) 1. etc. - Pros - - A UA can get acccess to the device even if the upstream internet connection is down. + - A UA can get access to the device even if the upstream internet connection is down. - The domain name of the device is not disclosed globally. There is no such privacy concerns. - Cons - - UA implementation has to be extented to regard the certificates as trusted ones. + - UA implementation has to be extended to regard the certificates as trusted ones. + - For now, there is no consensus about whether this sort of certificate can be acceptable for UA. -## Private CA Certificate +## Self-signed Certificate + +(TODO: consider whether the certificate can be acceptable in terms of security.) - How to issue - 1. Issued by a private certificate authority for devices (device CA) explicitly granted by the user. - - (TODO: develop the system to issue this type of certificates and confirm the feasibility.) + 1. Granted by user only + - (TODO: explain the system in detail.) + 1. Granted by user on a specific web application's origin and Guaranteed by UA and device with [CORS-preflight request + Access-Control-{Request,Allow}-External](https://wicg.github.io/cors-rfc1918/#headers) proposed in [CORS and RFC1918](https://wicg.github.io/cors-rfc1918/) + - (TODO: explain the system in detail.) 1. etc. - Pros - - A UA can get acccess to the device even if the upstream internet connection is down. + - A UA can get access to the device even if the upstream internet connection is down. - The domain name of the device is not disclosed globally. There is no such privacy concerns. - Cons - - UA implementation has to be extented to regard the certificates as trusted ones. + - UA implementation has to be extended to regard the certificates as trusted ones. ## References @@ -71,4 +83,6 @@ To realize HTTPS/WSS communication in local network, especially between UAs and - [How Plex is doing HTTPS for all its users](https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/) - [Delegated Credentials for TLS](https://tools.ietf.org/html/draft-rescorla-tls-subcerts-00) - [Use of Short-Term, Automatically-Renewed (STAR) Certificates to Delegate Authority over Web Sites](https://tools.ietf.org/html/draft-ietf-acme-star-00) +- [".local" Server Certificate for HTTPS migration on local network](https://www.w3.org/wiki/images/3/37/2016.w3c.breakout_session.dot-local-server-cert.p.pdf) - [CORS and RFC1918](https://wicg.github.io/cors-rfc1918/) + From 8fb011c3bdaa9e7ad27cc6b71227e7ecd5e44ff8 Mon Sep 17 00:00:00 2001 From: Daisuke Ajitomi Date: Fri, 27 Oct 2017 06:32:24 +0000 Subject: [PATCH 5/5] Add index for reference. --- Certificates.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Certificates.md b/Certificates.md index 17c0be9..bcf3d8b 100644 --- a/Certificates.md +++ b/Certificates.md @@ -8,6 +8,7 @@ To realize HTTPS/WSS communication in local network, especially between UAs and - [Public CA Certificate](#public-ca-certificate) - [Private CA Certificate](#private-ca-certificate) - [Self-signed Certificate](#self-signed-certificate) +- [References](#references) ## Terminology