Solution Overview

This document describes the building blocks for potential solutions. The purpose is to describe current practices and spark ideas on how they can be applied in a different context. Some solutions may prove impractical, while others involve working with standardisation bodies to amend or extend existing standards. Unfortunately there is no easy fix.

  • Compartmentalise the IoT network, e.g. place the devices in dedicated VLANs so they can only communicate over predefined paths. This limits who can reach the devices, but by itself does nothing about the certificate warning a browser shows when connecting to them.

  • Ask browser vendors to treat certificates for local IP addresses differently, or at least to change the warning message.

  • Ask the CA/B Forum to adapt the rules for issuing certificates

    For example, a local domain for IoT, similar to .local used by mDNS, but for which publicly trusted CAs are allowed to issue certificates (as was done for .onion)

  • Create a domain infrastructure to give local devices a globally unique domain name.

  • Let local gateways issue certificates and have browsers trust these gateways as an alternative root of trust.

    Create a dedicated special-purpose root CA for IoT devices (learning from ISRG's Let's Encrypt and CAcert.org)

  • Create a dedicated IoT browser or mobile app that manages IoT devices through a generic interface.

  • Set up a dedicated IoT domain name to which different certificate rules can apply.

  • Create an infrastructure for onboarding devices using IEEE 802.1AR device identities (DevIDs) and BRSKI bootstrapping (RFC 8995).

  • Use special-purpose TLS certificates by introducing a new Extended Key Usage (EKU) value for IoT. Existing validators reject a certificate whose EKU extension lacks serverAuth, so this only helps once browsers or a dedicated IoT client are taught to accept the new value.

Apart from patching a browser to show a softer warning message, all the other solutions require cooperation with standardisation organisations or building an elaborate infrastructure.
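To make the gateway-as-root and IoT-EKU ideas above concrete, here is an added example written for this overview; it is not code from the original document or from any of the projects named in it. It uses Go's standard crypto/x509 as a stand-in for a browser's validator, takes home.arpa (the RFC 8375 special-use domain for home networks) as the local name space, and uses a placeholder EKU OID under the 2.999 example arc because no IoT-specific EKU is registered. The gateway root carries a critical name constraint so that a malicious or compromised gateway cannot issue a certificate for a public site, which is the check a browser vendor would insist on before trusting such a root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Placeholder IoT EKU under the 2.999 arc, which is reserved for examples in
// documentation. No IoT EKU is registered today; this stands in for the one
// the text proposes.
var oidExampleIoTEKU = asn1.ObjectIdentifier{2, 999, 1}

// newGatewayRoot mints a self-signed root for a home gateway. A critical name
// constraint limits it to names under home.arpa (RFC 8375), so the root can
// never vouch for a public site even if the gateway is compromised.
func newGatewayRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Example Home Gateway Root"},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().AddDate(10, 0, 0),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{"home.arpa"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert has the gateway issue a leaf for one device name. The
// placeholder IoT EKU is always present; withServerAuth controls whether the
// standard TLS serverAuth EKU is included as well.
func issueDeviceCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, name string, withServerAuth bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Random 127-bit serial, shifted to be strictly positive as RFC 5280 requires.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	serial.Add(serial, big.NewInt(1))
	tmpl := &x509.Certificate{
		SerialNumber:       serial,
		Subject:            pkix.Name{CommonName: name},
		DNSNames:           []string{name},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().AddDate(1, 0, 0),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidExampleIoTEKU},
	}
	if withServerAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyWith validates leaf for host against a trust store holding only the
// gateway root, requiring the given EKUs. A browser demands serverAuth; a
// dedicated IoT app could pass x509.ExtKeyUsageAny or check the IoT EKU itself.
func verifyWith(leaf, root *x509.Certificate, host string, usages []x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: usages})
	return err
}

// invalidReason extracts the x509.InvalidReason from a verification error.
func invalidReason(err error) (x509.InvalidReason, bool) {
	var cie x509.CertificateInvalidError
	if errors.As(err, &cie) {
		return cie.Reason, true
	}
	return 0, false
}

func main() {
	root, rootKey, err := newGatewayRoot()
	if err != nil {
		panic(err)
	}
	browser := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	iotApp := []x509.ExtKeyUsage{x509.ExtKeyUsageAny}

	dev, _ := issueDeviceCert(root, rootKey, "thermostat.home.arpa", true)
	fmt.Println("browser, thermostat.home.arpa:", verifyWith(dev, root, "thermostat.home.arpa", browser))
	outside, _ := issueDeviceCert(root, rootKey, "bank.example.com", true)
	fmt.Println("browser, bank.example.com:", verifyWith(outside, root, "bank.example.com", browser))
	iotOnly, _ := issueDeviceCert(root, rootKey, "camera.home.arpa", false)
	fmt.Println("browser, IoT-EKU-only leaf:", verifyWith(iotOnly, root, "camera.home.arpa", browser))
	fmt.Println("IoT app, IoT-EKU-only leaf:", verifyWith(iotOnly, root, "camera.home.arpa", iotApp))
}
```

Running it shows the three outcomes that matter for the list above: the constrained gateway root validates thermostat.home.arpa, the same root is refused for bank.example.com because of the name constraint (CANotAuthorizedForThisName), and a browser-style check rejects the leaf that carries only the IoT EKU (IncompatibleUsage) while a client that accepts any EKU takes it. The last pair is why the new-EKU option cannot stand alone: it needs either a validator change in the browser or a dedicated IoT client.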