Solution Overview
This document describes the building blocks for potential solutions. The purpose is to describe current practices and spark ideas on how they can be applied in a different context. Some solutions may prove impractical, while other solutions involve working with standardisation bodies to amend or extend existing standards. Unfortunately there is no easy fix.
- Compartmentalize the IoT network, e.g. place the devices in dedicated VLANs so they can only communicate over predefined paths.
- Ask browser vendors to treat certificates for local IP addresses differently, and at the very least change the warning message.
- Ask the CA/Browser Forum to adapt the rules for signing certificates.
- Create a local domain for IoT, similar to the .local domain used by mDNS, but for which certificates are allowed to be signed (as is the case for .onion).
- Create a domain infrastructure that gives local devices a globally unique domain name.
- Let local gateways sign certificates and let browsers trust them as an alternative root of trust.
- Create a dedicated special-purpose root CA for IoT devices (learning from ISRG's Let's Encrypt and CAcert.org).
- Create a dedicated IoT browser or mobile app to manage IoT devices through a generic interface.
- Set up a dedicated IoT domain name to which different certificate rules can apply.
- Create an infrastructure for onboarding devices using IEEE 802.1AR Device IDs (DevIDs) and BRSKI bootstrapping.
- Use special-purpose TLS certificates by introducing a new Extended Key Usage (EKU) value for IoT.
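To make two of the building blocks concrete (a local gateway acting as an alternative root of trust, and a special-purpose EKU for IoT certificates), here is an added example using only Go's standard library; it is not code from this document. The gateway root signs a certificate for a device on a private address, and an IoT-aware client verifies the chain, the address and the EKU. The EKU OID, names and address are placeholders chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"net"
	"time"
)

// Placeholder OID standing in for a not-yet-defined "IoT device" EKU (an assumption; no such OID is assigned).
var oidIoTDevice = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// sign generates a P-256 key for tmpl and has parent sign it; a nil parentKey means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	if parentKey == nil { parent, parentKey = tmpl, key }
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueDeviceCert models the gateway as an alternative root of trust: it creates the gateway's self-signed
// root and has it sign a leaf for a device at a private IP, tagged with the special-purpose IoT EKU.
func IssueDeviceCert(ip net.IP) (root, leaf *x509.Certificate, err error) {
	root, rootKey, err := sign(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Gateway IoT Root (example)"}, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil { return nil, nil, err }
	leaf, _, err = sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "thermostat (example)"},
		IPAddresses: []net.IP{ip}, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidIoTDevice}}, root, rootKey) // the IoT EKU rides in the EKU extension
	return root, leaf, err
}

// VerifyDeviceCert is what an IoT-aware client would check: the leaf chains to the gateway root,
// the SAN matches the device's IP, and the special-purpose EKU is present.
func VerifyDeviceCert(leaf, root *x509.Certificate, ip net.IP) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: ip.String()}); err != nil { return err }
	for _, oid := range leaf.UnknownExtKeyUsage {
		if oid.Equal(oidIoTDevice) { return nil }
	}
	return errors.New("certificate lacks the IoT device EKU")
}
```

A stock browser would still reject this chain because the gateway root is not in its trust store; the point of the example is the verification policy such a browser or IoT app would need to adopt.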
Apart from patching a browser to generate a softer warning message, all the other solutions require cooperation with other standardisation organisations or the creation of an elaborate infrastructure.