16 Oct
2013
16 Oct
'13
8:59 a.m.
On Wed, 16 Oct 2013 18:50:29 +1100, Mark Andrews said:
I can see this being done completely automatically by the CPE device. It is trivial to code. It just required ISP's to *allow* it to happen.
The rest of the plan looks OK at first glance.. However, step 0:
* CPE generates a RSA key pair. Stores this in non-volatile memory. [needs to be coded, no protocol work required]
has proven to be a lot harder to do in the field than one might expect, due to the very limited amount of entropy sources available to a CPE that Joe Sixpack just pulled out of a Best Buy shopping bag. Witness the truly huge pile of CPE that generate horribly insecure weak self-signed certs for https....