On 08/07/16 10:03, Olle E. Johansson wrote:
On 08 Jul 2016, at 10:02, Daniel Pocock daniel@pocock.pro wrote:
On 08/07/16 09:12, Olle E. Johansson wrote:
On 07 Jul 2016, at 19:37, Daniel Pocock daniel@pocock.pro wrote:
Every vendor of deskphones has their own provisioning system, they are all quite different. Some are quite effective, e.g. the way Polycom puts certificates in every phone to avoid the risk of exposing credentials during provisioning or subsequent updates.
Polycom’s system was broken because there was no secure way to validate their root CA. It was only available from a non-TLS site and wasn’t referred to in any printed documentation, not on promotional USB sticks or anything…
Good idea, poor implementation. If they made it available on a web site with HTTPS it would have been much easier to trust the CA.
For something like this, everybody who operates the provisioning system would be able to create their own CA. It may also work with public CAs (e.g. those who issue email certificates). Maybe we should include the root certificate or the CN and hash of the root certificate in the QR-code and then the provisioning client can verify it against the certificate that is eventually issued?
I think I suggested that in a follow-up email :-)
There you mentioned the fingerprint of the server cert, I was referring to the root that will sign the client cert. It may be the same root signing the server cert too.
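The root-pinning idea discussed in this thread, as an added example that is not part of the list posts: a Go program (standard library only) that computes the SHA-256 fingerprint a QR code would carry for the provisioning root, issues a phone certificate under that root, and accepts the issued certificate only if it chains to a root matching the pinned fingerprint. The certificate names and the hex SHA-256 fingerprint format are assumptions, not a format from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Template builds a minimal certificate template (names and validity are constructed for the demo).
func Template(cn string, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
}

// Issue signs tmpl with the parent's key; a nil parent yields a self-signed (root) certificate.
func Issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Fingerprint is the hex SHA-256 of the DER certificate: the value the QR code would carry for the root.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// VerifyIssued trusts the root the server handed back only if it matches the pinned fingerprint, then checks the chain.
func VerifyIssued(pinned string, issued, root *x509.Certificate) error {
	if Fingerprint(root) != pinned {
		return fmt.Errorf("root fingerprint %s does not match pinned %s", Fingerprint(root), pinned)
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := issued.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```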