Peter Steinhäuser <ps@embedd.com> wrote: > I did like the MUD proxy idea from Michael’s presentation that provides > „correct“ MUD files. Some of the security criticisms of the mud spec is that: a) a MUD controller does not have to check the signature b) the entity that signed the MUD file has no clear relationship to the manufacturer. It's basically TOFU. c) it is underspecified as to what to do if the URL inside the MUD file that points to the signature file is a relative URL. So our idea is that we would like to have a cloud service that provides currated MUD files, signed with a signature that is properly anchored. It is my understanding that for industrial uses, that this is where some vendors think the money is: in the subscription to this service. The SHG crew are looking towards some kind of crowd-sourced service where people collaborate to improve MUD files. It would be as simple as a github repo on which people can send pull requests, but the curration activitiy would require too much human resources in such a simple situation. In particular, we'd want a MUD-diff program that presented the changes in a much easier to understand format. With voting up/down... so think stackexchange.com/serverfault/uservoice/etc. instead. > Another concern is how far CPE/home gateway manufacturers would adopt > related technical proposals. So far most firmwares are based upon > chipset maker’s SDKs that serve the purpose of selling chipsets instead > of providing reliable and secure solutions. The lastest FCC and ETSI > rulings (=> RED discussion) did also not make it easier to provide > alternative firmware solutions (i.e. OpenWRT), let’s see how the RED > ruling goes. I'd say a lot depends upon whether or not ISPs will put out an RFP that asks for an IoT firewall based upon MUD in future products. Maybe some one here would like to test the waters with an RFI. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [