On 3/4/21 3:52 PM, Sam Hartman wrote:
Keith> IOW it's not only TLS and X.509 that are needed, but a
Keith> stack (including browser) that can use these without needing
Keith> DNS or external connectivity.

I've been doing this a fair bit for isolated networks for cyber training and for other things in that space. We end up providing a DNS and a PKI etc. At this point it's going to be simpler to provide some good devops'd dns and PKI than to go develop a custom browser.
I've written code for a variety of environments like these for the last 13 years or so: gas pipeline monitoring, broadcast television operations, traffic signal monitoring/control, factory monitoring/automation, avionics, cryogenic dewar monitoring for various kinds of environments, and some others that don't come to mind immediately. For the environments I've worked with, any of that kind of stuff would be a non-starter. DNS is rightly seen as yet another reason for things to fail, and factories, gas pipelines, etc. are intolerant of lines being shut down because some IT guy wanted to use a name rather than an IP address. Static IPs work just fine for these situations. External connections are also regarded as security threats and generally forbidden, which is not to say that the rules are never bent or that nobody ever plugs in a nomadic laptop.
So they do need better protection against threats and sometimes they'll even admit it (the customers more than the equipment manufacturers), but the Big Internet assumptions don't work for them.
Keith
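Editor's added example (not from either participant in the thread): the exchange above turns on whether TLS and X.509 can be used on a static-IP network with no DNS. A private CA can issue a server certificate whose only subject alternative name is an IP address, and a standards-following client verifies it against the IP literal it connected to. The Go standard library is used here because its x509 package both issues and verifies; the address 10.0.0.5, the names "Plant Floor Private CA" and "plc-01", and the validity periods are all made up for the example. The second issued certificate, which carries only a Common Name and no SAN, shows the caveat a practitioner hits first: modern verifiers ignore the CN, so a CN-only certificate fails even for the "right" IP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newPrivateCA builds a self-signed root for an isolated network.
// Name and lifetime are assumptions for the example, not a recommendation.
func newPrivateCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Plant Floor Private CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// issueServerCert issues a leaf signed by the CA. The IP addresses become
// the only subject alternative names; passing none yields a CN-only cert.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "plc-01"}, // assumed device name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  ips, // no DNSNames at all: the network has no DNS
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyForHost does what a TLS client does after the handshake: chain the
// leaf to the trusted private root and match the connected host against the
// SANs. host may be an IP literal; Go's VerifyHostname matches it against
// the IPAddresses SAN entries and never consults the Common Name.
func verifyForHost(roots *x509.CertPool, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := newPrivateCA()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	ipSAN, _ := issueServerCert(ca, caKey, []net.IP{net.ParseIP("10.0.0.5")})
	cnOnly, _ := issueServerCert(ca, caKey, nil)

	fmt.Println("IP SAN, right host:  ", verifyForHost(roots, ipSAN, "10.0.0.5"))
	fmt.Println("IP SAN, wrong host:  ", verifyForHost(roots, ipSAN, "10.0.0.6"))
	fmt.Println("IP SAN, unknown CA:  ", verifyForHost(x509.NewCertPool(), ipSAN, "10.0.0.5"))
	fmt.Println("CN only, right host: ", verifyForHost(roots, cnOnly, "10.0.0.5"))
}
```

The private root still has to reach every client's trust store by some offline provisioning step, and the leaf has to be reissued when a device's static address changes; neither needs DNS or an external connection, which is the point at issue in the thread.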