On 3/4/21 3:52 PM, Sam Hartman wrote:
Keith> IOW it's not only TLS and X.509 that are needed, but a
Keith> stack (including browser) that can use these without needing
Keith> DNS or external connectivity.
I've been doing this a fair bit for isolated networks for cyber training
and for other things in that space.
We end up providing a DNS and a PKI etc.
At this point it's going to be simpler to provide some good devops'd dns
and PKI than to go develop a custom browser.
I've written code for a variety of environments like these for the last
13 years or so: gas pipeline monitoring, broadcast television
operations, traffic signal monitoring/control, factory
monitoring/automation, avionics, cryogenic dewar monitoring for various
kinds of environments, and some others that don't come to mind
immediately. For the environments I've worked with, any of that kind
of stuff would be a non-starter. DNS is rightly seen as yet another
reason for things to fail, and factories, gas pipelines, etc. are
intolerant of lines being shut down because some IT guy wanted to use a
name rather than an IP address. Static IPs work just fine for these
situations. External connections are also regarded as security threats
and generally forbidden, which is not to say that the rules are never
bent or that nobody every plugs in a nomadic laptop.
So they do need better protection against threats and sometimes they'll
even admit it (the customers more than the equipment manufacturers), but
the Big Internet assumptions don't work for them.
Keith
