From: Toke Høiland-Jørgensen
To: Rich Brown, Christoph Paasch
Cc: rpm@lists.bufferbloat.net
Subject: Re: [Rpm] Does RPM measurement *require* a valid SSL certificate
Date: Fri, 15 Oct 2021 18:38:24 +0200
Message-ID: <87fst2z1j3.fsf@toke.dk>
List-Id: revolutions per minute - a new metric for measuring responsiveness

Rich Brown via Rpm writes:

>> On Oct 14, 2021, at 4:27 PM, Christoph Paasch wrote:
>>
>> On 10/13/21 - 17:57, Rich Brown via Rpm wrote:
>>>
>>>> On Oct 13, 2021, at 3:45 PM, Randall Meyer wrote:
>>>>
>>>> We could add a “—insecure/-k” switch as a feature enhancement to the CLI.
>>>
>>> Or maybe just ignore the certificate. More options is worse, if you have to implement/explain/justify them.
>>
>> Ignoring is not a good option. Otherwise, traffic could be intercepted and
>> one could cheat its RPM-value by having a local termination-point on its AP.
>
> I see your concern, but I'm trying to balance that against my hope
> that RPM Servers can be widely deployed. I'm especially hopeful they'd
> be in our home routers, so we can check the local connections via
> Wi-Fi.
>
> To be clear about my concern: it's easy enough to stand up code to
> respond to the HTTPS requests. But it's a whole lot more work to get a
> signed SSL certificate, and that could discourage alternate
> implementations.

FYI, I maintain luci-app-acme on OpenWrt which makes it quite easy to get
a letsencrypt certificate. Requires the router to have a public IP, and
you need a domain name, but once you have that it's pretty point and
click :)

Not universal, but maybe doable for someone who is likely to deploy an
RPM server?

-Toke