Do you want to put a web page on a .local address to do something cool for your household or club? Here's the list of browser features that browser vendors have decided you're just not fuckin' allowed to use. https://developer.mozilla.org/en-US/docs/Web/Security/Defenses/Secure_Contexts/features_restricted_to_secure_contexts

Some random site halfway around the world, served over https with a robo-verified certificate, is allowed, though, so take some comfort in that.

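For reference, the rule the browser applies is the "potentially trustworthy origin" check from the W3C Secure Contexts spec (section 3.1). This is an added example, not code from the thread or from MDN; it leaves out the spec's optional "user-agent-specific secure schemes" step, and the origins in the comments are constructed samples.

```python
import ipaddress
from urllib.parse import urlsplit


def is_potentially_trustworthy(origin: str) -> bool:
    """Return True if a browser treats this origin as a secure context.

    Mirrors W3C Secure Contexts section 3.1 (without the UA-specific schemes
    step). Examples of results:
      https://anything.example   -> True  (TLS, whoever the host is)
      http://printer.local       -> False (plain http on a .local name)
      http://192.168.1.10        -> False (plain http on an RFC 1918 address)
      http://localhost:3000      -> True  (loopback name)
      http://[::1]:8080          -> True  (loopback address)
    """
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""  # urlsplit lowercases and strips IPv6 brackets

    # Rule: TLS-protected schemes are trustworthy regardless of host.
    if scheme in ("https", "wss"):
        return True
    # Rule: file: URLs are trustworthy.
    if scheme == "file":
        return True
    # Rule: IP literals are trustworthy only if they are loopback
    # (127.0.0.0/8 or ::1); any other address literal over http is not.
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        pass  # not an IP literal, fall through to the name rules
    # Rule: "localhost", "localhost." and any subdomain of localhost.
    name = host.rstrip(".")
    if name == "localhost" or name.endswith(".localhost"):
        return True
    # Everything else (http on LAN names, .local, RFC 1918 hosts) is not.
    return False
```

The asymmetry the post complains about falls straight out of the first rule: `https://192.168.1.10/` would pass, but only if the browser already trusts the certificate, which is the part nobody can get without running their own CA.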

There's a discussion thread about allowing RFC 1918 addresses and their ip6 equivalents to participate in secure contexts at https://github.com/w3c/webappsec-secure-contexts/issues/60 . It is _eight years_ old without resolution.

I can't find any discussion at all on allowing the user to designate certain origins as secure contexts. Maybe that's a thing for some browsers.

The recommendation in that thread is to run a private CA for your LAN. Anyone who has experience doing that outside of a managed (i.e., corporate) network will tell you how hilariously useless that advice is.
@owen I use acme-dns authorized subdomain certificates on my lab, this is nearly as unreasonable as running a CA for my home network. And I have run one on a corporate network.

@ryanc @owen I mean I have my own local CA with two different intermediate CAs, but I also run my own DNS.

And I need the CA to issue client certificates to VPN clients (I have a ban on password authentication, to the extent supported by the service, for anything network reachable). Once you have that infrastructure in place also issuing your own HTTPS certs is straightforward enough.

But it's certainly not something the average person wants to deal with.

@azonenberg @owen I run my own mail server, and the Wi-Fi at home, that is my limit.

@ryanc @owen I don't run my own mail, mostly because I'm on a DOCSIS pipe that (despite being a static) is probably part of a larger netblock that's on spam blacklists.

At some point maybe I'll look at getting a box in a colo or something to do that but right now I don't have time to deal with the hassle of actually making my mail be delivered.

I do want to move to a managed mail host that is anything-but-ms365 though, since my previous mail host rolled up their in house operation and turned into a 365 reseller.

@ryanc @owen but like, for scale my internal BIND zone file has 177 A records in it, split across 20 subnets. This is not a small network so an internal CA is a tiny amount of management overhead compared to everything else.
@azonenberg @ryanc @owen For outgoing mail you can tunnel the connection thru a non-shitlisted IP while still terminating TLS on your side. I'm planning to add functionality to do this to mxclient. Using SOCKS proxy or pipes with ssh -W.
@ryanc @owen With DNS-PERSIST-01 it'll be easy to get real certs for your LAN-only devices.
@dalias @ryanc @owen Them's fighting words.
@dalias @ryanc @owen Only if your LAN is connected to the internet somehow.
@dalias @ryanc @owen With the right tooling, even DNS-01 isn't the worst.
@jima @ryanc @owen I just consider DNS-01 a giant weakness/violation of access controls. Automated processes should never have access to modify DNS, especially when that often (for non experts) means credentials to registrar.
@dalias @ryanc @owen I completely agree, which is why I CNAME the _acme-challenge records off to a distinct zone, which the automated process DOES have access to modify. 😀

@jima @ryanc @owen Yep, that's the right way to do it.

Prior to DNS-PERSIST-01 announcement, I had an even fancier plan in the works: delegating _acme-challenge to a public server (run as a public service) with a DS whose key is held by your device that wants certs. When you need to do the ACME dance, the device would send a DNS packet to the public service, which would cache and serve it for up to some short time limit.

I never got around to implementing it, and once DNS-PERSIST-01 was announced, I dropped the idea because it's no longer needed.

@dalias @ryanc @owen In my case, the delegated server is PowerDNS with an SQL backend, and my validation hook script just adds a row to the records table, remotely over TLS (which is itself provided by a Let's Encrypt cert 😅).
@dalias @jima @ryanc @owen Well the challenge allows to delegate to another zone/nameserver (what I do here), but it's probably not the most typical setup.
@lanodan @dalias @ryanc @owen It's always so nice to meet other DNS weirdos. 🥰
@lanodan @ryanc @owen @jima Yeah everyone just gives their webservers credentials to transfer all their domains to an attacker... 🤡
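To make the CNAME-delegation pattern from the posts above concrete, here is the DNS-01 validation a CA performs (RFC 8555 section 8.4, with the RFC 7638 key thumbprint), run against a constructed record set where `_acme-challenge` in the real zone is a static CNAME into a separate zone that only the renewal hook can write. This is an added example, not code from the thread or from any ACME client; the domain names, token and JWK coordinates are made-up sample values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: hash only the required public members, in lexicographic order.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    # RFC 8555 8.4: the TXT record holds base64url(SHA-256(token "." thumbprint)).
    key_authz = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def resolve_txt(records: dict, name: str, max_hops: int = 8) -> list:
    # Follow CNAMEs the way a validating CA's resolver would, then return TXT data.
    for _ in range(max_hops):
        rrset = records.get(name.lower().rstrip("."), [])
        cnames = [v for t, v in rrset if t == "CNAME"]
        if not cnames:
            return [v for t, v in rrset if t == "TXT"]
        name = cnames[0]
    raise RuntimeError("CNAME chain too long")


def validate_dns01(records: dict, domain: str, token: str, jwk: dict) -> bool:
    return dns01_txt_value(token, jwk) in resolve_txt(records, f"_acme-challenge.{domain}")


# Constructed sample account key: EC P-256 shape with dummy (non-curve) coordinates.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "c2FtcGxlLXgtY29vcmRpbmF0ZQ", "y": "c2FtcGxlLXktY29vcmRpbmF0ZQ"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # sample token value


def sample_records(domain: str, delegated_zone: str, token: str, jwk: dict) -> dict:
    # The real zone carries only a fixed CNAME; the hook's credential is scoped to
    # delegated_zone, so it can never alter the domain's own records.
    target = f"acme-{domain.replace('.', '-')}.{delegated_zone}"
    return {
        f"_acme-challenge.{domain}": [("CNAME", target)],
        target: [("TXT", dns01_txt_value(token, jwk))],  # what the hook writes
    }


SAMPLE_RECORDS = sample_records("printer.home.example", "acme-delegated.example",
                                SAMPLE_TOKEN, SAMPLE_JWK)
```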

@ryanc @owen we're trying to figure this out for the local makerspace

Do not recommend

@astraluma @ryanc @owen closest I've been able to get is:

- real domain
- tailscale (headscale actually) with local tunneling
- wildcard subdomain pointing to IP on tailnet
- DNS-01 wildcard cert
- internal DNS that just lies, served on both the tailnet and LAN
- internal sites use the wildcard cert

it... works? no, it works. end result is that a random device on the LAN without tailscale can point a browser at https://whatever-the-fuck.subdomain.bleh, and it ends up talking to a real webserver over TLS. Firefox even gives it the thumbs up.

however, this is not a place of honor. no great deeds are recorded here.

@astraluma @ryanc @owen I feel shame, but at least that shame is TLS terminated.
@owen that's the network engineer version of "I'm praying for you," isn't it?
@owen lol I gave up on doing that and I run my own mailserver, so yeah I have quite a bit of tolerance for technical pain
@owen I don’t find it that bad with #stepca. It’s not exactly trivial, but it’s possible. If more things I run — or want to run — had a “step” client or #acme (and not just support for #LetsEncrypt), it would be much easier.
@jaharmi @owen And load the root cert into every device in the LAN including guests? (See mention of "club" in first post)
@owen @becomethewaifu Sir, I have experience doing that *inside* of a managed (i.e., corporate) network, and I'll +1 your "how hilariously useless that advice is" point.
@owen Is it still that bad now we have ACME?

@nik ACME issuers are a huge usability improvement for TLS on the public internet but I’m not aware of any that will issue for private networks, unless those private networks correspond to a public internet domain or service.

Which is kind of my point. Any sketchy internet site can authenticate strongly enough for your browser to let it send notifications or use a gamepad, but a server ten feet away needs a fully managed network to do the same thing.

@nik in some contexts you just plain can’t. If the Switch’s browser supports the Gamepad API, you could host a browser based game on the internet, but there’d be no way at all to host it on your LAN. The Switch doesn’t support user supplied trust roots without violating your warranty.