OpenWrt and self-signed certificates

Thanks for laying out some high-level, conceptual issues and security requirements; something I wish the article had started with instead of the implementation details.

About the project itself I understand people love to code but I think it would avoid confusion and disappointments to discuss, clarify and publish the basic security requirements and objectives before sketching some new "on-the-fly PKI" system. These questions are indeed relevant far beyond OpenWRT and other comments here have unsurprisingly mentioned other efforts outside OpenWRT to solve the same issues.

I'm afraid they are only two high-level approaches to prove who you are on the Internet: centralized Public Key Infrastructure (https,...) versus peer to peer (ssh, PGP, self-signed https,...) So the very first question OpenWRT should answer is which approach it wants to support? Both? It should be obvious that you can't bootstrap a centralized approach without network access, no need to get lost in the implementation details to realize this.

Another very important question is indeed: does an OpenWRT router really want to prove who it is? Or just encrypt with an understood and accepted MitM security risk? Give the user the choice?

Another one: why can we choose "Yes, I will keep trusting this ssh server until further notice" on the very first connection attempt but not do the same with an https browser? Leading to awkward "solutions" like tunneling https (and other things...) in ssh, our security swiss army knife? For the record I set up my OpenWRT router with a back to back cable totally disconnected from everything else.

It's great OpenWRT developers look at these questions. It's not great they seem to look at them in the narrow scope of the OpenWRT code.