> On 11 Sep 2015, at 16:20, Giuseppe Piro <[email protected]> wrote:
>
> Hello Malisa,
>
> just another little consideration.
>
> In the case we would still consider PSK + COSE for handling the join
> procedure at the application layer, can we introduce a pre-join phase
> between JN and JA, useful for authenticating JN locally?
>
> It can be done by 6top, for example.
>
> Some possibilities may exist.
>
> - JN sends a certificate. JA knows that CA and verifies the
> certificate. Then JA assists JN in the join process.
> - JN sends a certificate. JA does not know that CA and it cannot
> verify the certificate. JA may be configured for running different
> behaviors (i.e., accept the request and postpone the authentication to
> the JCE; discard the join request, ... other?)
> - JN does not have a certificate. JA may follow the same decisions as
> in the previous point.
> - other?
>
> Hence, we may have join procedure at the application layer (COSE) and
> a pre-join process at the MAC/6top layer.

Sorry, did not read this email before sending the previous one.

I don’t understand what you consider as a start state of JN here, when it first tries to join. Is it a certificate or a PSK? I think we agree that with PSKs, JA cannot help much?

With certificates, I agree with you that *if* JA could authenticate the JN before forwarding the message, it would reduce the risk but still wouldn’t completely eliminate it, as JN needs to be authorized by JCE to join. The details would depend on the exact forwarding mechanism and if/how we decide to use COSE…

Regards,
Mališa

_______________________________________________
6tisch mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/6tisch
