1. I created ASACORE-2673<https://jira.allseenalliance.org/browse/ASACORE-2673>: “Bring back the option for classic KEYX_ECDHE_ECDSA for use with raw ECC keys” for consideration.
Thank you S. From: Lioy, Marcello [mailto:[email protected]] Sent: Thursday, January 7, 2016 16:23 To: Stefan Thom <[email protected]>; McDonald, Cameron <[email protected]> Cc: [email protected] Subject: RE: [Allseen-core] Using AUTH_SUITE_ECDHE_ECDSA without certificates? Hi Stefan, I would recommend that you file a Jira ticket requesting the feature you describe, and we will see if someone steps up to implement. You could obviously discuss with the MSFT AllJoyn team as well. From: Stefan Thom [mailto:[email protected]] Sent: Thursday, January 07, 2016 3:10 PM To: Lioy, Marcello; McDonald, Cameron Cc: [email protected]<mailto:[email protected]> Subject: RE: [Allseen-core] Using AUTH_SUITE_ECDHE_ECDSA without certificates? Hello Lioy, I have written and tested the necessary fixes for the two issues around SLAP on Windows and AJTCL I opened and provided them to our AJ team. They will review and submit them likely next month, however they are unrelated to the question that was the matter of this mail. In this mail I was wondering if KEYX_ECDHE_ECDSA with raw ECC keys, that used to be working according to Cameron but has since been altered to mandate now certificates, could get reintroduced, since it offers a great alternative to KEYX_ECDHE_PSK and is a lot safer and easier to manage. Thank you S. From: Lioy, Marcello [mailto:[email protected]] Sent: Thursday, January 7, 2016 14:13 To: McDonald, Cameron <[email protected]<mailto:[email protected]>>; Stefan Thom <[email protected]<mailto:[email protected]>> Cc: [email protected]<mailto:[email protected]> Subject: RE: [Allseen-core] Using AUTH_SUITE_ECDHE_ECDSA without certificates? Stefan, Did you file some bugs related to this? We triaged a couple of bugs that you filed in the Core meeting today, and one of you fellow MSFT employees has taken those on. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of McDonald, Cameron Sent: Wednesday, January 06, 2016 10:00 PM To: Stefan Thom Cc: [email protected]<mailto:[email protected]> Subject: Re: [Allseen-core] Using AUTH_SUITE_ECDHE_ECDSA without certificates? Sorry to get your hopes up.. I’m not involved in the project anymore, I was just giving my thoughts. No idea what’s planned for the future. On 7 Jan 2016, at 1:02 pm, Stefan Thom <[email protected]<mailto:[email protected]>> wrote: Hello Cameron That would have been very beneficial! My problem is that on my really lightweight MCU platform that is running ACTCL the KEYX_ECDHE_ECDSA authentication succeeds just fine, but the authorization step then makes my heap run over and the device goes belly up. Could I be carefully optimistic from your comment that there is a glimmer of hope that you guys in fact may bring raw ECC key usage back? My immediate need is addressed addressed by KEYX_ECDHE_PSK with a derived secret from the device attestation, however I would rather deal with asymmetric keys than a symmetric secret. Thank you S. From: McDonald, Cameron [mailto:[email protected]] Sent: Wednesday, January 6, 2016 14:51 To: Stefan Thom <[email protected]<mailto:[email protected]>> Cc: [email protected]<mailto:[email protected]> Subject: Re: [Allseen-core] Using AUTH_SUITE_ECDHE_ECDSA without certificates? Hi Stefan, The original (now deprecated) ECDSA authentication allowed this. Now, the mechanism is not just purely authentication, it requires manifest (+digest) etc. for authorisation. So the certificates are mandatory to capture those bindings. You could have a new mechanism that is just authentication and leave the authorisation to local access control. In hindsight, we probably should have left the original ECDSA authentication like that and created a different name for the current one with manifest etc. Cameron. On 7 Jan 2016, at 8:29 am, Stefan Thom <[email protected]<mailto:[email protected]>> wrote: Is it possible to use bare ECC key pairs with AUTH_SUITE_ECDHE_ECDSA without the use of certificates? I’m looking at SampleClientECDHE.cc<http://sampleclientecdhe.cc/> and SampleServiceECDHE.cc<http://sampleserviceecdhe.cc/> in alljoyn\alljoyn_core\samples\secure\ and am wondering if the usage of certificates is mandatory? I would like to import a trusted set of pub keys into the device and then authenticate against this key store rather than certificate chain building. If yes, how would the sample have to get changed to accomplish that? Thank you S. _______________________________________________ Allseen-core mailing list [email protected]<mailto:[email protected]> https://lists.allseenalliance.org/mailman/listinfo/allseen-core
_______________________________________________ Allseen-core mailing list [email protected] https://lists.allseenalliance.org/mailman/listinfo/allseen-core
