> Is it possible to set up server and client to automatically do pair-wise credentials or skip the need for pair-wise credentials?
I am not aware of an OCF documented/prescribed way of realizing this using PSK credentials (though it seems very doable, just technically speaking). However, I believe that this may be achievable using certificate credentials. E.g. if you had an OBT separately provision identity certificates to all devices in your network, and additionally installed its root certificate to all devices in credential entries bearing the wildcard subject and trustca credusage, then in theory Clients and Servers could mutually authenticate each other by verifying the other's certificate chain, and establish a TLS session in a way that I believe complies with the OCF Security Spec. You would carry out similar provisioning steps on any new devices you later bring into your network, which could then securely interact with other like-provisioned devices on the network without requiring any explicit pairing.

> I think this could be done by using the anon-clear permission.

If resources are exposed via only secure ("coaps") endpoints, something that the specs require apps to do for all vertical resources, then you'd need credentials to set up (D)TLS sessions through those secure endpoints. While that ACE would technically grant anyone access to the resource from an access-control standpoint, you still wouldn't be able to reach it. If you however also configured your application to expose a resource via an unsecured "coap" endpoint, then a combination of that and the anon-clear ACE would let you access the resource directly without a (D)TLS session. But maybe that isn't what you wanted.

-Kishen.
--
Kishen Maloor
Intel Open Source Technology Center

From: <iotivity-dev@lists.iotivity.org> on behalf of George Nash <george.n...@intel.com>
Date: Wednesday, January 2, 2019 at 4:14 PM
To: iotivity-dev <iotivity-dev@lists.iotivity.org>
Subject: [dev] Is it possible to default white-list pair-wise credentials provisioning

Is it possible to set up server and client to automatically do pair-wise credentials or skip the need for pair-wise credentials?

Right now I follow a multi-step process to get a client and server on-boarded and provisioned to talk with one another. (Note some of this may be simplified using the OTGC)

1. Discover unowned devices
2. Take ownership of devices
3. Discover owned devices
4. Provision server (I have been using auth-crypt with the all discoverable resources wild card with read, update, notify permissions)
5. Pair client and server using pair-wise credentials provisioning
6. Restart devices

What I want to know is: is there a way to skip the pairing step (#5 above)? Is there a way to let the client and server talk with each other without pairing them? I already have a really permissive permissions set. I want any client that is on the same network to be able to control my server without pairing if possible. This would be a white-list by default behavior. I think this could be done by using the anon-clear permission. So far I have not been able to get this to work.

George N

View/Reply Online (#10117): https://lists.iotivity.org/g/iotivity-dev/message/10117
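As an added illustration, not code from this thread or from IoTivity: a small Python model of the two conditions Kishen's reply separates, whether a resource is reachable over the endpoint type used at all, and whether an ACE for that connection type then grants the requested permission. The resource href, client UUID and permission bit values are constructed for the example, and only the "*" wildcard and explicit hrefs are modeled.

```python
from dataclasses import dataclass
from typing import Optional
# Permission bits in the style of the OCF ACE "permission" bitmask (CRUDN).
PERM_RETRIEVE, PERM_UPDATE, PERM_NOTIFY = 2, 4, 16

@dataclass
class Resource:
    href: str
    endpoints: frozenset             # subset of {"coap", "coaps"}

@dataclass
class Ace:
    subject: str                     # "anon-clear", "auth-crypt" or a device UUID
    resources: frozenset             # explicit hrefs, or {"*"} for the wildcard
    permission: int

@dataclass
class Request:
    href: str
    endpoint: str                    # "coap" (cleartext) or "coaps" (DTLS)
    peer_uuid: Optional[str]         # UUID proven by DTLS credentials, if any
    permission: int

def subject_matches(ace, req):
    if ace.subject == "anon-clear":                 # unauthenticated, cleartext
        return req.endpoint == "coap"
    if ace.subject == "auth-crypt":                 # any authenticated DTLS peer
        return req.endpoint == "coaps" and req.peer_uuid is not None
    return req.peer_uuid == ace.subject             # device-specific (paired) ACE

def evaluate(resources, acl, req):
    res = resources.get(req.href)
    if res is None or req.endpoint not in res.endpoints:
        return "unreachable"    # no endpoint of that kind exposes the resource
    if req.endpoint == "coaps" and req.peer_uuid is None:
        return "no-session"     # DTLS cannot be set up without provisioned credentials
    for ace in acl:
        in_scope = ace.resources == {"*"} or req.href in ace.resources
        if subject_matches(ace, req) and in_scope and (ace.permission & req.permission) == req.permission:
            return "allowed"
    return "denied"

# Constructed sample: a /light resource and the two ACEs discussed in the thread.
SECURE_ONLY = {"/light": Resource("/light", frozenset({"coaps"}))}
BOTH = {"/light": Resource("/light", frozenset({"coap", "coaps"}))}
RW = PERM_RETRIEVE | PERM_UPDATE | PERM_NOTIFY
ACL = [Ace("auth-crypt", frozenset({"*"}), RW), Ace("anon-clear", frozenset({"*"}), RW)]

def outcome(resources, endpoint, peer_uuid):
    return evaluate(resources, ACL, Request("/light", endpoint, peer_uuid, PERM_UPDATE))
```

With the resource on coaps only, an unpaired client gets "unreachable" over coap and "no-session" over coaps despite the anon-clear ACE; only adding a coap endpoint turns the anon-clear case into "allowed".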