Thanks Mats,


Yes, for sure agree with you.  I have a security primer document for device 
vendors (see here: <https://openconnectivity.org/wp-content/uploads/2018/06/4.-Security-Introduction-Architecture.pdf>; 
this doc is also on the list of links in the getting started page: 
<https://iotivity.org/getting-started>) but it doesn't quite hit this level 
of detail on certificate types.  I was hoping we would have a clean reference 
Onboarding Tool/OBT to illustrate proper use of certificates, because the 
number of possible valid configurations is very high.  But additional 
documentation on this particular area is probably important since the OBT that 
illustrates cert provisioning may not be available for another few months.

Khaled, would you be willing to send this group just the top level 4 or 5 (or 
10!) items you had to "discover" in order to get things working?  I'll polish 
and add your list to the primer document, or possibly to the getting started 
FAQ: <https://wiki.iotivity.org/getting_started_troubleshooting_and_faq> (if it's 
IoTivity specific).

Thanks,
Nathan

-----Original Message-----
From: iotivity-dev@lists.iotivity.org [mailto:iotivity-dev@lists.iotivity.org] 
On Behalf Of Mats Wichmann
Sent: Thursday, January 3, 2019 8:06 AM
To: Heldt-Sheller, Nathan <nathan.heldt-shel...@intel.com>
Cc: iotivity-dev <iotivity-dev@lists.iotivity.org>
Subject: Re: [dev] Certificate-based credential (DTLS fails to find cipher 
suite)

On 1/3/19 8:46 AM, Nathan Heldt-Sheller wrote:

> Thank you Aleksey and Khaled for the great troubleshooting work.  One 
> important point: the "mutual cert" configuration (using same cert as both 
> "mfgtrustca" and "trustca" type) is suggested for testing purposes only.  A 
> real product would not want to use the same Root Cert for OTM and for normal 
> D2D authentication, as it would create a potential attack vector.  The OBT is 
> responsible for configuring the Device correctly in this manner, but this is 
> something to note for those of us playing around with Certs.

I assume that all of this stuff can be gleaned from reading the security 
specification, but as a long-time spec writer I know reading the specs is not 
what we want to do. They are there for verifying the details of an 
implementation, and setting up tests, but otherwise they are not really for 
general consumption.

So we will want to capture these findings, and other setup instructions, in a 
more "accessible" place, no?

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#10127): 
https://lists.iotivity.org/g/iotivity-dev/message/10127
Mute This Topic: https://lists.iotivity.org/mt/28611921/21656
Group Owner: iotivity-dev+ow...@lists.iotivity.org
Unsubscribe: https://lists.iotivity.org/g/iotivity-dev/unsub  
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
