Thanks, yes, this answers my question. I just need to learn how to properly do certificate-based credentials within IoTivity. I am already familiar with the callbacks in IoTivity. Not sure if the same exist in IoTivity-lite.

George

From: Heldt-Sheller, Nathan
Sent: Wednesday, January 2, 2019 9:28 PM
To: Nash, George <george.n...@intel.com>; iotivity-dev <iotivity-dev@lists.iotivity.org>
Subject: RE: Is it possible to default white-list pair-wise credentials provisioning

Hi George,

With symmetric creds, unfortunately no, there is no way to establish a secure connection (e.g. DTLS) without each Device having an installed /cred that is uniquely correlated to the Device ID of the other Device... in other words, your provisioning step 5) is mandatory in order to set up a dedicated PSK for Client 1 and Server A to connect to one another.

With asymmetric creds (which in OCF is realized through certificates) step 5) is not necessary, because all the Client needs in order to connect to the Server (and vice versa) is a Certificate that can be validated using one of the installed Root Certs (aka Trust Anchors) on the Server. That's one of the best reasons to use certificates: it allows addition of a new Device N to the network without having to add a /cred entry for that Device N on every other Device already onboarded to the network.

Another approach, as you noted, is to bypass secure connections altogether (using e.g. a CoAP endpoint rather than CoAPS), but this is a violation of the OCF Specifications for any OCF-defined "Vertical" Resource types; only Vendor Defined Resources (and a few select Core and Security Resources) may expose CoAP endpoints. A request arriving over a non-secure connection (e.g. CoAP) is the only case where "anon-clear" /acl2 entries would grant access to the Resource... so they're unfortunately not much use.

In the certificate-based credential model, the sequence looks like this:

1. Client/OBT 1 Discovers and onboards Servers A, B and C... now Client 1 can connect via CoAPS to ABC (and they could each connect to each other if they were Clients also)
   a. As part of onboarding, Client 1 provisions A, B and C with "auth-crypt" ACEs for all Discoverable NCRs ("+")
2. Client/OBT 1 Discovers and onboards Client 2... now Clients 1 and 2 can talk to ABC's NCRs without any further modification to ABC at all (e.g. no changes to ABC's /cred or /acl2 Resource)

Please let me know if that answers your question or if I've missed your intent!

Thanks,
Nathan

From: iotivity-dev@lists.iotivity.org [mailto:iotivity-dev@lists.iotivity.org] On Behalf Of George Nash
Sent: Wednesday, January 2, 2019 4:14 PM
To: iotivity-dev <iotivity-dev@lists.iotivity.org>
Subject: [dev] Is it possible to default white-list pair-wise credentials provisioning

Is it possible to set up a server and client to automatically do pair-wise credentials, or to skip the need for pair-wise credentials?

Right now I follow a multi-step process to get a client and server on-boarded and provisioned to talk with one another. (Note: some of this may be simplified using the OTGC.)

1. Discover unowned devices
2. Take ownership of devices
3. Discover owned devices
4. Provision server (I have been using auth-crypt with the all-discoverable-resources wildcard with read, update, notify permissions)
5. Pair client and server using pair-wise credentials provisioning
6. Restart devices

What I want to know is: is there a way to skip the pairing step (#5 above)? Is there a way to let the client and server talk with each other without pairing them? I already have a really permissive permissions set. I want any client that is on the same network to be able to control my server without pairing, if possible. This would be a white-list-by-default behavior. I think this could be done by using the anon-clear permission. So far I have not been able to get this to work.

George N

View/Reply Online (#10129): https://lists.iotivity.org/g/iotivity-dev/message/10129
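To make Nathan's two points concrete, here is a small Python model of the /cred and /acl2 rules he describes; it is an added illustration, not IoTivity or IoTivity-lite code. It assumes the OCF CRUDN permission bitmask (Create=1, Retrieve=2, Update=4, Delete=8, Notify=16), uses simplified string values in place of the spec's numeric credtype, and the Device IDs and hrefs are constructed placeholders.

```python
# Added model (not IoTivity code). Hypothetical constants mirroring the OCF CRUDN bitmask.
CREATE, RETRIEVE, UPDATE, DELETE, NOTIFY = 1, 2, 4, 8, 16

# Constructed /cred entries on Server A: one PSK bound to Client 1's Device ID
# (the result of pair-wise provisioning, step 5) and one trust anchor (root cert).
SERVER_A_CREDS = [
    {"credtype": "psk", "subjectuuid": "client-1-uuid"},
    {"credtype": "cert", "subjectuuid": "*", "role": "trust-anchor"},
]

# Constructed /acl2 on Server A: an "auth-crypt" ACE for all discoverable NCRs ("+")
# with read/update/notify, plus the "anon-clear" ACE George hoped would open things up.
SERVER_A_ACL2 = [
    {"subject": "auth-crypt", "href": "+", "permission": RETRIEVE | UPDATE | NOTIFY},
    {"subject": "anon-clear", "href": "+", "permission": RETRIEVE | UPDATE | NOTIFY},
]


def can_connect(creds, peer_uuid, peer_auth):
    """Can Server A even bring up a DTLS (CoAPS) session with this peer?
    A PSK peer needs a /cred entry tied to its own Device ID; a certificate
    peer only needs some installed trust anchor that validates its cert."""
    for c in creds:
        if peer_auth == "psk" and c["credtype"] == "psk" and c["subjectuuid"] == peer_uuid:
            return True
        if peer_auth == "cert" and c["credtype"] == "cert" and c.get("role") == "trust-anchor":
            return True
    return False


def access_granted(acl2, href, wanted, secure):
    """Evaluate /acl2 for one request. 'secure' is True for a CoAPS request from
    an authenticated peer. "auth-crypt" ACEs match only secure requests, and
    "anon-clear" ACEs match only requests arriving over plain CoAP."""
    for ace in acl2:
        if ace["href"] not in ("+", href):
            continue
        if ace["subject"] == "auth-crypt" and not secure:
            continue
        if ace["subject"] == "anon-clear" and secure:
            continue
        if ace["permission"] & wanted == wanted:
            return True
    return False
```

With only the PSK entry, an un-paired Client 2 cannot connect at all, so the permissive /acl2 never gets consulted; with a trust anchor installed, any certificate holder connects and the auth-crypt ACE applies.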