Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-08 Thread Randy Armstrong (OPC)
Hi Michael, OPC UA uses SecurityProfiles to specify the exact algorithms. The RSA-based profiles do not have PFS but the ECC profiles do. We expect the ECC profiles (not released yet) to be most interesting to low end device makers.

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-08 Thread Michael Richardson
Randy Armstrong (OPC) wrote: >> That's what I referred to in my prior email: We would need to understand how to most easily duplicate the mutual authentication with certificates during TLS connection setup with OPC TCP UA messages.: > OPC UA CP requires mutual authentication with

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-07 Thread Randy Armstrong (OPC)
Toerless, > That's what I referred to in my prior email: We would need to understand how > to most easily duplicate the mutual authentication with certificates during > TLS connection setup with OPC TCP UA messages.: OPC UA CP requires mutual authentication with Certificates bound to the

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-07 Thread Randy Armstrong (OPC)
> If the MASA goes away or is compromised, then all the devices > from that manufacturer cannot be proved to not be counterfeit. If each Device has a manufacturer issued Certificate with the private key in secure storage like a TPM then the verification of a Device can happen as long as the

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-07 Thread Michael Richardson
Randy Armstrong (OPC) wrote: > Counterfeit devices are a huge issue in industrial automation. We need > this infrastructure so the Operators can assure themselves that the > Devices they plug into their network are genuine. So, just to inject some existential angst: If the MASA

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-07 Thread Michael Richardson
Randy Armstrong (OPC) wrote: > It would be easy to drop in an OPC UA aware registrar and implement all > of the BRSKI flows back to the MASA. The only nuisance factor is the > 'prior-signed-voucher-request'. If MASAs are willing to allow this field > to be omitted and to trust the

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-07 Thread Kent Watsen
> On Aug 7, 2019, at 4:50 AM, Eliot Lear wrote: > > The purpose, as I see it, of the voucher, is simply to provide zero-touch > network provisioning. I was asking a slightly different question: for > purposes of network connectivity will operators want to know that only > devices they

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-07 Thread Toerless Eckert
On Wed, Aug 07, 2019 at 10:59:17AM -0400, Michael Richardson wrote: > > How does OPC handle such devices? I think this is also coming up > > elsewhere. One question is whether TLS is required. Without TLS one > > does lose confidentiality, but so long as the client can sign the >

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-07 Thread Eliot Lear
Randy, Thanks. I will be away on holiday for the next week. However, before I go I will kick off a doodle for the week of the 19th for an onboarding meeting to discuss this. Please everyone indicate your interest in participating by answering the doodle poll. Eliot > On 7 Aug 2019, at

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-07 Thread Randy Armstrong (OPC)
Hi Eliot, Yes, the Operator needs to ensure that only Devices they authorize can connect and the zero touch provisioning is a feature we desire. Regards, Randy From: Eliot Lear Sent: August 7, 2019 1:50 AM To: Randy Armstrong (OPC) Cc: Toerless Eckert ; iot-onboard...@ietf.org;

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-07 Thread Eliot Lear
Hi Randy, Thanks again for your comments. Please see below. > On 7 Aug 2019, at 10:32, Randy Armstrong (OPC) > wrote: > > Hi Eliot, > > 1) In an OPC UA environment, might one expect that the join registrar and the > certificate manager be co-resident? > > Yes that is the expectation. > >

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-07 Thread Randy Armstrong (OPC)
Hi Eliot, 1) In an OPC UA environment, might one expect that the join registrar and the certificate manager be co-resident? Yes that is the expectation. 2) My bigger question is whether you want to use all of this for network authentication to avoid unauthorized devices joining the network in

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-07 Thread Eliot Lear
Randy, Thanks. We have irregular calls, but I will poll for one in the 3rd week of August to discuss your use case. In an OPC UA environment, might one expect that the join registrar and the certificate manager be co-resident? This would be where EST/SCEP would happen (BRSKI can be viewed

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-06 Thread Randy Armstrong (OPC)
Push should be "Certificate Manager initiated" From: Iot-onboarding On Behalf Of Randy Armstrong (OPC) Sent: August 6, 2019 4:17 PM To: Toerless Eckert Cc: iot-onboard...@ietf.org; anima@ietf.org; Eliot Lear Subject: Re: [Iot-onboarding] OPC and BRSKI Hi 1) Sure, need to understand how

Re: [Anima] [Iot-onboarding] OPC and BRSKI

2019-08-06 Thread Toerless Eckert
On Tue, Aug 06, 2019 at 09:32:45PM +, Randy Armstrong (OPC) wrote: > OPC is layered to separate the application from the choice of network > protocol. TLS/WebSockets is an option but the primary protocol that will be > used by low end devices is UA TCP which provides complete message based