Hello Florian, all For the generation of certificates, a CSR is of course required, but also a mechanism to validate claims. What claims are you basing the certificate on? And is the broker supposed to become a CA?
For the generation of Certificates, there’s also the ACME protocol that can be used. It is well established, and works fine, even if it requires HTTP to the CA. Certificates are also limited in time, so I guess a mechanism to renew certificates is required. Question: What is the principle reason for using certificates in the first place? Is it to be able to use the EXTERNAL authentication mechanism, or is there another reason? For IoT, some form of public key cryptography is often used instead of certificates. You register an identity with a public key, and use the private key during authentication to prove you’re the rightful owner of the public key. I would personally suggest such a method instead. But it might require a new authentication mechanism. One way to avoid the invention of a new authentication mechanism is to derive a shared secret (for instance using ECDSA) between the server (which needs some for of public/private key also) and the client, and use that shared secret to authenticate the client (i.e. as password) using a traditional authentication scheme. You also have XEP-0348 which proposes a secure manner to create identities in a controlled fashion in IoT networks. It avoids the requirement to have to work with certificates, and the need to validate CSR claims properly. https://xmpp.org/extensions/xep-0348.html Best regards, Peter Waher
_______________________________________________ Standards mailing list Info: https://mail.jabber.org/mailman/listinfo/standards Unsubscribe: [email protected] _______________________________________________
