Re: [cf-dev] Request for feedback on mixing different DTLS modes

On 2017-08-31 14:44, Kraus Achim (INST/ECS4) wrote:
> Hi Ludwig,
>
> so try the approach using the sender's identity to decide on the permissions.
>
> Mit freundlichen Grüßen / Best regards
>
>   Achim Kraus

The sender (=client) cannot establish a DTLS connection that would provide an identity to the server.


I'm sorry, I think I'm not describing the scenario in a way that is clear enough, so let me make a more verbose attempt:


The initial situation is this:

The client and the server know nothing about each other.

The client and the server have a relation to an authorization server (AS) that they both trust.

The server has intermittent connectivity, i.e. it cannot communicate with the AS.

The flow I'm working on goes as follows:

A. The client asks the AS for permission to access the server

B. The AS provides the client with the following:
  1. A PSK
  2. An access token containing (among other info) the same PSK
     encrypted for the server

C. The client now needs to get that access token to the server

My plan for C. was to have the server offer a POST-your-token-here resource. However since the server is configured to use DTLS, the client won't be able to make a connection, since client and server have not yet established a common PSK.



Sorry for the long text. Hope that makes my problem more understandable.


/Ludwig




--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51
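The flow in the message above (steps A to C), as an added, runnable model that is not part of the thread or of Californium: an authorization server hands the client a PSK plus a token carrying that PSK encrypted under a key it shares with the resource server; the resource server exposes an unprotected token-submission resource, validates the token, and installs the PSK under the client's identity so that a later DTLS PSK handshake can find it. The class names, the JSON claim layout and the encrypt-then-MAC construction are assumptions of this example (a toy built from HMAC-SHA256 so the script runs on the standard library alone; an ACE deployment would carry a COSE-protected CWT instead).

```python
"""Constructed model of the PSK-provisioning flow: AS -> client -> resource server.

The token protection here is a toy encrypt-then-MAC over HMAC-SHA256 so the
script runs offline; the shape of the flow, not the cipher, is the point.
"""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode, used as a toy stream cipher (constructed)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with separate enc/mac subkeys (toy AEAD)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raise on any integrity failure."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if len(blob) < 48:
        raise ValueError("token too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class AuthorizationServer:
    """Trusted by both parties; shares a long-term key with each resource server."""

    def __init__(self, server_keys: dict):
        self.server_keys = server_keys  # server_id -> key shared AS <-> server (assumed)

    def request_access(self, client_id: str, server_id: str, lifetime: int = 300):
        """Steps A and B: return (psk, token); the token carries the same PSK for the server."""
        psk = os.urandom(16)
        claims = {"aud": server_id, "sub": client_id,
                  "exp": int(time.time()) + lifetime, "psk": psk.hex()}
        token = seal(self.server_keys[server_id], json.dumps(claims).encode())
        return psk, token


class ResourceServer:
    """Offline resource server: can only check what the AS pre-encrypted for it."""

    def __init__(self, server_id: str, as_key: bytes):
        self.server_id = server_id
        self.as_key = as_key
        self.psk_store = {}  # identity -> PSK, consulted by the DTLS PSK lookup

    def post_token(self, token: bytes, now: int = None) -> bool:
        """Step C: the unprotected 'POST your token here' resource."""
        try:
            claims = json.loads(unseal(self.as_key, token))
        except (ValueError, UnicodeDecodeError):
            return False
        now = int(time.time()) if now is None else now
        if claims.get("aud") != self.server_id or claims.get("exp", 0) <= now:
            return False  # wrong audience or already expired
        self.psk_store[claims["sub"]] = bytes.fromhex(claims["psk"])
        return True

    def psk_for(self, identity: str):
        """Stands in for the PSK-identity lookup the DTLS handshake performs."""
        return self.psk_store.get(identity)


def run_flow():
    """Return (psk before step C, token accepted?, psk after step C matches client's)."""
    as_rs_key = os.urandom(32)  # constructed: key provisioned between AS and server
    authz = AuthorizationServer({"rs1": as_rs_key})
    rs = ResourceServer("rs1", as_rs_key)
    before = rs.psk_for("client42")  # None: this is why the handshake cannot start yet
    psk, token = authz.request_access("client42", "rs1")
    accepted = rs.post_token(token)
    return before, accepted, rs.psk_for("client42") == psk


def tampered_or_expired_rejected():
    """A bit-flipped token and an already-expired token must both leave the store empty."""
    key = os.urandom(32)
    authz = AuthorizationServer({"rs1": key})
    rs = ResourceServer("rs1", key)
    _, token = authz.request_access("c", "rs1")
    flipped = token[:-1] + bytes([token[-1] ^ 0x01])
    _, stale = authz.request_access("c", "rs1", lifetime=0)
    return (not rs.post_token(flipped)) and (not rs.post_token(stale)) and rs.psk_for("c") is None


if __name__ == "__main__":
    print(run_flow())
```

The part that makes the mixed-mode question concrete is `post_token`: it must be reachable without a prior DTLS association, yet it is the only writer of `psk_store`, and it accepts nothing the AS did not bind to this server's identity and lifetime.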

