Re: [cf-dev] Request for feedback on mixing different DTLS modes

> The sender (=client) cannot establish a DTLS connection that would provide an identity to the server.

Assuming:
The server has a coap:// and a coaps:// endpoint, so generally you can send a request using coap:// or coaps://.

Using coap://, the sender identity would be null, so you could decide what you want to do.
Your server may use two types of resources:
- one that accepts requests with a null identity but containing the token, which could be validated on its own.
- all other resources, which would deny the null identity.

Mit freundlichen Grüßen / Best regards

 Achim Kraus

(INST/ECS4) 
Bosch Software Innovations GmbH | Stuttgarter Straße 130 | 71332 Waiblingen | GERMANY | www.bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Management: Dr.-Ing. Rainer Kallenbach, Michael Hahn




-----Original Message-----
From: cf-dev-bounces@xxxxxxxxxxx [mailto:cf-dev-bounces@xxxxxxxxxxx] On Behalf Of Ludwig Seitz
Sent: Thursday, 31 August 2017 14:57
To: cf-dev@xxxxxxxxxxx
Subject: Re: [cf-dev] Request for feedback on mixing different DTLS modes

On 2017-08-31 14:44, Kraus Achim (INST/ECS4) wrote:
> Hi Ludwig,
> 
> so try the approach using the senders identity to decide on the permissions.
> 
> Mit freundlichen Grüßen / Best regards
> 
>   Achim Kraus

The sender (=client) cannot establish a DTLS connection that would provide an identity to the server.


I'm sorry, I think I'm not describing the scenario in a way that is clear enough, let me do a more verbose try:


The initial situation is this:

The client and the server know nothing about each other.

The client and the server have a relation to an authorization server 
(AS) that they both trust.

The server has intermittent connectivity, i.e. it cannot communicate 
with the AS.

The flow I'm working on goes as follows:

A. The client asks the AS for permission to access the server

B. The AS provides the client with the following:
   1. A PSK
   2. An access token containing (among other info) the same PSK
      encrypted for the server

C. The client now needs to get that access token to the server

My plan for C. was to have the server offer a POST-your-token-here 
resource. However since the server is configured to use DTLS, the client 
won't be able to make a connection, since client and server have not yet 
established a common PSK.



Sorry for the long text. Hope that makes my problem more understandable.


/Ludwig




-- 
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51
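The two-resource policy Achim proposes, applied to the flow Ludwig describes (steps B and C), as an added example that models the server-side decision rather than reproducing Californium or either poster's code. Assumptions: a key shared between the AS and the server, a resource path /authz-info for posting the token, `identity is None` standing for a request that arrived over plain coap://, and an HMAC in place of the token encryption so the example runs without extra libraries.

```python
import hmac, hashlib, json, secrets

# Constructed key shared by the AS and the server (an assumption, not from the thread).
AS_SERVER_KEY = b"constructed-as-server-key"

def as_issue(client_id):
    """Step B: the AS hands the client a PSK and a token carrying the same PSK.
    Real tokens would be encrypted for the server; a MAC is used here only to
    keep the example dependency-free, so the token still validates on its own."""
    psk = secrets.token_bytes(16)
    body = json.dumps({"sub": client_id, "psk": psk.hex()}).encode()
    tag = hmac.new(AS_SERVER_KEY, body, hashlib.sha256).hexdigest().encode()
    return psk, body + b"." + tag

class Server:
    def __init__(self):
        self.psk_store = {}  # DTLS PSK identity -> key, filled only via posted tokens

    def _validate_token(self, token):
        body, _, tag = token.rpartition(b".")
        expected = hmac.new(AS_SERVER_KEY, body, hashlib.sha256).hexdigest().encode()
        return json.loads(body) if hmac.compare_digest(expected, tag) else None

    def dtls_handshake(self, identity, psk):
        """coaps:// side: the handshake only succeeds for a PSK the server already knows."""
        key = self.psk_store.get(identity)
        return key is not None and hmac.compare_digest(key, psk)

    def handle(self, identity, path, payload=b""):
        """identity is None for coap:// requests, the DTLS PSK identity for coaps://."""
        if path == "/authz-info":               # the only resource open to a null identity
            claims = self._validate_token(payload)
            if claims is None:
                return "4.01 Unauthorized"
            self.psk_store[claims["sub"]] = bytes.fromhex(claims["psk"])
            return "2.01 Created"
        if identity is None or identity not in self.psk_store:
            return "4.01 Unauthorized"           # every other resource denies the null identity
        return "2.05 Content"

def run_flow(client_id="client-1"):
    """Steps B and C, then the first authenticated request; returns the three responses."""
    server = Server()
    psk, token = as_issue(client_id)
    early = server.handle(None, "/sensor")              # before C: plain coap://, rejected
    posted = server.handle(None, "/authz-info", token)  # C: plain coap://, token self-validates
    ok = server.dtls_handshake(client_id, psk)          # now a coaps:// handshake can succeed
    later = server.handle(client_id if ok else None, "/sensor")
    return early, posted, later
```

A forged or altered token fails the MAC check and never populates the PSK store, so the unauthenticated resource cannot be used to bootstrap an identity the AS did not issue.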