[mosquitto-dev] Interface of auth plug-in and complex security policies

Dear all,

In the context of our research on security for IoT systems, we implemented some changes in the Mosquitto auth plug-in interface with the broker, and we would like to ask your opinion about this work.

Our research is on usage control policies, which extend access control with obligations and more complex enforcement options. The final objective is the enforcement of privacy and data protection.

In a nutshell our changes are:

1 - Additional calls from the broker to the auth plugin when a message is delivered to a subscriber, and when a client disconnects, in addition to the calls for publish/subscribe.

2 - Additional parameters to the auth-plugin for information about the topic, payload, and client (e.g. IP address).

3 - Additional enforcement options to allow the auth-plugin to modify the topic, the message payload, and to delay messages in addition to allowing or denying only.

We believe these additional changes could be added to Mosquitto in a future release to improve the flexibility of the security management, to allow obfuscation of messages, and dynamic context-based policies that are enforced not only when clients subscribe but also later when messages are delivered to them.

What is the procedure to suggest/contribute to these changes for the next releases of Mosquitto?

Best Regards,

Ricardo Neisse
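
A sketch of the kind of decision function the three changes listed in the message would enable, added here as an illustration; it is not code from the author or from Mosquitto. All `uc_*` names, the topics, and the "10." address rule are hypothetical and constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types sketching the proposed interface; not Mosquitto's API. */
enum uc_event  { UC_PUBLISH, UC_SUBSCRIBE, UC_DELIVER, UC_DISCONNECT };
enum uc_action { UC_ALLOW, UC_DENY, UC_MODIFY, UC_DELAY };

struct uc_request {            /* context the broker would pass to the plug-in */
    enum uc_event event;
    const char *client_ip;
    const char *topic;
    const char *payload;
};

struct uc_decision {
    enum uc_action action;
    char payload[64];          /* replacement payload when action == UC_MODIFY */
    int delay_s;               /* hold time when action == UC_DELAY */
};

static int starts_with(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Constructed policy: clients outside 10.0.0.0/8 are treated as external. */
struct uc_decision uc_check(const struct uc_request *r) {
    struct uc_decision d = { UC_ALLOW, "", 0 };
    int external = !starts_with(r->client_ip, "10.");

    if (r->event == UC_PUBLISH && external && starts_with(r->topic, "admin/")) {
        d.action = UC_DENY;                       /* classic access control */
    } else if (r->event == UC_DELIVER && external && starts_with(r->topic, "home/location/")) {
        d.action = UC_MODIFY;                     /* obfuscate at delivery time */
        snprintf(d.payload, sizeof d.payload, "%s", "REDACTED");
    } else if (r->event == UC_DELIVER && external && starts_with(r->topic, "meter/")) {
        d.action = UC_DELAY;                      /* release readings late */
        d.delay_s = 60;
    }
    return d;
}

int main(void) {
    struct uc_request r = { UC_DELIVER, "203.0.113.7", "home/location/alice", "48.85,2.35" };
    struct uc_decision d = uc_check(&r);
    printf("action=%d payload=%s delay=%d\n", d.action, d.payload, d.delay_s);
    return 0;
}
```

The same external client is allowed at subscribe time but receives a redacted payload at delivery time, which is the case a subscribe-only check cannot express.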






