Hi Nathan and all,

Sure, I just have one more issue to get the DTLS handshake going through.
Once that is done, I will write a full tutorial with all the steps which
can be added to your tutorial or included in the IoTivity Getting Started.
I also found the document UNDERSTANDING OCF CERTIFICATES IN IOTIVITY
by Steven Saunders to be very useful. I contacted him to offer adding a
section to the document but never heard back.

BR,
Khaled

On Thu, Jan 3, 2019 at 6:37 PM Nathan Heldt-Sheller <
[email protected]> wrote:

> Thanks Mats,
>
> Yes, for sure agree with you.  I have a security primer document for
> device vendors (see here
> <https://openconnectivity.org/wp-content/uploads/2018/06/4.-Security-Introduction-Architecture.pdf>;
> this doc is also on the list of links in the getting started page
> <https://iotivity.org/getting-started>) but it doesn’t quite hit this
> level of detail on certificate types.  I was hoping we would have a clean
> reference Onboarding Tool/OBT to illustrate proper use of certificates,
> because the number of possible valid configurations is very high.  But
> additional documentation on this particular area is probably important
> since the OBT that illustrates cert provisioning may not be available for
> another few months.
>
> Khaled, would you be willing to send this group just the top level 4 or 5
> (or 10!) items you had to “discover” in order to get things working?  I’ll
> polish and add your list to the primer document, or possibly to the getting
> started FAQ
> <https://wiki.iotivity.org/getting_started_troubleshooting_and_faq> (if
> it’s IoTivity Specific).
>
> Thanks,
> Nathan
>
> -----Original Message-----
> From: [email protected] [mailto:
> [email protected]] On Behalf Of Mats Wichmann
> Sent: Thursday, January 3, 2019 8:06 AM
> To: Heldt-Sheller, Nathan <[email protected]>
> Cc: iotivity-dev <[email protected]>
> Subject: Re: [dev] Certificate-based credential (DTLS fails to find cipher
> suite)
>
>
>
> On 1/3/19 8:46 AM, Nathan Heldt-Sheller wrote:
>
> > Thank you Aleksey and Khaled for the great troubleshooting work.  One
> > important point: the “mutual cert” configuration (using same cert as both
> > “mfgtrustca” and “trustca” type) is suggested for testing purposes only.  A
> > real product would not want to use the same Root Cert for OTM and for
> > normal D2D authentication, as it would create a potential attack vector.
> > The OBT is responsible for configuring the Device correctly in this manner,
> > but this is something to note for those of us playing around with Certs.
>
> I assume that all of this stuff can be gleaned from reading the security
> specification, but as a long-time spec writer I know reading the specs is
> not what we want to do. They are there for verifying the details of an
> implementation, and setting up tests, but otherwise they are not really for
> general consumption.
>
> So we will want to capture these findings, and other setup instructions,
> in a more "accessible" place, no?
