Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

2019-01-03 Thread Clarke Stevens
To Nathan’s point, we want OTGC to be this reference implementation and at a minimum illustrate the “right” way to address primary use cases. When we put together the requirements for OTGC we should be explicit about the use case(s) we want implemented and how they are to be implemented. I’m hop

Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

2019-01-03 Thread Gregg Reynolds
On Thu, Jan 3, 2019, 10:37 AM Nathan Heldt-Sheller < nathan.heldt-shel...@intel.com wrote: > Thanks Mats, > > > > Yes, for sure agree with you. I have a security primer document for > device vendors (see here >

Re: [dev] Is it possible to default white-list pair-wise credentials provisioning

2019-01-03 Thread George Nash
Thanks, Yes this answers my question. I just need to learn how to properly do certificate-based credentials within iotivity. I am already familiar with the callbacks in IoTivity. Not sure if the same exist in IoTivity-lite. George From: Heldt-Sheller, Nathan Sent: Wednesday, January 2, 2019 9

Re: [dev] Is it possible to default white-list pair-wise credentials provisioning

2019-01-03 Thread Nathan Heldt-Sheller
PS: I remembered just now that the OCF Security Specification does mention at some points "symmetric group keys" but those have never been fully specified or implemented, so you can ignore SGKs as they don't really exist in OCF. From: iotivity-dev@lists.iotivity.org [mailto:iotivity-dev@lists.io

Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

2019-01-03 Thread Nathan Heldt-Sheller
Thanks Mats, Yes, for sure agree with you. I have a security primer document for device vendors (see here; this doc is also on the list of links in the getting started page

Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

2019-01-03 Thread Mats Wichmann
On 1/3/19 8:46 AM, Nathan Heldt-Sheller wrote: > Thank you Aleksey and Khaled for the great troubleshooting work. One > important point: the “mutual cert” configuration (using same cert as both > “mfgtrustca” and “trustca” type) is suggested for testing purposes only. A > real product would no

Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

2019-01-03 Thread Khaled Elsayed
Great. This is logical but not documented anywhere. I owe you a drink :) Now it passes the stage of not finding ciphersuite!! Just getting some handshake error. But at least they are trying to start the DTLS encrypted link. Will re-check the certificate chain. Talk to you soon. On Thu, Jan 3

Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

2019-01-03 Thread Nathan Heldt-Sheller
Thank you Aleksey and Khaled for the great troubleshooting work. One important point: the “mutual cert” configuration (using same cert as both “mfgtrustca” and “trustca” type) is suggested for testing purposes only. A real product would not want to use the same Root Cert for OTM and for normal

Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

2019-01-03 Thread Aleksey Volkov
Khaled, one more thing :) If you planned to use the same trustca for mfg otm and authentication (so-called mutual certificate), you need to create 2 credentials with different credUsage types (oic.sec.cred.mfgtrustca and oic.sec.cred.trustca), but with the same certificate data. Or you can

Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

2019-01-03 Thread Aleksey Volkov
Khaled, Important addition: for the root certificate you need to use the "oic.sec.cred.trustca" value in the credUsage field instead of "oic.sec.cred.mfgtrustca", since the cipher suite list is formed from trustca certificates. The "oic.sec.cred.mfgcert" and "oic.sec.cred.mfgtrustca" types are used only at the otm

Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

2019-01-03 Thread Khaled Elsayed
Thanks again. Will retry using 'oic.sec.cred.cert'. Was using "credusage": "oic.sec.cred.mfgcert" for the client own certificate and intermediate certificate and "credusage": "oic.sec.cred.mfgtrustca" for the peer certificate. I guess you meant oic.sec.cred.cert in place of the oic.sec.cred.mfgcert

Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

2019-01-03 Thread Aleksey Volkov
...Also, credUsage type must be 'oic.sec.cred.cert'... Best regards, Aleksey Volkov - Original Message - Sender : Oleksiy Volkov, Staff Engineer/Security Certification Part /SRK/Samsung Electronics Date : 2019-01-03 11:16 (GMT+2) Title : Re: [dev] Certificate

Re: [dev] Certificate-based credential (DTLS fails to find cipher suite)

2019-01-03 Thread Aleksey Volkov
Hi Khaled, the InitManufacturerCipherSuiteList callback is used at one step of the mfg otm process. In all other cases (yours also) InitCipherSuiteList should be used as g_getCredentialTypesCallback (please check the SRMInitSecureResources function). According to your log, InitCipherSuiteList