Randy Armstrong (OPC) <randy.armstr...@opcfoundation.org> wrote:
    >> That's what I referred to in my prior email: We would need to understand
    >> how to most easily duplicate the mutual authentication with certificates during
    >> TLS connection setup with OPC TCP UA messages.

    > OPC UA CP requires mutual authentication with Certificates bound to the
    > application rather than the machine. It provides everything that you
    > get from TLS.

Based upon my reading of the diagram, it is not obvious that it provides
PFS, but I don't think PFS is particularly important for BRSKI.  It seems
to support client certificates and server certificates, and that's enough.
We need an equivalent to tls-unique in order to properly bind the EST channel
to the UA CP SecureChannel, but that's all I think.

    > So when the Pledge Device connects to the Registrar or the Certificate
    > Manager using UA the Device proves it has possession of the Device
    > private key.

    > That said, the KeyPair used for communication does not need to be the
    > same as the KeyPair used to authenticate.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
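As an added illustration of the channel-binding point raised above (this is constructed example code, not from the thread, OPC UA or BRSKI): a toy model in which each secure channel exposes a channel-unique value playing the role of tls-unique, and the pledge's enrollment request carries a MAC over that value plus its CSR, so a request relayed over a different channel fails verification. The class and function names are assumptions, and a shared-secret HMAC stands in for the pledge's private-key signature to keep the block dependency-free.

```python
import hashlib
import hmac
import secrets


class SecureChannel:
    """Constructed stand-in for a UA SecureChannel (or TLS session).

    `unique` is a per-channel value that both endpoints can compute but
    that differs for every channel, in the role of tls-unique (RFC 5929).
    Here it is derived from fresh nonces; in TLS it is the first Finished
    message, which is what makes binding to it meaningful.
    """

    def __init__(self, client_id: str, server_id: str) -> None:
        client_nonce = secrets.token_bytes(32)  # constructed handshake nonces
        server_nonce = secrets.token_bytes(32)
        transcript = client_id.encode() + client_nonce + server_id.encode() + server_nonce
        self.unique = hashlib.sha256(transcript).digest()


def make_enrol_request(channel: SecureChannel, pledge_key: bytes, csr: bytes) -> dict:
    """Pledge side: bind the enrollment request to the channel it is sent over.

    `pledge_key` is an assumed shared secret standing in for the pledge's
    signing key; a real deployment would sign (unique || csr) instead.
    """
    binding = hmac.new(pledge_key, channel.unique + csr, hashlib.sha256).hexdigest()
    return {"csr": csr, "binding": binding}


def verify_enrol_request(channel: SecureChannel, pledge_key: bytes, request: dict) -> bool:
    """Registrar side: recompute the binding over *this* channel's unique value."""
    expected = hmac.new(pledge_key, channel.unique + request["csr"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request["binding"])


def demo() -> tuple:
    """Returns (verified on the original channel, verified when relayed)."""
    pledge_key = b"constructed-pledge-secret"
    csr = b"constructed CSR bytes for the pledge"
    direct = SecureChannel("pledge", "registrar")      # pledge <-> registrar
    relayed = SecureChannel("middlebox", "registrar")  # some other channel to the registrar
    request = make_enrol_request(direct, pledge_key, csr)
    # The same bytes forwarded over `relayed` no longer match that channel's unique value.
    return verify_enrol_request(direct, pledge_key, request), verify_enrol_request(relayed, pledge_key, request)
```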




_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
