Randy Armstrong (OPC) <randy.armstr...@opcfoundation.org> wrote:
    >> That's what I referred to in my prior email: We would need to understand how to most easily
    >> duplicate the mutual authentication with certificates during TLS connection setup with OPC
    >> TCP UA messages.

    > OPC UA CP requires mutual authentication with Certificates bound to the
    > application rather than the machine. It provides everything that you
    > get from TLS.

Based upon my reading of the diagram, it is not obvious that it provides PFS, but I don't
think PFS is particularly important for BRSKI. It seems to support client certificates and
server certificates, and that's enough. We need an equivalent to tls-unique in order to
properly bind the EST channel to the UA CP SecureChannel, but that's all I think.

    > So when the Pledge Device connects to the Registrar or the Certificate
    > Manager using UA the Device proves it has possession of the Device
    > private key.

    > That said, the KeyPair used for communication does not need to be the
    > same as the KeyPair used to authenticate.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
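Added illustration (not code from the thread, OPC UA, or BRSKI): the "equivalent to tls-unique" above means deriving a value that identifies one SecureChannel instance and carrying it in the EST CSR, the way RFC 7030 puts tls-unique in the challengePassword attribute. The derivation below over the two certificates and the OpenSecureChannel client/server nonces is an assumption chosen for illustration, and the CSR is modelled as a plain attribute dictionary rather than real PKCS#10.

```python
import hashlib
import hmac

# Assumed channel-binding derivation (illustration only, not an OPC UA or
# BRSKI-defined construction): hash the material that identifies one
# SecureChannel instance, length-prefixed so the fields cannot be confused.
def channel_binding(client_cert_der: bytes, server_cert_der: bytes,
                    client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Return a 32-byte value unique to this SecureChannel instance."""
    h = hashlib.sha256()
    for part in (client_cert_der, server_cert_der, client_nonce, server_nonce):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()

def pledge_build_csr_attrs(binding: bytes) -> dict:
    """Pledge side: carry the binding in the CSR's challengePassword attribute."""
    return {"challengePassword": binding.hex()}

def registrar_accepts(csr_attrs: dict, binding_seen_by_registrar: bytes) -> bool:
    """Registrar side: accept only a CSR bound to the channel it arrived on."""
    claimed = csr_attrs.get("challengePassword", "")
    return hmac.compare_digest(claimed, binding_seen_by_registrar.hex())

# Constructed sample data, not real certificates or nonces.
PLEDGE_CERT = b"pledge-idevid-cert-der"
REGISTRAR_CERT = b"registrar-cert-der"
CLIENT_NONCE = b"\x01" * 32
SERVER_NONCE = b"\x02" * 32

def demo() -> tuple:
    """Return (accepted on the genuine channel, accepted on a different channel)."""
    genuine = channel_binding(PLEDGE_CERT, REGISTRAR_CERT, CLIENT_NONCE, SERVER_NONCE)
    csr = pledge_build_csr_attrs(genuine)
    ok = registrar_accepts(csr, genuine)
    # A second channel instance has a different server nonce, so the same CSR
    # no longer matches: the enrolment is tied to the channel it was made on.
    other = channel_binding(PLEDGE_CERT, REGISTRAR_CERT, CLIENT_NONCE, b"\x03" * 32)
    moved = registrar_accepts(csr, other)
    return ok, moved

if __name__ == "__main__":
    print(demo())  # (True, False)
```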