Gateway issued certificate

Name: defined by user (or other ?)

Certificate issue: issued by local gateway

Name resolution: could be implemented in gateway

Certificate validation: needs new method in browser??

The Device DNS Name method defines a way of:

  1. Giving each IoT device a unique resolvable name, which works with existing DNS methods
  2. Issuing a unique certificate to each device, using the common name from (1) and making use of existing Certificate Authorities (CAs) recognised by the CA/Browser Forum

In the Device DNS Name method, globally resolvable DNS servers and globally accessible certificate authorities must be used in order to preserve compatibility with the existing internet security infrastructure.

An alternative approach is to use a user-owned, locally hosted gateway device to assist with either or both of the problems of name resolution and certificate issuance.

These approaches would have the advantages of:

  1. local resolution: will work with no access to the global internet
  2. reduced infrastructure requirement: this approach limits the amount of server-resident infrastructure that needs to be created and supported
  3. increased end-user control: the end user has more autonomy, both in terms of physical hosting of equipment and in reduced dependency on the manufacturer, or manufacturer-assisted resources, for the ongoing operation of their device

The disadvantages are:

  1. local-only resolution: the system can easily be made to work within the local environment, but more work would be required to ensure that name resolution and security attestation can operate over a global internet link
  2. hardware device security dependency: the gateway in this scenario has privileged access to the private signing keys used in certificate issuance. This changes the attack surface.
  3. it will require browser changes

NA: describe a method like Device DNS Name, but with these differences:

  1. the gateway issues the cert, not the bound domain (the bound domain is actually implicitly local)
  2. the gateway provides an "alternative" name lookup service (complementing DNS)
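As an added illustration (not part of these notes), the gateway-issued flow and the missing browser-side check in Go's standard crypto/x509: the gateway keeps a self-signed root, issues a leaf whose SAN is the device's local name, and the client accepts the leaf only if it chains to that root and the name it connected to matches. The device name and CA name are constructed, and Go's Verify stands in for the browser method the notes say is still needed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign makes a P-256 key for the subject and signs tmpl with parentKey; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Provision models one gateway: its on-box root (the privileged signing key the notes flag) issues a leaf for the device's local name.
func Provision(deviceName string) (ca, leaf *x509.Certificate, err error) {
	ca, caKey, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "home-gateway CA (constructed)"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
	}, nil, nil)
	if err == nil { // short-lived leaf, SAN carries the locally resolvable name
		leaf, _, err = sign(&x509.Certificate{
			SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: deviceName}, DNSNames: []string{deviceName},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 3, 0),
		}, ca, caKey)
	}
	return ca, leaf, err
}

// Validate is the browser-side check: trust only this gateway's root, and the name the user typed must match the leaf's SAN.
func Validate(ca, leaf *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedName})
	return err
}
```

A leaf issued by one gateway fails against another gateway's root, which is the local-only trust boundary the notes describe.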