
Comment by jazzyjackson

10 months ago

Might consider good old x509 certificates, mTLS authentication. You can query and find peers but don't exchange any data with them unless they can present a certificate signed by whatever issuer. Agree it's probably an enterprise upsell because the openssl tooling is a PITA if you've never done it before, but somebody pointed me to KeyStore Explorer [0] and I'm going to give that a try to be my own certificate authority.

I wish it could be a more mainstream, hobbyist auth solution though; it's completely free and open and self-sovereign, etc., and makes strong security guarantees, just a steep learning curve to grok what's happening. I think it would be a big achievement if somebody slapped a friendly API / wizard over configuring a CA and creating certs to install on each of your robots / IoT sensors / what have you. Corsha [1] is one provider in this space, and Yubico is contributing too [2], allowing you to sign cert requests with your Yubikey.

[0] https://keystore-explorer.org/features.html

[1] https://corsha.com/

[2] https://www.yubico.com/resources/glossary/what-is-certificat...
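The scheme the comment describes, as an added example that is not part of the comment or of any of the linked tools: a self-signed root acts as the issuer, it signs one leaf certificate per device, and a gateway configured for mTLS completes the handshake only with peers whose certificate chains to that root. It uses only Go's standard library (crypto/x509 and crypto/tls); the CA names, the "gateway.local" and "robot-01" identities, and the function names are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mint generates a P-256 key and a certificate for cn. With parent == nil it self-signs a
// root CA (the "be your own certificate authority" step); otherwise parent signs a leaf.
func mint(parent *tls.Certificate, cn string, serial int64) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	issuer, issuerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign // the root signs certificates and nothing else
	} else {
		issuer, issuerKey = parent.Leaf, parent.PrivateKey
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// mtlsHandshake runs one TLS 1.3 handshake over a loopback TCP socket (a real socket, since
// the unbuffered net.Pipe can deadlock a handshake). The server finishes only if the peer
// presents a certificate chaining to root, and then returns the verified peer's CommonName.
func mtlsHandshake(root, server tls.Certificate, peerCerts ...tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root.Leaf)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() { // the connecting peer; in TLS 1.3 it learns of a rejection only on its next Read
		defer close(done)
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			Certificates: peerCerts,
			RootCAs:      pool,            // the peer checks the server against the same issuer
			ServerName:   "gateway.local", // must be among the server leaf's DNSNames
		})
		if err == nil {
			c.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer raw.Close()
	s := tls.Server(raw, &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no certificate, or the wrong issuer: no connection
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS13,
	})
	err = s.Handshake()
	<-done
	if err != nil {
		return "", err
	}
	return s.ConnectionState().VerifiedChains[0][0].Subject.CommonName, nil
}

func main() {
	ca, err := mint(nil, "Home Lab Root CA", 1)
	if err != nil {
		panic(err)
	}
	gateway, _ := mint(&ca, "gateway.local", 2)
	robot, _ := mint(&ca, "robot-01", 3)
	otherCA, _ := mint(nil, "Somebody Else's CA", 1)
	impostor, _ := mint(&otherCA, "robot-01", 4) // same name, signed by the wrong issuer
	fmt.Println(mtlsHandshake(ca, gateway, robot))    // robot-01 <nil>
	fmt.Println(mtlsHandshake(ca, gateway, impostor)) // "" plus a certificate verification error
	fmt.Println(mtlsHandshake(ca, gateway))           // "" plus a "didn't provide a certificate" error
}
```

The check that matters is `ClientAuth: tls.RequireAndVerifyClientCert` together with `ClientCAs`: the impostor's certificate carries the same name as the real robot but was signed by a different root, so the server never reaches the point of exchanging application data with it. The same `Certificates`/`RootCAs` pair on the dialing side means the robot also refuses gateways that cannot prove they were issued by the home CA. In a real deployment the root key lives offline (or on a hardware token) and only the CA certificate is copied to each device, and leaf lifetimes are far shorter than the 24 hours used here.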