Comment: Update MQTT security text


Other technologies somewhat investigated in CCS project:


  •  Client Authentication. When a connection is established the client must authenticate. A simple method is user/password, but it can use the extended authentication described in MQTT 5, including multiple challenge-response message exchanges between client and server. It is generally assumed that the client-server exchange will be protected by TLS as a starting point. The authenticity of the provided TLS certificate is expected to be the main method for a client to ensure the server is authentic.
    • In the client connection with extended authentication, any method can be named as a string by the client, and the server responds only if that method is supported. Using method names (and procedures) described by SASL seems to be recommended, but beyond that there are no requirements in the MQTT specification. The particular details must be agreed between server and client and implemented compatibly on both sides. In other words, when reusing implementations, it is necessary to check what they support regarding authentication.
  • Topic access control: A server could theoretically/optionally limit subscription to particular topics based on the identity (or theoretically any other credentials exchanged in the authentication sequence) that was associated with the active connection when the initial authentication was performed. Limiting parts of the topic tree to certain clients also seems not to be described in detail. In other words, this must also be implemented in some agreed-upon way, which is left out of scope of the MQTT protocol specification itself.
  • Conclusion:  There seems to be work to do here to define, and implement, the mechanism specifically for VSS signal access, based on the topic tree defined from VSS.

  • Options in Apache NiFi / related technologies? - TBD
  • Access control principles defined by WAMP - TBD
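As an added example of the topic-tree access control discussed above (constructed here, not code from the CCS project or any broker), the following broker-side check maps the identity bound to a connection at authentication to VSS-style topic grants. The point it shows beyond the text is that a SUBSCRIBE must be checked by filter coverage, not plain matching, so a wildcard subscription such as Vehicle/# cannot widen access beyond the grant. Identities, grants and topic paths are assumed values.

```python
# Added example (constructed; not CCS project or broker code): authorize MQTT
# PUBLISH/SUBSCRIBE against VSS-style topic grants bound to the identity that
# was authenticated when the connection was established.

def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT filter semantics: '+' matches one level, '#' the remaining levels."""
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":                       # '#' is only valid as the last level
            return True
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def filter_covered_by(requested: str, allowed: str) -> bool:
    """True only if every topic matched by `requested` is also matched by
    `allowed`; e.g. 'Vehicle/#' is NOT covered by 'Vehicle/Cabin/HVAC/#'."""
    r_levels, a_levels = requested.split("/"), allowed.split("/")
    for i, a in enumerate(a_levels):
        if a == "#":                       # grant covers the whole subtree
            return True
        if i >= len(r_levels) or r_levels[i] == "#":
            return False                   # request is wider than the grant
        if a != "+" and a != r_levels[i]:  # literal grant vs '+' or other literal
            return False
    return len(r_levels) == len(a_levels)

# Constructed ACL: identity -> grants as VSS paths rendered as topic filters.
ACL = {
    "hvac-controller": {
        "subscribe": ["Vehicle/Cabin/HVAC/#"],
        "publish": ["Vehicle/Cabin/HVAC/Station/+/+/FanSpeed"],
    },
    "dashboard-app": {
        "subscribe": ["Vehicle/Speed", "Vehicle/Cabin/+/Position"],
        "publish": [],
    },
}

def authorize(identity: str, action: str, topic_or_filter: str) -> bool:
    """Broker-side check: PUBLISH gives a concrete topic, SUBSCRIBE a filter."""
    grants = ACL.get(identity, {}).get(action, [])
    if action == "publish":
        return any(topic_matches(g, topic_or_filter) for g in grants)
    if action == "subscribe":
        return any(filter_covered_by(topic_or_filter, g) for g in grants)
    return False  # unknown action or identity: deny by default
```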