From bea1e2d47a0761a7c1e46c94e081f131652c7123 Mon Sep 17 00:00:00 2001 From: ciseng Date: Sun, 1 Nov 2020 20:04:26 +0000 Subject: [PATCH] Update draft-ietf-ace-mqtt-tls-profile.xml Fixed all the nits #65 --- draft-ietf-ace-mqtt-tls-profile.xml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/draft-ietf-ace-mqtt-tls-profile.xml b/draft-ietf-ace-mqtt-tls-profile.xml index 8828744..f3e97f5 100644 --- a/draft-ietf-ace-mqtt-tls-profile.xml +++ b/draft-ietf-ace-mqtt-tls-profile.xml @@ -459,7 +459,7 @@ The Client and the Broker MUST perform mutual authentication. The Client MUST authenticate to the Broker either over MQTT or TLS. For MQTT, the options are "None" and "ace". - For TLS, the options are "Anon" for an anonymous client, + For TLS, the options are "Anon" for an anonymous client, and "Known(RPK/PSK)" for Raw Public Keys (RPK) and Pre-Shared Keys (PSK), respectively. Combined, client authentication has the following options: @@ -474,7 +474,9 @@ "TLS:Known(RPK/PSK)-MQTT:ace": This option SHOULD NOT be chosen. In any case, the token transported in the CONNECT overwrites any permissions passed during the TLS authentication. - It is RECOMMENDED that the Client follows TLS:Anon-MQTT:ace. + It is RECOMMENDED that the Client uses "TLS:Anon-MQTT:ace" as a first choice when working with protected topics. + However, depending on the Client capability, Client MAY use "TLS:Known(RPK/PSK)-MQTT:none", and + consequently "TLS:Anon-MQTT:None" to submit its token to "authz-info". The Broker MUST be authenticated during the TLS handshake.
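Review bot: In the first hunk (@@ -459,7 +459,7 @@) the unchanged context still says "The Client MUST authenticate to the Broker either over MQTT or TLS", yet the second hunk goes on to allow "TLS:Anon-MQTT:None", which is no client authentication at all, for the token submission to "authz-info". Either qualify the MUST here (e.g. "except for the unauthenticated submission of a token to authz-info") or state in the second hunk that the authz-info exchange is the one exception, so the two paragraphs do not contradict each other.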
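Review bot: In the second hunk (@@ -474,7 +474,9 @@) the added sentence gets the ordering backwards: "Client MAY use "TLS:Known(RPK/PSK)-MQTT:none", and consequently "TLS:Anon-MQTT:None" to submit its token to "authz-info"" reads as if the anonymous connection follows the PSK/RPK one, but the token must already be at "authz-info" before a Known(RPK/PSK) handshake can be validated, so say "first use "TLS:Anon-MQTT:None" to submit its token to "authz-info", and then "TLS:Known(RPK/PSK)-MQTT:none"". The same lines also spell the MQTT option both "none" and "None", while the first hunk's context defines it as "None"; pick one spelling. Minor: "depending on the Client capability, Client MAY" should read "depending on its capabilities, the Client MAY", and "RECOMMENDED that the Client uses" should be "RECOMMENDED that the Client use" to match RFC style.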