Because now there is a shared key secret which can leak from the ATM or the server, it would be nice to implement something like FIDO2 auth.
So the ATM can have its own private key, which will never leak (for example TropicSquare01), and have two modes:
- less secure, as bleskomat uses: plaintext GET URL but with a signature
- more privacy with encryption: either pub/priv key (but the actual tropic01 does not support encryption) or fall back to a shared key as now, but improved by that device signature. It will be used only because of proxy/HTTP server access log privacy
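As an added example (not code from the comment above, and not the Bleskomat project's own code), the following Go sketch shows the first mode, a plaintext GET URL carrying a per-device Ed25519 signature, next to the shared-secret HMAC it would replace. The endpoint, the parameter names (amount, currency, nonce, device_id, sig), the canonical query encoding and the nonce-based replay check are all assumptions; the device key is held in memory here, whereas the proposal would keep it inside a secure element.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/url"
	"sort"
	"strings"
)

// canonicalQuery renders the parameters in a fixed key order so that the ATM and
// the server sign and verify exactly the same bytes. (Assumed encoding.)
func canonicalQuery(params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, url.QueryEscape(k)+"="+url.QueryEscape(params[k]))
	}
	return strings.Join(parts, "&")
}

// Current scheme: one shared secret held by both sides. Anyone who obtains it
// from either the ATM or the server can forge requests.
func SharedSecretSign(secret []byte, params map[string]string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(canonicalQuery(params)))
	return hex.EncodeToString(m.Sum(nil))
}

func SharedSecretVerify(secret []byte, params map[string]string, sig string) bool {
	return hmac.Equal([]byte(SharedSecretSign(secret, params)), []byte(sig))
}

// Proposed scheme: each ATM signs with its own private key and the server keeps
// only public keys. In the proposal the key would live in a secure element;
// here it is an in-memory key so the example runs anywhere.
type ATMDevice struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewATMDevice(id string) (*ATMDevice, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &ATMDevice{ID: id, priv: priv}, pub, nil
}

// SignedURL builds the plaintext GET URL of the first mode: parameters stay
// readable in proxy and server logs but carry a device signature. Callers
// include a fresh "nonce" so that a logged URL cannot be replayed (assumption).
func (d *ATMDevice) SignedURL(base string, params map[string]string) string {
	signed := make(map[string]string, len(params)+1)
	for k, v := range params {
		signed[k] = v
	}
	signed["device_id"] = d.ID // the device's own identity always wins
	q := canonicalQuery(signed)
	sig := ed25519.Sign(d.priv, []byte(q))
	return base + "?" + q + "&sig=" + hex.EncodeToString(sig)
}

// Server holds one public key per enrolled ATM plus the nonces already used.
type Server struct {
	registry map[string]ed25519.PublicKey
	seen     map[string]bool
}

func NewServer() *Server {
	return &Server{registry: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

func (s *Server) Register(deviceID string, pub ed25519.PublicKey) { s.registry[deviceID] = pub }

// VerifyURL accepts a request only if the signature verifies under the enrolled
// public key and the nonce has not been seen before for that device. A leaked
// server database yields public keys only, which cannot produce such a signature.
func (s *Server) VerifyURL(raw string) (map[string]string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	sig, err := hex.DecodeString(q.Get("sig"))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("missing or malformed sig")
	}
	q.Del("sig")
	params := make(map[string]string, len(q))
	for k, v := range q {
		params[k] = v[0]
	}
	pub, ok := s.registry[params["device_id"]]
	if !ok {
		return nil, errors.New("unknown device_id")
	}
	if !ed25519.Verify(pub, []byte(canonicalQuery(params)), sig) {
		return nil, errors.New("bad device signature")
	}
	nonceKey := params["device_id"] + ":" + params["nonce"]
	if params["nonce"] == "" || s.seen[nonceKey] {
		return nil, errors.New("missing or replayed nonce")
	}
	s.seen[nonceKey] = true
	return params, nil
}
```

The contrast worth noticing is what each side has to protect: with the HMAC, the server database and the ATM both hold forging capability; with the device key, the server holds nothing that can sign, so a server or proxy compromise exposes logged parameters (the privacy point behind the second mode) but not the ability to impersonate an ATM.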