OpenMobileAlliance / OMA_LwM2M_for_Developers

OMA LightweightM2M public resources.
http://openmobilealliance.github.io/OMA_LwM2M_for_Developers/

LWM2M Security - X.509 DM Enrollment Using CSR #138

Closed hannestschofenig closed 8 years ago

hannestschofenig commented 8 years ago

Steven Upp <steve.upp AT sandc.com> said:

The current LWM2M specification provides for X.509 certificate enrollment of the DM client with the Bootstrap Server/Backend generating the DM client certificate and sending the certificate and private key to the device via the DTLS protected BS security association.

It would be better if devices that were capable of generating their own key pairs could instead be requested to generate a CSR by the bootstrap server, and the BS would then act as an RA and get the CSR signed by a CA. The signed certificate containing only the public key could then be written to the device and the DM private key would never leave the LWM2M client. Could this method of certificate enrollment be considered by OMA?
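The CSR-based enrollment flow requested above, sketched in Go as an added example that is not part of the original post or of any OMA specification. The function names, the endpoint name `urn:dev:example-0001`, the stand-in CA (name and key only) and the time-based serial are assumptions made for the demonstration, and the RA check and the CA signature are merged into one function.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceCSR runs on the client: the key is generated locally and only the CSR leaves it.
func DeviceCSR(endpoint string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: endpoint}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// RAIssue is the Bootstrap Server as RA: verify the CSR, then sign with the CA key.
func RAIssue(csrDER []byte, endpoint string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // requester must hold the private key
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName != endpoint { // CSR must name the client being bootstrapped
		return nil, fmt.Errorf("CSR names %q, expected %q", csr.Subject.CommonName, endpoint)
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial
		Subject: csr.Subject, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	return x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
}

func main() {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed demo CA key
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "demo CA"}, PublicKey: &caKey.PublicKey}
	_, csr, _ := DeviceCSR("urn:dev:example-0001") // constructed endpoint name
	cert, err := RAIssue(csr, "urn:dev:example-0001", ca, caKey)
	fmt.Printf("issued %d-byte certificate, err=%v\n", len(cert), err)
}
```

Only the DER-encoded CSR and the issued certificate cross the bootstrap channel; the `*ecdsa.PrivateKey` returned by `DeviceCSR` stays on the client side of the call.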

hannestschofenig commented 8 years ago

Hi Steve,

Thanks for raising this issue. You might find it interesting that I raised this issue earlier this year as well in this contribution: http://member.openmobilealliance.org/ftp/Public_documents/DM/LightweightM2M/2016/OMA-DM-LightweightM2M-2016-0051-INP_bootstrapping.zip

The conclusion at the meeting was the following: We need to finish LWM2M version 1.0 as soon as possible (without adding new functionality). New features will be added to version 1.1.

Megan-OMA commented 8 years ago

Issue closed per Hannes' comment that new features will be addressed in 1.1.