Need clarification about DTLS client identifier

[GiedriusM]

Document: OMA-TS-LightweightM2M_Transport-V1_1-20180710-A.pdf Section: 5.2.6

Since the endpoint client name is not authenticated at the application layer the LwM2M Server MUST compare the received endpoint client name identifier with the identifier used at the TLS/DTLS handshake.

I am pretty sure about the answer, but would like to be 100% sure on this:

Is this comparison/matching of the endpoint name, given during registration, and the DTLS identifier implementation specific? For example, can the client register to the LwM2M server with it's endpoint name being foobar if the underlying DTLS connection was established with PSK identity raboof? I assume AS LONG AS the server checks that the foobar is a valid "registration" name for the raboof connection, this is allowed by the standard.

Or should the endpoint name explicitly be used as PSK identity and CN/SAN field in client certificate?

[hannestschofenig]

If you keep information at the server what identifier to match from the different layers then everything is fine. If you don't keep any extra information around then you have to use the same identifier at the DTLS / TLS layer and at the CoAP layer since otherwise you can introduce attacks. You could also omit the endpoint name at the CoAP layer altogether in case you used security with DTLS/TLS at the lower layer.

[GiedriusM]

Thanks, that's what I thought. That resolves this issue.

[davideicardi]

I have the opposite question, adding a comment here because it is related I think: do you see problem to always use the endpoint name exactly equal to the DTLS identity? We are using PSK.

[sbernard31]

@davideicardi, AFAIK this is not forbidden by the specification.

But PSK Id visible in clear during DTLS handshake (not encrypted) while endpoint name is encrypted (as it is sent APPLICATION_DATA record). So if you are using endpoint name as PSK id, you should ensure before that endpoint does not contain "private" information. I don't know for example if you are using serial number in your endpoint name, maybe you don't want to make it "public".

Another point maybe, credentials could be changed by bootstrap server but endpoint name not really. So If your credentials are stolen and you want to change it using bootstrap server this could be not so easy to keep endpoint name and psk id synchronized. (Maybe not a real problem as you could eventually just change the PSK Key)