ciseng
commented
5 years ago [JLS] This is still not clear to me. Is the transport of the token via “auth-info” topic not considered to be part of the session? If you say that you look at just the last value published, then is there not going to be a race condition between two different clients trying to publish and connect?
[CS] Yes, I see that this is under-specified having been left out in the Appendix. Since "authz-info" a special topic, the broker would treat it differently. I agree this is stretching MQTT a bit. RS would make "authz-info" publish-only. RS would store all valid tokens published to this topic. Since there are no subscribers, there is no RETAIN of messages, or overwrite of the last message. Then, in the secure connection attempt, the RS would look up if it has any tokens associated with the raw public key, or psk_identity communicated in the TLS handshake as described in the DTLS draft.
Section 2.1.2: Somehow I missed on the first reading that you were suggesting the use of a topic /authz-info inside of the MQTT server for posting. I think that this needs to have a more detailed set of instructions. I assume but don't know that initially this would mean an anonymous connect, publish, disconnect, validated connect. This however is not clear from the text. It is also not clear that this should be over a TLS wrapped session for the publish.