Cannot use same PSK information for different endpoints

[andrau]

Say I want to register instances of the same (kind of) device at several different endpoints using the same (possibly hardcoded) PSK information, i.e. same identity and same secret. This is not currently possible in leshan-standalone, because I cannot define the corresponding security information ("identity already exists"). I can see that it might be a bad idea to define the same identity with different secrets (although even that could be distinguished by endpoint, no?), but the same identity and secret should work. Suggestion: either allow comma-separated list of endpoint names for an entry or allow same identity AND same secret for several endpoints.

[sbernard31]

It seems technically not doable to have same identity with different secrets. We could not distinguished by endpoint because we know the client endpoint only after the DTLS handshake was successful.

Having same Identity/key for different endpoint seems to me technically doable, but not sure it was a good Idea. At a security point of view, if the identity/key is stolen, all the device with this identity will be affected.

We will probably change the security api soon, if this does not make our code too complex we will maybe add the support of this "corner case".

[sbernard31]

Finally, we will not implement it for the reasons given above. Moreover this is not compatible with the new interface SecurityStore :

 /**
 * Returns the security information for a identity.
 * 
 * @param identity of the client
 * @return the security information of <code>null</code> if not found.
 */
SecurityInfo getByIdentity(String Identity);