Title of invention: Certificate validation and channel binding
Abstract: A constrained network entity may determine, via an authentication procedure with a core network entity, the trustworthiness of an endpoint attempting to establish a secure channel with the constrained network entity. The constrained network entity may receive a certificate from the endpoint attempting to establish the secure channel and the constrained network entity may send the certificate asserted by the endpoint to a core network entity for validation. The core network entity may receive the certificate during a key exchange with the constrained network entity and the core network entity may indicate to the constrained network entity the validity of the certificate. The constrained network entity may determine whether to establish the secure channel with the endpoint based on the validity of the certificate.
Publication number: US9497626(B2)
Publication date: 2016.11.15
Application number: US201113296855
Filing date: 2011.11.15
Applicant: InterDigital Patent Holdings, Inc.
Inventors: Case Lawrence; Shah Yogendra C.; Cha Inhyok
Classification: H04L29/06; H04W12/06; H04L9/32
Main classification: H04L29/06
Agency: Baker & Hostetler LLP
Agent: Baker & Hostetler LLP
Independent claim: 1. A method comprising: receiving, at a constrained network entity, a certificate associated with a network entity, wherein the certificate is received for establishing a secure channel between the constrained network entity and the network entity; establishing, at the constrained network entity, a tentative secure channel with the network entity, wherein the tentative secure channel is established using, at least in part, a public key of the network entity; sending, by the constrained network entity to a core network entity, the received certificate associated with the network entity to determine the validity of the received certificate, whereby the constrained network entity uses the core network entity as a proxy to validate the certificate; performing authentication with the core network entity using, at least in part, the public key of the network entity; and receiving, at the constrained network entity from the core network entity, an indication of the validity of the certificate based on an analysis by the core network entity of the certificate, wherein prior to the received indication of validity of the certificate the validity of the certificate was unknown by the constrained network entity.
Address: Wilmington DE US