flow: debacle, can you use TLS client certs without signing and encrypting the stream? If not, how is using OpenPGP heavier than TLS (client certs)?
flow: It really depends on your use case. I could be wrong, but assuming that using a TLS client cert requires the stream to get signed and encrypted, OpenPGP would at least provide you with the flexibility to sign only specific parts
flow: But on the other hand, if you do IoT with XMPP you most certainly want to use TLS, so using a TLS client cert only adds a little bit more to the TLS handshake but next to nothing after that
flow: But if your IoT device needs to connect with different XMPP services, then using a (single) TLS client cert sounds not like the right approach
debacle: flow, the connection is TLS anyway, i.e. PGP would come on top and therefore were heavier.
debacle: Btw, if I wanted to use PGP, it would make sense to sign only the payload, not the stanza, so that I can pass that payload even outside of the XMPP world, while the signature still could be validated.
flow: ok, but if you don't PGP everything, and already do TLS, then I'd argue the PGP overhead is probably not an issue
flow: of course, it really depends on the used hardware, software stack and what you actually want to do
debacle: our hardware is very ancient, but probably PGP still runs fine
debacle: and we have only to sign one file per second