debacle, can you use TLS client certs without signing and encrypting the stream? If not, how is using OpenPGP heavier than TLS (client certs)?
flow
It really depends on your use case. I could be wrong, but assuming that using a TLS client cert requires the stream to get signed and encrypted, OpenPGP would at least provide you with the flexibility to sign only specific parts
flow
But on the other hand, if you do IoT with XMPP you most certainly want to use TLS, so using a TLS client cert only adds a little bit more to the TLS handshake but next to nothing after that
flow
But if your IoT device needs to connect with different XMPP services, then using a (single) TLS client cert does not sound like the right approach
debacle
flow, the connection is TLS anyway, i.e. PGP would come on top and would therefore be heavier.
debacle
Btw, if I wanted to use PGP, it would make sense to sign only the payload, not the stanza, so that I can pass that payload even outside of the XMPP world, while the signature still could be validated.
flow
ok, but if you don't PGP everything, and already do TLS, then I'd argue the PGP overhead is probably not an issue
flow
debacle, ^
flow
of course, it really depends on the used hardware, software stack and what you actually want to do
debacle
our hardware is very ancient, but probably PGP still runs fine