-
flow
COM8 congrats :)
-
flow
debacle, can you use TLS client certs without signing and encrypting the stream? If not, how is using OpenPGP heavier than TLS (client certs)?
-
flow
It really depends on your use case. I could be wrong, but assuming that using a TLS client cert requires the stream to get signed and encrypted, OpenPGP would at least provide you with the flexibility to sign only specific parts
-
flow
But on the other hand, if you do IoT with XMPP you most certainly want to use TLS, so using a TLS client cert only adds a little bit more to the TLS handshake but next to nothing after that
-
flow
But if your IoT device needs to connect with different XMPP services, then using a (single) TLS client cert does not sound like the right approach
-
debacle
flow, the connection is TLS anyway, i.e. PGP would come on top and would therefore be heavier.
-
debacle
Btw, if I wanted to use PGP, it would make sense to sign only the payload, not the stanza, so that I can pass that payload even outside of the XMPP world, while the signature still could be validated.
-
flow
ok, but if you don't PGP everything, and already do TLS, then I'd argue the PGP overhead is probably not an issue
-
flow
debacle, ^
-
flow
of course, it really depends on the used hardware, software stack and what you actually want to do
-
debacle
our hardware is very ancient, but probably PGP still runs fine
-
debacle
and we have only to sign one file per second
-
debacle
not hundreds
-
flow
depends on the size of that one file ;)