Reply to post: to quote him, “identity management for devices is best served when it's centralised.”

Connected car in the second-hand lot? Don't buy it if you're not hack-savvy

Voland's right hand Silver badge

to quote him, “identity management for devices is best served when it's centralised.”

to quote him, “identity management for devices is best served when it's centralised.”

Bollocks. What an idiot. Just the opposite. Run a CA on the car and have a "regenerate car certificate procedure" or "revoke all old keys" procedure.

1. Any device can be a smart lock/unlock - key, phone, you name it. Provided it can do STRONG crypto. The mere fact that you have managed to establish a connection means that you are legit. No pins, no passwords, no keys. Client cert, server cert. Most basic public key cryptography. Nearly all devices of interest (phones, etc) on the market have TPMs so the key cannot be stolen/recovered without access to NSA level resources to do direct surgery on the chip.

2. The "centralized identity management" does not belong. Sorry, any backdoor is a hackable backdoor. I do not see the rationale for using a weak, crippled and backdoored solution when you can run a strong one. It does not matter which brain rotting disease is at play "realtime embedditis - roll your own crypto" or "web 2.0 oAuthitis - use a token everywhere". There is no technical need for either.

3. The compute resource available in a normal car can run a proper CA. Running a cut-down one just to manage keys for for devices and their associated permissions is a trivial job.

The only potential role for a centralized point is to be a locator, the auth should still be completely in the OWNER's hands, not be rented out to a central identity management racketeering outfit.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019