[ros-users] [Discourse.ros.org] [ROS Projects] Developing with SROS
ros.discourse at gmail.com
Tue Nov 22 09:13:54 UTC 2016
The following is my current understanding of the SROS workflow:
1. SROS keyserver first creates keypairs and certificates for the root and master nodes.
2. When publisher/subscriber nodes are launched for the first time, the keyserver creates keypairs and certificates for them. Subsequently, nodes send their certificates to the master, and the master signs/verifies the certificates and registers the nodes.
3. Finally, these nodes can use these master-verified certificates to create a TLS channel between them and have an encrypted communication.
I hope you could answer a few questions on SROS for me.
1. Do you assume a one-to-one synchronous TLS communication between the nodes using topics for communication (similar to ROS services)?
2. If I understand correctly, the keyserver only generates the keys and certificates for the nodes (based on the user-defined configuration, policies, etc.) but it does not sign the node's public key certificate, i.e. the keyserver does not act as a CA for nodes. In the current SROS implementation, does the rosmaster register the node and sign its certificate, acting as a CA, when a node connects to the rosmaster for the first time?
If yes, does the rosmaster authenticate or check the node's authorization rights before it registers the node and verifies its certificate?
3. In your ROSCon slides (http://roscon.ros.org/2016/presentations/sros.pdf), you mention in your ToDo slide (Slide #11) "Harden Master and Slave API calls where caller's privilege must be checked before response". Have you already dealt with modifying ROS API functions in SROS to include an authentication token?
I am thinking of an SROS extension which includes modifying the Master API call (register call) from a node to the master, to include a node-authentication-token. This would mean that the node registration would be successful at the master only if this token is verified correctly. In addition to your answers to the above questions, it would be great to know your thoughts on this idea.
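
The registration check proposed in the post above, sketched as an added example; it is not SROS code and not part of the original message. It assumes each node shares a secret with the master, provisioned out of band, and `make_token`, `register_publisher`, `NODE_KEYS` and the token field layout are all hypothetical.

```python
import hashlib
import hmac
import json
import time

# Assumption: per-node secrets known to the master (constructed sample value).
NODE_KEYS = {"/talker": b"constructed-demo-key-talker"}
MAX_SKEW = 30          # seconds a token stays acceptable
SEEN_NONCES = set()    # (caller_id, nonce) pairs already accepted


def make_token(key, caller_id, topic, caller_api, ts, nonce):
    """Node side: MAC over every field the master will act on.
    JSON encoding keeps field boundaries unambiguous."""
    msg = json.dumps([caller_id, topic, caller_api, ts, nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def register_publisher(caller_id, topic, caller_api, ts, nonce, token, now=None):
    """Master side: gate a registerPublisher-style call on the token.
    Simplified to return (accepted, reason)."""
    now = time.time() if now is None else now
    key = NODE_KEYS.get(caller_id)
    if key is None:
        return (False, "unknown node")
    if abs(now - ts) > MAX_SKEW:
        return (False, "stale token")
    expected = make_token(key, caller_id, topic, caller_api, ts, nonce)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), str(token).encode()):
        return (False, "bad token")
    # Nonce is recorded only after the MAC verifies, so unauthenticated
    # callers cannot fill the replay cache.
    if (caller_id, nonce) in SEEN_NONCES:
        return (False, "replayed token")
    SEEN_NONCES.add((caller_id, nonce))
    return (True, "registered")
```

Binding `caller_api` and `topic` into the MAC means a captured token cannot be reused to register a different endpoint or topic under the same node name.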