Liability of Application Instance Certificates
Posted: 25 Mar 2020, 16:54
Dear Support Team,
the term Application Instance Certificate suggests that by the use of this kind of certificate it can be guaranteed that only a single instance of an application can for example connect to an OPC UA server who trusts this certificate. But actually any application knowing this certificate could use it to establish a secure channel. To my knowledge, there is no mechanism that would check for agreement of the application described by the certificate and the one using it. One example is UaExpert where it is possible to exchange the own certificate by any self or CA signed certificate as long as it defines an ApplicationURI. Even the host can differ.
My first impression was that the maximum number of OPC UA clients to an OPC UA server could be technically restricted by using Application Instance Certificates. But this additionally requires secret keeping and discipline. Is this true or am I missing something?
Regards,
Reinhard
the term Application Instance Certificate suggests that by the use of this kind of certificate it can be guaranteed that only a single instance of an application can for example connect to an OPC UA server who trusts this certificate. But actually any application knowing this certificate could use it to establish a secure channel. To my knowledge, there is no mechanism that would check for agreement of the application described by the certificate and the one using it. One example is UaExpert where it is possible to exchange the own certificate by any self or CA signed certificate as long as it defines an ApplicationURI. Even the host can differ.
My first impression was that the maximum number of OPC UA clients to an OPC UA server could be technically restricted by using Application Instance Certificates. But this additionally requires secret keeping and discipline. Is this true or am I missing something?
Regards,
Reinhard