
6.5 Resource access authentication

Resource access authentication applies only when HTTPS is used. It may be possible to authenticate at a higher layer on top of plain HTTP transactions, but this is out of scope for this standard.

The use of TLS (IETF RFC 5246) requires that all hosts implementing server functionality SHALL use a device certificate, which the server presents as part of the TLS handshake.


The application authentication process is as follows:

1) The resource's server listens on the TCP port associated with HTTPS.

2) The client initiates an HTTP request from a random, unused (ephemeral) source TCP port to the resource's server on the TCP port associated with HTTPS.

3) If no TLS session is in place, a TLS handshake SHALL occur between the client and server:

a) Authentication of the server SHALL be done as part of the TLS handshake by validating the server's device certificate as described in (IETF RFC 5246), Section 7 using the inherent PKI. If security policy dictates, additional certificate validation MAY be required.

b) If the client has a device certificate, authentication of the client SHALL be done as part of the TLS handshake by validating the client's device certificate as described in (IETF RFC 5246), Section 7 using the inherent PKI. If security policy dictates, additional certificate validation MAY be required. The authentication level to be compared with a resource's corresponding AuthType attribute will be 0x8 (device certificate).

c) If the client has a self-signed certificate, the self-signed certificate SHALL be validated for correctness. The authentication level to be compared with a resource's corresponding AuthType attribute will be 0x4 (self-signed certificate).

If the client does not have a certificate and the security policy allows, client authentication MAY be omitted, or secondary client authentication MAY take place after the TLS handshake. If secondary client authentication has taken place, the authentication level to be compared with a resource's corresponding AuthType attribute will be 0x2 (user authentication). If no client authentication has taken place, the authentication level to be compared with a resource's corresponding AuthType attribute will be 0x1 (no authentication). In every case the level compared with AuthType is the level the server actually established, not one the client claims.
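The following Python sketch is an added example, not part of this standard, showing how a server can derive the authentication level from the outcome of steps 3b and 3c (or their absence) and then compare it with a resource's AuthType. It assumes that AuthType is a set of acceptable level bits (0x1, 0x2, 0x4, 0x8) so that the comparison is bit membership rather than an ordering; the standard text lists the values but does not state this, so it is an assumption of the example. Certificates are represented by a constructed `PeerCert` record (subject, issuer, key identifiers and a pre-computed signature result) standing in for a parsed X.509 certificate; `HandshakeRejected` models the TLS handshake failing on an invalid client certificate.

```python
"""Authentication-level determination for resource access over HTTPS.

Added illustration of 6.5 steps 3b/3c and the AuthType comparison. Assumes
AuthType is a bit set of the levels 0x1/0x2/0x4/0x8 (an assumption, not
stated in the text). PeerCert is a constructed stand-in for an X.509 cert.
"""
import enum
from dataclasses import dataclass
from typing import FrozenSet, Optional


class AuthLevel(enum.IntFlag):
    """Authentication levels named in 6.5, one bit each."""
    NONE = 0x1          # no client authentication
    USER = 0x2          # secondary (user) authentication after the handshake
    SELF_SIGNED = 0x4   # client presented a correct self-signed certificate
    DEVICE_CERT = 0x8   # client device certificate validated against the PKI


@dataclass(frozen=True)
class PeerCert:
    """Toy record for a parsed client certificate (constructed for the example)."""
    subject: str
    issuer: str
    key_id: str          # identifier of the certificate's own public key
    signer_key_id: str   # identifier of the key that produced the signature
    signature_ok: bool   # result of verifying the signature with signer_key_id


class HandshakeRejected(Exception):
    """The TLS handshake fails: the client certificate did not validate."""


def classify_client_cert(cert: Optional[PeerCert],
                         device_ca_key_ids: FrozenSet[str]) -> Optional[AuthLevel]:
    """Map the client's certificate (or its absence) to the level of 3b or 3c.

    Returns None when no certificate was presented; the caller then decides
    between secondary authentication (0x2) and no authentication (0x1).
    """
    if cert is None:
        return None
    if not cert.signature_ok:
        raise HandshakeRejected("client certificate signature invalid")
    # 3b: chains to a device-PKI CA -> device certificate (0x8)
    if cert.signer_key_id in device_ca_key_ids:
        return AuthLevel.DEVICE_CERT
    # 3c: self-signed and validated for correctness -> 0x4. A certificate
    # that names itself as issuer but was signed by some other key is not
    # "correct" and must not earn the 0x4 level.
    if cert.issuer == cert.subject:
        if cert.signer_key_id != cert.key_id:
            raise HandshakeRejected("self-signed certificate not self-consistent")
        return AuthLevel.SELF_SIGNED
    # Signed by an unknown CA: neither a device certificate nor self-signed.
    raise HandshakeRejected("client certificate issuer not in device PKI")


def final_auth_level(cert_level: Optional[AuthLevel],
                     secondary_auth_passed: bool) -> AuthLevel:
    """Combine the handshake result with any post-handshake user authentication."""
    if cert_level is not None:
        return cert_level
    return AuthLevel.USER if secondary_auth_passed else AuthLevel.NONE


def access_permitted(level: AuthLevel, resource_authtype: int) -> bool:
    """Compare the established level with the resource's AuthType.

    Bit membership, not a threshold: AuthType 0x8 does not admit a 0x4
    client, and AuthType 0x4 alone does not admit a 0x8 client either.
    """
    return bool(level & resource_authtype)


if __name__ == "__main__":
    # Constructed sample data: one device CA key and three client certificates.
    device_cas = frozenset({"device-ca-key-1"})
    device_cert = PeerCert("meter-42", "Device CA", "k-42", "device-ca-key-1", True)
    self_signed = PeerCert("lab-client", "lab-client", "k-lab", "k-lab", True)
    level = final_auth_level(classify_client_cert(device_cert, device_cas), False)
    print(f"device cert -> {level!r}, AuthType 0x8 permits: "
          f"{access_permitted(level, 0x8)}")
    level = final_auth_level(classify_client_cert(self_signed, device_cas), False)
    print(f"self-signed -> {level!r}, AuthType 0x8 permits: "
          f"{access_permitted(level, 0x8)}")
    level = final_auth_level(classify_client_cert(None, device_cas), True)
    print(f"no cert, user auth -> {level!r}, AuthType 0x2|0x1 permits: "
          f"{access_permitted(level, 0x2 | 0x1)}")
```

One caveat for anyone wiring this to a real TLS stack: Python's standard `ssl` module with `verify_mode = CERT_OPTIONAL` rejects a client certificate that does not chain to a loaded CA, so it cannot on its own accept the self-signed case of step 3c; implementing 3c requires a TLS library that exposes a verification callback, with the 0x4 level assigned only after the self-signed certificate has been checked for correctness as above.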