Hi all,

Geoff Brown, Chet Ensign and I held a brief meeting this evening to agree how best to deliver MQTT security content. In summary, the proposal is as follows:

- Implementation-level security content (e.g., TLS, cipher specs and general security awareness) should form part of the core MQTT specification / standard.
- Specific guidance aimed at those wishing to certify MQTT solutions against security standards (such as NIST or IEC) should be delivered as 'self contained' committee specifications.
- The core MQTT specification / standard should clearly reference and link to these dedicated committee specifications.

This is similar to the approach taken by other OASIS TCs and has a number of advantages:

- Core protocol content can be developed independently of referenced material.
- Detailed security guidance is made available to MQTT specification consumers.
- Delivery timelines are decoupled.
- The MQTT Security SC has more scope to focus on individual standards.
- The MQTT TC retains the option to grow a range of industry-specific security profiles over time.

Best regards
Richard

Richard Coppen CEng FBCS
Co-chair OASIS MQTT Technical Committee
Software Engineer, WebSphere MQ
IBM United Kingdom, Hursley Park, Winchester SO21 2JN, England
Phone: +44 (0)1962 817164
e-mail: coppen@uk.ibm.com
blog: testingblues.com

Unless stated otherwise above: IBM United Kingdom Limited - Registered in England and Wales with number 741598. Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU