I noticed that with Azure IoT Hub, a device can connect either using a connection string composed with the device's Primary or Secondary key, in the form:
HostName=<host_name>;DeviceId=<device_id>;SharedAccessKey=<primary_key or secondary key>
or using a connection string composed with a generated SAS token, in the form:
HostName=<host_name>;DeviceId=<device_id>;SharedAccessSignature=SharedAccessSignature sr=<device_endpoint>&sig=<generated_token>&se=1453107988
In the first form, the symmetric key is held by the device, and in the second form the IoT Hub owns the device's symmetric key.
So, my question is: when should I use which form, and why?
Both can indeed be used.
I would suggest a SAS token, seeing as it could be a temporary token or would only have a limited set of rights.
If you look at Azure Storage, you see the same principles. If you give a user a SAS token only valid for one file for a certain time, he/she could not do much harm. If, on the other hand, you would give a user a primary key and he/she gets access to the storage name, it would be very easy for the user to delete everything on the storage account.
Also, this is an interesting article where you can find some more info on SAS tokens with a deeper explanation: http://blogs.msdn.com/b/servicebus/archive/2015/02/02/event-hub-publisher-policy-in-action.aspx
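As an added example (not code from the question or the answer above), this is what the second connection-string form is made of and how the hub side checks it: a device-scoped SAS token is an HMAC-SHA256 over the URL-encoded resource URI and the expiry, keyed with the device's symmetric key, so the key itself never has to travel with the device and the token stops working at `se`. The host name, device id and key below are constructed placeholders; the `se` value is the one from the question.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote_plus, unquote_plus

# Constructed sample values, not real credentials: a 32-byte key, base64-encoded
# the way a device's primary/secondary key is presented.
DEVICE_KEY_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
HOST_NAME = "example-hub.azure-devices.net"
DEVICE_ID = "device01"

def _signature(sr: str, expiry: int, device_key_b64: str) -> str:
    """HMAC-SHA256 over the URL-encoded sr, a newline, and se, keyed with the decoded key."""
    string_to_sign = f"{sr}\n{expiry}".encode("utf-8")
    digest = hmac.new(base64.b64decode(device_key_b64), string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def generate_sas_token(host_name: str, device_id: str, device_key_b64: str, expiry: int) -> str:
    """Device-scoped token: sr names exactly one device, se bounds its lifetime."""
    sr = quote_plus(f"{host_name}/devices/{device_id}")
    sig = quote_plus(_signature(sr, expiry, device_key_b64))
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}"

def sas_connection_string(host_name: str, device_id: str, token: str) -> str:
    """The second connection-string form from the question: only the token is handed out."""
    return f"HostName={host_name};DeviceId={device_id};SharedAccessSignature={token}"

def verify_sas_token(token: str, device_key_b64: str, now: int) -> bool:
    """Hub-side check: parse the fields, reject expired tokens, then recompute the MAC
    with the stored device key and compare it in constant time."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = {}
    for part in token[len(prefix):].split("&"):
        name, _, value = part.partition("=")
        fields[name] = unquote_plus(value)
    try:
        expiry = int(fields["se"])
        sr = quote_plus(fields["sr"])  # re-encode: the MAC covers the encoded form
        presented = fields["sig"]
    except (KeyError, ValueError):
        return False
    if now >= expiry:
        return False
    return hmac.compare_digest(presented, _signature(sr, expiry, device_key_b64))
```

Shortening `expiry` is the knob the answer is talking about: a leaked token is useless after `se`, whereas a leaked primary key works until it is rotated.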