I'm developing a memory constrained IoT device and would like to connect it to Google IoT Core via MQTT. The list of required root certificates that must be trusted to allow for server TLS certificate validation is very long. I am seeking a smaller list that is appropriate for limited-resource IoT devices but won't suddenly stop working. Is there a way to safely reduce this list of required certificates?
From the online documentation (https://cloud.google.com/iot/docs/concepts/device-security) under the Device Security Recommendations section it states:
'Use TLS 1.2 when communicating with mqtt.googleapis.com:8883 (or :443), and verify that the server certificate is valid using root certificate authorities. Read this security note for detailed TLS requirements and future compatibility.'
From the security note (https://security.googleblog.com/2015/09/disabling-sslv3-and-rc4.html) it states:
'At least the certificates in https://pki.google.com/roots.pem must be trusted.'
I can clearly see that the documentation states the full list is required but this doesn't seem acceptable for memory constrained IoT devices. As an example AWS requires only a single certificate - depending on the TLS cipher selected. See the AWS documentation under Server Authentication (https://docs.aws.amazon.com/iot/latest/developerguide/managing-device-certs.html)
Any help on understanding ways that the list of root certificates can be reduced - such as elemination based on ECC-based validation vs RSA-based validation - would be helpful.
Thanks to a helpful Google engineer on Github who answered the Issue Clarify how trusted_RootCA_certs were chosen in the Google provided iot-device-sdk-embedded-c project, the solution is to use a long-term support (LTS) domain.
From the documentation, the special domain "mqtt.2030.ltsapis.goog" can be used instead of "mqtt.googleapis.com" allowing the need of only two root CA certs w/ small ECC 256 public keys instead of the entire root.pem package (128KB).
These root CA certs are fixed through year 2030.
The required root CAs are:
Note other requirement and features for embedded devices in the long-term support (LTS) domain documentation.