Tying discovery to authentication
If device selection starts from a name, establishing security contexts has nothing to start from. This is kind of OK: The regular steps of "try access, receive an error, and read which AS to contact in the error message" can work.
If a connection should be established from a known security context, things are different: The central will know the relevant AS URI and audience, but can not narrow down the selection of BLE device without trying them one by one. How could this be mitigated?
Options:
- When the phone learns the identity (and audience), it also learns the advertised name of the device, and filters accordingly.
- The device advertises its AS and audience (or hashes thereof) in manufacturer / service data maps, allowing the phone to filter by concrete device (AS and audience) or just AS.
The latter sounds practical, but will need checking how much data we can pack into the advertisements, and how long the relevant identifiers are.