OPC UA Applications support Authentication of the entities with which they are communicating. As specified in the GetEndpoints and OpenSecureChannel services in OPC 10000-4, OPC UA Client and Server applications identify and authenticate themselves with X.509 v3 Certificates and associated private keys (see [X509]). Some choices of the communication stack require these Certificates to represent the machine or user instead of the application.
For publish subscribe communications Client Server communications is required to obtain the shared keys from a SecurityKeyService (SKS). Although the application authentication is not directly between the Subscriber and the Publisher, the SKS ensures that only authenticated applications can obtain the keys used by the Publisher and Subscriber.