(Author here.) Our thinking is that the protocol would enable a read-only monitor, which would be able to see the plaintext but not modify it without detection. As the article says, this is what it would take to build a good IDS/IPS for your things -- something that can audit the communications and make sure what's going in and out matches what you should expect.
We're not proposing that the IDS/IPS should necessarily be able to MITM the connections. Then you're just putting all your trust into the IDS/IPS and making it the single point of vulnerability (just like the device is now). But if you have a construction that lets you build a read-only IDS/IPS, then you could in theory buy 100 of them from different manufacturers and have them all audit each other.
One straw-man way to do this would be to run a stream of "integrity-only TLS" inside normal TLS. The outer TLS would allow the owner to install their own CA root certificate on the Thing. The inner TLS would be pinned to the public key of the cloud provider. The IDS/IPS would MITM the outer connection and would be able to read the inner stream, but the MAC on the inner stream would prevent tampering by the IDS/IPS.
That's an interesting proposal, but I'm concerned that it sounds a bit like intentionally crippling TLS. Historically, TLS has had all sorts of subtle bugs that could bite you in the ass unless you did things just right. It will take a lot of time and effort to demonstrate that the layered protocol you propose is no less secure than vanilla TLS.
I'm also not sure whether it's a good idea to make it so easy for typical users to add their own CA certificates to smart devices. Such a facility could be easily subverted by criminals and governments to eavesdrop on a large number of users. (Remember when people would XSS themselves on Facebook by pasting crap into their browser console?)
It's just as impossible to open a backdoor for the owner and nobody else as it is to open a backdoor for the FBI and nobody else. So I think there's some value in making it difficult to eavesdrop on your own devices. Perhaps it really should require taking off the cover and attaching a serial console.
We're not proposing that the IDS/IPS should necessarily be able to MITM the connections. Then you're just putting all your trust into the IDS/IPS and making it the single point of vulnerability (just like the device is now). But if you have a construction that lets you build a read-only IDS/IPS, then you could in theory buy 100 of them from different manufacturers and have them all audit each other.
One straw-man way to do this would be to run a stream of "integrity-only TLS" inside normal TLS. The outer TLS would allow the owner to install their own CA root certificate on the Thing. The inner TLS would be pinned to the public key of the cloud provider. The IDS/IPS would MITM the outer connection and would be able to read the inner stream, but the MAC on the inner stream would prevent tampering by the IDS/IPS.