Liubing (Remy) <[email protected]> wrote:
    > Is the following understanding correct? The difference between the
    > "one-touch" and the "zero-touch" methods is whether the key or
    > certificate is provisioned by the manufacturer or by the operator at
    > the deployment site. As long as the key/IDevID/certificate is
    > provisioned before the device goes out of the factory, i.e., the
    > operator doesn't have to provision/touch it on site to get it to securely
    > join the network, it can be considered "zero-touch".

Yes, that's correct. The touches by the manufacturer and/or a VAR don't count.
Or to put it another way, it's the number of touches by the operator that count.
A further characteristic MAY be that it doesn't matter which unit is shipped
to which customer from the warehouse.  (There seem to be use cases in
transportation and manufacturing where it matters due to contractual warranty issues.
I think because refurbished devices may mingle with brand-new devices in the
warehouse.  This is less interesting for enterprise routers and more relevant
for train braking systems.)

    > Even though the pledge ID is given privately by the manufacturer, and
    > not as per 802.1 AR, the dtsecurity-zerotouch-join method can be
    > implemented by using the MASA provided by the manufacturer? Is the
    > dtsecurity-zerotouch-join method aimed at a scenario in which a
    > certificate can't be provisioned a priori?

dtsecurity-zerotouch-join assumes a certificate provisioned prior to deployment.
So I can't agree with the last sentence.

--
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-

_______________________________________________
6lo mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/6lo