Applications that use Pull Management (see 7.2) to initialize their configuration need to know the location of the CertificateManager which they can use to request Certificates and download Trust Lists. This location may be auto-discovered via mDNS by looking for servers with the GDS capability (see Annex D) or by providing a URL via and out of band mechanism such as e-mail or a web page.
Once the location is known the Application can connect to the CertificateManager and establish a secure channel. This will require that the Application trust the Certificate provided by the CertificateManager even if it is not in the Application’s Trust List. If there is an interactive user the Application should warn the user before proceeding. If there is no interactive user the Application should ensure the domain in the URL matches one of the domains in the Certificate.
In some cases, the Application distributor or installer will know the CA used to sign the Certificate used by the CertificateManager and can add this CA to the Application’s Trust List during installation. If practical, this approach provides the best protection against accidental registration with rogue CertificateManagers.
After establishing a secure channel with the CertificateManager, the Application shall provide user credentials which allow it to register new applications and request new Certificates. The credentials may be provided by prompting a user or they may be one time use credentials delivered via some out of band mechanism such as a web site during the installation process.
For embedded systems it can be impractical to enter user credentials. As an alternative, a unique ApplicationInstance Certificate can be provided during manufacture and the Certificate or a unique identifier for the Certificate should be provided to the device installer. The installer would then register the unique identifier or Certificate with the CertificateManager which would allow the device to request a new Certificate by creating a Secure Channel with the manufacturer’s Certificate.
In addition, Servers shall go into a “provisioning state” that makes it possible for remote clients to update the security configuration via the ServerConfiguration Object (see 7.7.2). When a Server is in the “provisioning state” it should limit the available functionality.
Once a Server has been configured it automatically leaves the “provisioning state”. This step is necessary to ensure that security is not compromised.
A possible workflow for implementing the “provisioning state” include:
- A flag in the configuration file that defaults to ON;
- Always allow Clients to connect securely if the Trust List is empty;
- Connect to the Server and provide administrator credentials where:
- Toggle a physical switch on the device which enables access for a short period or
- Provide one-time use password specified via an out-of-band mechanism;
- Provide a new Certificate (optional) and Trust List;
- Set the configuration flag to OFF;
In some cases, the Application distributor or installer will know the CA used to sign the Certificate used by the CertificateManager and can add this CA to the Application’s Trust List during installation. If practical, this approach provides the best protection against accidental configuration by malicious Clients.
If the device is automatically discovered by the CertificateManager the CertificateManager needs some way to ensure that the device belongs on the network. The manufacturer can provide a unique ApplicationInstance Certificate during manufacture and provide the serial numbers to the device installer. The installer would then register the serial number or Certificate with the CertificateManager. When the CertificateManager discovers the device it would check that the Certificate is for one of the pre-authorized devices and continue with automatic provisioning of the device.
If a Private Key is stored on a regular file system it shall be protected from unauthorized access. This is best done by setting operating system permissions on the private key file that deny read/write access to anyone who is not using an account authorized to run the Application.
In some cases, additional protection can be added by protecting the Private Key with a password. Saving Private Key passwords in files should be avoided. This mode may also work in conjunction with “smart cards” that use hardware to protect the Private Key.
In addition to the Private Key, Applications shall be protected from unauthorized updates to their Trust List. This can also be done by setting operating system permissions on the directory where the Trust List is stored that deny write access to anyone who is not using an account authorized to administer the Application.
Finally, Applications may depend on one or more configuration files and/or databases which tell them where there Trust List and Private Key can be found. The source of any security related configuration information shall be protected from unauthorized updates. The exact mechanism used to implement these protections depends on the source of the information.