In addition, Servers shall go into a “provisioning state” that makes it possible for remote clients to update the security configuration via the ServerConfiguration Object (see 7.7.2). When a Server is in the “provisioning state” it should limit the available functionality.
Once a Server has been configured it automatically leaves the “provisioning state”. This step is necessary to ensure that security is not compromised.
A possible workflow for implementing the “provisioning state” includes:
- A flag in the configuration file that defaults to ON;
- Always allow Clients to connect securely if the Trust List is empty;
- Connect to the Server and provide administrator credentials, where the administrator either:
  - Toggles a physical switch on the device which enables access for a short period, or
  - Provides a one-time use password specified via an out-of-band mechanism;
- Provide a new Certificate (optional) and Trust List;
- Set the configuration flag to OFF.
In some cases, the Application distributor or installer will know the CA used to sign the Certificate used by the CertificateManager and can add this CA to the Application’s Trust List during installation. If practical, this approach provides the best protection against accidental configuration by malicious Clients.
If the device is automatically discovered by the CertificateManager, the CertificateManager needs some way to ensure that the device belongs on the network. The manufacturer can provide a unique ApplicationInstance Certificate during manufacture and provide the serial numbers to the device installer. The installer would then register the serial number or Certificate with the CertificateManager. When the CertificateManager discovers the device, it would check that the Certificate is for one of the pre-authorized devices and continue with automatic provisioning of the device.
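The provisioning-state workflow above (flag defaulting to ON, secure connections allowed while the Trust List is empty, one-time password, automatic exit from the provisioning state) and the pre-authorized device check for discovered devices, modelled as an added example; this is illustrative code, not from the OPC UA specification or any stack, and the names `ProvisioningServer`, `accept_secure_connection`, `provision` and `is_preauthorized` are assumptions.

```python
# Added example: a minimal model of the "provisioning state" described above.
# Class and function names are illustrative assumptions, not OPC UA APIs.
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class ProvisioningServer:
    """Server whose provisioning flag defaults to ON, like the config-file flag."""
    provisioning: bool = True                              # configuration flag
    trust_list: Set[str] = field(default_factory=set)      # trusted cert thumbprints
    certificate: str = "factory-cert"                      # constructed sample value
    # one-time password handed to the administrator out-of-band (constructed here)
    _otp: str = field(default_factory=lambda: secrets.token_hex(8), repr=False)

    def accept_secure_connection(self, client_thumbprint: str) -> bool:
        """While provisioning with an empty Trust List, any secure connection is
        accepted; once provisioned, only certificates in the Trust List are."""
        if self.provisioning and not self.trust_list:
            return True
        return client_thumbprint in self.trust_list

    def provision(self, otp: str, trust_list: Set[str],
                  new_cert: Optional[str] = None) -> bool:
        """Administrator step: check the one-time password, install the Trust List
        (and optionally a new Certificate), then leave the provisioning state."""
        if not self.provisioning or not secrets.compare_digest(otp, self._otp):
            return False
        if not trust_list:
            return False            # never leave provisioning with nothing trusted
        self.trust_list = set(trust_list)
        if new_cert:
            self.certificate = new_cert
        self.provisioning = False   # flag set to OFF automatically
        self._otp = ""              # the one-time password cannot be reused
        return True


def is_preauthorized(device_thumbprint: str, registered: Set[str]) -> bool:
    """CertificateManager check for a discovered device: only devices whose
    manufacturer-issued Certificate the installer registered are provisioned."""
    return device_thumbprint in registered
```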