The Onboarding model is designed to allow the configuration of a Device to be managed over the complete lifecycle of the Device from manufacture to decommissioning. The entire lifecycle approach is needed because Devices, unlike PC-class computers, are often shipped with automation software pre-installed and are connected directly to sensitive networks. This requires a process to authenticate Devices before they are given access to a sensitive network.

The complete life cycle of a Device is shown in Figure 1.


Figure 1 – The Lifecycle of a Device

The actors in the Device lifecycle are described in Table 1.

Table 1 – The Actors in the Device Lifecycle




A computer that is able to communicate via a network. A Device has a unique identifier and may have one or more Applications (see 3.1.4)


A collection of Devices or Composites assembled into a single unit. Each Composite has a unique identifier and may appear as a single Device on a network or it may appear as multiple Devices (see 3.1.3).


A program that runs on a Device. Each Application has a unique identifier and communicates with other Applications on the network (see 3.1.1).


An organization deploying and operating a system that comprises of Devices, Composites or other computers connected via a network (see 3.1.13).


An organization that creates Devices (see 3.1.12).


An organization that creates Composites (see 3.1.4).


An organization that re-sells Devices and/or Composites. A Distributor enhances Devices and Composites by adding customized products or services before resale (see 3.1.11).


An organization that installs and configures a system for an OwnerOperator that comprises of Devices, Composites or other computers connected via a network (see 3.1.17).


A user authorized to change the configuration of the Registrar.


A user authorized to update the firmware running on a Device.


A user authorized to make changes to security configuration for Clients and Servers running on the network.

The stages in the lifecycle for a single Device are described in Table 2. This information model defines mechanisms to automate some of the tasks necessary for each stage.

Table 2 – The Stages in the Device Lifecycle



Device Manufacture

A Device is created and a DeviceIdentity Certificate is assigned. This Certificate is provided when the Device is transferred to other actors. During Device Manufacture, Applications may be installed on the Device. A Ticket describing the Device is created and signed by the Manufacturer.

Composite Assembly

A Composite is created from Devices and a unique identity is assigned to the Composite. This identity is provided when the Composite is transferred to other actors. During Composite Assembly, Applications may be installed on the Devices contained in the Composite. A Ticket describing the Composite is created and signed by the CompositeBuilder.


The Device or Composite is stored until it is delivered to a CompositeBuilder, SystemIntegrator, OwnerOperator or another Distributor.


The SystemIntegrator connects a Device to the network and verifies that the identity reported by the Device matches the identity in a Ticket provided by the Manufacturer or CompositeBuilder.

Application Setup

The SystemIntegrator configures the Applications running on the Device or Composite so they can communicate with other Applications running in the system. This process includes distributing TrustLists and issuing Certificates.


The OwnerOperator performs tasks that are not done while the Device is in full operation, such as updating firmware, installing new Applications, or changing Application configuration.


The Device does the tasks it was deployed to do.


The Device has all access revoked and, if the Device is still functional, then it is reset to the default factory settings.

The commonly understood concept of “Commissioning” is represented by the Onboarding, Application Setup and Configuration stages.

The stages in the Device lifecycle map onto workflows that are defined in this specification. The workflows are described in 4.2.