Hi folks,
I just want to mention that the
US e-gov certificate policy includes policy on issuance of X.509 certificates for devices and services. It's fairly standard enterprise IT stuff like TLS for HTTPS or SAML, and that scope lacks some IOT characteristics like device autonomy, wide geographic dispersal or susceptibility to physical attack, but I still think we can learn from it.
I believe the doc would be an exemplary use case for us to analyze using the approach in our draft document on the wiki. Much of the content of the document is technically tied to PKI, but there is plenty of guidance that could be classified as "identity of thing management" which is not technology dependent.
If the group thinks this makes sense, I may take a stab over the holidays at working up an annex to the draft document. Let me know what you think.
Best regards,
Scott
--
==========================================================
Scott Shorter, Principal Security Engineer
Electrosoft – Fueling Customer Success Through Outstanding Value and Trust!
Woman-Owned, Minority-Owned Small Business | ISO 9001 | CMMI Level 2
sshorter@electrosoft-inc.com (Email); http://www.electrosoft-inc.com (Web)
==========================================================