INTERNATIONAL ISO/IEC STANDARD 30118-2 Second edition 2021-10 Information technology Open Connectivity Foundation (OCF) Specification - Part 2: Security specification Technologies de I'information - Specification de la Fondation pour la connectivité ouverte (Fondation OCF) Partie 2: Spécification de sécurite Reference number IEC IS0/IEC 30118-2:2021(E) ISO @IS0/IEC2021 IS0/IEC 30118-2:2021(E) COPYRIGHT PROTECTED DOCUMENT @IS0/IEC2021 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may the internet or an intranet, withoutpriorwrittenpermission.Permission can be requested from eitherIso at the addressbelow orIso's memberbody inthe country oftherequester ISO copyright office CP 401 · Ch. de Blandonnet 8 CH-1214Vernier,Geneva Phone: +41 22 749 01 11 Email: [email protected] Website: www.iso.org PublishedinSwitzerland i @ IS0/IEC 2021 - All rights reserved IS0/IEC 30118-2:2021(E) Contents Page Foreword .ix Introduction. 1 Scope 2 NormativeReferences 3 Terms, definitions and abbreviated terms..... 3 3.1 Terms and definitions .3 3.2 Symbols and abbreviated terms 4 Document conventions and organization... 4.1 Conventions 4.2 Notation.. 4.3 Data types .... .8 4.4 Document structure ...... .8 5 Security overview... .8 5.1 Preamble . 8 5.2 Access control... 10 5.2.1 Access control general.. 5.2.2 ACL architecture.... 5.3 Onboarding overview.... 5.3.1 Onboarding general... 5.3.2 Onboarding steps ... 14 5.3.3 Establishing a Device Owner . 15 5.3.4 Provisioning for Normal Operation.. 16 5.3.5 OcF Compliance Management System... 16 5.4 Provisioning.... 16 5.4.1 Provisioning general 16 5.4.2 Access control provisioning .. 7 5.4.3 Credential provisioning.. 5.4.4 Role provisioning .. 5.5 Secure Resource Manager (SRM) 5.6 Credential overview. 18 5.7 Event logging .... 18 5.7.1 Event logging general ... 18 6 Security for the discovery process... 6.1 Preamble ... 19 6.2 Security considerations for discovery.. .19 7 Security provisioning. 21 7.1 Device identity . 21 7.1.1 General Device identity.... 21 7.1.2 Device identity for devices with UAID [Deprecated] 21 7.2 Device ownership..... 21 7.3 Device Ownership Transfer Methods..... 22 7.3.1 OTM implementation requirements.. 22 7.3.2 SharedKey credential calculation .. 23 7.3.3 Certificate credential generation .. .24 7.3.4 Just-Works OTM . 24 @ IS0/IEC 2021 - All rights reserved ii IS0/IEC30118-2:2021(E) 7.3.5 Random PIN based OTM.... 7.3.6 Manufacturer Certificate Based OTM.. ...28 7.3.7 Vendor specific OTMs ... .30 7.3.8 Establishing Owner Credentials ..31 7.3.9 Security profile assignment ... ..34 7.4 Provisioning ...... .35 7.4.1 Provisioning flows.. 8 Device Onboarding state definitions ...... 8.1 Device Onboarding general.... .36 8.2 Device Onboarding-Reset state definition......... 8.3 Device Ready-for-OTM State definition......... 8.4 Device Ready-for-Provisioning State Definition..... ....39 8.5 Device Ready-for-Normal-Operation state definition ... ..39 8.6 Device Soft Reset State definition .. ..40 9 Security Credential management... 41 9.1 Preamble.. 9.2 Credential lifecycle... 9.2.1 Credential lifecycle general .... .41 9.2.2 Creation ..... .41 9.2.3 Deletion..... 41 9.2.4 Refresh..... 9.2.5 Revocation... 9.3 Credential types. 9.3.1 Preamble.. ..42 9.3.2 Pair-wise symmetric key credentials. .42 9.3.3 Group symmetric key credentials .. 9.3.4 Asymmetric authentication key credentials .43 9.3.5 Asymmetric Key Encryption Key credentials.. ...43 9.3.6 9.3.7 Password credentials ..... 9.4 Certificate based key management... ...44 9.4.1 Overview ......... 9.4.2 X.509 digital certificate profiles.... 9.4.3 Certificate Revocation List (CRL) Profile [deprecated]............ 9.4.4 Resource model........ .54 9.4.5 Certificate provisioning........... 9.4.6 CRL provisioning [deprecated] .... 10 Device authentication...... 10.1 Device authentication general.. .55 10.2 Device authentication with symmetric key credentials..