- Using self-signed certificates using elliptic curve key pairs
- Reasonable key size for 20 year time frame
- Considering adding certificate signing request
- At factory/install specify EVC plus root CA certificate for EVC
- Leverage TEE/TPM for secure key storage, measured boot, etc
- Several variants for on-boarding depending on factory constraints
- Want strong binding between user/purchaser and device identity
- Images are signed; verified by device; can pull from any datastore
- No remote (ssh) or keyboard access to EVE(*)
(*) Can enable using API for developer debug