Re: Intel EPID For Device Onboarding

Gardner, Doug

Hello Drasko,

We have looked into EPID also. It is interesting if the customer is concerned about privacy (consumer). The issue with the system is that you must get all your keys from Intel, as they are the only EPID key provider today. For the ICS use case, privacy is not a big driving factor, and the complexity of supply chain signing equipment at transfer points is not currently used. In general, we are monitoring EPID but have no plans to add it to our products and have no customers requesting EPID. Most of our customers want support for normal PKI certificates and a PKI CA for identity management.

Doug Gardner
Office: 813.559.6617

-----Original Message-----
From: edgex-tsc-security-bounces@... [mailto:edgex-tsc-security-bounces@...] On Behalf Of Jason.A.Shepherd@...
Sent: Tuesday, October 31, 2017 8:47 AM
To: drasko@...; edgex-tsc-security@...; edgex-tsc-systems-mgmt@...; edgex-devel@...; Boran.Car@...
Subject: Re: [Edgex-tsc-security] Intel EPID For Device Onboarding


Hi Drasko -

We actually aren't leveraging EPID on our gateway hardware today (just TPM) but are looking at it as part of the overall solution stack. FYI, the solution that Jennifer talks about in that video from about a year ago is Intel's Secure Device Onboard (SDO) which they just announced at Solutions World Congress:

Simplifying how devices are securely on-boarded is definitely key for deployment scale, however the way these types of solutions typically address the issue is to push the problem up the supply chain. So, in order for them to work the manufacturer/OEM has to program a unique identifier into every device that leaves their factory which is a major undertaking. Considerations also have to be made in the channel as devices inevitably pass through multiple levels of ownership before hitting the end user. While all possible, this will only be attractive to lots of device makers if the solution is pervasive and therefore really valuable to their customers.

I believe the interoperability between sensors and applications facilitated by the EdgeX ecosystem is key to the success of this type of solution because it will make it worthwhile for OEMs to do the extra work. EdgeX could potentially also be used to federate various ecosystems for this type of onboarding.

In any event, simple and secure onboarding is a key market need and we'll want to make sure we address it one way or another. We're in the process of re-engaging with a number of the major silicon providers (including Intel) on the heels of the Barcelona release and this will be a point of discussion.

Would be good to make this a topic in an upcoming security working group meeting.


-----Original Message-----
From: edgex-tsc-security-bounces@... [mailto:edgex-tsc-security-bounces@...] On Behalf Of Drasko DRASKOVIC
Sent: Tuesday, October 31, 2017 3:33 AM
To: edgex-tsc-security@...; edgex-tsc-systems-mgmt@...; edgex-devel@...; Car, Boran <Boran.Car@...>
Subject: [Edgex-tsc-security] Intel EPID For Device Onboarding

Hi all,
during the last f2f meeting in Barcelona, we mentioned the problem of device onboarding, and the problem of dedicating a distinct asymmetric key to each device during the manufacturing phase.

Yesterday I was watching a video on edge security: , and saw that there is already an implementation of Intel's EPID
( used on Dell's gateways.

On a very fast glance, I like the idea of having a one-to-many mapping of public to private keys, at least for two reasons:
1) It is easier to keep just one public key on a server and not to have queries each time a device onboards to find its public key (although probably a query for the group must be done)
2) You can keep anonymity on a group level

I was wondering - did anybody have experience with EPID before? I see that it is an open standard, and I even saw some Apache-2.0 device-side implementations (, but I was wondering how open it is and whether it can be useful for the EdgeX case?

Best regards,
Mainflux Author and Technical Advisor | Industrial IoT Cloud
Engineering Division | Paris, France

Twitter: @draskodraskovic

EdgeX-TSC-Security mailing list
