top | item 44511871


comandillos | 7 months ago

This isn't entirely true, is it? I mean, the whole internet runs on a PKI and we need such a mechanism to ensure secure communication across devices in the network. I understand home devices that contain all sorts of sensors and actuators should be handled in a similar fashion, shouldn't they?

I mean, that PKI doesn't exclude non-approved manufacturers from producing Matter devices; you can always trust their PAA (their CA) in your border router if it's not a well-known manufacturer. And also, I am pretty sure that if this is the case the Matter border router should warn you of this and ignore the fact that the PAA is not in the local store of root CAs (as we did in the times when we had https without Let's Encrypt and didn't want to pay Comodo to sign our certs).

vineyardmike | 7 months ago

You're partially correct, but you've got enough details wrong that you're misrepresenting reality.

Matter has a public blockchain with certificates added to enforce which products are considered certified. This is called the Distributed Compliance Ledger (DCL). The hardware devices are expected to ship with certificates on them that match the public ones, and it's generally not possible to change the on-device certs.

This is distinct from "normal" internet PKI certificate authorities, where you can just swap out a few files or grab a new cert from Let's Encrypt, because this uses a dedicated blockchain with a history of signatures. Depending on how you want to control the device, you'd need to rebuild the whole chain of trust, including e.g. signatures from Google or Apple.

Also, from a practical perspective, I'm not aware of any actual controllers that let you point to different certificate sources. You can create devices with a "test vendor ID" (0xFFFF) and the controllers are supposed to ignore certs. This has downsides: OTA updates require signing, you can't encode proper identifiers in the device so info pages in apps are wrong, etc.

Also, the "border router" isn't really the point of trust here; it'd be the actual controller device. A border router is just that, an IP router, like a WiFi router or an Ethernet router.

https://webui.dcl.csa-iot.org/
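Added example, not code from the thread, from the CSA SDK or from the DCL: a stand-alone Go program that builds a PAA -> PAI -> DAC chain for a hypothetical vendor and then runs the controller-side attestation check the two comments above are arguing about. Vendor names, serial numbers and the vendor IDs 0x1234/0x5678 are made up; the subject attribute OID 1.3.6.1.4.1.37244.2.1 for the vendor ID is the one the Matter spec assigns. The Certification Declaration and the DCL lookup a real controller also performs are omitted, so this shows only the X.509 part: a DAC from a PAA the controller does not know fails until that PAA is added to the controller's (not the border router's) local trust store, and a PAI scoped to a different vendor is rejected even when it chains to a trusted PAA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strconv"
	"time"
)

// Matter carries the vendor ID in the subject as a 4-hex-digit string under OID 1.3.6.1.4.1.37244.2.1.
var oidMatterVID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37244, 2, 1}

// Chain is a constructed PAA -> PAI -> DAC chain for one device (hypothetical vendor, not real DCL data).
type Chain struct{ PAA, PAI, DAC *x509.Certificate }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a Matter-style certificate body; CertSign in ku marks a CA (PAA or PAI).
func template(cn string, vid uint16, serial int64, ku x509.KeyUsage) *x509.Certificate {
	subj := pkix.Name{CommonName: cn}
	if vid != 0 { // a PAA may omit the VID; PAI and DAC carry it
		subj.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidMatterVID, Value: fmt.Sprintf("%04X", vid)}}
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subj, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0,
	}
}

// issue signs t with signer's key on behalf of parent (self-signed when parent == t).
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// BuildChain plays the manufacturer: a PAA, a PAI scoped to vid, and one device's DAC, all on NIST P-256.
func BuildChain(vid uint16) Chain {
	paaKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	paiKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	dacKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caUse, leafUse := x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature, x509.KeyUsageDigitalSignature
	paaT := template("Example PAA", 0, 1, caUse)
	paa := issue(paaT, paaT, &paaKey.PublicKey, paaKey)
	pai := issue(template("Example PAI", vid, 2, caUse), paa, &paiKey.PublicKey, paaKey)
	dac := issue(template("Example DAC", vid, 3, leafUse), pai, &dacKey.PublicKey, paiKey)
	return Chain{PAA: paa, PAI: pai, DAC: dac}
}

// vendorID extracts the Matter VID attribute from a certificate subject.
func vendorID(c *x509.Certificate) (uint16, error) {
	for _, n := range c.Subject.Names {
		if s, ok := n.Value.(string); ok && n.Type.Equal(oidMatterVID) {
			v, err := strconv.ParseUint(s, 16, 16)
			return uint16(v), err
		}
	}
	return 0, fmt.Errorf("%s: no Matter vendor ID in subject", c.Subject.CommonName)
}

// VerifyDAC is the controller-side attestation check: the DAC must chain through the presented
// PAI to a PAA in the controller's local trust store, and the PAI must be scoped to the DAC's vendor.
func VerifyDAC(dac, pai *x509.Certificate, trustedPAAs []*x509.Certificate) (uint16, error) {
	dacVID, err1 := vendorID(dac)
	paiVID, err2 := vendorID(pai)
	if err1 != nil || err2 != nil || dacVID != paiVID {
		return 0, fmt.Errorf("vendor ID check failed: DAC %04X vs PAI %04X (%v, %v)", dacVID, paiVID, err1, err2)
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, paa := range trustedPAAs {
		roots.AddCert(paa)
	}
	inter.AddCert(pai)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := dac.Verify(opts); err != nil {
		return 0, fmt.Errorf("DAC does not chain to a trusted PAA: %w", err)
	}
	return dacVID, nil
}

func main() {
	acme, newcomer := BuildChain(0x1234), BuildChain(0x5678)
	store := []*x509.Certificate{acme.PAA} // the controller's local PAA trust store
	vid, err := VerifyDAC(newcomer.DAC, newcomer.PAI, store)
	fmt.Printf("newcomer with only acme's PAA trusted: vid=%04X err=%v\n", vid, err)
	vid, err = VerifyDAC(newcomer.DAC, newcomer.PAI, append(store, newcomer.PAA))
	fmt.Printf("newcomer after trusting its own PAA:   vid=%04X err=%v\n", vid, err)
}
```

The trust store here is a plain slice the operator controls, which is the "add their PAA locally" scenario; a shipping controller typically fills that store from the DCL instead, which is why the DCL entry, rather than a file on the router, decides whether a device commissions without a warning.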