6.3.1 Introduction
There are three credentials per device:
Short form device identifier (SFDI)
Long form device identifier (LFDI)
PIN
6.3.2 Certificate fingerprint
The certificate fingerprint is the result of performing a SHA256 operation over the whole DER-encoded certificate and is used to derive the SFDI and LFDI. A certificate fingerprint is not confidential and is never used to derive subsequent keying material.
An example certificate fingerprint used for illustration in the following examples is:
3E4F-45AB-31ED-FE5B-67E3-43E5-E456-2E31-984E-23E5-349E-2AD7-4567-2ED1-45EE-213A
6.3.3 Short-form device identifier (SFDI)
The SFDI SHALL be the certificate fingerprint left-truncated to 36 bits. For display purposes, this SHALL be expressed as 11 decimal (base 10) digits, with an additional sum-of-digits checksum digit right-concatenated. Based on the example in 6.3.2, this would be 167-261-211-391:
Left truncation to 36 bits: 0x3E4F45AB3
Expressed as a decimal: 16726121139
Right-concatenation of check digit and hyphenation: 167-261-211-391
For input validation purposes, the sum of the digits of the SFDI including the checksum digit, modulo 10, SHALL be zero. The SFDI has sufficient entropy (2^36 possible values) to uniquely identify the device in the context of its usage and is used to identify a device within a home area network (HAN) or site domain. It should not be used in a truly global context (i.e., where the identity of the device cannot be qualified with the domain it is in).
For a device with a device certificate, the SFDI can be printed on the device packaging.
6.3.4 Long-form device identifier (LFDI)
The LFDI SHALL be the certificate fingerprint left-truncated to 160 bits (20 octets). For display purposes, this SHALL be expressed as 40 hexadecimal (base 16) digits in groups of four. Based on the example in 6.3.2, this would be "3E4F-45AB-31ED-FE5B-67E3-43E5-E456-2E31-984E-23E5". The LFDI is used when a globally unique identity is required, for example in sending an event back to a service provider that is associated with a particular device.
6.3.5 6-digit PIN code
The SFDI and LFDI are derived from public information (i.e., a certificate) and could therefore be recreated by an eavesdropper. A device MAY therefore also have an additional 6-digit PIN code, which can be shared out-of-band with a service provider in conjunction with the SFDI or LFDI. For display purposes, this SHALL be expressed as 5 decimal (base 10) digits, with an additional sum-of-digits checksum digit right-concatenated:
Original PIN: 12345
Right-concatenation of check digit and hyphenation: 123-455
For input validation purposes, the sum of the digits of the PIN including the checksum digit, modulo 10, SHALL be zero. The PIN MAY be obtainable from the EndDevice server through the Registration resource to validate that the client is in communication with the correct server. The PIN SHOULD be configurable on a device where possible for registration purposes; otherwise it SHOULD be a random 5-digit value plus check digit pre-programmed into the device and printed on the device. The PIN provides little security and therefore SHALL NOT be used in any way to derive keys for actual data encryption.
6.3.6 Registration code
The SFDI and PIN are usually presented separately. However, in certain cases it may be convenient to provide a single registration code, which is simply the concatenation of the SFDI and the PIN (each including its check digit) expressed as a decimal (base 10) number:
SFDI || PIN
From the examples above, this would be 167-261-211-391-123-455.
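The following Python is an added worked example (not code from the standard) that carries the derivations of 6.3.2 through 6.3.6 end to end: SHA-256 fingerprint of a DER certificate, 36-bit and 160-bit left truncation, the sum-of-digits check digit, the input-validation rule, and the registration code. The function and constant names are the author's own; the fingerprint value is the illustrative one from 6.3.2, not the hash of any real certificate.

```python
import hashlib

# Illustrative fingerprint from 6.3.2 (display form). It is not derived from a real certificate.
EXAMPLE_FINGERPRINT = (
    "3E4F-45AB-31ED-FE5B-67E3-43E5-E456-2E31-"
    "984E-23E5-349E-2AD7-4567-2ED1-45EE-213A"
)


def fingerprint_from_der(der_cert: bytes) -> bytes:
    """6.3.2: SHA-256 over the whole DER-encoded certificate (32 octets)."""
    return hashlib.sha256(der_cert).digest()


def parse_fingerprint(display: str) -> bytes:
    """Accept the hyphenated display form and return the raw 32-octet fingerprint."""
    hex_digits = display.replace("-", "").replace(" ", "")
    if len(hex_digits) != 64:
        raise ValueError("certificate fingerprint must be 64 hex digits (256 bits)")
    return bytes.fromhex(hex_digits)


def check_digit(digits: str) -> str:
    """Sum-of-digits check digit: chosen so the total, check digit included, is 0 mod 10."""
    if not digits.isdigit():
        raise ValueError("check digit is computed over decimal digits only")
    return str((-sum(int(d) for d in digits)) % 10)


def _group(s: str, n: int) -> str:
    """Hyphenate a string into groups of n characters for display."""
    return "-".join(s[i:i + n] for i in range(0, len(s), n))


def sfdi(fingerprint: bytes) -> str:
    """6.3.3: top 36 bits of the fingerprint as 11 decimal digits plus check digit."""
    if len(fingerprint) != 32:
        raise ValueError("fingerprint must be 32 octets")
    value = int.from_bytes(fingerprint, "big") >> (256 - 36)  # left-truncate to 36 bits
    digits = f"{value:011d}"  # 2^36 - 1 = 68719476735 fits in 11 digits; keep leading zeros
    return _group(digits + check_digit(digits), 3)


def lfdi(fingerprint: bytes) -> str:
    """6.3.4: top 160 bits (20 octets) as 40 hex digits in groups of four."""
    if len(fingerprint) != 32:
        raise ValueError("fingerprint must be 32 octets")
    return _group(fingerprint[:20].hex().upper(), 4)


def pin_display(pin5: str) -> str:
    """6.3.5: 5 decimal digits plus check digit, hyphenated as 3-3."""
    if len(pin5) != 5 or not pin5.isdigit():
        raise ValueError("PIN must be exactly 5 decimal digits")
    return _group(pin5 + check_digit(pin5), 3)


def checksum_valid(display: str) -> bool:
    """Input validation for SFDI, PIN or registration code: digit sum mod 10 must be zero."""
    digits = display.replace("-", "").replace(" ", "")
    return digits.isdigit() and sum(int(d) for d in digits) % 10 == 0


def registration_code(sfdi_display: str, pin_disp: str) -> str:
    """6.3.6: SFDI || PIN, both with their check digits, re-hyphenated as one decimal number."""
    digits = sfdi_display.replace("-", "") + pin_disp.replace("-", "")
    return _group(digits, 3)


if __name__ == "__main__":
    fp = parse_fingerprint(EXAMPLE_FINGERPRINT)
    s, l, p = sfdi(fp), lfdi(fp), pin_display("12345")
    print("SFDI:", s, "valid:", checksum_valid(s))
    print("LFDI:", l)
    print("PIN: ", p, "valid:", checksum_valid(p))
    print("Registration code:", registration_code(s, p))
```

To run it against a real device certificate, feed `fingerprint_from_der()` the DER bytes (for a PEM file, `ssl.PEM_cert_to_DER_cert()` from the standard library converts it); the value must match `openssl x509 -in cert.pem -outform DER | openssl dgst -sha256`. Note that `checksum_valid()` only catches single-digit typos and some transpositions, which is all the sum-of-digits rule is designed for; it says nothing about whether the SFDI belongs to the device you think it does.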