6.9.1 Introduction
Registration is the procedure by which client registration information is conveyed out of band, in advance, to the server that houses a resource the client will subsequently access. The registration information is the client's SFDI and, optionally, a PIN, which together uniquely identify the client in the given context.
Registration may occur some time before the client attempts to access a resource, for example by using a web site or telephone to register the information with a service provider. The service provider then provides the information to the EndDevice server using some out-of-band mechanism (e.g., the AMI network), and the server programs its registration list accordingly.
Alternatively, there may be no actual registration before a client attempts to access a resource; for example, the server may present the premises owner, via a user interface, with the SFDI of the client attempting access. The premises owner may then authorize or deny the client's access based on the information presented from the client's certificate.
This subclause describes a typical registration procedure for a client using a device certificate with an EndDevice server.
Registration for clients SHALL occur via an EndDevice resource corresponding to the client, which typically resides on an energy services interface (ESI) associated with the utility, premises owner, or third party service provider that is trusted to perform registration.

Figure 2 — Device authentication with registration procedure examples using HTTPS
6.9.2 EndDeviceList
Clients SHALL locate HAN services by performing DNS service discovery (DNS-SD) queries to the HAN; see Clause 7 for details. The client can then resolve the URI of the EndDeviceList (given as /edev for illustration purposes) for registration and authentication purposes and know which port(s) the server for the EndDeviceList is listening on.
The EndDeviceList is the resource a client uses to complete the process that registration of the client initiates, when the device owner wishes to register the device in a utility, premises owner, or service provider program. In some cases, registration MAY be required for access.
Upon registering a client, the EndDevice resource's server aclLocalRegistrationList will be configured with:
- The client SFDI, to be registered in the utility, premises owner, or third party service provider program.
- Optionally, the client PIN.
- The required device types of the associated client.
Thus, at the point of registration, the EndDevice resource’s server is able to perform authentication based on the device certificate and additional user authentication based on the client SFDI.
The EndDevice resource’s server MAY allow access from clients that have not been pre-configured if the security policy allows.
The registration procedure is as follows:
a) The EndDevice resource’s server SHALL listen on the TCP port associated with HTTPS and follow the procedure described in (IETF RFC 5246) when a client attempts to access the EndDevice resource.
b) Authorization SHALL then occur, whereby the ACLs of the server resources corresponding to the registering client are set according to the security policy and the client's presence in aclLocalRegistrationList. This ensures that, following registration, a client can typically proceed to access all the resources it is authorized to without performing any further procedures.
c) If present, the client MUST verify that the EndDevice’s associated Registration resource contains the correct PIN for the client. If the PIN does not match, the client SHOULD NOT attempt any further access to that server.
d) The client SHALL subsequently re-use its device certificate to authenticate with any other server host. It does not need to re-authenticate with the EndDevice resource’s server.