How to become matter compliant & why you shouldn’t diy device attestation
September 2022 by Mike Nelson, the VP of IoT Security at DigiCert
With Matter approaching availability, device manufacturers need to start preparing their devices to be Matter trusted and receive the Matter logo on them. Public key infrastructure (PKI) will be a key component of the approach to becoming Matter trusted. Matter will have a few selected roots available in their trusted root store, known as product attestation authorities, or certificate authorities (CAs). These authorities will issue device attestation certificates, which every Matter-compliant device will be required to have to enable secure interoperability and trust.
Device attestation is critical to Matter-trusted devices and accomplishes secure interoperability in three main ways:.
provides assurance that the device comes from a trusted manufacturer, installs a strong identity on the device, so they can be tracked and identified, and enables validated, authenticated connections.
Thus, the first step to become Matter compliant is for manufacturers to get Matter-trusted device attestation certificates on their devices. How to obtain device attestation certificates
When it comes to obtaining Matter-trusted certificates, manufacturers essentially have two options: set up their own trusted root to issue device certificates or purchase certificates from an existing root in the Matter-trusted root store.
The CSA is working to define the process for submitting and accepting roots into their trust store. However, the process for acceptance into the root store will not be easy. Trusted roots will need to meet high standards and rigorous qualifications to be accepted. As a leader in digital trust, DigiCert has been involved with the development of Matter to ensure that it is secure since the early stages of the project. We plan to be among the first with a Matter-compliant root and are ready to submit as soon as the process for root certificate inclusion is finalized.
However, this post will examine both setting up a DIY path to device attestation and partnering with an existing trusted root.
Option 1: Set up your own trusted root
There are several hurdles to become a Matter-compliant CA, including that the operators of these roots will need to meet specific requirements and perform regular audits to ensure the highest levels of trust can be maintained. Much like a highly trusted certificate that authenticates credit card transactions on the internet, the Matter certificate process will require rigorous audits, authorizations and processes that ensure confidence in the vendor and digital trust across the internet eco-system.
Besides the hurdles to becoming a Matter-trusted CA, once you have your CA set up it will require regular monitoring, updates and management. If roots are compromised, it could compromise the entire PKI ecosystem, so constant monitoring is required to protect against threats and maintain compliance as standards evolve over time. Furthermore, the Matter specification is currently version 1.0, with the knowledge that functionality will evolve going forward. This means that root operators will require agility and updates to maintain continuity. Finally, as usage grows, it can be difficult to manage a DIY PKI at scale.
Thus, manual certificate lifecycle management, or a DIY PKI, requires staying up to date with a complex environment, as enterprise networks are continually becoming more complex and compliance standards evolve. Essentially, in order to DIY PKI, managers need to be PKI experts. Furthermore, manual certificate lifecycle management is prone to costly errors, which can lead to both financial and reputation costs. While it may seem like a DIY PKI can save you money, in reality the time and effort that it takes to manage, and the potential damage of mismanagement, can cost much more. That brings us to option two: partnering with an existing CA with a Matter-trusted root.
Option 2: Use an existing trusted root
A far easier way to obtain Matter-trusted device certificates is to use an existing trusted root. A managed PKI service will allow faster time to market, simpler scalability and consultation from PKI experts. Using a private CA will offer manufacturers adopting Matter the scalability and automation capabilities they need. According to an IDC study, investing in a fully managed PKI service can save organizations nearly $1 million over five years.
In summary, using a managed PKI service is much more affordable in the long run and will be easier to set up and manage. When manufacturers choose to partner with a Matter-trusted issuing CA, they can save time, money and headache while getting Matter-trusted devices on the market faster.
Work with a connected trust expert today
DigiCert can help manufacturers adopt Matter quickly, simply and at scale. We offer flexible provisioning methods, including cloud, batch or on-prem, for device attestation certificate issuance. We also have a test root available now so that manufacturers can test workflows pre-production. Additionally, DigiCert will have one of the first trusted roots in a Matter-trusted root store. Partnering with DigiCert will enable manufactures to get the fastest time to market so that manufactures do not need to worry about setting up an issuing CA.
DigiCert has the expertise of running PKI programs and is the PKI expert regarding Matter, as we’ve been involved in defining the standard for the past three years. As the global leader in digital trust, DigiCert can help you attain Matter-trusted devices to market rapidly, and at scale. Additionally, once devices are Matter-trusted, managing the certificate lifecycle on those devices is fast and easy with the help of DigiCert® IoT Device Manager, a scalable management platform. Get to market quicker, with the highest level of trust, without the need to build a DIY PKI system.