Credential life cycle management in open credential platforms (short paper)

Kari Kostiainen, N. Asokan
Published in: Scalable Trusted Computing, 2011-10-17 (Journal Article)
DOI: 10.1145/2046582.2046595 (https://doi.org/10.1145/2046582.2046595)
Citations: 5

Abstract

Hardware-based trusted execution environments (TEEs) allow remote provisioning of secure credentials. In a closed credential platform, installation of credentials to a TEE is controlled by a centralized authority. Due to the central control point, credential life cycle management in closed credential platforms is straightforward to implement, but credential installation is limited to credentials approved by the control point. Open credential platforms allow free credential provisioning by any credential issuer, but subsequent credential life cycle management is more challenging to realize. In this paper we identify requirements for credential life cycle management and outline a model that meets the needs of both credential issuers and end users. We compare credential life cycle management in open and closed platforms, and conclude that, contrary to a common perception, an open provisioning model does not have to imply reduced security or usability in subsequent credential management.