MP168 CPL Security Improvements

Smart Energy Code (SEC) Appendix Z ‘CPL Requirements Document’ requires the Panel to check that a communication requesting a firmware Image to be associated with a Device Model on the Central Products List (CPL) originates from the person who created the Image and is endorsed by a Supplier. At present, the nature of the signatures used by manufacturers do not enable cryptographic authentication that the communication originates from a specific manufacturer beyond reasonable doubt. Neither a Supplier nor the Panel can therefore suitably verify the authenticity of the communication and therefore fully meet the SEC obligation.

The DCC shall publish the Infrastructure Key Infrastructure (IKI) Certificate Revocation List (CRL) on-line for a range of uses that require authentication of IKI. In addition, the SEC legal drafting shall be updated to reflect that any organisation that needs to authenticate IKI Certificates is given access to and is required to check the CRL when receiving requests authenticated with an IKI token.

Large Suppliers
Small Suppliers
DCC
Other SEC Parties (Device Manufacturers)

Section A ‘Definitions and Interpretations
Section L ‘SMKI and DCC Key Infrastructure’
Appendix D ‘SMKI Registration Authority Policies and Procedures’
Appendix Q ‘IKI Certificate Policy’