Nitrokey HSM Remote Key Attestation explained

Thank you, this is very good. I have some questions:

  1. Do I understand correctly that if another certificate (for example X.509) is imported for the key, the CVC is overwritten?

  2. Once the device identity changes during the firmware update, does this mean that the CVC needs to be/will be regenerated when restoring the wrapped keys from the backup after the upgrade?

  3. Coming back to the problem of the group identity being bound to the issuing device, how can we retain the validity of the CVC chain if the device identity changes? Would it be possible to sign a group membership with a higher-level authority like DICA to create a “virtual device” instead?