Bug description
The Device Client Onboarding sequence diagram shows "Secure API Usage with Signed Payloads can now begin" after the onboarding completes.
However, the spec correctly states:
Requests to this endpoint MUST be authenticated using the HTTP Message Signature method
The diagram should show that the POST /onboarding request itself is signed. Otherwise, anyone with a device's public certificate could impersonate it.
Proposed fix
Update the diagram to show signature verification on the onboarding request.
Anything else (optional)
No response
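A server-side check for the signed `POST /onboarding` request discussed above, as an added example that is not part of the original issue or the spec. It shows that a request verifies only when signed with the private key matching the presented certificate. The signature base is modelled on RFC 9421 in simplified form; Ed25519, the body fields and the `keyid` value are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Constructed sample request body; the field names are hypothetical.
const sampleBody = `{"deviceId":"dev-001","certificate":"<device cert PEM>"}`

// Covered components and key id (assumed values for this example).
const params = `("@method" "@path" "content-digest");keyid="dev-001"`

// signatureBase builds the string that is signed, modelled on the RFC 9421
// signature base: method, path and a SHA-256 digest of the body.
func signatureBase(method, path string, body []byte) []byte {
	sum := sha256.Sum256(body)
	digest := "sha-256=:" + base64.StdEncoding.EncodeToString(sum[:]) + ":"
	return []byte(fmt.Sprintf("\"@method\": %s\n\"@path\": %s\n\"content-digest\": %s\n\"@signature-params\": %s",
		method, path, digest, params))
}

// signOnboarding is the device side: it requires the device private key.
func signOnboarding(priv ed25519.PrivateKey, body []byte) []byte {
	return ed25519.Sign(priv, signatureBase("POST", "/onboarding", body))
}

// verifyOnboarding is the server side: certKey is the public key taken from
// the certificate presented in the onboarding request.
func verifyOnboarding(certKey ed25519.PublicKey, body, sig []byte) bool {
	return ed25519.Verify(certKey, signatureBase("POST", "/onboarding", body), sig)
}

// demo returns the verification result for the real device, for a sender that
// holds only the certificate and signs with a different key, and for a body
// altered after signing.
func demo() (genuine, certOnly, tampered bool) {
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	body := []byte(sampleBody)
	sig := signOnboarding(devPriv, body)
	genuine = verifyOnboarding(devPub, body, sig)
	certOnly = verifyOnboarding(devPub, body, signOnboarding(otherPriv, body))
	tampered = verifyOnboarding(devPub, append(body, ' '), sig)
	return
}

func main() { fmt.Println(demo()) } // prints: true false false
```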