Protecting Against Re-enrollment of Industrial IoT Devices | Preventing Device Re-enrollment in Azure IoT | AZ-220 Exam Guide

Preventing Device Re-enrollment in Azure IoT

Question

You are operating an industrial IoT infrastructure with a number of devices using X.509 attestation.

The devices monitor safety conditions of chemical reactors.

All the devices have been provisioned through the device provisioning service.

Now two of the reactors are going to be dismounted, and the related devices will be deprovisioned and sold.

Your task is to ensure that the devices will not be able to re-enroll in the future.

You have just deleted the devices' enrollment entry from the DPS, and deleted the identity registries from the IoT Hub.

Can you be sure that the devices will never be able to re-enroll?

Answers

A. Yes

B. No

Explanations

Correct Answer: B.

Option A is incorrect because deleting the individual enrollment of a device that uses X.509 attestation does not stop it from provisioning again if an enabled enrollment group exists for a signing certificate in the device's certificate chain.

Option B is CORRECT because, as long as an enabled enrollment group exists on the DPS for the CA that signed the device certificates, the devices can re-enroll with the certificates they already hold, even though their individual enrollment entries have been deleted.

In this case the enrollment entry should be disabled rather than deleted. A device that has only a group enrollment is blocked by creating a disabled individual enrollment for its leaf certificate, which takes precedence over the group.

References:

Based on the information provided in the question, you cannot be sure that the devices will never re-enroll.

When a device provisions with X.509 attestation, it presents its leaf certificate to the Device Provisioning Service (DPS) during the TLS handshake; the registration ID is the certificate's subject common name. DPS matches the certificate against an individual enrollment for that registration ID or against an enrollment group for a signing certificate in the device's chain, assigns the device to an IoT hub, creates or updates the device identity in that hub, and returns the assigned hub hostname and device ID. The device then authenticates to the hub with the same certificate; DPS does not issue a SAS token to an X.509 device.

Deleting the devices' individual enrollments from the DPS and deleting their identities from the IoT Hub only removes the current records. If an enabled enrollment group still exists for the intermediate or root CA that signed the device certificates, a device can run provisioning again with the certificate it already holds, match the group, and be assigned and registered again, recreating the hub identity you just deleted. The device does not need a new certificate for this; the original one is enough while its signing certificate is trusted by an enabled group. A deleted enrollment leaves DPS nothing to reject; a disabled one does.

To block the devices reliably, disable their individual enrollments instead of deleting them. If a device provisions only through an enrollment group, create a disabled individual enrollment for its leaf certificate (the registration ID must equal the certificate's CN); an individual enrollment takes precedence over the group, so this acts as a blocklist for that device while the rest of the group keeps working. If every device in the group is being retired, disable the enrollment group itself. On the hub side, disable rather than delete the device identity, so a device that still holds its connection details is refused by the hub as well.

Revoking the certificates at the CA is sound hygiene for sold hardware, but DPS validates the chain against the signing certificate configured in the enrollment group and does not consult a CRL or OCSP responder, so revocation alone does not stop re-provisioning. The enrollment state is the control that DPS enforces.

In summary, deleting the enrollment entries and the hub identities is not sufficient to ensure that the devices will never re-enroll. Disabling the individual enrollments (or adding disabled individual enrollments for devices covered by a group), and disabling the enrollment group when the whole fleet is retired, is what prevents them from provisioning again.
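The retirement procedure described in the explanation and in the section above, as an added example that is not part of the original page or of Microsoft's documentation. It wraps the Azure CLI (azure-iot extension) commands for the three DPS cases and the hub identity in bash functions. The DPS name, resource group, hub name, registration IDs and certificate path are placeholders; with APPLY unset the functions only print the commands they would run, so the plan can be reviewed before anything is changed.

```shell
#!/usr/bin/env bash
# Added example: block decommissioned X.509 devices in Azure DPS by disabling
# enrollments instead of deleting them. Not code from the original page.
# Assumes the Azure CLI with the azure-iot extension and an active login when
# APPLY=1; otherwise each function prints the command it would execute.
set -euo pipefail

DPS_NAME="${DPS_NAME:-reactor-dps}"   # assumed DPS instance name
RG="${RG:-reactors-rg}"               # assumed resource group
HUB_NAME="${HUB_NAME:-reactor-hub}"   # assumed IoT hub the devices were assigned to

# Execute the command when APPLY=1, otherwise print it on one line.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Case 1: the device has an individual X.509 enrollment.
# Deleting it would let the device fall back to an enabled enrollment group for
# its signing CA; setting the status to disabled keeps a record DPS must reject.
disable_individual_enrollment() {
  local reg_id="$1"
  run az iot dps enrollment update \
    --dps-name "$DPS_NAME" --resource-group "$RG" \
    --enrollment-id "$reg_id" \
    --provisioning-status disabled
}

# Case 2: the device provisions only through an enrollment group.
# Create a disabled individual enrollment for its leaf certificate. The
# registration ID must equal the certificate's subject CN, and an individual
# enrollment takes precedence over the group, so this acts as a blocklist.
blocklist_in_group() {
  local reg_id="$1" leaf_cert_path="$2"
  run az iot dps enrollment create \
    --dps-name "$DPS_NAME" --resource-group "$RG" \
    --enrollment-id "$reg_id" \
    --attestation-type x509 \
    --certificate-path "$leaf_cert_path" \
    --provisioning-status disabled
}

# Case 3: the whole group (for example both reactors' devices) is retired.
disable_enrollment_group() {
  local group_id="$1"
  run az iot dps enrollment-group update \
    --dps-name "$DPS_NAME" --resource-group "$RG" \
    --enrollment-id "$group_id" \
    --provisioning-status disabled
}

# Hub side: disable rather than delete the identity so a device that still
# holds its assigned hub hostname is refused there too.
disable_hub_identity() {
  local device_id="$1"
  run az iot hub device-identity update \
    --hub-name "$HUB_NAME" --device-id "$device_id" \
    --set status=disabled
}

# Retire one device that is covered by an enrollment group: block it in DPS
# and in the hub. Registration ID and device ID are the same for X.509 devices.
retire_group_device() {
  local reg_id="$1" leaf_cert_path="$2"
  blocklist_in_group "$reg_id" "$leaf_cert_path"
  disable_hub_identity "$reg_id"
}
```

Usage: source the file and call, for instance, `retire_group_device reactor-07-sensor ./reactor-07-sensor.pem` to print the plan, then re-run with `APPLY=1` to execute it. Nothing here deletes an enrollment or an identity, by design.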