7. Security Considerations
Trust establishment depends on the TLS server proving knowledge of the client's non-public BSK public key. The client trusts the TLS connection after successful TLS 1.3 completion using the EPSK derived from the BSK.
If the bootstrapping method is attacked and a rogue public key replaces an honest device public key, the TLS server may onboard and trust the rogue device. If an attacker learns the BSK public key, for example by scanning QR labels, the attacker may cause the client to bootstrap against the attacker's network. The model assumes physical possession implies ownership; TLS-POK cannot prevent onboarding of a stolen device.
The ECDSA BSK key pair MUST be generated and validated according to NIST FIPS 186-5 Section 6.2. Manufacturers SHOULD use a unique BSK for every device. Shared BSKs prevent operators from distinguishing devices and enforcing per-device authorization.