use_cases_device_on_ledger_certification.puml

@startuml
!pragma teoz true
hide footbox

actor Vendor as V
actor "Certification Center - CSA or ZB" as C
actor User as U
entity Device as D
database Ledger as L

note over V, L
In this case Device Certification is done on Ledger:
- Device doesn't have any certification when issued
- Certification results can be added/revoked any time in future
- Certification results must be added on ledger (as transactions)
- Device's certification needs to be checked on Ledger

The Ledger is also used as a PKI.
end note

note over L
Setup PKI (see [use_cases_pki]):
- Root Certificate `RootCert`
- Vendor Certificate `VendorCert(vid, pid, sv)`
end note

== 1. Setup Model Version ==
V -> L: ADD_MODEL(vid, pid)
V -> L: ADD_MODEL_VERSION(vid,pid,sv)

== 2. Issue Device ==
D -> D: generate `privKey` and `pubKey`
D -> D: X509 Device Cert `DeviceCert(vid,pid,sv)`\nwith `pubKey`, `vid`, `pid`, `sv`
V -> D: Sign `DeviceCert` by `VendorCert(vid,pid,sv)`

== 3.1. Attest Device Compliance ==
C -> L: CERTIFY_MODEL(vid, pid, sv)

== 3.2. Revoke Device Compliance (Optional) ==
C -> L: REVOKE_MODEL_CERTIFICATION(vid, pid, sv)

== 4. Use Device ==
U <- D: Get `DeviceCert(vid, pid, sv)`
U <-> D: Verify proof of privKey possession
U <-- L: GET_X509_CERT / GET_ALL_X509_ROOT_CERTS\n or GET_ALL_X509_CERTS / GET_ALL_X509_CERTS_SINCE\nor GET_CRL\nupdate cache if needed
U -> U: Verify `DeviceCert(vid, pid)` signature
U -> U: Verify that `DeviceCert`'s `pid`, `vid` and `sv`\nequals to `VendorCert`'s `vid` `pid` and `sv`
U <-- L:GET_CERTIFIED_MODEL(vid, pid, sv)\nor GET_VENDOR_CERTIFIED_MODELS(vid)\nor GET_ALL_CERTIFIED_MODELS / GET_ALL_CERTIFIED_MODELS_SINCE\nupdate cache if needed
U -> U: Check that the Device is certified
U -> D: Start using Device
@enduml