A Device shall be able to process four kinds of Security Credential Document:
its own Security Credential Documents, provided in the form of Device Certificates. For these, the Device's processing needs to cover (1) generating new Public-Private Key Pairs and, as a result, issuing Device Certificate Signing Requests, (2) storing its Device Certificates and (3) providing a copy of those Device Certificates on request;
Security Credential Documents relating to Known Remote Parties, provided in the form of Organisation Certificates. For these, the Device needs to be capable of (1) storing, (2) replacing and (3) providing details of those it holds on request;
Security Credential Documents relating to Unknown Remote Parties, provided in the form of Organisation Certificates. For these, the Device will receive them in a Command so that parts of the Response can be Encrypted. The Device does not need to store such Documents; and
Security Credential Documents relating to Certification Authorities, provided in the form of Certification Authority Certificates. These are processed by the Device only when replacing Remote Parties’ Security Credential Documents.
Sections 8 and 13 cover the above functionality.
Section 13 covers requirements related to the structure and content of such Security Credential Documents, where such requirements are relevant to Device processing requirements.
This Section 4.3.2 covers requirements for the storage of such Security Credentials on Devices and their usage in verifying cryptographic protections on Commands the Device receives.