Device identity at scale.

One device with one certificate is a manageable problem. A pilot of a hundred devices is a manageable problem. The architectures that work at a hundred do not survive a million. At fleet scale, four constraints stop being engineering preferences and start being hard requirements.

Issuance throughput. A connected-vehicle deployment refreshing pseudonymous certificates at the cadence ETSI TS 102 941 contemplates issues credentials at sustained rates that a single CA tier cannot serve. Issuance has to be batched, parallelised, and structurally split between the authority that knows the device and the authority that signs the per-message credential. Section three of this page goes deeper.

Rotation without recall. A field-deployed device that requires a return-to-base for certificate renewal is a deployment with a built-in attrition curve. Every credential lifecycle has to support over-the-air rotation under cryptographic continuity — the new credential proves itself to the device using material the device already trusts.

Revocation across connectivity tiers. Always-connected devices can poll. Intermittent devices need CRL refresh on next contact. Offline-tolerant devices — V2X OBUs verifying PC5 sidelink messages with no backhaul — need pre-distributed revocation material that has already arrived before the verification is needed. One revocation system, three connectivity profiles.

Field-replacement avoidance. The economic case for hardware-rooted identity hinges on the device lasting the depreciation window without being touched. Recalling a million OBUs to replace a secure element costs more than running the deployment. The architecture has to assume the silicon is fixed and the credentials, policies, and trust anchors are the only thing that changes.

Every cryptographic property of a deployed device traces back to a moment in a controlled environment when key material was injected and the device was attested. Get that moment right and the deployment has a defensible identity story for its lifetime. Get it wrong and no amount of operational hardening recovers the deployment.

The provisioning line is where the four properties above are established for the population. The pattern that survives audit looks the same across industries: an HSM holds the key-derivation material; per-device keys are derived under a key-ceremony procedure with split custody; the secure element accepts a wrapped key-injection APDU under SCP03 or an equivalent secure channel; the manufacturing host sees only ciphertext; the line logs every injection with a per-device serial; the device leaves the line attested.

What changes between industries is the chain that follows. A FIDO authenticator leaves the line with an attestation certificate signed by the manufacturer CA. An eSIM-capable IoT device leaves the line with an eUICC identity that subsequently downloads operator profiles from SM-DP+. A V2X OBU leaves the line with a manufacturer attestation that the Enrolment Authority will subsequently verify before issuing an Enrolment Credential. The provisioning step is identical in structure; the downstream authority differs.

AmbiSecure operates personalisation lines under this discipline. The HSM-backed key custody, SCP03-equivalent wrapping, per-device serialisation, and audit-grade logging are not optional features; they are the baseline. The page on smart-card personalisation covers the operational mechanics; this page treats provisioning as one stage in a longer lifecycle.

The eSIM Remote SIM Provisioning architecture is the most operationally mature fleet-PKI in production at scale. The patterns that emerged from GSMA SGP.22 (consumer) and SGP.32 (IoT) are now the reference architecture every other fleet credential system gets compared against. Three of them are worth carrying over.

SM-DP+ as the credential preparation service. The Subscription Manager — Data Preparation+ holds the operational profiles to be downloaded into eUICCs. It does not hold device identity. It holds credentials that have been bound to a target device by upstream coordination. The structural analogue in V2X is the Authorisation Authority — an authority that issues operational credentials without itself authenticating the device every time.

SM-DS as the discovery service. The Subscription Manager — Discovery Service lets an eUICC find which SM-DP+ has a pending profile for it. It indexes pending credentials by eUICC identity without storing the credentials themselves. The structural analogue in V2X is the Enrolment Authority — the authority that knows which device is which, but only orchestrates the issuance rather than performing it.

SGP.32 IoT profile. The IoT-specific SGP.32 architecture introduces the eUICC Identifier Manager (IPA) and Profile Provisioning Discovery (PPD) flows tailored for unattended devices that cannot drive a user-interactive profile-download UI. The analogue across automotive and embedded fleets is the OBU or RSU that must enrol and refresh without a human in the loop — identical architectural shape, different protocol surface.

The AmbiSecure eSIM Initiative operates in this domain directly. The lessons rotated through this part of the business inform the V2X and IoT credential-lifecycle work elsewhere on the site. The SGP.32 reference covers the eUICC IoT lifecycle in structured form.

The threat model for an in-laboratory device is not the threat model for a field-deployed device. The first assumes a controlled adversary on a controlled network; the second assumes physical access and indefinite time. Four failure modes recur across every deployment that tried software-only identity and ended up replacing it.

Flash extraction. A microcontroller's external SPI flash — or its internal flash via a debug interface left enabled or recoverable — can be read out by an attacker with bench-top equipment. A private key stored as bytes in flash is bytes in an attacker's possession. Encryption-at-rest of the flash with a key derived from a hardware-fused root is the minimum bar; what a secure element gives is one level above: the key never reaches flash at all.

Firmware extraction with key reuse. Extracting one device's firmware reveals the cryptographic patterns the entire fleet uses. If the per-device key is derived from a shared master in firmware, the firmware extract yields the master. Once the master is out, the entire fleet's identity is reproducible by anyone. A hardware-rooted per-device identity has no master to leak.

Key cloning. A device whose identity is software-stored can be cloned: the bytes are copied to a second device, and now two devices present the same identity to the fleet PKI. A pseudonymous V2X deployment with cloned keys allows a single attacker to amplify a hazard signal across geographies it does not occupy. A hardware-bound identity cannot be cloned without copying the silicon — an attack that costs more than the deployment.

Fleet compromise from a single device. The compounding failure mode. A successful extract on one device, given software-only identity, yields the cryptographic technique used across the fleet. The marginal cost of compromising the second device is near zero. Hardware identity inverts this property: every device requires its own attack, against its own silicon, with no scaling discount. Whether the fleet is one device or one million, the per-device attack cost is the same.

Procurement-grade positioning needs an explicit boundary. The list below exists to keep this page useful to integrators and auditors who need to know where AmbiSecure stops and an OEM, a CA operator, or a system integrator picks up. None of these are aspirational omissions; they are the architectural shape of what AmbiSecure ships.

• Not a Root CA operator. AmbiSecure does not operate the Root Certificate Authority for any V2X, FIDO, or government-identity deployment. Root operation belongs to the regulator-designated entity (in India, CCA for V2X under the proposed framework). AmbiSecure integrates against an operator-run Root.
• Not a turnkey OBU or RSU vendor. The integrated radio + compute + secure element + application stack that constitutes a V2X OBU is an OEM product. AmbiSecure supplies the secure-element silicon and the applet platform that the OEM integrates.
• No claim of ISO 26262 (functional safety) or ASPICE (automotive software process) certification of the integrated AmbiSEC Module product. Automotive-grade certification of the integrated product is a target, not a present claim. The underlying secure-element silicon's CC EAL5+ certification is at the chip level and is the only certification claim made for AmbiSEC Module today.
• No claim of TRAI or government endorsement. The TRAI Consultation Paper of 30 April 2026 is referenced on this and adjacent pages as a public document defining the proposed framework for V2X security in India. References are descriptive, not endorsements.
• No named customer or deployment claims. Where this page or any V2X page refers to "city-scale" or "fleet-scale" deployments, the framing is architectural. Specific deployments, where they exist, are covered under NDA and not disclosed on the public site.
• No fabricated chip-vendor or silicon-partner claims. Component-level partnerships, where they exist, are disclosed only with vendor authorisation.

The Trust Center documents the certification posture and the disclosure practice in full. The Certifications page lists the standards AmbiSecure designs against and the one chip-level certification (CC EAL5+) that is formally held.