You’re partially correct, but you’ve got enough details wrong details that you’re misrepresenting reality.
Matter has a public blockchain with certificates added to enforce which products are considered certified. This is called the distributed compliance ledger (DCL). The hardware devices are expected to ship with certificates on them that match the public ones, and it’s generally not possible to change the on-device certs.
This is distinct from “normal” internet PKI certificate authority where you can just swap out a few files or grab a new cert from Let’s Encrypt. Because this uses a dedicated blockchain with a history of signatures. Depending on how you want to control the device, you’d need to rebuild the whole chain of trust, including eg signatures from Google or Apple.
Also, from a practical perspective, I’m not sure of any actual controllers that let you point to different certificate sources. You can create devices with a “test vendor ID” (0xFFFF) and the controllers are supposed to ignore certs. This has downsides, like OTA updates require signing, you can’t encode proper identifiers in the device so info pages in apps are wrong, etc.
Also, the “border router” isn’t really the point of trust here, it’d be the actual controller device. A border router is just that, an IP router, like a WiFi router or a Ethernet router.
Matter has a public blockchain with certificates added to enforce which products are considered certified. This is called the distributed compliance ledger (DCL). The hardware devices are expected to ship with certificates on them that match the public ones, and it’s generally not possible to change the on-device certs.
This is distinct from “normal” internet PKI certificate authority where you can just swap out a few files or grab a new cert from Let’s Encrypt. Because this uses a dedicated blockchain with a history of signatures. Depending on how you want to control the device, you’d need to rebuild the whole chain of trust, including eg signatures from Google or Apple.
Also, from a practical perspective, I’m not sure of any actual controllers that let you point to different certificate sources. You can create devices with a “test vendor ID” (0xFFFF) and the controllers are supposed to ignore certs. This has downsides, like OTA updates require signing, you can’t encode proper identifiers in the device so info pages in apps are wrong, etc.
Also, the “border router” isn’t really the point of trust here, it’d be the actual controller device. A border router is just that, an IP router, like a WiFi router or a Ethernet router.
https://webui.dcl.csa-iot.org/