Trusted code groups
As discussed earlier, digital signatures in Brew MP allow for a single certificate authority to support and enable multiple signing authorities through the issuance of signing certificates. Similar to constraining what privileges a signing authority may allow, the certificate authority may constrain the devices for which a signing authority may authorize code through the use of trusted code groups (TCGs).
By design, a TCG is a unique identifier. The most familiar use of a TCG is to indicate a specific mobile network operator or mobile service provider.
Example - TCG as carrier identifier
Devices shipped by a mobile network operator may include a certificate authority's root certificate configured for a single TCG. (In this case, the TCG is sometimes referred to as a Carrier ID.) In the simplest case, that same mobile network operator may have contracted with one signing authority, whose signing certificate may be similarly constrained (by the certificate authority upon issuance) to a single TCG. Thus the signing authority has only been delegated the ability to authorize code that executes on the devices of that mobile network operator.
Example - TCG as service provider identifier
TCGs can be used to identify and independently authorize a mobile service provider (e.g. an application aggregator and distributor). Such providers may choose to function as their own signing authority under their own TCG. If a mobile network operator decides to enable the service provider, it does so by having its devices configured with the necessary root certificate with the service provider's TCG.
What TCGs are authorized on a Brew MP device?
For an application to run on a Brew MP device, one of the TCGs in the signing certificate must be listed in the corresponding root certificate configuration on the device.
The manufacturer can configure a device to be globally constrained to a set of TCGs. These devices will only run code where the globally configured TCG in the signing certificate is listed in the corresponding root certificate configuration.
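The two rules above, modelled as an added example (this is not Brew MP code or its API), applied to the carrier and service provider cases described earlier. The TCG values, the root certificate name and the class and function names are constructed for illustration; signature and chain validation are assumed to have already succeeded, and the global constraint is read here as requiring the matching TCG to also be in the device's global set.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed TCG values for illustration; not real carrier or provider IDs.
CARRIER_A, CARRIER_B, PROVIDER_X = 0x1001, 0x1002, 0x2001

@dataclass(frozen=True)
class SigningCert:              # hypothetical model, not a Brew MP structure
    issuer_root: str            # root certificate the signing certificate chains to
    tcgs: FrozenSet[int]        # TCGs set by the certificate authority at issuance

@dataclass(frozen=True)
class Device:                   # hypothetical model of the device configuration
    root_tcgs: Dict[str, FrozenSet[int]]          # TCGs configured per root certificate
    global_tcgs: Optional[FrozenSet[int]] = None  # manufacturer's global constraint

def authorize(device: Device, cert: SigningCert) -> Tuple[bool, str]:
    """Return (allowed, reason); signature validation is assumed already done."""
    configured = device.root_tcgs.get(cert.issuer_root)
    if configured is None:
        return False, "no corresponding root certificate on the device"
    matched = cert.tcgs & configured
    if not matched:
        return False, "no signing-certificate TCG is listed for that root"
    if device.global_tcgs is not None:
        # Assumed reading: the matching TCG must also be a globally configured one.
        matched &= device.global_tcgs
        if not matched:
            return False, "matching TCG is outside the device's global TCG set"
    return True, "authorized under " + ", ".join(hex(t) for t in sorted(matched))

ROOT = "root-ca"  # constructed root certificate name
carrier_cert = SigningCert(ROOT, frozenset({CARRIER_A}))
foreign_cert = SigningCert(ROOT, frozenset({CARRIER_B}))
provider_cert = SigningCert(ROOT, frozenset({PROVIDER_X}))

carrier_only = Device({ROOT: frozenset({CARRIER_A})})
provider_enabled = Device({ROOT: frozenset({CARRIER_A, PROVIDER_X})})
globally_locked = Device({ROOT: frozenset({CARRIER_A, PROVIDER_X})},
                         global_tcgs=frozenset({CARRIER_A}))

if __name__ == "__main__":
    for dev_name, dev in [("carrier_only", carrier_only),
                          ("provider_enabled", provider_enabled),
                          ("globally_locked", globally_locked)]:
        for cert_name, cert in [("carrier", carrier_cert), ("foreign", foreign_cert),
                                ("provider", provider_cert)]:
            print(dev_name, cert_name, authorize(dev, cert))
```

The `globally_locked` device shows the failure mode worth checking during provisioning: the provider's TCG is present in the root certificate configuration, yet the provider's code is still refused because the global set excludes it.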
Subsequent chapters present a more detailed discussion on how to configure TCGs in Brew MP devices and signing certificates.