(1) Worker is provided credentials by the Asset Owner.
(2-a) EITHER devices are on-boarded into the Asset DB via an LDevID,
(2-b) OR devices store the JWT signing authority chain from the JWT when first accessed after a factory reset.
Plant premises
This onboards the worker's mobile in the Asset DB.
This should only have to be done once.
An asset owner requests an "Access Token" for a worker.
The token is stored in the Asset DB for later retrieval by the worker.
The token is not confidential and can be sent via email to the worker.
For this demo we just copy-paste the token.
...
Field work (Bluetooth, no internet)
Worker uses mobile to access the device over Bluetooth.
The device only accepts a properly signed token, issued to that specific mobile/worker, unlocked by the worker's credentials.
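The device-side check described above, sketched as an added example (not code from the demo or its project): the device verifies the Asset Owner's signature offline, then requires the mobile to sign a fresh device nonce with the key the token is bound to. Assumptions: Ed25519 (EdDSA) signatures, the claim names `sub`/`aud`/`exp`/`cnf`, a single trusted public key standing in for the signing authority chain, and a mobile key that the worker's credentials unlock on the phone; `Claims`, `Issue`, `Verify` and all sample values are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
type Claims struct { // assumed layout; the page does not define the token's fields
	Sub string `json:"sub"` // worker
	Aud string `json:"aud"` // device the token was issued for
	Exp int64  `json:"exp"` // expiry, Unix seconds
	Cnf string `json:"cnf"` // base64url Ed25519 public key of the worker's mobile
}
func Issue(owner ed25519.PrivateKey, c Claims) string { // Asset Owner side: compact JWS
	p, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(p)
	return in + "." + b64.EncodeToString(ed25519.Sign(owner, []byte(in)))
}
// Verify is the device side and needs no network. The algorithm is pinned in code; the header's "alg" is never consulted.
func Verify(trusted ed25519.PublicKey, deviceID, token string, nonce, proof []byte, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(trusted, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, fmt.Errorf("token not signed by the trusted authority")
	}
	var c Claims
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil || c.Aud != deviceID || now >= c.Exp {
		return nil, fmt.Errorf("token unreadable, expired or issued for another device")
	}
	mobile, err := b64.DecodeString(c.Cnf)
	if err != nil || len(mobile) != ed25519.PublicKeySize || !ed25519.Verify(mobile, nonce, proof) {
		return nil, fmt.Errorf("caller does not hold the key the token is bound to")
	}
	return &c, nil
}

func main() { // constructed keys, names and nonce, for demonstration only
	ownerPub, owner, _ := ed25519.GenerateKey(nil)
	mobilePub, mobile, _ := ed25519.GenerateKey(nil)
	tok, n := Issue(owner, Claims{"worker-7", "pump-12", 2000, b64.EncodeToString(mobilePub)}), []byte("nonce-1")
	fmt.Println(Verify(ownerPub, "pump-12", tok, n, ed25519.Sign(mobile, n), 1000))
}
```

Because the token alone proves nothing without the mobile's key, it can travel by email as the page says; the device must draw a new random nonce for every connection so a recorded proof cannot be replayed.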