Intel is recommending that EPID become the standard across the industry for use in authentication of devices in the Internet of Things (IoT) and in December 2014 announced that it was licensing the technology to third-party chip makers to broadly enable its use.
In 1999 the Pentium III added a Processor Serial Number (PSN) as a way to create an identity for securing endpoints on the internet.[7]
Building on the asymmetric cryptography and group-key schemes that were improving at the time, Intel Labs researched and then standardized a way to obtain the benefits of the PSN while preserving privacy.
In Intel's current usage, the Intel Key Generation Facility acts as the issuer, an Intel-based PC with an embedded EPID key acts as a member, and a server (possibly running in the cloud) acts as the verifier, on behalf of some party that wishes to know that it is communicating with a trusted component in a device.
In recent years EPID has been used for attestation of applications in the platforms used for protected content streaming and financial transactions.
It is anticipated that EPID will become prevalent in IoT, where key distribution inherent in the processor chip and the optional privacy benefits will be especially valued.
Data Protection Technology (DPT) for Transactions is a product for performing two-way authentication between a point-of-sale (POS) terminal and a backend server based on EPID keys.
Using hardware roots of trust based on EPID authentication, the initial activation and provisioning of a POS terminal can be performed securely with a remote server.
In general, EPID can be used as the basis to securely provision any cryptographic key material over the air or down the wire with this method.
The peer expects a particular type of service or data structure but likely doesn't need to know about device failover, replacement or repair.
In many cases, peer networks do not want to track such changes, since doing so could require maintaining context across multiple certificates and device lifecycles.
Where privacy is also a consideration, the details of device maintenance, failover, load balancing and replacement cannot be inferred by tracking authentication events.
Thus the privacy of onboarding is preserved, and adversaries can no longer collect authentication data to build attack maps for later use when future IoT device vulnerabilities are discovered.
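The issuer/member/verifier split and the unlinkability argument above, as an added example that is neither Intel's code nor EPID's algorithm: EPID is a pairing-based group signature with a single group public key, so this Python block substitutes a small Schnorr-style ring signature over toy parameters, which exhibits the same verifier-side property the text relies on, namely that the verifier checks membership against group-level public data and never receives a device identity, so authentication events cannot be tied to a particular device. All function names, parameters and group sizes are assumptions.

```python
import hashlib
import secrets

# Toy parameters (constructed, NOT EPID's): a safe prime p = 2q + 1 and a
# generator g of the order-q subgroup. Far too small for real use.
P, Q, G = 10007, 5003, 4
assert pow(G, Q, P) == 1 and G != 1

def issuer_setup(n_devices):
    """Issuer role: provision one private key per device, publish the group.
    (Real EPID publishes one group public key; a ring of per-member public
    keys is the simplest construction with the same verifier-side property.)"""
    privs = [secrets.randbelow(Q - 1) + 1 for _ in range(n_devices)]
    group_pub = [pow(G, x, P) for x in privs]
    return privs, group_pub

def _chal(msg, group_pub, point):
    """Fiat-Shamir challenge, reduced into the exponent group."""
    h = hashlib.sha256(repr((msg, group_pub, point)).encode()).digest()
    return int.from_bytes(h, "big") % Q

def member_sign(msg, group_pub, index, priv):
    """Member role: AOS-style ring signature proving membership only."""
    n = len(group_pub)
    c = [0] * n
    r = [0] * n
    alpha = secrets.randbelow(Q - 1) + 1
    c[(index + 1) % n] = _chal(msg, group_pub, pow(G, alpha, P))
    i = (index + 1) % n
    while i != index:                       # simulate every other member
        r[i] = secrets.randbelow(Q - 1) + 1
        t = pow(G, r[i], P) * pow(group_pub[i], c[i], P) % P
        c[(i + 1) % n] = _chal(msg, group_pub, t)
        i = (i + 1) % n
    r[index] = (alpha - c[index] * priv) % Q   # close the ring with our key
    return (c[0], r)

def verifier_check(msg, group_pub, sig):
    """Verifier role: takes only the group's public data and the signature;
    there is no device-identity input, so events cannot be linked per device."""
    c0, r = sig
    c = c0
    for i in range(len(group_pub)):
        t = pow(G, r[i], P) * pow(group_pub[i], c, P) % P
        c = _chal(msg, group_pub, t)
    return c == c0
```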