by RomP 5095 days ago
How about the following schema for adding a new key to the list of Authorized Keys when NO AUTHORIZED KEY IS PRESENT:

* the procedure requires a module produced and sold by the manufacturer (*) to any garage that can verify its identity and satisfy the manufacturer's specified security requirements (e.g. owning a safe and having no history with local police);

  * each such module is unique. It contains unique public/private keys and its public key is signed by the manufacturer;

* the procedure of adding the key to the list of Authorized Keys requires the car (actually, its ECU) to only accept incoming requests signed by such modules whose public keys are signed by the manufacturer. When the key is added, the ECU stores:

  * the key info;
  * the module's unique ID (IMPORTANT);
  * timestamp + lat/long;

* if there are no old authorized keys present (a very rare scenario, since most of the time the owners want to replace just one lost/stolen key, but not both), the ECU requires a 15-minute grace period with the module attached at all times, during which the car is flashing its hazard lights and honking. It makes a small nuisance in the garage once in a while, but attracts enough attention in the middle of the night if somebody is stealing it.

Now, if the car is stolen and then recovered, the police would dump the list of authorization requests and identify the module used. If this module was stolen or copied, the garage that owned the module becomes responsible for the damage to the car's owner. The ID of the module is placed on the revocation list. The revocation list is broadcast via Sirius/XM/FM/BMW Assist/OnStar/Intelsat/etc.

This allows independent garages to work on the cars, but places enough responsibility on them for keeping the system secure, with an override mechanism in the form of revocation lists.

This method would NOT prevent all types of thefts (thugs can put the car on the flatbed and do the swap in the middle of the desert, or they can swap the ECU unit completely, or do some manipulations with the stolen "good" key), but it makes it significantly more difficult to authorize a new key and drive away.

(*) in case the manufacturer ceases to exist, some other company (another car manufacturer, perhaps) inherits the master key and will be responsible for authorizing garages to do key management.
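The ECU-side decision the post describes, as an added example that is not part of the original post: a module certificate signed by the manufacturer, a revocation list keyed by module ID, a stored record (key info, module ID, timestamp, lat/long) per accepted request, and the 15-minute grace period when no key is present. Ed25519 signatures, string module IDs and all type and function names are my assumptions; the post names none of them.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"time"
)

// Cert is a garage module's unique ID and public key, signed by the manufacturer.
type Cert struct {
	ID  string
	Pub ed25519.PublicKey
	Sig []byte // manufacturer's signature over ID || Pub
}
// KeyRecord is stored per accepted request so a recovered car identifies the module used.
type KeyRecord struct {
	KeyInfo  []byte
	ModuleID string
	When     time.Time
	Lat, Lon float64
}
type ECU struct {
	MfrPub  ed25519.PublicKey
	Revoked map[string]bool // module IDs received via the broadcast revocation list
	Keys    []KeyRecord     // authorized keys with their provenance
}
// certBytes is unambiguous because an Ed25519 public key is always 32 bytes.
func certBytes(c Cert) []byte { return append([]byte(c.ID), c.Pub...) }

// AddKey verifies one "add key" request and returns the grace period the ECU
// must enforce: 15 minutes of hazards and horn when no key was present, else 0.
func (e *ECU) AddKey(c Cert, keyInfo, reqSig []byte, now time.Time, lat, lon float64) (time.Duration, error) {
	switch {
	case len(c.Pub) != ed25519.PublicKeySize:
		return 0, errors.New("malformed module public key") // Verify would panic on it
	case !ed25519.Verify(e.MfrPub, certBytes(c), c.Sig):
		return 0, errors.New("module certificate not signed by manufacturer")
	case e.Revoked[c.ID]:
		return 0, errors.New("module ID is on the revocation list")
	case !ed25519.Verify(c.Pub, keyInfo, reqSig):
		return 0, errors.New("request not signed by the presented module")
	}
	var grace time.Duration
	if len(e.Keys) == 0 {
		grace = 15 * time.Minute // module must stay attached throughout
	}
	e.Keys = append(e.Keys, KeyRecord{keyInfo, c.ID, now, lat, lon})
	return grace, nil
}
```

The request signature here covers only the key info; binding it to the car's identity and a fresh nonce as well is what stops a captured request from being replayed against another ECU.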

1 comment

> the procedure requires a module produced and sold by the manufacturer

So now the manufacturer has yet another method of extorting would-be mechanics. You'd have to regulate pricing or aggressively prosecute attempts at anticompetitive tactics.

> in case the manufacturer ceases to exist...

And who goes to jail when the company folds and, in the fire sale, the master key is on a system that gets wiped when being transferred to the new owner? Key escrow sounds like a better idea to me. Perhaps legislation should specify the creation of a public agency, or maybe we could leave it to private competition.

As for the remainder of your points, I believe you're thinking in the right direction.