Currently, if I didn't misread the docs, the flow is for the provisioner device to have the customer key, which means that the key is accessible to it and the provisioning device itself needs to be super hardened. This seems like a security risk if you want to give the provisioner to an untrusted party to do the flashing en masse. Isn't it more common to generate a signed image and only distribute the public key? Or am I totally misreading the docs about how it works?