Bug description
The Device Client Onboarding sequence diagram shows "Secure API Usage with Signed Payloads can now begin" after the onboarding completes.
However, the spec correctly states:
Requests to this endpoint MUST be authenticated using the HTTP Message Signature method
The diagram should show that the POST /onboarding request itself is signed. Otherwise, anyone with a device's public certificate could impersonate it.
Proposed fix
Update the diagram to show signature verification on the onboarding request.
Anything else (optional)
No response
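The impersonation risk named in the bug description, as an added example that is not part of the original issue or the project's code: a server that verifies an HTTP Message Signature (RFC 9421) on POST /onboarding rejects a caller who only knows the device's public key. The covered components, the Ed25519 keys, the key id, the URL and all type and function names are assumptions made for illustration; the issue only states that the request must use HTTP Message Signatures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Request is a constructed stand-in for a POST /onboarding call.
type Request struct {
	Method, TargetURI string
	Body, Signature   []byte // Signature: raw bytes from the Signature header
}

// Assumed signature parameters; the spec's real covered components may differ.
const sigParams = `("@method" "@target-uri" "content-digest");created=1700000000;keyid="device-cert"`

// signatureBase builds the RFC 9421 signature base for the components above.
func signatureBase(r Request) []byte {
	sum := sha256.Sum256(r.Body)
	return []byte(fmt.Sprintf("\"@method\": %s\n\"@target-uri\": %s\n\"content-digest\": sha-256=:%s:\n\"@signature-params\": %s",
		r.Method, r.TargetURI, base64.StdEncoding.EncodeToString(sum[:]), sigParams))
}

// Sign is the device side: it needs the private key, not just the certificate.
func Sign(r Request, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, signatureBase(r))
}

// Verify is the server side, using the public key from the device certificate.
func Verify(r Request, pub ed25519.PublicKey) bool {
	return len(r.Signature) == ed25519.SignatureSize && ed25519.Verify(pub, signatureBase(r), r.Signature)
}

// Demo checks a genuine request, one signed without the device key, and one altered after signing.
func Demo() (genuine, impersonated, tampered bool) {
	devSeed, otherSeed := sha256.Sum256([]byte("device")), sha256.Sum256([]byte("other")) // constructed test seeds
	dev, other := ed25519.NewKeyFromSeed(devSeed[:]), ed25519.NewKeyFromSeed(otherSeed[:])
	pub := dev.Public().(ed25519.PublicKey) // what the server learns from the certificate
	req := Request{Method: "POST", TargetURI: "https://server.example/onboarding", Body: []byte(`{"device":"demo"}`)}
	req.Signature = Sign(req, dev)
	imp, tam := req, req
	imp.Signature = Sign(imp, other)        // caller holds the certificate but not the device key
	tam.Body = []byte(`{"device":"other"}`) // body changed, original signature kept
	return Verify(req, pub), Verify(imp, pub), Verify(tam, pub)
}

func main() { fmt.Println(Demo()) }
```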