The SCMS POC software is operated in three different environments (locations) for three different purposes. Each environment has its own, independent Root CA, so a certificate issued in one environment is not trusted in any other.
SCMS Proof-of-Concept Connected Vehicle Pilot Environments Overview
The picture above shows these three environments and how they relate to each other:
- (CAMP) Test Stage (TEST): This environment is internal to CAMP, is not available to any outside stakeholders, and is used for SCMS development and testing.
- QA Stage (QA): This environment is publicly reachable over the Internet via IPv6 and IPv4. It is used to evaluate new SCMS software versions, bug fixes and enhancements, and it gives device developers a working system against which they can develop and test their devices. The level of security, and the security requirements placed on devices that use its certificates, are lower than in the Production stage.
- Production Stage (PROD): This environment has the highest level of security, uses a production-grade offline Root CA (with the CA's private key held in an HSM), and is strictly reserved for production devices, i.e. the devices of US DOT-approved CV Pilot participants. Approved devices that handle certificates issued by this system must implement all security requirements outlined in Use Case 2: OBE Bootstrapping (Manual), Secure Environment for Device Enrollment, and Hardware, Software and OS Security Requirements.
If a bug is detected in any of the stages, the SCMS software team analyzes the error, creates a new version of the SCMS POC software where required, and then applies the following deployment cycle:
- The new version is deployed to TEST and tested internally at CAMP.
- After successful testing and once stability is assured, the software is deployed to QA. Advance notice is given via this wiki's blog.
- After a few weeks of monitoring the new software in the QA stage, and after considering any feedback from the development community, the new version is deployed to PROD. US DOT approves this deployment, and advance notice is given via this wiki's blog.
SCMS Proof-of-Concept Connected Vehicle Pilot QA Environment
The QA environment can revoke certificates, but only manual revocation is supported. Bootstrapping is implemented as a manual enrollment, as documented in Use Case 2: OBE Bootstrapping (Manual).
Features to be added at a later date:
- Global Misbehavior Detection, to provide a (semi-)automatic way of revoking certificates based on misbehavior reports
- Automatic enrollment for selected device suppliers / operators
- Re-enrollment as documented in Use Case 20: EE Re-Enrollment
- Electors as documented in Elector-based Root Management
SCMS Proof-of-Concept Connected Vehicle Pilot PROD Environment
Initially, the PROD environment will not have an MA (Misbehavior Authority) and therefore cannot receive or handle misbehavior reports. To achieve the expected security level, the PROD stage uses a commercially available Root CA. The overall SCMS system has multiple levels of management, as seen in the SCMS PKI hierarchy:
- As the governance body, a Root CA Manager sits above the system and acts as its policy and technical arm. It is responsible for running and protecting the Root CA and for issuing the PG (Policy Generator), CRLG (CRL Generator) and ICA (Intermediate CA) certificates. Stakeholders that receive an ICA must follow the Root CA policies, e.g. the Certificate Policy.
- Below the Root CA Manager in the SCMS PKI hierarchy there can be multiple ICA Managers. The USDOT is considered an ICA Manager and will manage an ICA with the help of its policy and technical arm. The SCMS design supports many ICA Managers.
Because a single Root CA is shared, certain SCMS features only work if all ICA Managers cooperate with the Root CA Manager.
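The two structural points on this page, that every stage has its own independent Root CA and that device certificates are issued by an ICA sitting under that root, can be checked with a small chain-validation experiment. The program below is an added example; it is not part of the SCMS POC software or of this wiki. The real SCMS issues IEEE 1609.2 certificates, so this example substitutes X.509 certificates from Go's standard library, which have the same Root CA -> ICA -> end-entity chain structure. The stage names reuse TEST, QA and PROD from this page; the P-256 keys, serial numbers, certificate names and the "device" end-entity certificate are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Stages are the three SCMS POC environments; each gets its own Root CA.
var Stages = []string{"TEST", "QA", "PROD"}

// Environment models one stage: an independent trust anchor, one ICA issued by that root, and one device certificate issued by the ICA.
type Environment struct{ Name string; Root, ICA, EE *x509.Certificate }

var nextSerial int64 // constructed serials; a real CA tracks these durably

// template builds a minimal certificate; CA templates get the constraints and key usages a Root or ICA needs to sign below it.
func template(cn string, isCA bool) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and has parent sign the certificate.
// A nil parent yields a self-signed Root CA. Failures here are fatal for the example.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildEnvironment stands up one stage: Root CA -> ICA -> device certificate.
func BuildEnvironment(name string) *Environment {
	root, rootKey := issue(template(name+" Root CA", true), nil, nil)
	ica, icaKey := issue(template(name+" ICA", true), root, rootKey)
	ee, _ := issue(template(name+" device", false), ica, icaKey)
	return &Environment{Name: name, Root: root, ICA: ica, EE: ee}
}

// VerifyDevice checks that a device certificate chains through the supplied ICA to the supplied trust anchor.
// ExtKeyUsageAny switches off Go's default TLS-server EKU check, which has no meaning for a vehicle certificate.
func VerifyDevice(ee, ica, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ica)
	_, err := ee.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// TrustMatrix builds all stages and verifies every stage's device certificate against every stage's
// ICA and root, keyed "device-stage->anchor-stage". Only the diagonal should verify: a QA device is not trusted by PROD.
func TrustMatrix() map[string]bool {
	var envs []*Environment
	for _, n := range Stages {
		envs = append(envs, BuildEnvironment(n))
	}
	m := make(map[string]bool)
	for _, dev := range envs {
		for _, anchor := range envs {
			m[dev.Name+"->"+anchor.Name] = VerifyDevice(dev.EE, anchor.ICA, anchor.Root) == nil
		}
	}
	return m
}

func main() {
	fmt.Println(TrustMatrix()) // map keys print sorted
}
```

Running it shows the three diagonal entries (TEST->TEST, QA->QA, PROD->PROD) as verified and the six cross-stage entries as failed with an unknown-authority error. That is the practical consequence of independent roots: a device enrolled in QA holds nothing that PROD trusts, and the same holds in the other direction, so the stages cannot be confused even if a QA certificate is presented to a production system.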