Page tree
Skip to end of metadata
Go to start of metadata

OBEs use this service to request the initial batch of Pseudonym Certificates. After the initial batch is requested, subsequent batches are automatically provisioned.

PORT8892
PATH/provision-pseudonym-certificate-batch
HTTP MethodPOST

HTTP Request Body

ASN.1 serialized SecuredPseudonymCertProvisioningRequest

HTTP Response BodySignedPseudonymCertProvisioningAck with a requestHash property containing the lower 8 bytes of the request hash. This value will identify this device for the download of the requested certificate. The reply property contains a PseudonymCertProvisioningAck with a certDLTime property containing the expected time for download of the requested batch, and a certDLURL property containing the URL where the batch can be downloaded.

Preconditions

  1. Policy referenced in the request message is previously known
  2. PLV Cache has at least one PLV chain
  3. Device is not revoked

Postconditions

None.

Error Handling

See "RA-EE Errors" in Overview of Used Error Codes

Quality of Service

Estimated values are per logical unit, meaning multiple individual nodes can contribute to achieve the desired level of service. This service will be used once for each initial provisioning request for each new OBE. There may also be a very small addition of OBEs re-requesting provisioning in order to update their parameters. However, this should be a low enough volume to have no significant impact on these calculations. 

Quality Metric
1 Year
3 Years
5 Years
10 Years
Throughput

(17,000,000 new vehicles)
/ 31,557,600 seconds/year

= .5 batch requests / second

(17,000,000 new vehicles)
/ 31,557,600 seconds/year

= .5 batch requests / second

(17,000,000 new vehicles)
/ 31,557,600 seconds/year

= .5 batch requests / second

(17,000,000 new vehicles)
/ 31,557,600 seconds/year

= .5 batch requests / second

Quality of Protection

  • RA protects access with HTTPS (TLS V1.2)
  • Supports at a minimum OpenSSL cipher suite ECDHE-ECDSA-AES128-SHA256
  • Uses certificate-based client authentication of data signed by the device enrollment certificate, validated at the application layer. This is a supplement to the one-way TLS authentication, to provide two-way authentication with a TLS/1609.2 hybrid scheme.
  • Incoming message is encrypted (within the ASN.1 message structure) with the RA Component certificate public key