Page tree
Skip to end of metadata
Go to start of metadata
Target releaseRelease 1.0
Document owner
Reviewer

Goals

The goal of this use case with its collection of subsequent steps is to describe the procedures for adding backend SCMS components to the system. In all cases, before a component can be added it must first be setup correctly using the appropriate Component Setup use case.

Assumptions

  • All components that will be added to the SCMS have already been configured using the appropriate Component Setup use case
  • All components that will be added to the SCMS have been certified and approved through a process defined by the SCMS Manager
  • The addition of any new SCMS component is coordinated and managed by an authorized agent of the SCMS Manage or local ICA Manager
  • Many of the steps in the component add procedure are defined as "manual" and are not fully specified or defined in SCMS requirements. The details for these procedures will be defined by individual implementations. The goal of the SCMS requirements and these use cases are to preserve the security and integrity of the SCMS system and ensure compatibility among individual SCMS components while granting significant latitude for diverse implementations.

Conditions

A new SCMS component may be added under five conditions. In many cases, these conditions require the same add procedure, but there are situations where the procedure is very different. The five conditions are defined here. Individual component use cases will describe the procedure for adding the new component or managing the transition to the component's parameters.

  1. Net New
    1. This is the case where a net-new component is being added to the SCMS. This new component will be configured to receive and process messages from other components.
    2. New components are assumed to have internal storage that is prepared to store new data, but that is in a state that is initially cleared.
  2. SCMS Certificate Retired and Re-Issued
    1. Most SCMS components have an SCMS certificate that has a useful life that is shorter than the expiration time for the certificate. At the end of this useful life, the old certificate is retired and an ICA or root CA will issue a new certificate.
    2. When a certificate is retired, previous signatures issued by that component may still be trusted, so normal operation may resume without the need to re-certify any sub-components.
  3. Component Decommissioned and Replaced
    1. An SCMS component may be securely decommissioned and replaced. At a high level, this implies that the private key is securely destroyed or the physical device is put into secure storage. When this happens, the SCMS Manager or local ICA Manager may determine that the component's SCMS certificate does not need to be revoked.
    2. In this situation, a replacement component may share the same network address as the original component and it may be possible to transfer securely the internal storage of the original component to the new device. However, the replacement component will have a new SCMS certificate.
    3. Note that this condition is very similar to a retired SCMS certificate, but in this case, the component is being replaced with a new device and it may happen prior to the planned end of useful life for the original SMCS certificate.
  4. SCMS Certificate Revoked, Component Replaced or Re-Certified
    1. When a component's certificate is revoked, it may be necessary to replace or re-certify the component.
    2. In this situation, the replacement (or re-certified) component is assumed to have the same network address (but it will require a new TLS certificate) as the original component but it will have a new key pair, new SCMS certificate, and the component's internal memory will be cleared.
  5. Certifying SCMS Certificate Revoked, Component Re-Certified
    1. When any higher level CA in the chain that issued a component's SCMS certificate is revoked, then the component' SCMS certificate shall also be treated as untrusted and implicitly revoked.
    2. When this happens, the SCMS Manager or local ICA Manager may determine that the impacted components can be re-certified and re-used.
    3. As in the case where the device itself is revoked, the component may retain the same network address (and possibly the same TLS certificate), but it will have a new SCMS certificate and the internal storage may be cleared.
    4. Note that this condition is very similar to the case where the SCMS certificate of the component is revoked and is treated as equivalent in most of the component add use cases.

Design