Target release: Release 1.1

Goals

The intended use of the Global Certificate Chain File (GCCF) and Local Certificate Chain File (LCCF) is to facilitate the distribution of certificates among SCMS components and EEs. Collecting certificate chains into these files will significantly reduce the need for collaborative distribution of certificates. These files will be the primary mechanism to inform components and EEs about new certificates in the system including replacements for components that have been revoked or whose certificates have expired or retired.  

Structure

The GCCF shall contain a copy of all SCMS component certificates. It will also contain the root certificate endorsement signed by electors and any elector endorsements for newly added electors. Specifically, it will contain endorsements for all electors' certificates that have been added since the launch of the SCMS and are still valid.

Each RA will create an LCCF that contains, at a minimum, all of the PCA certificate chains that are used to issue pseudonym certificates for its EEs (this is to support P2P certificate distribution) and the SCMS certificates of all components that the EE must interact with or trust (RA, MA, CRLG, Root CA and elector endorsements). Optionally, an RA may choose to provide other PCA certificate chains in the LCCF. Any EE connecting to its associated RA shall get the current LCCF if the RA has a later version than the EE. For the POC, all content in GCCF will be contained in the required section of LCCF and these files will be created manually. The GCCF and LCCF are not signed as each certificate within the file has a signature. The recipient of a GCCF or LCCF must validate all signatures up to a trusted CA prior to trusting certificates in these files.

Example: Suppose that, for a particular EE, the RA uses PCA1 and PCA2 to generate its pseudonym certificates. The RA must then provide full certificate chains for PCA1 and PCA2 in the LCCF. The RA may choose to provide certificate chains for other PCAs as well.

Using this LCCF, EEs will be able to:

  • Validate certificates generated by their PCA
  • Respond to a certificate request in P2P certificate distribution protocol
  • Validate certificates signed by any other PCA that the RA included in the LCCF

In order to validate certificates signed by PCAs that were not included in the LCCF, the EE must request the PCA certificate chains from other EEs via collaborative distribution. The EE must validate all PCA certificate chains obtained via collaborative distribution.  

Access & Download

To download the LCCF, the EE will retrieve it from a URL defined in RA - Services View.

The EE will download the files via an HTTP GET request, analogous to the mechanism used to download the pseudonym certificate batch files.

Format

The following diagram shows the relationship between GCCF and LCCF. Note that GCCF and LCCF do not contain initial elector or root CA certificates. However, they contain subsequent ballots endorsing elector and root CA certificates, as well as those new certificates themselves.

Relationship GCCF-LCCF

The following diagram shows the structure of GCCF and LCCF.

GCCF/LCCF Structure

Global Certificate Chain File (GCCF) Generation:

The PG creates the GCCF and makes it available to all RAs whenever there is an update. The file shall carry a version number for updating purposes. Note that version numbers are for management purposes only and do not serve any security purpose: the version number indicates that the content of the file has changed; it is not an indicator of the validity of that content. For the POC, the creation of the GCCF is a manual process.

The GCCF structure shall contain the following elements:

| Element | Notes |
|---|---|
| version | This is a 16 bit unsigned integer that represents a unique identifier for this GCCF. It is generated by the PG when the GCCF is published (note that this value is not signed by the PG, it is for informational purposes only). |
| certStore | This is a structure that holds the values listed in the following table. |

Elements of certStore:

| Element | Notes |
|---|---|
| rootCAEndorsements | One or more root certificates with signatures from at least 'n' valid electors where n >= the value of quorum defined in the GPF |
| electorEndorsements | List of electors that have been added since the launch of this instance of the SCMS (initial electors are not listed in the GCCF) with signatures from at least 'n' valid electors (not including the one endorsed) where n >= the value of quorum defined in the GPF |
| maCertificate | MA certificate |
| certs | List of certificates - Note that it is the responsibility of the generator of this file (the PG in the case of GCCF) to ensure that the list contains a complete chain with all signers required to validate any certificate on the chain all the way up to the root CA |

GCCF Structure Elements

Note that for the PoC, the GCCF will contain all certificates for all SCMS components.  

Creation of Local Certificate Chain File (LCCF)

The RA creates the LCCF and makes it available to all EEs whenever there is an update. For the POC, the creation of LCCF is a manual process. It is up to OEMs or other authorized RA operators to decide whether they want to use the complete GCCF as their LCCF, or create only a specific, proprietary LCCF using limited, pertinent information from the GCCF.

The LCCF structure shall contain the following elements:

| Element | Notes |
|---|---|
| version | This is a structure that holds the values listed in the version table below. |
| requiredCertStore | This is a structure that holds the values listed in the requiredCertStore table below. |
| optionalCertList | This is a list of certificates. This list may include any additional certificates that the generating RA chooses to include. It should not duplicate any certificates already contained in the requiredCertStore. |

Elements of version:

| Element | Notes |
|---|---|
| gccfVersion | This is the version number of the GCCF that was used to generate this LCCF |
| lccfVersion | This 16-bit, unsigned integer is a unique ID for this version of the LCCF that was derived from the specific GCCF on which it is based. The RA that issued this LCCF assigns this value. |
| raHostname | The fully qualified domain name (FQDN) of the RA that generated this file |

Elements of requiredCertStore:

| Element | Notes |
|---|---|
| rootCAEndorsements | The content of this field MUST be identical to the root CA endorsement list contained in the GCCF on which this file is based |
| electorEndorsements | The content of this field MUST be identical to the elector endorsement list contained in the GCCF on which this file is based |
| maCertificate | MA certificate |
| certs | List of certificates - This must include the full certificate chain for the root itself and for all ECAs and PCAs that it services. There may be other required content based on current SCMS policy. |

LCCF Structure Elements

Note that for PoC, the requiredCertStore will contain the full certificate chains for all PCAs and the optionalCertList will be empty.  
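An added example, not part of the SCMS specification or project code: a structural check an RA operator could run on an LCCF before publishing it, covering the rules stated in the tables above (endorsement lists identical to the GCCF, no duplicates in optionalCertList, a complete chain for every certificate). The Python dict layout, the `id`/`issuer` keys and the sample values are assumptions; the check is structural only, so the recipient must still validate all signatures up to a trusted CA.

```python
# Added example, not SCMS project code. The dict layout, the "id"/"issuer" keys
# and all sample values are assumptions; no signature is verified here.
def unchained(certs, trust_anchors):
    """Return ids of certs whose issuer chain never reaches a trust anchor."""
    by_id = {c["id"]: c for c in certs}
    broken = []
    for cert in certs:
        seen, issuer = {cert["id"]}, cert["issuer"]
        while issuer not in trust_anchors:
            if issuer not in by_id or issuer in seen:  # missing signer or loop
                broken.append(cert["id"])
                break
            seen.add(issuer)
            issuer = by_id[issuer]["issuer"]
    return broken

def lint_lccf(lccf, gccf, trust_anchors):
    """Return findings for an LCCF built from gccf; empty list means clean."""
    ver, req, findings = lccf["version"], lccf["requiredCertStore"], []
    for name in ("gccfVersion", "lccfVersion"):
        if not 0 <= ver[name] <= 0xFFFF:
            findings.append(f"{name} outside 16-bit unsigned range")
    if ver["gccfVersion"] != gccf["version"]:
        findings.append("gccfVersion does not match the source GCCF")
    for name in ("rootCAEndorsements", "electorEndorsements"):
        if req[name] != gccf["certStore"][name]:
            findings.append(f"{name} differs from the GCCF")
    required_ids = {c["id"] for c in req["certs"]}
    for c in lccf["optionalCertList"]:
        if c["id"] in required_ids:
            findings.append(f"optionalCertList duplicates {c['id']}")
    for cid in unchained(req["certs"] + lccf["optionalCertList"], trust_anchors):
        findings.append(f"incomplete chain for {cid}")
    return findings

# Constructed sample data; "root" stands for the EE's pre-installed trust anchor.
ICA, PCA1 = {"id": "ica", "issuer": "root"}, {"id": "pca1", "issuer": "ica"}
PCA2 = {"id": "pca2", "issuer": "ica2"}  # signer "ica2" is absent from the file
GCCF = {"version": 7, "certStore": {"rootCAEndorsements": ["root-v2"],
                                    "electorEndorsements": ["elector-4"]}}

def sample_lccf(gccf_ver, lccf_ver, elector_end, optional):
    return {"version": {"gccfVersion": gccf_ver, "lccfVersion": lccf_ver},
            "requiredCertStore": {"rootCAEndorsements": ["root-v2"],
                                  "electorEndorsements": elector_end,
                                  "certs": [ICA, PCA1]},
            "optionalCertList": optional}
GOOD = sample_lccf(7, 3, ["elector-4"], [])
BAD = sample_lccf(6, 70000, [], [PCA1, PCA2])
```

`lint_lccf(GOOD, GCCF, {"root"})` returns an empty list, while the `BAD` file yields one finding per violated rule.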

Use Cases Affected 

  1. Use Case 1: SCMS Component Setup
  2. Use Case 2: OBE Bootstrapping (Manual) and Use Case 12: RSE Bootstrapping (Manual)
    1. During bootstrap, the device gets all the necessary certificates: ECA, RA, MA, and LCCF
  3. Step 3.3: Initial Download of Pseudonym Certificates, Step 3.5: Top-off Pseudonym Certificates, Step 13.3: Download RSE Application Certificate, Step 19.3: Initial Download of OBE Identification Certificates, and Step 19.5: Top-off OBE Identification Certificates
    1. RA provides the updated LCCF
  4. Use Case 11: Backend Management

Requirements


Use Case 18.4 - Requirements

ASN.1 Definition
