Page tree
Skip to end of metadata
Go to start of metadata
Target releaseRelease 1.1
Document owner
Reviewer

Goals

The goal of this use case is to define the messages and actions that allow a device to request new identification certificates from the RA.

Background and Strategic Fit

The OBE decides to request an identification certificate from its preconfigured RA. 

Having determined which RA to submit the request to, the OBE creates a request, signs it with the enrollment certificate, encrypts the signed request for the RA and sends it to the RA. The RA checks to make sure that the request is correct and authorized.

Assumptions

In order to facilitate the certificate request process, the following prerequisites should be met:

Process Steps

  1. The OBE downloads the Local Policy File (LPF) and the Local Certificate Chain File (LCCF) by using the API documented in RA - Download local policy file and RA - Download Local Certificate Chain File
    1. If there is an updated LCCF, the OBE applies all changes to its trust-store (necessary for PCA Certificate Validations)
    2. If there is an updated LPF, the OBE applies those changes
  2. The OBE creates the request, signs it with the enrollment certificate, encrypts the signed request for the RA and sends it to the RA using the API documented RA - Request Identification Certificate Provisioning.
  3. The RA ensures that the request is correct and authorized before it starts with Step 19.2: OBE Identification Certificate Generation

Error Handling 

  1. The OBE will abandon further interactions with the RA after a certain number of failed communication attempts resulted in errors
  2. The OBE will not attempt to execute the certificate provisioning process if it finds itself on the latest CRL (assumes that a willful violator has not compromised the device). The OBE will need to execute the certification/bootstrap process again to exit a revoked state.

Requirements

Key Status Summary Description justification notes Component/s
Loading...
Refresh

Use Case 19.1 - Requirements

Design

OBE-RA Communication

EE Request

The EE initiates the Certificate Provisioning Request message in order to provide the RA with critical information (key parameters, current time, etc.) necessary for the OBE identification certificate generation. New devices may experience some delay between the initial request and the time the first certificate is available for download to accommodate provisioning processes such as certificate generation and certificate encryption. The RA will store information from the initial Certificate Provisioning Request message and use for ongoing certificate pre-generation until:

  • The device provides new parameters in a subsequent Certificate Provisioning Request
  • The device is blacklisted at the RA due to misbehavior or malfunction

The Certificate Provisioning Request message shall be sent once for each unique request. No subsequent Certificate Provisioning Request is necessary to acquire new certificates.

Security / Privacy

The Certificate Provisioning Request message shall use signing and encryption to ensure:

  • The request has not been modified in transit
  • The RA can verify the message came from the device
  • The request is shared confidentially between the device and RA

The EE shall sign the request with the Enrollment Certificate. The EE shall also encrypt the request using the RA certificate and encapsulate in a 1609.2 frame of type encrypted. 

Message Contents

The EE shall use the ASN.1 defined for creating the Request Certificate message, details can be found at RA - Identification Certificate Provisioning Request . In order for a request to be validated by the RA, the EE shall include the following information in the Certificate Provisioning Request message:

  • Version
  • EE enrollment certificate
  • Butterfly public seed / expansion function (see Butterfly key for details) parameters for:
    • Certificate signing key (signed with enrollment certificate)
    • Response encryption key (to encrypt the created certificate towards EE)
    • Optionally certificate encryption key 
  • Current device time: 32-bit denoting number of seconds since the Epoch (as defined in 1609.2)
  • Requested certificate start time: 32-bit denoting number of seconds since the Epoch (as defined in 1609.2)

RA Response

The RA response to the Certificate Provisioning Request message may be accept (indicated by a Request Acknowledgement) or reject (indicated by a HTTP 500). Specific error codes should be hidden from EEs to avoid providing useful information to malicious actors. RA shall log the specific error for future investigation.

RA - EE Request Acknowledgement

The Request Acknowledge message is initiated by the RA in response to a Certificate Provisioning Request message successfully received from the EE. If the EE request is received and processed without triggering an error (invalid signature, blacklisted, etc.) the RA processes the certificate request and begins certificate pre-generation. The Request Acknowledge message provides the EE with the URL and the time where and at which the first certificates batches will be available for download.

Security / Privacy

The Request Acknowledge message shall use signing and encryption to ensure:

  • The request has not been modified in transit
  • The device can verify the message came from the RA
  • The request is shared confidentially between the device and RA

The RA shall sign and encrypt the Request Acknowledge message using the RA certificate and encapsulate in a 1609.2 frame of type encrypted. 

Message Contents

The RA shall use the ASN.1 defined for creating the Request Acknowledge message, which can be found at RA - Identification Certificate Provisioning Request and shall include the following information:

  • Case: Certificate Provisioning Request Accept
    • Version
    • Low order 8-bytes of the SHA-256 hash of the encoded "ToBeSigned" certificate request from the device. Returns 0 if RA cannot calculate hash of the original request.
    • Time at which the first certificate batches will be available for download (represented by IEEE 1609.2 Time32)
    • URL of the certificate repository (common for all devices serviced by an specific RA) 
  • Case: Certificate Provisioning Request Reject
    • HTTP-500 Error Code

EE Response

If the RA provides a positive acknowledgement (accept) to a Certificate Provisioning Request, the EE moves forward with the certificate batch download process using the provided URL and time both given in the acknowledge message.

If the EE does not receive an acknowledgement from the RA in response to the request within the defined time, the EE should retry. Several conditions may necessitate the EE sending the request more than once. This may be due to:

  • Request lost in transit (no TCP ack)
  • RA offline, unavailable or the RA network address has changed (EE must query DNS for latest RA network information)
  • The EE possesses an invalid RA certificate and cannot establish secure communications
  • The EE received HTTP-500 Error Code

The EE should not attempt to transmit the Request Certificate message without having completed the prerequisites.

ASN.1 Specification

Include Bitbucket Server for Confluence: File content cannot be shown

Unauthenticated access to this resource is not allowed. Please login to Confluence first.

Include Bitbucket Server for Confluence: File content cannot be shown

Unauthenticated access to this resource is not allowed. Please login to Confluence first.

Include Bitbucket Server for Confluence: File content cannot be shown

Unauthenticated access to this resource is not allowed. Please login to Confluence first.

Include Bitbucket Server for Confluence: File content cannot be shown

Unauthenticated access to this resource is not allowed. Please login to Confluence first.

Include Bitbucket Server for Confluence: File content cannot be shown

Unauthenticated access to this resource is not allowed. Please login to Confluence first.

Include Bitbucket Server for Confluence: File content cannot be shown

Unauthenticated access to this resource is not allowed. Please login to Confluence first.

1609dot2-schema.asn

1609dot2-base-types.asn