Comment: Changed CV-Pilot to POC in Jira requirement filter

...

  1. Establish a reasonable root certificate expiration period (by shortening the EE Enrollment certificate expiration period from the previous 30 years, as mentioned in the Vehicle Safety Communications Security Studies Project (VSCS))
  2. Allow EE to use their existing enrollment certificate for authentication when requesting a rollover enrollment (Re-enrollment) certificate
  3. Minimize the number of root certificates that are valid at any time

...

Certificate lifetimes affect the security of PKI infrastructures. The longer a public/private key pair is in use, the greater the chance that the keys can be compromised. As computing power increases and technologies improve over time, cryptanalysis becomes a risk. For these reasons, excessively long-lived CA certificate lifetimes are undesirable.

...

Some certificate authorities may issue certificates that are not valid until a significant time in the future. Examples of this within the SCMS are pseudonym certificates and rollover enrollment certificates. As a recommendation, the validity lag for these certificates can be up to 3 years. For example, a pseudonym certificate generated (issued) today may have a "Valid from" date that is up to 3 years from now. The diagram below illustrates the impact of the validity lag on the lifetime of the issuing CA certificate.

...

  • This concept is mandatory for all certificates issued by the root CA and intermediate CA
  • The certificate's in-use and expiration shall be reduced by the same amount

Example of Mid-Sequence Certificates

...

PoC Certificate Expiration Timelines - Certificate Expiration and Renewal

| Certificate Type | Issuing CA | Expiration | In Use | Request for Renewal | Start of Validity for Renewal | Number of Concurrently Valid Certificates (In-Use [+ Legacy]) | Example Size in Bytes (Certs are Not Fixed Size) | Notes |
|---|---|---|---|---|---|---|---|---|
| OBE Enrollment | ECA | 6 years | 6 years | Anytime (see notes) | 6 years | 1 | 87 | Rollover certificate will be available no more than 3 years before start of validity. |
| OBE Pseudonym | PCA | 1 week + 1 hour | 1 week | Anytime | 1 week | 20 + 20 (for just 1 hour) | 86 | |
| OBE Identification | PCA | 1 month + 1 hour | 1 month | Anytime | 1 month | 1 + 1 (for just 1 hour) | 89 | |
| RSE Enrollment | ECA | 6 years | 6 years | Anytime (see notes) | 6 years | 1 | 87 | Rollover certificate will be available no more than 3 years before start of validity. |
| RSE Application | PCA | 1 week + 1 hour | 1 week | Anytime | 1 week | 1 + 1 (for just 1 hour) | 89 | |
| DCM | ICA | 3 years + 1 week | 3 years | 3 months before end of In-Use | 3 years | 1 + 1 (for just 1 week) | 219 | |
| ECA | ICA | 11 years | 2 years | 3 months before end of In-Use | 2 years | 1 + 5 | 150 | |
| RA | ICA | 3 years + 1 week | 3 years | 3 months before end of In-Use | 3 years | 1 + 1 (for just 1 week) | 217 | |
| LA | ICA | 3 years + 1 week | 3 years | 3 months before end of In-Use | 3 years | 1 + 1 (for just 1 week) | 205 | |
| PCA | ICA | 4 years | 1 year | 3 months before end of In-Use | 1 year | 1 + 3 | 216 | |
| ICA | Root CA | 13 years | 4 years | 3 months before end of In-Use | 4 years | 1 + 3 | 195 | |
| MA | Root CA | 4 years + 1 week | 4 years | 3 months before end of In-Use | 4 years | 1 + 1 (for just 1 week) | 205 | |
| CRLG | Root CA | 4 years + 1 week | 4 years | 3 months before end of In-Use | 4 years | 1 + 1 (for just 1 week) | 190 | |
| Policy Generator (PG) | Root CA | 4 years + 1 week | 4 years | 3 months before end of In-Use | 4 years | 1 + 1 (for just 1 week) | 172 | |
| Root CA (RCA) | Self | 17 years | 8 years | 3 months before end of In-Use | 8 years | 1 + 2 | 211 | |
| Elector | Self | 12 years | 12 years | 3 months before end of In-Use | 12 years | 3 | 166 | The initial elector certificates have an expiration and "in use" time of 4, 8 and 12 years, respectively. |
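
The "In-Use [+ Legacy]" column in the table above follows from the Expiration and In Use columns when each renewal becomes valid as the previous in-use period ends. The following is an added example, not part of the original page or the SCMS project; the 365-day year, the 30-day month and the function names are assumptions of the example, and the Elector row is left out.

```python
from datetime import timedelta

# Assumption for this example: 365-day years and 30-day months.
HOUR, WEEK = timedelta(hours=1), timedelta(weeks=1)
MONTH, YEAR = timedelta(days=30), timedelta(days=365)

# name: (expiration, in-use, (in-use count, legacy count)) copied from the table.
# In every row, renewal validity starts when the in-use period ends.
TABLE = {
    "OBE Enrollment": (6 * YEAR, 6 * YEAR, (1, 0)),
    "OBE Pseudonym": (WEEK + HOUR, WEEK, (20, 20)),
    "OBE Identification": (MONTH + HOUR, MONTH, (1, 1)),
    "RSE Application": (WEEK + HOUR, WEEK, (1, 1)),
    "DCM": (3 * YEAR + WEEK, 3 * YEAR, (1, 1)),
    "ECA": (11 * YEAR, 2 * YEAR, (1, 5)),
    "RA": (3 * YEAR + WEEK, 3 * YEAR, (1, 1)),
    "PCA": (4 * YEAR, 1 * YEAR, (1, 3)),
    "ICA": (13 * YEAR, 4 * YEAR, (1, 3)),
    "MA": (4 * YEAR + WEEK, 4 * YEAR, (1, 1)),
    "Root CA": (17 * YEAR, 8 * YEAR, (1, 2)),
}


def overlap(expiration, in_use, batch=1):
    """Return (in_use_count, legacy_count, time_at_peak) for back-to-back rollovers.

    Generation k is valid from k*in_use until k*in_use + expiration, so at most
    ceil(expiration / in_use) generations are valid at the same instant.
    """
    if in_use <= timedelta(0) or expiration < in_use:
        raise ValueError("need expiration >= in-use > 0")
    generations = -(-expiration // in_use)  # integer ceiling, no float rounding
    # Part of each in-use period during which all `generations` overlap.
    time_at_peak = expiration - (generations - 1) * in_use
    return batch, batch * (generations - 1), time_at_peak


def mismatches(table=TABLE):
    """Return the row names whose computed counts differ from the table."""
    bad = []
    for name, (expiration, in_use, expected) in table.items():
        counts = overlap(expiration, in_use, batch=expected[0])[:2]
        if counts != expected:
            bad.append(name)
    return bad


if __name__ == "__main__":
    for name, (exp, use, _) in TABLE.items():
        print(name, *overlap(exp, use)[1:])
```

The third return value is the overlap window the table annotates as "for just 1 hour" or "for just 1 week"; for rows such as ECA or Root CA it shows how long the full set of legacy certificates stays valid alongside the in-use one.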


Expiration, In-use, and Overlap Requirements

Jira query: project = SCMS AND issuetype = Requirement AND labels = "POC" and labels = "Certificate" and ( labels = "Expiration" or labels = "InUse" ) order by component ASC


Overview Diagrams

The following diagrams illustrate the expiration period of various certificate types. The diagrams show only the specific duration of the certificate (valid from and to dates) and do not account for setup time (request generation, signing ceremony, distribution, etc.). Each section shows the life of a single instance of a component under typical (non-compromised) conditions. If multiple instances exist, they would follow a similar pattern, but the specific dates may be shifted within the validity period.

...