Page tree
Skip to end of metadata
Go to start of metadata

Assumptions

  • The SCMS instance created for the CV Pilots shall be separate from the SCMS PoC instance
  • The estimated duration of the CV Pilot project shall be seven years
  • All EE-specific CV Pilot certificates shall expire by the end of the estimated project duration
  • No component certificates shall have a starting date after the end of the estimated project duration
  • The private keys of all component certificates subordinate to the root shall be destroyed at the end of the estimated project duration
  • All components subordinate to the ICA have an in-use lifetime that is sufficiently short and requires at least one rollover (renewal) event during the estimated project duration
  • PKI hierarchy:
    • The ICA, policy generator, CRL generator and MA certificates shall be issued directly by the Root CA
    • The subtree below ICA is similar to that of the POC, i.e., it has one instance of all components: ECA, PCA, RA, and LA, but no DCM. There might be a DCM introduced at a later stage.

Certificate Lifetime Overview

The following table provides the certificate expiration and renewal periods to be used for CV pilot deployments.

NOTE for certificate example sizes:  FQDN range was 14-23 bytes, and at most 2 PSID's (4 bytes each) were used where applicable.

Certificate TypeIssuing CAExpirationIn UseRequest for RenewalStart of Validity for RenewalNumber of Concurrently Valid Certificates (In-Use [+ Legacy])Example Size in Bytes (Certs are Not Fixed Size)Notes

OBE Enrollment

ECA

6 months

6 months

anytime

variable, max 6 months

1

 87

 

OBE Pseudonym

PCA

1 week + 1 hour

1 week

Anytime

1 week

20 + 20 (for just 1 hour)

 91

Limit pseudo cert load to 6 months (520 certs)

OBE Identification

PCA

1 month + 1 hour

1 month

Anytime

1 month

1 + 1 (for just 1 hour)

 89

 

RSE Enrollment

ECA

1 year

1 year

anytime

variable, max 1 yr

1

109

 

RSE Application

PCA

1 week + 1 hour

1 week

Anytime

1 week

1 + 1 (for just 1 hour)

 

 

DCM

ICA

2 years + 1 week

2 years

3 months before end of In-use

2 years

1 + 1 (for just 1 week)

219

 

ECA

ICA

3 years

2 years

3 months before end of In-use

2 years

1 + 1

150 

 

RA

ICA

2 years + 1 week

2 years

3 months before end of In-use

2 years

1 + 1 (for just 1 week)

217 

 

LA

ICA

2 years + 1 week

2 years

3 months before end of In-use

2 years

1 + 1 (for just 1 week)

205 

 

PCA

ICA

1.5 years

1 year

3 months before end of In-use

1 year

1 + 1 (for 6 months)

216 

 

ICA

Root CA

5 years

4 years

3 months before end of In-use

4 years

1 + 1 (for 1 yr)

195

 

MA

Root CA

2 years + 1 week

2 years

3 months before end of In-use

2 years

1 + 1 (for just 1 week)

205

 

CRLG

Root CA

2 years + 1 week

2 years

3 months before end of In-use

2 years

1 + 1 (for just 1 week)

190

 

Policy Generator

Root CA

2 years + 1 week

2 years

3 months before end of In-use

2 years

1 + 1 (for just 1 week)

172

 

Root CA

Self

9 years

8 years

3 months before end of In-use

8 years

1 + 1 (for 1 yr)

211 

Elector

Self

6 years

6 years

3 months before end of In-use

6 years

3 (1 per elector)

166

At start, electors are staggered, so first expiration's are 2, 4, 6 yrs -

The initial elector certificates have an expiration and "in use" time of 2, 4 and 6 years, respectively; and thereafter 6 years with their renewals.

CV Pilot Certificate Expiration Timelines - Certificate Expiration and Renewal