Background and Goals

The bootstrap process enables the OBE to interact with the SCMS.

Bootstrapping is executed at the start of the OBE's lifecycle. At the start of bootstrapping, the OBE has no SCMS certificates and no knowledge of how to contact the SCMS. At the end of bootstrapping the OBE has the following:

  • Certificates and information that allows an OBE to trust the SCMS:
    • The required Root CA certificate(s), optional Intermediate CA and Pseudonym CA certificates to allow it to verify received messages. The OBE can learn unknown PCA and ICA certificates in ongoing operation as defined in IEEE 1609.2 P2P CD. At minimum, any EE needs the certificate chain of the PCA that issued certificates to it.
    • The latest CRL (includes the CRL Generator certificate, which in turn includes the FQDN of the CRL store)
    • The MA certificate to encrypt misbehavior reports, before submitting them to the RA
  • Credentials and information allowing an OBE to communicate with the SCMS:
    • A correctly issued enrollment certificate, private key reconstruction value, and ECA certificate.
    • The RA certificate (which includes the FQDN of the RA).

Bootstrapping must protect the OBE from getting incorrect information, and the ECA from issuing a certificate to an unauthorized OBE. Any bootstrapping process that results in secure placement of this information on an OBE device is acceptable.

Assumptions and Preconditions

  • A documented procedure for performing the enrollment process.
  • A “secure environment”, as defined in Secure Environment for Device Enrollment, which ensures that the OBE is under control of the operator running the bootstrapping operation.

  • One or more authorized devices (computers) for managing the enrollment process.
  • An activity log or recording of the enrollment operations performed.
  • A user account at the USDOT workflow tool.

Process Steps

Manual Bootstrapping Process - QA Environment

The CV Pilot will initially use a manual bootstrapping process that combines device initialization and enrollment. The following process applies to the SCMS QA stage. The vendor will initiate this process by requesting device initialization information and enrollment certificate from a DOT Workflow Approval tool, as depicted in this process:


Step | Actor | Description | Status | Assignee

Step 1 (Actor: Vendor)

Logs into CVCS Samanage, initiates an enrollment certificate request. There is a dedicated form for that.

Status: New
Assignee: USDOT

Step 2 (Actor: USDOT)

Logs into CVCS Samanage and reviews the enrollment certificate request form. They ensure that:

  • The vendor is on the list of known vendors for CV device manufacture.
  • If the request is not correct, USDOT will deny the request, and the vendor will need to correct the request and resubmit through Step 3.

USDOT personnel approve the request if it meets the above criteria, and USDOT sends the request back to the vendor for them to add the enrollment certificate signing request.

Status: Awaiting Customer Input
Assignee: Leidos

Step 3 (Actor: Vendor)

In its secure environment, the vendor generates a verification key pair in each OBE (see Public Key Algorithms in CB2: Types of Cryptographic Algorithms). The private key is used to sign the enrollment certificate request (CSR) in step 4. The public key is added to the request and is subsequently used by the ECA as input for calculating the public value within the implicit certificate issued at the end of this process.
NOTE: The verification key pair must be generated using an algorithm approved for use (see Approved Cryptographic Algorithms, Approved Random Number Generators). Best practice is to generate the verification key pair inside the EE's HSM and the private key never leaves the EE.

Status: Awaiting Customer Input
Assignee: Leidos

Step 4 (Actor: Vendor)

The vendor in a secure environment creates an enrollment certificate signing request for each device, a signed structure called SignedEeEnrollmentCertRequest. The CSR includes the verification public key to use to create the public key reconstruction value in the enrollment certificate. The enrollment certificate request permissions (PSIDs, SSPs, Geographic Region) and lifetime are stated in the CSR as well. The vendor signs the CSR with the device’s private key, and writes the CSR to a file with filename format <enrollment pub hex>.oer in OER encoding. The vendor then collects multiple CSRs, places them in a flat directory and zips the directory. The directory structure within the zip file should look identical to the following example. IMPORTANT: DUE TO AUTOMATED PROCESSING OF REQUESTS, DEVIATIONS FROM THIS ZIPFILE AND DIRECTORY STRUCTURE WILL RESULT IN REQUESTS FAILING TO BE PROCESSED.

Enrollment Request Zip File Example
+ 4A2...BC1.oer
+ 61C...E1F.oer
+ ...
+ ...
+ 23B1...5FF.oer

Status: Awaiting Customer Input
Assignee: Leidos

Step 5 (Actor: Vendor)

Vendor logs into CVCS Samanage and attaches the enrollment request zip file to the previous enrollment request form.

Status: Awaiting Customer Input
Assignee: Leidos

Step 6 (Actor: Leidos)

Reviews Enrollment Request Form and ensures files have been attached and manually verifies the following fields:

  • PSID
  • Region

Status: Assigned
Assignee: SCMS Operations

Step 7 (Actor: SCMS Operations)

Logs into CVCS Samanage and downloads the enrollment certificate request zip file.

Status: Work in Progress
Assignee: SCMS Operations

Step 8 (Actor: SCMS Operations)

Executes their enrollment requests script to create enrollment certificates. If successful, move to Step 9.

The ECA generates and returns an enrollment certificate for each individual request. The response is a signed structure called SignedEeEnrollmentCertResponse. The SCMS operator collects all ECA responses, creates a directory structure that includes bootstrapping information as well as one directory per CSR using the filename of the CSR as directory name. Each of those directories contains the RA certificate to be used by the OBE to communicate with the SCMS, the certificate of the ECA that signed the enrollment certificate, as well as the enrollmentCert itself and the privKeyReconstruction. The SCMS operator zips all files into a single zip file. Following the example in step 4, the directory structure within the zip file would look like this (please be aware that the Root CA certificate is explicitly given in the file root.oer):

Enrollment Response Zip File Example
+ root.oer: IEEE 1609.2 root CA certificate encoded as OER
+ LCCF.oer: current Local Certificate Chain File including ICA and PCA certificates.
+ LPF.oer: current Local Policy File
+ CRL.oer: current Certificate Revocation List
+ root.tls: TLS (X.509) root certificate RA’s TLS cert chains to
+ 4A2...BC1 (dir)
|           +RA.oer: RA’s 1609.2 certificate
|           +ECA.oer: ECA’s 1609.2 certificate
|           +enrollment.oer:  (EE’s enrollment certificate, see enrollmentCert as part of the ECA response SignedEeEnrollmentCertResponse)
|           +enrollment.s:  (EE’s Private key reconstruction value, see privKeyReconstruction as part of the ECA response SignedEeEnrollmentCertResponse)
+ 61C...E1F (dir)
|           +RA.oer
|           +ECA.oer
|           +enrollment.oer
|           +enrollment.s
+ ...
+ ...
+ 23B1...5FF (dir)
|           +RA.oer
|           +ECA.oer
|           +enrollment.oer
|           +enrollment.s

Status: Work in Progress
Assignee: SCMS Operations

Step 8a (Actor: SCMS Operations)

If SCMS Operations finds an error within the request, SCMS Operations will send the Error Response to the Vendor through the CVCS enrollment request.

Status: Awaiting Customer Input
Assignee: SCMS Operator

Step 8b (Actor: Vendor)

Requests help/clarification in understanding the error found in the enrollment certificate signing request as a comment to the Enrollment Request Form.

Status: Work in Progress
Assignee: Leidos

Step 8c (Actor: Vendor)

Looks for an existing solution that will fix the vendor's error. If they find a solution, they provide it to the vendor.

Status: Awaiting Customer Input
Assignee: SCMS Operator

Step 8d (Actor: Vendor)

If an existing solution cannot be found, Leidos requests the vendor submit the Technical Support form and sends the Vendor the link.

Status: Awaiting Customer Input
Assignee: SCMS Operator

Step 8e (Actor: Vendor)

Corrects the error and reattaches the enrollment certificate signing request to the Enrollment Request Form.

Status: Awaiting Customer Input
Assignee: SCMS Operator

Step 9 (Actor: SCMS Operator)

Logs into the CVCS Samanage and creates an enrollment certificate response for the appropriate vendor and attaches the enrollment response zip file.

Status: Resolved
Assignee: Vendor

Step 10 (Actor: Vendor)

Vendor logs into CVCS Samanage and downloads their device enrollment certificates in their secure environment.

Status: Resolved
Assignee: Vendor

Step 11 (Actor: Vendor)

The vendor loads the appropriate enrollment certificate onto the appropriate device, in their secure environment.

Status: Resolved
Assignee: Vendor

Manual Bootstrapping Process - PROD Environment

The CV Pilot will initially use a manual Bootstrap Process that combines device initialization and enrollment. The process on the SCMS PROD stage is essentially the same as for QA (see QA process above) with the exception that the vendor must first submit their OBE device to a certification lab for certification before requesting the device enrollment certificate. The complete process is described below:

  1. Vendor submits their device to one of the device certification companies for certification. Vendor logs into DOT Workflow Approval tool and creates a device certification request, for a specific model of device, selecting the appropriate device certification company.
  2. Device certification company conducts device certification testing. After successful completion of certification, device certification company notifies DOT Workflow Approval tool of certification for the specific device model, and attaches certification documentation. DOT Workflow Approval tool notifies the vendor and USDOT of the approval, and maintains device certification documentation in database of certified devices.
  3. to 11. Same as step 1-9 in QA
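
The zip layouts from steps 4 and 8 of the QA process (reused by PROD) can be checked mechanically before upload and after download. The following Python is an added example, not part of the SCMS documentation or tooling; all function names are hypothetical, and it assumes CSR files sit at the root of the request zip and that response directories are named after the CSR file without its .oer extension, as the two listings show.

```python
import io
import re
import zipfile

# Step 4: every entry is "<enrollment pub hex>.oer" at the root of the zip.
CSR_NAME = re.compile(r"[0-9A-Fa-f]+\.oer")
# Step 8 listing: files at the root of the response zip and in each device directory.
TOP_FILES = {"root.oer", "LCCF.oer", "LPF.oer", "CRL.oer", "root.tls"}
DEVICE_FILES = {"RA.oer", "ECA.oer", "enrollment.oer", "enrollment.s"}


def make_zip(entries):
    """Build an in-memory zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_request_zip(data, used_keys=frozenset()):
    """Vendor-side check before upload (step 5). Returns a list of problems."""
    problems, seen = [], set()
    used = {k.upper() for k in used_keys}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or "/" in name or "\\" in name:
                problems.append(f"not a flat layout: {name}")
            elif not CSR_NAME.fullmatch(name):
                problems.append(f"not <hex>.oer: {name}")
            else:
                key = name[:-4].upper()
                if key in seen:
                    problems.append(f"same key twice in this batch: {name}")
                if key in used:
                    problems.append(f"key used in an earlier request: {name}")
                if info.file_size == 0:
                    problems.append(f"empty file: {name}")
                seen.add(key)
    if not seen:
        problems.append("no CSR files found")
    return problems


def check_response_zip(data, requested):
    """Vendor-side check after download (step 10), against the CSR names sent."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = {i.filename for i in zf.infolist() if not i.is_dir()}
    problems = [f"missing {f}" for f in sorted(TOP_FILES - names)]
    wanted = {re.sub(r"\.oer$", "", r, flags=re.I).upper() for r in requested}
    dirs = {n.split("/", 1)[0] for n in names if "/" in n}
    for d in sorted(dirs):
        if d.upper() not in wanted:
            # A certificate for a key this batch never submitted must not be loaded.
            problems.append(f"{d}: no CSR with this name was submitted")
        problems += [f"{d}: missing {f}" for f in sorted(DEVICE_FILES)
                     if f"{d}/{f}" not in names]
    problems += [f"{w}: no response directory"
                 for w in sorted(wanted - {d.upper() for d in dirs})]
    return problems


if __name__ == "__main__":
    # Constructed sample: one valid entry and one nested entry.
    batch = make_zip({"4A2BC1.oer": b"\x03", "batch/61CE1F.oer": b"\x03"})
    print(check_request_zip(batch))
```
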

Enrollment certificate request checks

The following checks have to be done in step 6:

  • The CSR only contains PSIDs from SCMS PoC Supported V2X Applications
  • The CSR only contains PSIDs the device is eligible for
  • The CSR contains the right SSP values for the requested PSID
  • The CSR only contains SSP values the device is eligible for
  • The CSR only contains Region USA
  • The CSR does not contain a public key that was used with a previous enrollment cert request
  • The CSR has a validity period that fits the ECA's validity period
  • The CSR contains the correct cracaId
  • The CSR contains the correct crlSeries
  • The CSR contains a useful CertificateId

OBE Bootstrap Process Logging Requirement

The following bootstrap operation information must be logged and maintained by the organization performing the PROD bootstrapping process, for each unique device, and for each enrollment certificate, if multiple enrollment certificates are requested for a single device.

  • OBE serial number or unique unit identifier
  • Initial Bootstrap Start Date
  • Bootstrap LCCF file version identifier
  • Bootstrap LPF file version identifier
  • Enrollment cert
  • Bootstrap Complete Date

Enrollment Certificate Request Example

The following clear text is an example of an enrollment certificate request. It is also provided in OER-encoded form, as it is supposed to be sent during manual enrollment.

Clear Text Before Signing/Encrypting
value ScmsPDU ::= {
  version 1,
  content eca-ee : eeEcaCertRequest : {
    version 1,
    currentTime 431026272,
    tbsData {
      id name : "obeenr",
      cracaId '000000'H,
      crlSeries 4,
      validityPeriod {
        start 431026272,
        duration hours : 4320
      },
      region identifiedRegion : {
        countryOnly : 124,
        countryOnly : 484,
        countryOnly : 840
      },
      certRequestPermissions {
        {
          subjectPermissions explicit : {
            {
              psid 32,
              sspRange opaque : {}
            },
            {
              psid 38,
              sspRange opaque : {}
            }
          },
          minChainDepth 0,
          chainDepthRange 0,
          eeType {app}
        }
      },
      verifyKeyIndicator verificationKey : ecdsaNistP256 : compressed-y-1 : '8751D2FDC5D7BF8CCE4A7FACE5E5AD7B92FA6B8CA0B202FBC93CBC08412AA934'H
    }
  }
}
Textual After Signing/Encrypting (SecuredScmsPDU Layer)
value SecuredScmsPDU ::= {
  protocolVersion 3,
  content signedCertificateRequest : '00018180000119B0F0604481066F6265656E72000000000419B0F0608410E083010380'H -- truncated --
}
Binary (Hexadecimal) After Signing/Encrypting
038381a500018180000119b0f0604481066f6265656e72000000000419b0f0608410e083010380007c8001e480034801018080010280012080010080012680010001008080838751d2fdc5d7bf8cce4a7face5e5ad7b92fa6b8ca0b202fbc93cbc08412aa934828080301d57f8d01e98c685428c49328be8164bae24e18d46030048911c5fd4275df73121b89c7919fd75d7ab411cfb254a44660997f7b1ae9235f2d0f1949198826
Textual After Signing/Encrypting (SignedCertificateRequest Layer)
value SignedCertificateRequest ::= {
  hashId sha256,
  tbsRequest {
    version 1,
    content eca-ee : eeEcaCertRequest : {
      version 1,
      currentTime 431026272,
      tbsData {
        id name : "obeenr",
        cracaId '000000'H,
        crlSeries 4,
        validityPeriod {
          start 431026272,
          duration hours : 4320
        },
        region identifiedRegion : {
          countryOnly : 124,
          countryOnly : 484,
          countryOnly : 840
        },
        certRequestPermissions {
          {
            subjectPermissions explicit : {
              {
                psid 32,
                sspRange opaque : {}
              },
              {
                psid 38,
                sspRange opaque : {}
              }
            },
            minChainDepth 0
          }
        },
        verifyKeyIndicator verificationKey : ecdsaNistP256 : compressed-y-1 : '8751D2FDC5D7BF8CCE4A7FACE5E5AD7B92FA6B8CA0B202FBC93CBC08412AA934'H
      }
    }
  },
  signer self : NULL,
  signature ecdsaNistP256Signature : {
    r x-only : '301D57F8D01E98C685428C49328BE8164BAE24E18D46030048911C5FD4275DF7'H,
    s '3121B89C7919FD75D7AB411CFB254A44660997F7B1AE9235F2D0F19491988265'H
  }
}

value ScmsPDU ::= {
  version 1,
  content eca-ee : eeEcaCertRequest : {
    version 1,
    currentTime 431026272,
    tbsData {
      id name : "obeenr",
      cracaId '000000'H,
      crlSeries 4,
      validityPeriod {
        start 431026272,
        duration hours : 4320
      },
      region identifiedRegion : {
        countryOnly : 124,
        countryOnly : 484,
        countryOnly : 840
      },
      certRequestPermissions {
        {
          subjectPermissions explicit : {
            {
              psid 32,
              sspRange opaque : {}
            },
            {
              psid 38,
              sspRange opaque : {}
            }
          },
          minChainDepth 0
        }
      },
      verifyKeyIndicator verificationKey : ecdsaNistP256 : compressed-y-1 : '8751D2FDC5D7BF8CCE4A7FACE5E5AD7B92FA6B8CA0B202FBC93CBC08412AA934'H
    }
  }
}
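
The hexadecimal request above can be read back field by field, and the step 6 checks from "Enrollment certificate request checks" run on the result. This Python is an added example, not SCMS project code: the reader handles only the request shape shown on this page and does not verify the signature, and the policy values (permitted PSIDs and SSPs, ECA validity window) are hypothetical.

```python
# Added example (not SCMS code): reads only the request shape shown on this page and
# does not verify the signature. The page's hex line is one nibble short of the 165
# bytes its length field announces; the final "5" comes from the textual s value.
PAGE_SAMPLE = bytes.fromhex(
    "038381a5" "00018180000119b0f060" "4481066f6265656e72" "0000000004" "19b0f0608410e0"
    "83010380007c8001e4800348" "0101808001028001208001008001268001000100" "808083"
    "8751d2fdc5d7bf8cce4a7face5e5ad7b92fa6b8ca0b202fbc93cbc08412aa934" "828080"
    "301d57f8d01e98c685428c49328be8164bae24e18d46030048911c5fd4275df7"
    "3121b89c7919fd75d7ab411cfb254a44660997f7b1ae9235f2d0f19491988265")
UNIT_SECONDS = {2: 1, 3: 60, 4: 3600, 5: 216000}  # seconds, minutes, hours, sixtyHours
# Hypothetical reviewer policy, constructed for this example (not SCMS values).
POLICY = {"psid_ssps": {32: [], 38: []}, "cracaId": "000000", "crlSeries": 4,
          "eca_start": 430000000, "eca_end": 500000000}


class Reader:
    """Cursor over OER bytes; every read is bounds-checked."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated input")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n):
        return int.from_bytes(self.take(n), "big")
    def varlen(self):  # length determinant: short form, or 0x8n followed by n bytes
        first = self.uint(1)
        return first if first < 0x80 else self.uint(first & 0x7F)
    def var_uint(self):  # unbounded INTEGER or SEQUENCE OF count: length, then value
        return self.uint(self.varlen())
    def choice(self, what, *allowed):  # one-byte context-specific CHOICE tag
        tag = self.uint(1)
        if tag & 0xC0 != 0x80 or (tag & 0x3F) not in allowed:
            raise ValueError(f"unsupported {what} (tag 0x{tag:02x})")
        return tag & 0x3F


def parse_csr(data):
    outer = Reader(data)
    if outer.uint(1) != 3 or outer.uint(1) != 0x83:
        raise ValueError("not protocolVersion 3 with signedCertificateRequest")
    r = Reader(outer.take(outer.varlen()))
    if outer.pos != len(data) or r.take(5) != b"\x00\x01\x81\x80\x00":
        raise ValueError("expected sha256, ScmsPDU v1, eca-ee, eeEcaCertRequest")
    csr = {"version": r.uint(1), "currentTime": r.uint(4), "regions": [], "permissions": []}
    pre = r.uint(1)                               # tbsData optional-field bitmap
    if pre & ~0x44:                               # region, certRequestPermissions only
        raise ValueError("tbsData optional field not handled by this reader")
    r.choice("id", 1)                             # name
    csr["id"] = r.take(r.varlen()).decode("utf-8")
    csr["cracaId"], csr["crlSeries"], csr["start"] = r.take(3).hex(), r.uint(2), r.uint(4)
    csr["unit"], csr["duration"] = r.choice("duration", *range(7)), r.uint(2)
    if pre & 0x40:
        r.choice("region", 3)                     # identifiedRegion
        for _ in range(r.var_uint()):
            r.choice("region entry", 0)           # countryOnly
            csr["regions"].append(r.uint(2))
    for _ in range(r.var_uint() if pre & 0x04 else 0):   # PsidGroupPermissions
        gpre = r.uint(1)                          # 0x80 = minChainDepth present
        if gpre & ~0x80:
            raise ValueError("chainDepthRange/eeType present: not handled here")
        r.choice("subjectPermissions", 0)         # explicit
        for _ in range(r.var_uint()):             # PsidSspRange
            has_ssp, psid, ssps = r.uint(1) & 0x80, r.var_uint(), []
            if has_ssp:
                r.choice("sspRange", 0)           # opaque
                ssps = [r.take(r.varlen()).hex() for _ in range(r.var_uint())]
            csr["permissions"].append((psid, ssps))
        if gpre & 0x80:
            r.var_uint()                          # minChainDepth, not used below
    r.choice("verifyKeyIndicator", 0)             # verificationKey
    r.choice("key type", 0)                       # ecdsaNistP256
    r.choice("curve point", 2, 3)                 # compressed-y-0 / compressed-y-1
    csr["verifyKey"] = r.take(32).hex().upper()
    r.choice("signer", 2)                         # self
    r.choice("signature", 0)                      # ecdsaNistP256Signature
    r.choice("signature r", 0, 2, 3)              # x-only or compressed
    r.take(64)                                    # r and s, 32 bytes each
    if r.pos != len(r.data):
        raise ValueError("trailing bytes after signature")
    return csr


def step6_findings(csr, policy, used_keys=frozenset()):
    """Step 6 checks; policy and used_keys come from the reviewer's own records."""
    out = [f"PSID {p} or its SSP is not permitted"
           for p, ssps in csr["permissions"] if policy["psid_ssps"].get(p) != ssps]
    if csr["regions"] != [840]:                   # 840 = USA
        out.append(f"region is not USA only: {csr['regions']}")
    if csr["verifyKey"] in used_keys:
        out.append("public key already used in an earlier request")
    unit = UNIT_SECONDS.get(csr["unit"], 0)
    if not unit or csr["start"] < policy["eca_start"] \
            or csr["start"] + csr["duration"] * unit > policy["eca_end"]:
        out.append("validity period unreadable or outside the ECA's")
    if (csr["cracaId"], csr["crlSeries"]) != (policy["cracaId"], policy["crlSeries"]):
        out.append("wrong cracaId or crlSeries")
    return out
```

Calling `step6_findings(parse_csr(PAGE_SAMPLE), POLICY)` returns a single finding for the region list `[124, 484, 840]`: the example request names Canada, Mexico and the USA, while the step 6 list accepts Region USA only.
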

Additional Reference Information

ASN.1 Specification

scms-protocol.asn (release/1.2.1, SCMS/scms-asn)
-- 
--  Copyright 2017 Crash Avoidance Metrics Partner, VSC5 Consortium
-- 
--  Licensed under the Apache License, Version 2.0 (the "License");
--  you may not use this file except in compliance with the License.
--  You may obtain a copy of the License at
-- 
--     http://www.apache.org/licenses/LICENSE-2.0
-- 
--  Unless required by applicable law or agreed to in writing, software
--  distributed under the License is distributed on an "AS IS" BASIS,
--  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--  See the License for the specific language governing permissions and
--  limitations under the License.
-- 

-- @namespace IEEE1609dot2ScmsProtocol 
IEEE1609dot2ScmsProtocol {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) protocol(1)}

DEFINITIONS AUTOMATIC TAGS ::= BEGIN

EXPORTS ALL;

IMPORTS
  HashAlgorithm,
  HashedId32,
  SequenceOfPsid,
  SequenceOfPsidSsp,
  Uint8,
  Uint16
FROM IEEE1609dot2BaseTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base(1) base-types(2)}

  Certificate,
  Ieee1609Dot2Data,
  SequenceOfCertificate,
  Signature,
  SignerIdentifier
FROM IEEE1609dot2 {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base (1) schema (1)}

  MisbehaviorReportingPsid,
  SecurityMgmtPsid
FROM Ieee1609dot2ScmsBaseTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)  dot2(2)
scms (2) interfaces(1) base-types (2)}

  ScmsComponentCertificateManagementPDU
FROM Ieee1609Dot2ScmsComponentCertificateManagement
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) component-certificate-management(3)}

  EcaEndEntityInterfacePDU
FROM Ieee1609Dot2EcaEndEntityInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) eca-ee(5)}

  EndEntityMaInterfacePDU
FROM Ieee1609Dot2EndEntityMaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) ee-ma(7)}

  EndEntityRaInterfacePDU
FROM Ieee1609Dot2EndEntityRaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) ee-ra(8)}

  LaMaInterfacePDU
FROM Ieee1609Dot2LaMaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) la-ma(9)}

  LaPcaInterfacePDU
FROM Ieee1609Dot2LaPcaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) la-pca(10)}

  LaRaInterfacePDU
FROM Ieee1609Dot2LaRaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) la-ra(11)}

  MaPcaInterfacePDU
FROM Ieee1609Dot2MaPcaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) ma-pca(13)}

  MaRaInterfacePDU
FROM Ieee1609Dot2MaRaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) ma-ra(14)}

  PcaRaInterfacePDU
FROM Ieee1609Dot2PcaRaInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) pca-ra(15)}

  RaPgInterfacePDU
FROM Ieee1609Dot2RaPgInterface
{iso(1) identified-organization(3) ieee(111) 
standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2)
scms(2) interfaces(1) ra-pg(16)}

  CertificateChainFiles
FROM IEEE1609dot2-cert-chains {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base (1) cert-chains (4)}

  PolicyFiles
FROM Ieee1609dot2ScmsPolicyTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)  dot2(2)
scms (2) interfaces(1) policy-types (500)}
;

---
-- @brief The ScmsPDU is the parent structure that encompasses all parent 
--        structures of interfaces defined in the SCMS.
-- @class ScmsPDU
-- @param version contains the current version of the data type. The version 
--                specified in this document is version 1, represented by the
--                integer 1.
-- @param content encloses the information of an SCMS interface.
-- @param ccm     contains the component certificate management interface
--                structure.
-- @param eca-ee  contains the interface structure defined for interaction 
--                between Enrollment Certificate Authority (ECA) and an End
--                Entity (EE).
-- @param ee-ma   contains the interface structure defined for interaction 
--                between an End Entity (EE) and Misbehavior Authority (MA).
-- @param ee-ra   contains the interface structure defined for interaction 
--                between an End Entity (EE) and Registration Authority (RA).
-- @param la-ma   contains the interface structure defined for interaction 
--                between Linkage Authority (LA) and Misbehavior Authority (MA).
-- @param la-pca  contains the interface structure defined for interaction 
--                between Linkage Authority (LA) and Pseudonym Certificate
--                Authority (PCA).
-- @param la-ra   contains the interface structure defined for interaction 
--                between Linkage Authority (LA) and Registration Authority (RA).
-- @param ma-pca  contains the interface structure defined for interaction 
--                between Misbehavior Authority (MA) and Pseudonym Certificate
--                Authority (PCA).
-- @param ma-ra   contains the interface structure defined for interactions 
--                between Misbehavior Authority (MA) and Registration Authority
--                (RA).
-- @param pca-ra  contains the interface structure defined for interactions 
--                between Pseudonym Certificate Authority (PCA) and Registration
--                Authority (RA).
-- @param ra-pg   contains the interface structure defined for interactions 
--                between Registration Authority (RA) and Policy Generator (PG).
ScmsPDU ::= SEQUENCE {
  version  Uint8(1),
  content  CHOICE {
    ccm       ScmsComponentCertificateManagementPDU,
    eca-ee    EcaEndEntityInterfacePDU,
    ee-ma     EndEntityMaInterfacePDU,
    ee-ra     EndEntityRaInterfacePDU,
    la-ma     LaMaInterfacePDU,
    la-pca    LaPcaInterfacePDU,
    la-ra     LaRaInterfacePDU,
    ma-pca    MaPcaInterfacePDU,
    ma-ra     MaRaInterfacePDU,
    pca-ra    PcaRaInterfacePDU,
    ra-pg     RaPgInterfacePDU,
    ...
 }
}

---
-- @brief This is a collection structure designed for transferring certificate 
--        and policy files among SCMS entities.
-- @class ScmsFile
-- @param version    contains the current version of the data type. The 
--                   version specified in this document is version 1,
--                   represented by the integer 1.
-- @param content    encloses information of an SCMS file. 
-- @param cert-chain contains the chain of certificates through which the 
--                   necessary entities can be recursively verified.
-- @param policy     contains files that define policies about certificates 
--                   (e.g. certificate lifetimes)
ScmsFile ::= SEQUENCE {
  version Uint8(1),
  content CHOICE {
    cert-chain CertificateChainFiles,
    policy PolicyFiles,
    ...
  }
}

-- *************************************************************************
--
--             Scoped
--
-- *************************************************************************

-- *** EE-CA ***************************************************************

---
-- @brief This structure defines the EeEcaCertRequest as a scoped version of
--        the ScmsPDU.
-- @class ScopedEeEnrollmentCertRequest
ScopedEeEnrollmentCertRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      eca-ee (WITH COMPONENTS {
        eeEcaCertRequest
      })
    })
 })

---
-- @brief This structure defines the EcaEeCertResponse as a scoped version of
--        the ScmsPDU.
-- @class ScopedEeEnrollmentCertResponse
ScopedEeEnrollmentCertResponse ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      eca-ee (WITH COMPONENTS {
        ecaEeCertResponse
      })
    })
 })

-- *** EE-MA ***************************************************************

---
-- @brief This structure defines the MisbehaviorReport as a scoped version of
--        the ScmsPDU.
-- @class ScopedMisbehaviorReport
ScopedMisbehaviorReport ::=
  ScmsPDU (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ee-ma (WITH COMPONENTS {
        misbehaviorReport
      })
    })
 })

-- *** EE-RA ***************************************************************

---
-- @brief This structure defines the EeRaCertRequest as a scoped version of the
--        ScmsPDU.
-- @class ScopedEeRaCertRequest
ScopedEeRaCertRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ee-ra (WITH COMPONENTS {
        eeRaCertRequest
      })
    })
 })

---
-- @brief This structure defines the RaEeCertResponse as a scoped version of
--        the ScmsPDU.
-- @class ScopedRaEeCertResponse
ScopedRaEeCertResponse ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ee-ra (WITH COMPONENTS {
        raEeCertResponse
      })
    })
 })

---
-- @brief This structure defines the EeRaPseudonymCertProvisioningRequest as a
--        scoped version of the ScmsPDU.
-- @class ScopedPseudonymCertProvisioningRequest
ScopedPseudonymCertProvisioningRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ee-ra (WITH COMPONENTS {
        eeRaPseudonymCertProvisioningRequest
      })
    })
  })

---
-- @brief This structure defines the RaEePseudonymCertProvisioningAck as a 
--        scoped version of the ScmsPDU.
-- @class ScopedPseudonymCertProvisioningAck
ScopedPseudonymCertProvisioningAck ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ee-ra (WITH COMPONENTS {
        raEePseudonymCertProvisioningAck
      })
    })
  })

---
-- @brief This structure defines the EeRaIdCertProvisioningRequest as a scoped
--        version of the ScmsPDU.
-- @class ScopedIdCertProvisioningRequest
ScopedIdCertProvisioningRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ee-ra (WITH COMPONENTS {
        eeRaIdCertProvisioningRequest
      })
    })
  })

---
-- @brief This structure defines the RaEeIdCertProvisioningAck as a scoped 
--        version of the ScmsPDU. 
-- @class ScopedIdCertProvisioningAck
ScopedIdCertProvisioningAck ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ee-ra (WITH COMPONENTS {
        raEeIdCertProvisioningAck
      })
    })
  })

---
-- @brief This structure defines the EeRaAppCertProvisioningRequest as a 
--        scoped version of the ScmsPDU.
-- @class ScopedAppCertProvisioningRequest
ScopedAppCertProvisioningRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ee-ra (WITH COMPONENTS {
        eeRaAppCertProvisioningRequest
      })
    })
  })

---
-- @brief This structure defines the RaEeAppCertProvisioningAck as a scoped 
--        version of the ScmsPDU.
-- @class ScopedAppCertProvisioningAck
ScopedAppCertProvisioningAck ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ee-ra (WITH COMPONENTS {
        raEeAppCertProvisioningAck
      })
    })
  })

---
-- @brief This structure defines the GlobalCertificateChainFile as a scoped 
--        version of the ScmsPDU.
-- @class ScopedGlobalCertificateChainFile
ScopedGlobalCertificateChainFile ::=
  ScmsFile (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      cert-chain( WITH COMPONENTS {
        globalCertificateChainFile
       })
    })
  })

---
-- @brief This structure defines the LocalCertificateChainFile as a scoped 
--        version of the ScmsPDU.
-- @class ScopedLocalCertificateChainFile
ScopedLocalCertificateChainFile ::=
  ScmsFile (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      cert-chain( WITH COMPONENTS {
        localCertificateChainFile
      })
    })
  })

---
-- @brief This structure defines the GlobalPolicyFile as a scoped version of 
--        the ScmsPDU.
-- @class ScopedGlobalPolicyFile
ScopedGlobalPolicyFile ::=
  ScmsFile (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      policy( WITH COMPONENTS {
        globalPolicyFile
      })
    })
  })

---
-- @brief This structure defines the LocalPolicyFile as a scoped version of 
--        the ScmsPDU.
-- @class ScopedLocalPolicyFile
ScopedLocalPolicyFile ::=
  ScmsFile (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      policy( WITH COMPONENTS {
        localPolicyFile
      })
    })
  })

---
-- @brief This structure defines the EeRaAuthenticatedDownloadRequest as a 
--        scoped version of the ScmsPDU.
-- @class ScopedAuthenticatedDownloadRequest
ScopedAuthenticatedDownloadRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ee-ra (WITH COMPONENTS {
        eeRaAuthenticatedDownloadRequest
      })
    })
  })

-- *** LA-MA ***************************************************************

---
-- @brief This structure defines the MaLaLinkageInfoRequest as a scoped 
--        version of the ScmsPDU.
-- @class ScopedLIRequest
ScopedLIRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      la-ma (WITH COMPONENTS {
        maLaLinkageInfoRequest
      })
    })
  })

---
-- @brief This structure defines the LaMaLinkageInfoResponse as a scoped 
--        version of the ScmsPDU.
-- @class ScopedLIReply
ScopedLIReply ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      la-ma (WITH COMPONENTS {
        laMaLinkageInfoResponse
      })
    })
  })

---
-- @brief This structure defines the MaLaLinkageSeedRequest as a scoped 
--        version of the ScmsPDU.
-- @class ScopedLSRequest
ScopedLSRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      la-ma (WITH COMPONENTS {
        maLaLinkageSeedRequest
      })
    })
  })

---
-- @brief This structure defines the LaMaLinkageSeedResponse as a scoped 
--        version of the ScmsPDU.
-- @class ScopedLSReply
ScopedLSReply ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      la-ma (WITH COMPONENTS {
        laMaLinkageSeedResponse
      })
    })
  })


-- *** LA-PCA **************************************************************

---
-- @brief This structure defines the PcaLaKeyAgreementRequest as a scoped 
--        version of the ScmsPDU.
-- @class ScopedPcaLaKeyAgreementRequest
ScopedPcaLaKeyAgreementRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      la-pca (WITH COMPONENTS {
        pcaLaKeyAgreementRequest
      })
    })
  })

---
-- @brief This structure defines the LaPcaKeyAgreementResponse as a scoped 
--        version of the ScmsPDU.
-- @class ScopedLaPcaKeyAgreementResponse
ScopedLaPcaKeyAgreementResponse ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      la-pca (WITH COMPONENTS {
        laPcaKeyAgreementResponse
      })
    })
  })

---
-- @brief This structure defines the PcaLaKeyAgreementAck as a scoped version 
--        of the ScmsPDU.
-- @class ScopedPcaLaKeyAgreementAck
ScopedPcaLaKeyAgreementAck ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      la-pca (WITH COMPONENTS {
        pcaLaKeyAgreementAck
      })
    })
  })

-- *** LA-RA ***************************************************************

---
-- @brief This structure defines the RaLaIndividualPreLinkageValueRequest as a 
--        scoped version of the ScmsPDU.
-- @class ScopedRaLaIndividualPreLinkageValueRequest
ScopedRaLaIndividualPreLinkageValueRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      la-ra (WITH COMPONENTS {
        raLaIndividualPreLinkageValueRequest
      })
    })
  })

---
-- @brief This structure defines the RaLaGroupPreLinkageValueRequest as a 
--        scoped version of the ScmsPDU.
-- @class ScopedRaLaGroupPreLinkageValueRequest
ScopedRaLaGroupPreLinkageValueRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      la-ra (WITH COMPONENTS {
        raLaGroupPreLinkageValueRequest
      })
    })
  })


---
-- @brief This structure defines the LaRaPreLinkageValueResponse as a scoped 
--        version of the ScmsPDU.
-- @class ScopedLaRaPreLinkageValueResponse
ScopedLaRaPreLinkageValueResponse ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      la-ra (WITH COMPONENTS {
        laRaPreLinkageValueResponse
      })
    })
  })

-- *** MA-PCA **************************************************************


---
-- @brief This structure defines the MaPcaPreLinkageValueRequest as a scoped 
--        version of the ScmsPDU.
-- @class ScopedMaPcaPreLinkageValueRequest
ScopedMaPcaPreLinkageValueRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ma-pca (WITH COMPONENTS {
        maPcaPreLinkageValueRequest
      })
    })
  })


---
-- @brief This structure defines the PcaMaPreLinkageValueResponse as a scoped 
--        version of the ScmsPDU.
-- @class ScopedPcaMaPreLinkageValueResponse
ScopedPcaMaPreLinkageValueResponse ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ma-pca (WITH COMPONENTS {
        pcaMaPreLinkageValueResponse
      })
    })
  })


---
-- @brief This structure defines the MaPcaHPCRRequest as a scoped version of 
--        the ScmsPDU.
-- @class ScopedMaPcaHPCRRequest
ScopedMaPcaHPCRRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ma-pca (WITH COMPONENTS {
        maPcaHPCRRequest
      })
    })
  })


---
-- @brief This structure defines the PcaMaHPCRResponse as a scoped version of 
--        the ScmsPDU.
-- @class ScopedPcaMaHPCRResponse
ScopedPcaMaHPCRResponse ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ma-pca (WITH COMPONENTS {
        pcaMaHPCRResponse
      })
    })
  })

-- *** MA-RA **************************************************************


---
-- @brief This structure defines the MaRaBlacklistRequest as a scoped version 
--        of the ScmsPDU.
-- @class ScopedBlacklistRequest
ScopedBlacklistRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ma-ra (WITH COMPONENTS {
        maRaBlacklistRequest
      })
    })
  })

---
-- @brief This structure defines the RaMaBlacklistResponse as a scoped version 
--        of the ScmsPDU.
-- @class ScopedBlacklistResponse
ScopedBlacklistResponse ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ma-ra (WITH COMPONENTS {
        raMaBlacklistResponse
      })
    })
  })

---
-- @brief This structure defines the MaRaLCIRequest as a scoped version of the 
--        ScmsPDU.
-- @class ScopedLCIRequest
ScopedLCIRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ma-ra (WITH COMPONENTS {
        maRaLCIRequest
      })
    })
  })


---
-- @brief This structure defines the RaMaLCIResponse as a scoped version of 
--        the ScmsPDU.
-- @class ScopedLCIResponse
ScopedLCIResponse ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ma-ra (WITH COMPONENTS {
        raMaLCIResponse
      })
    })
  })

  
---
-- @brief This structure defines the MaRaRseObeIdBlacklistRequest as a scoped 
--        version of the ScmsPDU.
-- @class ScopedRseObeIdBlacklistRequest
ScopedRseObeIdBlacklistRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ma-ra (WITH COMPONENTS {
        maRaRseObeIdBlacklistRequest
      })
    })
  })


---
-- @brief This structure defines the RaMaRseObeIdBlacklistResponse as a scoped 
--        version of the ScmsPDU.
-- @class ScopedRseObeIdBlacklistResponse
ScopedRseObeIdBlacklistResponse ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ma-ra (WITH COMPONENTS {
        raMaRseObeIdBlacklistResponse
      })
    })
  })

-- *** PCA-RA *************************************************************

---
-- @brief This structure defines the RaPcaCertRequest as a scoped version of 
--        the ScmsPDU.
-- @class ScopedRaPcaCertificateRequest
ScopedRaPcaCertificateRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      pca-ra (WITH COMPONENTS {
        raPcaCertRequest
      })
    })
  })


---
-- @brief This structure defines the PcaRaCertResponse as a scoped version of 
--        the ScmsPDU.
-- @class ScopedPcaRaCertificateRequestReply
ScopedPcaRaCertificateRequestReply ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      pca-ra (WITH COMPONENTS {
        pcaRaCertResponse
      })
    })
  })


-- *** RA-PG *************************************************************

---
-- @brief This structure defines the RaPgPolicySignatureRequest as a scoped 
--        version of the ScmsPDU.
-- @class ScopedRaPgPolicySignatureRequest
ScopedRaPgPolicySignatureRequest ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ra-pg (WITH COMPONENTS {
        raPgPolicySignatureRequest
      })
    })
  })


---
-- @brief This structure defines the RaPgPolicySignatureRequestReply as a 
--        scoped version of the ScmsPDU.
-- @class ScopedRaPgPolicySignatureRequestReply
ScopedRaPgPolicySignatureRequestReply ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ra-pg (WITH COMPONENTS {
        raPgPolicySignatureRequestReply
      })
    })
  })

  
-- *** Scoped certificate requests   **************************************

---
-- @brief This structure defines all certificate request messages as 
--        scoped versions of the ScmsPDU.
-- @class ScopedCertificateRequest
  ScopedCertificateRequest ::= ScmsPDU (
     ScopedEeRaCertRequest |
     ScopedEeEnrollmentCertRequest |
     ScopedPseudonymCertProvisioningRequest |
     ScopedIdCertProvisioningRequest  |
     ScopedAppCertProvisioningRequest  |
     ScopedRaPcaCertificateRequest |
     ScopedAuthenticatedDownloadRequest )




--*************************************************************************
--
--  Certificate Request
--
--**********************************************************************

---
-- @brief This structure defines the format of a signed certificate 
--        request.
-- @class SignedCertificateRequest
-- @param hashId     is the hash of the current request.
-- @param tbsRequest contains the certificate request information that
--                   is signed by the recipient.
-- @param signer     denotes the signing entity's identifier.
-- @param signature  contains the request sender's signature.
  SignedCertificateRequest ::= SEQUENCE  {
    hashId          HashAlgorithm,
    tbsRequest      ScopedCertificateRequest,
    signer          SignerIdentifier,
    signature       Signature
  }



-- *************************************************************************
-- *************************************************************************
--
--             Secured
--
-- *************************************************************************
-- *************************************************************************

---
-- @brief This structure contains either secured (encrypted) or unsecured
--        (plaintext) data as per need. It follows the same structure defined
--        for Ieee1609Dot2Data in
--        1609dot2-schema.asn.
-- @class SecuredScmsPDU
SecuredScmsPDU ::= Ieee1609Dot2Data

-- *************************************************************************
--
--             EE-ECA
--
-- *************************************************************************

---
-- @brief This structure contains the ScopedEeEnrollmentCertRequest which 
--        encloses the EeEcaCertRequest. EE sends this message to the ECA to 
--        request enrollment certificates for itself. EE signs this message 
--        using its private key generated during bootstrapping.
-- @class SignedEeEnrollmentCertRequest
-- @param content contains an EE's enrollment certificate request and the EE's
--        self signature.
-- @see EeEcaCertRequest 
SignedEeEnrollmentCertRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedCertificateRequest  (CONTAINING
      SignedCertificateRequest (WITH COMPONENTS {...,
        tbsRequest (ScopedEeEnrollmentCertRequest),
        signer (WITH COMPONENTS {
          self
        })
      })
    )
  })
})

---
-- @brief This structure contains the ScopedEeEnrollmentCertResponse which 
--        encloses the EcaEeCertResponse. ECA responds to an EE's 
--        SignedEeEnrollmentCertRequest using this message. ECA signs this 
--        message using its private key corresponding to its EcaCertificate.
-- @class SignedEeEnrollmentCertResponse
-- @param content contains the ScopedEeEnrollmentCertResponse.
-- @see EcaEeCertResponse, EcaCertificate
SignedEeEnrollmentCertResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedEeEnrollmentCertResponse)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

-- *************************************************************************
--
--             EE-MA
--
-- *************************************************************************

---
-- @brief This structure contains SignedMisbehaviorReport and is sent by an EE 
--        to MA through RA. EE sends its misbehavior reports to MA using 
--        this structure. EE encrypts this message using MA's public key from 
--        MaCertificate that it obtains during bootstrapping.
-- @class SecuredMisbehaviorReport
-- @param content contains the encrypted misbehavior reports generated by an
--                EE; decrypts to a SignedMisbehaviorReport.
-- @see MisbehaviorReportContents, MaCertificate  
SecuredMisbehaviorReport ::= SecuredScmsPDU(WITH COMPONENTS {...,
  content(WITH COMPONENTS {...,
    encryptedData 
  })
})

---
-- @brief This structure contains the misbehavior reports generated by an EE 
--        and sent to the RA. The RA forwards this message to the MA in the 
--        form of SecuredMisbehaviorReport. The reporting EE signs this message
--        using its private key corresponding to its active
--        ObePseudonymCertificate.
-- @class SignedMisbehaviorReport, ObePseudonymCertificate
-- @param content contains the misbehavior report in the form of 
--                ScopedMisbehaviorReport generated by the reporting EE.
-- @see MisbehaviorReportContents
SignedMisbehaviorReport ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedMisbehaviorReport)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (MisbehaviorReportingPsid),
          generationTime PRESENT,
          expiryTime ABSENT,
          generationLocation PRESENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      }),
      signer (WITH COMPONENTS {...,
        certificate (SequenceOfCertificate (SIZE(1)))
      })
    })
  })
})

-- *************************************************************************
--
--             EE-RA
--
-- *************************************************************************

---
-- @brief This structure contains the encrypted ScopedEeRaCertRequest which 
--        contains the EeRaCertRequestMsg. EE sends this message to RA to 
--        request RA's currently active RaCertificate. EE encrypts this message 
--        using the RA's public key obtained from RaCertificate. If EE 
--        requests RA's certificate for the first time, it will encrypt using
--        the key obtained at the time of device bootstrapping.
-- @class SecuredRACertRequest
-- @param content contains the ScopedEeRaCertRequest.
-- @see EeRaCertRequestMsg, RaCertificate
SecuredRACertRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
    content (WITH COMPONENTS {...,
      unsecuredData (CONTAINING ScopedEeRaCertRequest)
    })
  })

---
-- @brief This structure contains the encrypted ScopedRaEeCertResponse which 
--        contains the RaEeCertResponseMsg. RA responds to
--        SecuredRACertRequest using this structure with its active
--        RaCertificate.
--        NOTE ERROR: RA cannot encrypt this message since EE does not send
--        its encryptionKey in its ObeEnrollmentCertificate with
--        SecuredRACertRequest.
-- @class SecuredRACertResponse
-- @param content contains the ScopedRaEeCertResponse
-- @see RaEeCertResponseMsg, ObeEnrollmentCertificate 
SecuredRACertResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
    content (WITH COMPONENTS {...,
      unsecuredData (CONTAINING ScopedRaEeCertResponse)
    })
  })

---
-- @brief This structure contains the ScopedPseudonymCertProvisioningRequest 
--        which contains the EeRaPseudonymCertProvisioningRequest structure. 
--        EE sends this message to PCA through RA to request 
--        ObePseudonymCertificate. EE signs this message using its private key
--        corresponding to its ObeEnrollmentCertificate.
-- @class SignedPseudonymCertProvisioningRequest
-- @param content contains the pseudonym certificate provisioning request and 
--        requesting EE's ObeEnrollmentCertificate.
-- @see EeRaPseudonymCertProvisioningRequest, ObePseudonymCertificate,
--      ObeEnrollmentCertificate 
SignedPseudonymCertProvisioningRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedCertificateRequest  (CONTAINING
      SignedCertificateRequest (WITH COMPONENTS {...,
        tbsRequest (ScopedPseudonymCertProvisioningRequest),
        signer (WITH COMPONENTS {
          certificate (SequenceOfCertificate (SIZE(1)))
        })
      })
    )
  })
})

---
-- @brief This structure contains SignedPseudonymCertProvisioningRequest 
--        generated by the requesting EE and sent to the RA. The RA forwards 
--        this request to the PCA. EE encrypts this message using PCA's public
--        key obtained during device bootstrapping.
-- @class SecuredPseudonymCertProvisioningRequest
-- @param content contains the encrypted pseudonym certificate provisioning 
--                request generated by an EE; decrypts to a
--                SignedPseudonymCertProvisioningRequest.
-- @see EeRaPseudonymCertProvisioningRequest 
SecuredPseudonymCertProvisioningRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})

---
-- @brief This structure contains ScopedPseudonymCertProvisioningAck which 
--        contains RaEePseudonymCertProvisioningAck. RA acknowledges receipt 
--        of an EE's SignedPseudonymCertProvisioningRequest using this 
--        structure. RA signs this message using its private key corresponding 
--        to its RaCertificate.
-- @class SignedPseudonymCertProvisioningAck
-- @param content contains the ScopedPseudonymCertProvisioningAck.
-- @see RaEePseudonymCertProvisioningAck, RaCertificate
SignedPseudonymCertProvisioningAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedPseudonymCertProvisioningAck)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains the SignedPseudonymCertProvisioningAck.
--        NOTE ERROR: PCA cannot encrypt this message since EE does not send
--        an encryptionKey in ObeEnrollmentCertificate in
--        SignedPseudonymCertProvisioningRequest.
-- @class SecuredPseudonymCertProvisioningAck
-- @param content contains the encrypted acknowledgement for pseudonym 
--                certificate provisioning; decrypts to
--                SignedPseudonymCertProvisioningAck.
-- @see RaEePseudonymCertProvisioningAck, ObeEnrollmentCertificate 
SecuredPseudonymCertProvisioningAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})

---
-- @brief This structure contains the ScopedIdCertProvisioningRequest 
--        which contains the EeRaIdCertProvisioningRequest structure. 
--        EE signs this message using its private key corresponding to its
--        ObeEnrollmentCertificate.
-- @class SignedIdCertProvisioningRequest
-- @param content contains the pseudonym certificate provisioning request and 
--        requesting EE's enrollment certificate.
-- @see EeRaIdCertProvisioningRequest, ObeEnrollmentCertificate 
SignedIdCertProvisioningRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedCertificateRequest  (CONTAINING
      SignedCertificateRequest (WITH COMPONENTS {...,
        tbsRequest (ScopedIdCertProvisioningRequest),
        signer (WITH COMPONENTS {
          certificate (SequenceOfCertificate (SIZE(1)))
        })
      })
    )
  })
})

---
-- @brief This structure contains SignedIdCertProvisioningRequest 
--        generated by the requesting EE and sent to the RA. The RA forwards 
--        this request to the PCA. EE encrypts this message using PCA's public
--        key obtained during device bootstrapping.
-- @class SecuredIdCertProvisioningRequest
-- @param content contains the encrypted pseudonym certificate provisioning 
--                request generated by an EE; decrypts to a
--                SignedIdCertProvisioningRequest.
-- @see EeRaIdCertProvisioningRequest 
SecuredIdCertProvisioningRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData 
  })
})

---
-- @brief This structure contains the ScopedIdCertProvisioningAck which 
--        contains the RaEeIdCertProvisioningAck. RA signs this message using 
--        its private key corresponding to its RaCertificate. RA sends this 
--        message to an EE in the form of SecuredIdCertProvisioningAck. 
-- @class SignedIdCertProvisioningAck
-- @param content contains the ScopedIdCertProvisioningAck which encloses the
--                RaEeIdCertProvisioningAck.
-- @see RaEeIdCertProvisioningAck, RaCertificate
SignedIdCertProvisioningAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedIdCertProvisioningAck)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains the SignedIdCertProvisioningAck.
--        NOTE ERROR: PCA cannot encrypt this message since EE does not send
--        an encryptionKey in ObeEnrollmentCertificate in
--        SignedIdCertProvisioningRequest.
-- @class SecuredIdCertProvisioningAck
-- @param content contains the encrypted acknowledgement for identification
--                certificate provisioning; decrypts to
--                SignedIdCertProvisioningAck.
-- @see RaEeIdCertProvisioningAck, ObeEnrollmentCertificate 
SecuredIdCertProvisioningAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})

---
-- @brief This structure contains the ScopedAppCertProvisioningRequest 
--        which contains the EeRaAppCertProvisioningRequest structure. 
--        EE signs this message using its private key corresponding to its
--        ObeEnrollmentCertificate.
-- @class SignedAppCertProvisioningRequest
-- @param content contains the pseudonym certificate provisioning request and 
--        requesting EE's enrollment certificate.
-- @see EeRaAppCertProvisioningRequest 
SignedAppCertProvisioningRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedCertificateRequest  (CONTAINING
      SignedCertificateRequest (WITH COMPONENTS {...,
        tbsRequest (ScopedAppCertProvisioningRequest),
        signer (WITH COMPONENTS {
          certificate (SequenceOfCertificate (SIZE(1)))
        })
      })
    )
  })
})

---
-- @brief This structure contains SignedAppCertProvisioningRequest 
--        generated by the requesting EE and sent to the RA. The RA forwards 
--        this request to the PCA. EE encrypts this message using PCA's public
--        key obtained during device bootstrapping.
-- @class SecuredAppCertProvisioningRequest
-- @param content contains the encrypted pseudonym certificate provisioning 
--                request generated by an EE; decrypts to a
--                SignedAppCertProvisioningRequest.
-- @see EeRaAppCertProvisioningRequest 
SecuredAppCertProvisioningRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})

---
-- @brief This structure contains the ScopedAppCertProvisioningAck which 
--        contains the RaEeAppCertProvisioningAck. RA signs this message using 
--        its private key corresponding to its RaCertificate. RA sends this 
--        message to an EE in the form of SecuredAppCertProvisioningAck. 
-- @class SignedAppCertProvisioningAck
-- @param content contains the ScopedAppCertProvisioningAck which encloses the
--                RaEeAppCertProvisioningAck.
-- @see RaEeAppCertProvisioningAck, RaCertificate
SignedAppCertProvisioningAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedAppCertProvisioningAck)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains the SignedAppCertProvisioningAck.
--        NOTE ERROR: PCA cannot encrypt this message since EE does not send
--        an encryptionKey in ObeEnrollmentCertificate in
--        SignedAppCertProvisioningRequest.
-- @class SecuredAppCertProvisioningAck
-- @param content contains the encrypted acknowledgement for application
--                certificate provisioning; decrypts to
--                SignedAppCertProvisioningAck.
-- @see RaEeAppCertProvisioningAck, ObeEnrollmentCertificate 
SecuredAppCertProvisioningAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})

---
-- @brief This structure contains the ScopedAuthenticatedDownloadRequest which 
--        contains the AuthenticatedDownloadRequest. EE signs this message 
--        using its private key corresponding to its ObeEnrollmentCertificate. 
--        EE sends this message to RA in the form of
--        SecuredAuthenticatedDownloadRequest.
-- @class SignedAuthenticatedDownloadRequest
-- @param content contains the authenticated download request and EE's
--                enrollment certificate.
-- @see AuthenticatedDownloadRequest, ObeEnrollmentCertificate
SignedAuthenticatedDownloadRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedCertificateRequest  (CONTAINING
      SignedCertificateRequest (WITH COMPONENTS {...,
        tbsRequest (ScopedAuthenticatedDownloadRequest),
        signer (WITH COMPONENTS {
          certificate (SequenceOfCertificate (SIZE(1)))
        })
      })
    )
  })
})

---
-- @brief This structure contains the SignedAuthenticatedDownloadRequest and 
--        is sent by an EE to the RA. EE encrypts this message using RA's 
--        public key obtained at device bootstrapping.
-- @class SecuredAuthenticatedDownloadRequest
-- @param content contains the authenticated download request signed by an EE; 
--                decrypts to SignedAuthenticatedDownloadRequest.
-- @see AuthenticatedDownloadRequest
SecuredAuthenticatedDownloadRequest  ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})

---
-- @brief This structure contains ScopedGlobalPolicyFile which contains 
--        GlobalPolicyFile. PG signs this message using its private key 
--        corresponding to its PgCertificate. 
-- @class SignedGlobalPolicyFile
-- @param content contains the ScopedGlobalPolicyFile.
-- @see GlobalPolicyFile, PgCertificate 
SignedGlobalPolicyFile ::= Ieee1609Dot2Data( WITH COMPONENTS{...,
    content( WITH COMPONENTS{...,
      signedData( WITH COMPONENTS{...,
        tbsData( WITH COMPONENTS{...,
          payload( WITH COMPONENTS{...,
            data( WITH COMPONENTS{...,
              content( WITH COMPONENTS{...,
                unsecuredData( CONTAINING ScopedGlobalPolicyFile )
              })
            })
          })
        })
      })
   })
})

---
-- @brief This structure contains ScopedLocalPolicyFile which contains 
--        LocalPolicyFile. PG signs this message using its private key
--        corresponding to its PgCertificate.
-- @class SignedLocalPolicyFile
-- @param content contains the ScopedLocalPolicyFile.
-- @see LocalPolicyFile, PgCertificate
SignedLocalPolicyFile ::= Ieee1609Dot2Data( WITH COMPONENTS{...,
    content( WITH COMPONENTS{...,
      signedData( WITH COMPONENTS{...,
        tbsData( WITH COMPONENTS{...,
          payload( WITH COMPONENTS{...,
            data( WITH COMPONENTS{...,
              content( WITH COMPONENTS{...,
                unsecuredData( CONTAINING ScopedLocalPolicyFile )
              })
            })
          })
        })
      })
   })
})

-- *************************************************************************
--
--             LA-MA
--
-- *************************************************************************

---
-- @brief This structure contains ScopedLIRequest which contains 
--        MaLaLinkageInfoRequest. MA signs this message using its private key
--        corresponding to its MaCertificate.
-- @class SignedLIRequest
-- @param content contains the ScopedLIRequest.
-- @see MaLaLinkageInfoRequest
SignedLIRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedLIRequest)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedLIRequest and is sent by MA to LA.
--        MA encrypts this message using LA's public key that it obtains
--        from LaCertificate received from ICA at Add LA stage.
-- @class SecuredLIRequest
-- @param content contains encrypted linkage information signed by MA; decrypts to a
--                 SignedLIRequest.
-- @see MaLaLinkageInfoRequest, LaCertificate 
SecuredLIRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})

---
-- @brief This structure contains ScopedLIReply which contains 
--        LaMaLinkageInfoResponseMsg. LA signs this message using its private
--        key corresponding to its LaCertificate.
-- @class SignedLIReply
-- @param content contains ScopedLIReply.
-- @see LaMaLinkageInfoResponseMsg, LaCertificate 
SignedLIReply ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedLIReply)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedLIReply and is sent by LA in response
--        to an MA's SecuredLIRequest. LA encrypts this message using
--        encryptionKey obtained from MaCertificate.
-- @class SecuredLIReply
-- @param content contains LA's response with linkage information; decrypts to
--                a SignedLIReply.
-- @see LaMaLinkageInfoResponseMsg, MaCertificate
SecuredLIReply ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})

---
-- @brief This structure contains ScopedLSRequest which contains 
--        MaLaLinkageSeedRequestMsg. MA signs this message using its private
--        key corresponding to its MaCertificate.
-- @class SignedLSRequest
-- @param content contains ScopedLSRequest.
-- @see MaLaLinkageSeedRequestMsg, MaCertificate
SignedLSRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedLSRequest)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedLSRequest that is sent by MA to LA to 
--        request linkage seed information for misbehavior report analysis. MA 
--        encrypts this request using LA's public key that it obtains from
--        LaCertificate received from ICA at Add LA stage.
-- @class SecuredLSRequest
-- @param content contains encrypted linkage seed request message signed by
--                MA; decrypts to a SignedLSRequest.
-- @see MaLaLinkageSeedRequestMsg, LaCertificate
SecuredLSRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})

---
-- @brief This structure contains ScopedLSReply which contains 
--        LaMaLinkageSeedResponseMsg. LA signs this message using its private
--        key corresponding to its LaCertificate.
-- @class SignedLSReply
-- @param content contains ScopedLSReply.
-- @see LaMaLinkageSeedResponseMsg, LaCertificate
SignedLSReply ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedLSReply)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedLSReply and is sent by LA in response
--        to an MA's SecuredLSRequest. LA encrypts this message using
--        encryptionKey in MaCertificate.
-- @class SecuredLSReply
-- @param content contains LA's response with linkage information; decrypts to
--                a SignedLSReply.
-- @see LaMaLinkageSeedResponseMsg
SecuredLSReply ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData  -- decrypts to a SignedLSReply
  })
})



-- *************************************************************************
--
--             LA-PCA
--
-- *************************************************************************

---
-- @brief This structure contains ScopedPcaLaKeyAgreementRequest which 
--        contains PcaLaKeyAgreementRequestMsg and is sent from PCA to LA to 
--        initiate key agreement. PCA signs this message using its private key
--        corresponding to its PcaCertificate.
-- @class SignedPcaLaKeyAgreementRequest
-- @param content contains ScopedPcaLaKeyAgreementRequest.
-- @see PcaLaKeyAgreementRequestMsg
SignedPcaLaKeyAgreementRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedPcaLaKeyAgreementRequest)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains ScopedLaPcaKeyAgreementResponse which
--        contains LaPcaKeyAgreementResponse and is sent from LA to PCA. LA
--        signs this message using its private key corresponding to its
--        LaCertificate.
-- @class SignedLaPcaKeyAgreementResponse
-- @param content contains ScopedLaPcaKeyAgreementResponse.
-- @see LaPcaKeyAgreementResponse, LaCertificate
SignedLaPcaKeyAgreementResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedLaPcaKeyAgreementResponse)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains ScopedPcaLaKeyAgreementAck which contains
--        PcaLaKeyAgreementAck and is sent from PCA to LA. PCA signs this
--        message using private key corresponding to its PcaCertificate.
-- @class SignedPcaLaKeyAgreementAck
-- @param content contains ScopedPcaLaKeyAgreementAck.
-- @see PcaLaKeyAgreementAck, PcaCertificate
SignedPcaLaKeyAgreementAck ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedPcaLaKeyAgreementAck)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})


-- *************************************************************************
--
--             LA-RA
--
-- *************************************************************************


---
-- @brief This structure contains ScopedRaLaIndividualPreLinkageValueRequest
--        which contains RaLaIndividualPreLinkageValueRequest and is sent from
--        RA to LA. RA signs this message using its private key corresponding
--        to its RaCertificate. Generation time is present to prevent replay;
--        keep the message for replay checks until the time corresponding to
--        iMin has been reached.
-- @class SignedRaLaIndividualPreLinkageValueRequest
-- @param content contains ScopedRaLaIndividualPreLinkageValueRequest.
-- @see RaLaIndividualPreLinkageValueRequest, RaCertificate
SignedRaLaIndividualPreLinkageValueRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedRaLaIndividualPreLinkageValueRequest)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime PRESENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})


---
-- @brief This structure contains ScopedRaLaGroupPreLinkageValueRequest which
--        contains RaLaGroupPreLinkageValueRequest and is sent by RA to LA. RA
--        signs this message using its private key corresponding to its
--        RaCertificate. Generation time is present to prevent replay;
--        keep the message for replay checks until the time corresponding to
--        iMin has been reached.
-- @class SignedRaLaGroupPreLinkageValueRequest
-- @param content contains ScopedRaLaGroupPreLinkageValueRequest.
-- @see RaLaGroupPreLinkageValueRequest, RaCertificate
SignedRaLaGroupPreLinkageValueRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedRaLaGroupPreLinkageValueRequest)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime PRESENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})


---
-- @brief This structure contains ScopedLaRaPreLinkageValueResponse which
--        contains LaRaPreLinkageValueResponse and is sent by LA to RA. LA
--        signs this message using its private key corresponding to its
--        LaCertificate. Generation time is present to prevent replay;
--        keep the message for replay checks until the time corresponding to
--        iMin has been reached.
-- @class SignedLaRaPreLinkageValueResponse
-- @param content contains ScopedLaRaPreLinkageValueResponse.
-- @see LaRaPreLinkageValueResponse, LaCertificate
SignedLaRaPreLinkageValueResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedLaRaPreLinkageValueResponse)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime PRESENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})


-- *************************************************************************
--
--             MA-PCA
--
-- *************************************************************************

---
-- @brief This structure contains ScopedMaPcaPreLinkageValueRequest which
--        contains MaPcaPreLinkageValueRequest and is sent from MA to PCA. MA
--        signs this message using its private key corresponding to its
--        MaCertificate.
-- @class SignedMaPcaPreLinkageValueRequest
-- @param content contains ScopedMaPcaPreLinkageValueRequest.
-- @see MaPcaPreLinkageValueRequest, MaCertificate
SignedMaPcaPreLinkageValueRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedMaPcaPreLinkageValueRequest)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedMaPcaPreLinkageValueRequest and is
--        sent by MA to PCA. MA encrypts this message using encryptionKey from
--        PCA's PcaCertificate.
-- @class SecuredMaPcaPreLinkageValueRequest
-- @param content contains MA's request to gain pre-linkage values from PCA;
--                decrypts to a SignedMaPcaPreLinkageValueRequest.
-- @see PcaCertificate
SecuredMaPcaPreLinkageValueRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})


---
-- @brief This structure contains ScopedPcaMaPreLinkageValueResponse which
--        contains PcaMaPreLinkageValueResponse and is sent by PCA to MA. PCA
--        signs this message using its private key corresponding to its
--        PcaCertificate.
-- @class SignedPcaMaPreLinkageValueResponse
-- @param content contains ScopedPcaMaPreLinkageValueResponse.
-- @see PcaMaPreLinkageValueResponse, PcaCertificate
SignedPcaMaPreLinkageValueResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedPcaMaPreLinkageValueResponse)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedPcaMaPreLinkageValueResponse and is
--        sent by PCA to MA. PCA encrypts this message using the encryptionKey
--        in MaCertificate.
-- @class SecuredPcaMaPreLinkageValueResponse
-- @param content contains response from PCA with pre-linkage values requested
--                by MA; decrypts to a SignedPcaMaPreLinkageValueResponse.
-- @see MaCertificate
SecuredPcaMaPreLinkageValueResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})


---
-- @brief This structure contains ScopedMaPcaHPCRRequest which contains
--        MaPcaHPCRRequest and is sent by MA to PCA. MA signs this message
--        using its private key corresponding to its MaCertificate.
-- @class SignedMaPcaHPCRRequest
-- @param content contains ScopedMaPcaHPCRRequest.
-- @see MaPcaHPCRRequest, MaCertificate
SignedMaPcaHPCRRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedMaPcaHPCRRequest)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedMaPcaHPCRRequest and is sent by MA to
--        PCA. MA encrypts this message using encryptionKey in PCA's
--        PcaCertificate.
-- @class SecuredMaPcaHPCRRequest
-- @param content contains the encrypted HPCR request from MA; decrypts to a
--                SignedMaPcaHPCRRequest.
SecuredMaPcaHPCRRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})


---
-- @brief This structure contains ScopedPcaMaHPCRResponse which contains
--        PcaMaHPCRResponse and is sent by PCA to MA. PCA signs this message
--        using its private key corresponding to its PcaCertificate.
-- @class SignedPcaMaHPCRResponse
-- @param content contains ScopedPcaMaHPCRResponse.
-- @see PcaMaHPCRResponse, PcaCertificate
SignedPcaMaHPCRResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedPcaMaHPCRResponse)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedPcaMaHPCRResponse and is sent by PCA
--        to MA as a response to MA's SecuredMaPcaHPCRRequest. PCA encrypts
--        data in this message using encryptionKey in MaCertificate.
-- @class SecuredPcaMaHPCRResponse
-- @param content contains the encrypted response from PCA with HPCR; decrypts
--                to a SignedPcaMaHPCRResponse.
-- @see MaCertificate
SecuredPcaMaHPCRResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})


-- *************************************************************************
--
--             MA-RA
--
-- *************************************************************************

---
-- @brief This structure contains ScopedBlacklistRequest which contains
--        MaRaBlacklistRequest and is sent by MA to RA. MA signs this message
--        using the private key corresponding to its MaCertificate.
-- @class SignedBlacklistRequest
-- @param content contains ScopedBlacklistRequest that indicates which
--                pseudonym certificates have been revoked by MA.
-- @see MaRaBlacklistRequest, MaCertificate
SignedBlacklistRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedBlacklistRequest)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedBlacklistRequest and is sent by MA to
--        RA. MA encrypts the data in this message using encryptionKey in RA's
--        RaCertificate.
-- @class SecuredBlacklistRequest
-- @param content contains encrypted request to update RA's internal blacklist;
--                decrypts to a SignedBlacklistRequest.
-- @see RaCertificate
SecuredBlacklistRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})


---
-- @brief This structure contains ScopedBlacklistResponse which contains
--        RaMaBlacklistResponse and is sent by RA to MA. RA signs this message
--        using the private key corresponding to its RaCertificate.
-- @class SignedBlacklistResponse
-- @param content contains ScopedBlacklistResponse that indicates status of
--                revoked pseudonym certificates.
-- @see RaMaBlacklistResponse, RaCertificate
SignedBlacklistResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedBlacklistResponse)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedBlacklistResponse and is sent as a
--        response by RA to MA's SecuredBlacklistRequest. RA encrypts the data
--        in this message using encryptionKey in MA's MaCertificate.
-- @class SecuredBlacklistResponse
-- @param content contains encrypted status of revoked pseudonym certificates; 
--                decrypts to a SignedBlacklistResponse.
-- @see MaCertificate
SecuredBlacklistResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})


---
-- @brief This structure contains ScopedRseObeIdBlacklistRequest which
--        contains MaRaRseObeIdBlacklistRequest and is sent by MA to RA. MA
--        signs this message using the private key corresponding to its
--        MaCertificate.
-- @class SignedRseObeIdBlacklistRequest
-- @param content contains ScopedRseObeIdBlacklistRequest.
-- @see MaRaRseObeIdBlacklistRequest, MaCertificate
SignedRseObeIdBlacklistRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedRseObeIdBlacklistRequest)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedRseObeIdBlacklistRequest and is sent
--        by MA to RA. MA encrypts this message using the encryptionKey in RA's
--        RaCertificate.
-- @class SecuredRseObeIdBlacklistRequest
-- @param content contains the encrypted status report of revoked 
--                identification and application certificates; decrypts to a
--                SignedRseObeIdBlacklistRequest.
-- @see RaCertificate
SecuredRseObeIdBlacklistRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})


---
-- @brief This structure contains ScopedBlacklistResponse which contains
--        RaMaBlacklistResponse and is sent by RA to MA. RA signs this message
--        using the private key corresponding to its RaCertificate.
-- @class SignedRseObeIdBlacklistResponse
-- @param content contains ScopedBlacklistResponse that notifies the status of
--                revoked identification certificates and application
--                certificates.
-- @see RaMaBlacklistResponse, RaCertificate
SignedRseObeIdBlacklistResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedBlacklistResponse)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedRseObeIdBlacklistResponse and is sent
--        by RA to MA. RA encrypts this message using the encryptionKey in MA's
--        MaCertificate.
-- @class SecuredRseObeIdBlacklistResponse
-- @param content contains encrypted status report of revoked identification
--                and pseudonym certificates; decrypts to a
--                SignedRseObeIdBlacklistResponse.
-- @see MaCertificate
SecuredRseObeIdBlacklistResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})


---
-- @brief This structure contains ScopedLCIRequest which contains
--        MaRaLCIRequest and is sent by MA to RA. MA signs this message using
--        the private key corresponding to its MaCertificate.
-- @class SignedLCIRequest
-- @param content contains ScopedLCIRequest.
-- @see MaRaLCIRequest, MaCertificate
SignedLCIRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedLCIRequest)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedLCIRequest and is sent by MA to RA. MA
--        encrypts the data in this message using the encryptionKey in RA's
--        RaCertificate.
-- @class SecuredLCIRequest
-- @param content contains encrypted request for linkage chain identifiers;
--                decrypts to a SignedLCIRequest.
-- @see RaCertificate
SecuredLCIRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})



---
-- @brief This structure contains ScopedLCIResponse which contains
--        RaMaLCIResponse and is sent by RA to MA. RA signs this message using
--        the private key corresponding to its RaCertificate.
-- @class SignedLCIResponse
-- @param content contains ScopedLCIResponse.
-- @see RaMaLCIResponse, RaCertificate
SignedLCIResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedLCIResponse)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})

---
-- @brief This structure contains SignedLCIResponse and is sent by RA to MA.
--        RA encrypts the data in this message using the encryptionKey in MA's
--        MaCertificate.
-- @class SecuredLCIResponse
-- @param content contains encrypted linkage chain identifiers sent by RA;
--                decrypts to a SignedLCIResponse.
-- @see MaCertificate
SecuredLCIResponse ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    encryptedData
  })
})


-- *************************************************************************
--
--             PCA-RA
--
-- *************************************************************************



---
-- @brief This structure contains ScopedRaPcaCertificateRequest which contains 
--        RaPcaCertRequestMsg. RA encrypts this message before sending it to 
--        PCA using encryptionKey in PCA's PcaCertificate sent by the ICA
--        during Add PCA stage.
-- @class SecuredRaPcaCertificateRequest
-- @param content contains ScopedRaPcaCertificateRequest and RA's certificate.
-- @see RaPcaCertRequestMsg
SecuredRaPcaCertificateRequest ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedCertificateRequest  (CONTAINING
      SignedCertificateRequest (WITH COMPONENTS {...,
        tbsRequest (ScopedRaPcaCertificateRequest),
        signer (WITH COMPONENTS {
          certificate (SequenceOfCertificate (SIZE(1))
          )
--          certificate (SequenceOfCertificate (SIZE(1)) (CONSTRAINED BY {
--              Certificate(EndEntityEnrollmentPseudonymCertificate)
--          }))
        })
      })
    )
  })
})



---
-- @brief This structure contains ScopedPcaRaCertificateRequestReply which 
--        contains PcaRaCertResponseMsg. PCA encrypts this message before 
--        sending it to RA using the encryptionKey in RA's RaCertificate.
-- @class SecuredPcaRaCertificateRequestReply
-- @param content contains ScopedPcaRaCertificateRequestReply.
-- @see PcaRaCertResponseMsg
SecuredPcaRaCertificateRequestReply ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
          data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedPcaRaCertificateRequestReply)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime ABSENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})


---
-- @brief This structure defines the TbsElectorEndorsement as a scoped version 
--        of the ScmsPDU.
-- @class ScopedElectorEndorsement
-- @param content contains TbsElectorEndorsement.
-- @see TbsElectorEndorsement
ScopedElectorEndorsement ::=
  ScmsPDU  (WITH COMPONENTS {...,
    content (WITH COMPONENTS {
      ccm (WITH COMPONENTS {
        tbsElectorEndorsement
      })
    })
 })

---
-- @brief This structure contains ScopedElectorEndorsement which contains
--        TbsElectorEndorsement and is used by Electors to endorse addition of
--        a new Elector to the SCMS. The existing Electors sign their
--        endorsements using their private keys corresponding to their
--        respective ElectorCertificate.
-- @class SignedElectorEndorsement
-- @param content contains ScopedElectorEndorsement.
-- @see TbsElectorEndorsement
SignedElectorEndorsement ::= SecuredScmsPDU (WITH COMPONENTS {...,
  content (WITH COMPONENTS {...,
    signedData  (WITH COMPONENTS {...,
      tbsData (WITH COMPONENTS {...,
        payload (WITH COMPONENTS {...,
         data (WITH COMPONENTS {...,
             content (WITH COMPONENTS {
                unsecuredData (CONTAINING ScopedElectorEndorsement)
            })
          })
        }),
        headerInfo (WITH COMPONENTS {...,
          psid (SecurityMgmtPsid),
          generationTime PRESENT,
          expiryTime ABSENT,
          generationLocation ABSENT,
          p2pcdLearningRequest ABSENT,
          missingCrlIdentifier ABSENT,
          encryptionKey ABSENT
        })
      })
    })
  })
})


-- *************************************************************************
--
--             SSP
--
-- *************************************************************************



---
-- @brief The ScmsSsp is the parent structure that encompasses all Service 
--        Specific Permission (SSP) structures defined in the SCMS.
-- @class ScmsSsp
-- @param elector contains SSP defined for an Elector.
-- @param root contains SSP defined for a Root CA.
-- @param pg contains SSP defined for a Policy Generator (PG).
-- @param ica contains SSP defined for an Intermediate Certification Authority (ICA).
-- @param eca contains SSP defined for an Enrollment Certification Authority (ECA).
-- @param pca contains SSP defined for a Pseudonym Certification Authority (PCA).
-- @param crl contains SSP defined for a Certificate Revocation List (CRL).
-- @param dcm contains SSP defined for a Device Configuration Manager (DCM).
-- @param la contains SSP defined for a Linkage Authority (LA).
-- @param lop contains SSP defined for a Location Obscurer Proxy (LOP).
-- @param ma contains SSP defined for a Misbehavior Authority (MA).
-- @param ra contains SSP defined for a Registration Authority (RA).
ScmsSsp ::= CHOICE {
  elector ElectorSsp,
  root RootCaSsp,
  pg   PGSsp,
  ica  IcaSsp,
  eca  EcaSsp,
  pca  PcaSsp,
  crl  CrlSignerSsp,
  dcm  DcmSsp,
  la   LaSsp,
  lop  LopSsp,
  ma   MaSsp,
  ra   RaSsp,
  ...
}

---
-- @brief This structure defines the SSP for an Elector.
-- @class ElectorSsp
-- @param version contains the current version of the data type. The version 
--                specified in this document is version 1, represented by the
--                integer 1.
-- @see Uint8
ElectorSsp ::= SEQUENCE {
  version Uint8(1),
  ...
}

---
-- @brief This structure defines the SSP for a Root CA.
-- @class RootCaSsp
-- @param version contains the current version of the data type. The version 
--                specified in this document is version 1, represented by the
--                integer 1.
-- @see Uint8
RootCaSsp ::= SEQUENCE {
  version Uint8(1),
  ...
}

---
-- @brief This structure defines the SSP for a PG.
-- @class PGSsp
-- @param version contains the current version of the data type. The version 
--                specified in this document is version 1, represented by the
--                integer 1.
-- @see Uint8
PGSsp ::= SEQUENCE {
  version Uint8(1),
  ...
}

---
-- @brief This structure defines the SSP for an ICA.
-- @class IcaSsp
-- @param version contains the current version of the data type. The version 
--                specified in this document is version 1, represented by the
--                integer 1.
-- @see Uint8
IcaSsp ::= SEQUENCE {
  version Uint8(1),
  ...
}

---
-- @brief This structure defines the SSP for an ECA.
-- @class EcaSsp
-- @param version contains the current version of the data type. The version 
--                specified in this document is version 1, represented by the
--                integer 1.
-- @see Uint8
EcaSsp ::= SEQUENCE {
  version Uint8(1),
  ...
}

---
-- @brief This structure defines the SSP for a PCA.
-- @class PcaSsp
-- @param version contains the current version of the data type. The version 
--                specified in this document is version 1, represented by the
--                integer 1.
-- @see Uint8
PcaSsp ::= SEQUENCE {
  version Uint8(1),
  ...
}

---
-- @brief This structure defines the SSP for a CRL signer.
-- @class CrlSignerSsp
-- @param version contains the current version of the data type. The version 
--                specified in this document is version 1, represented by the
--                integer 1.
-- @see Uint8
CrlSignerSsp ::= SEQUENCE {
  version Uint8(1),
  ...
}

---
-- @brief This structure defines the SSP for a DCM.
-- @class DcmSsp
-- @param version contains the current version of the data type. The version 
--                specified in this document is version 1, represented by the
--                integer 1.
-- @see Uint8
DcmSsp ::= SEQUENCE {
  version Uint8(1),
  ...
}

---
-- @brief This structure defines the SSP for an LA.
-- @class LaSsp
-- @param version contains the current version of the data type. The version 
--                specified in this document is version 1, represented by the
--                integer 1.
-- @see Uint8
LaSsp ::= SEQUENCE {
  version Uint8(1),
  laId Uint16,
  ...
}

---
-- @brief This structure defines the SSP for an LOP.
-- @class LopSsp
-- @param version contains the current version of the data type. The version 
--                specified in this document is version 1, represented by the
--                integer 1.
-- @see Uint8
LopSsp ::= SEQUENCE {
  version Uint8(1),
  ...
}

---
-- @brief This structure defines the SSP for an MA.
-- @class MaSsp
-- @param version contains the current version of the data type. The version 
--                specified in this document is version 1, represented by the
--                integer 1.
-- @see Uint8
MaSsp ::= SEQUENCE {
  version        Uint8(1),
  relevantPsids  SequenceOfPsid,
  ...
}

---
-- @brief This structure defines the SSP for an RA.
-- @class RaSsp
-- @param version contains the current version of the data type. The version 
--                specified in this document is version 1, represented by the
--                integer 1.
-- @see Uint8
RaSsp ::= SEQUENCE {
  version  Uint8(1),
  ...
}



END

eca-ee.asn
 release/1.2.1  SCMS/scms-asn
--
--  Copyright 2017 Crash Avoidance Metrics Partner, VSC5 Consortium
--
--  Licensed under the Apache License, Version 2.0 (the "License");
--  you may not use this file except in compliance with the License.
--  You may obtain a copy of the License at
--
--     http://www.apache.org/licenses/LICENSE-2.0
--
--  Unless required by applicable law or agreed to in writing, software
--  distributed under the License is distributed on an "AS IS" BASIS,
--  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--  See the License for the specific language governing permissions and
--  limitations under the License.
--

-- @namespace Ieee1609Dot2EcaEndEntityInterface
Ieee1609Dot2EcaEndEntityInterface
{iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) scms(2) interfaces(1) eca-ee (5)}

DEFINITIONS AUTOMATIC TAGS ::= BEGIN

EXPORTS ALL;

IMPORTS

  HashedId8,
  Time32,
  Uint8

FROM IEEE1609dot2BaseTypes {iso(1) identified-organization(3) ieee(111)
	 standards-association-numbered-series-standards(2) wave-stds(1609)
	 dot2(2) base(1) base-types(2)}

  Certificate,
  ImplicitCertificate,
  ToBeSignedCertificate

FROM IEEE1609dot2 {iso(1) identified-organization(3) ieee(111)
	 standards-association-numbered-series-standards(2) wave-stds(1609)
	 dot2(2) base (1) schema (1)}

  EccP256PrivateKeyReconstruction

FROM Ieee1609dot2ScmsBaseTypes {iso(1) identified-organization(3) ieee(111)
     standards-association-numbered-series-standards(2) wave-stds(1609)  dot2(2)
     scms (2) interfaces(1) base-types (2)}

;

---
-- @brief The EcaEndEntityInterfacePDU is the parent message type for messages 
--        sent between Enrollment Certificate Authority (ECA) and End Entities
--        (EE).
-- @class EcaEndEntityInterfacePDU
-- @param eeEcaCertRequest  contains the enrollment certificate request sent
--                          by the EE to the ECA.
-- @param ecaEeCertResponse contains the enrollment certificate response sent
--                          by the ECA to an EE.
EcaEndEntityInterfacePDU::= CHOICE {
    eeEcaCertRequest 	EeEcaCertRequest,
    ecaEeCertResponse 	EcaEeCertResponse,
    ...
}

---
-- @brief This data type is used by the EE to request an enrollment 
--        certificate from the ECA. It is signed using the private key 
--        generated by the EE and the corresponding public key is placed in 
--        verificationKey for use by the ECA to generate the enrollment
--        certificate. All the fields of ToBeSignedCertificate are filled by
--        the EE/DCM, but the ECA may override them.
-- @class EeEcaCertRequest
-- @param version     contains the current version of the data type. The 
--                    version specified in this document is version 1,
--                    represented by the integer 1.
-- @param currentTime contains the time of creation of EeEcaCertRequest.
-- @param tbsData     contains the ToBeSignedCertificate data used by the ECA 
--                    to generate the EE’s enrollment certificate. The 
--                    ToBeSignedCertificate is specified in Section 6.4.8 of
--                    IEEE 1609.2-2016.
-- @see Uint8, Time32, ToBeSignedCertificate
EeEcaCertRequest ::= SEQUENCE {
    version             Uint8(1),
    currentTime         Time32,
    tbsData             ToBeSignedCertificate (WITH COMPONENTS { ...,
      id(WITH COMPONENTS { ...,
        linkageData ABSENT }),
      region PRESENT,
      appPermissions ABSENT,
      certIssuePermissions ABSENT,
      certRequestPermissions PRESENT,
      verifyKeyIndicator (WITH COMPONENTS {
        verificationKey }) }),
    ...
}

---
-- @brief This data type is used by the ECA to respond to an EE’s enrollment 
--        certificate request. Additional bootstrapping information including 
--        the RA's certificate are provided by the DCM in a zipped file.
-- @class EcaEeCertResponse
-- @param version               contains the current version of the data type. 
--                              The version specified in this document is 
--                              version 1, represented by the integer 1.
-- @param requestHash           contains the hash of the original
--                              EeEcaCertRequest message.
-- @param ecaCert               contains the Enrollment Certificate Authority
--                              certificate.
-- @param enrollmentCert        contains the Implicit Certificate structure of 
--                              the enrollment certificate, as specified in
--                              Section 6.4.5 of IEEE 1609.2-2016.
-- @param privKeyReconstruction contains the private key reconstruction value 
--                              required by the EE to transform its private
--                              key into an operational private key.
-- @see Uint8, HashedId8, Certificate, ImplicitCertificate,
--      EccP256PrivateKeyReconstruction
EcaEeCertResponse ::= SEQUENCE {
    version         			Uint8(1),
    requestHash     			HashedId8,
    ecaCert         			Certificate,
    enrollmentCert  			ImplicitCertificate,
    privKeyReconstruction 		EccP256PrivateKeyReconstruction,
    ...
}

END
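The constraints that EeEcaCertRequest places on tbsData, and the requestHash binding in EcaEeCertResponse, written out as checks. This is an added example, not code from the SCMS project. It assumes messages are already decoded into plain dicts with CHOICE values as (name, value) tuples, that requestHash covers the encoded request exactly as it was sent, and that a freshness window on currentTime is set by local policy; all sample values are constructed.

```python
import hashlib
import hmac


def hashed_id8(encoded: bytes) -> bytes:
    """HashedId8 as defined in IEEE 1609.2: low-order 8 bytes of SHA-256."""
    return hashlib.sha256(encoded).digest()[-8:]


def check_enrollment_request(req: dict, now: int, max_age: int = 300) -> list:
    """Return the EeEcaCertRequest constraints that a decoded request violates."""
    errors = []
    if req.get("version") != 1:
        errors.append("version must be 1")
    # Assumption: requests older than max_age seconds, or dated in the future,
    # are refused. The schema only says currentTime is the creation time.
    created = req.get("currentTime")
    if created is None or not 0 <= now - created <= max_age:
        errors.append("currentTime missing or outside the freshness window")
    tbs = req.get("tbsData", {})
    # id(WITH COMPONENTS { ..., linkageData ABSENT })
    if tbs.get("id", (None, None))[0] == "linkageData":
        errors.append("id must not carry linkageData")
    for name in ("region", "certRequestPermissions"):      # PRESENT
        if name not in tbs:
            errors.append(f"{name} must be present")
    for name in ("appPermissions", "certIssuePermissions"):  # ABSENT
        if name in tbs:
            errors.append(f"{name} must be absent")
    # verifyKeyIndicator (WITH COMPONENTS { verificationKey })
    if tbs.get("verifyKeyIndicator", (None, None))[0] != "verificationKey":
        errors.append("verifyKeyIndicator must be a verificationKey")
    return errors


def check_enrollment_response(resp: dict, sent_request: bytes) -> list:
    """Return the problems found in a decoded EcaEeCertResponse."""
    errors = []
    if resp.get("version") != 1:
        errors.append("version must be 1")
    # Constant-time comparison of the 8-byte hash against the request we sent.
    if not hmac.compare_digest(resp.get("requestHash", b""),
                               hashed_id8(sent_request)):
        errors.append("requestHash does not match the request that was sent")
    for name in ("ecaCert", "enrollmentCert", "privKeyReconstruction"):
        if name not in resp:
            errors.append(f"{name} is missing")
    return errors


# Constructed sample data (not real SCMS messages).
GOOD_REQUEST = {
    "version": 1,
    "currentTime": 500_000_000,
    "tbsData": {
        "id": ("name", "obe-constructed-001"),
        "region": ("identifiedRegion", [("countryOnly", 840)]),
        "certRequestPermissions": ["constructed-permission-group"],
        "verifyKeyIndicator": ("verificationKey", b"\x11" * 33),
    },
}
BAD_REQUEST = {
    "version": 1,
    "currentTime": 500_000_000,
    "tbsData": {
        "id": ("linkageData", b"\x00" * 9),
        "appPermissions": ["constructed-app-permission"],
        "certRequestPermissions": ["constructed-permission-group"],
        "verifyKeyIndicator": ("reconstructionValue", b"\x22" * 33),
    },
}
SENT_BYTES = b"constructed stand-in for the encoded EeEcaCertRequest"
GOOD_RESPONSE = {
    "version": 1,
    "requestHash": hashed_id8(SENT_BYTES),
    "ecaCert": b"constructed",
    "enrollmentCert": b"constructed",
    "privKeyReconstruction": b"\x00" * 32,
}

if __name__ == "__main__":
    print(check_enrollment_request(BAD_REQUEST, now=500_000_060))
    print(check_enrollment_response(GOOD_RESPONSE, SENT_BYTES + b"tampered"))
```

A response that passes these checks is only bound to the request; the enrollment certificate and ecaCert still have to chain to a trusted Root CA before they are installed.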

scms-policy.asn
 release/1.2.1  SCMS/scms-asn
-- 
--  Copyright 2017 Crash Avoidance Metrics Partner, VSC5 Consortium
-- 
--  Licensed under the Apache License, Version 2.0 (the "License");
--  you may not use this file except in compliance with the License.
--  You may obtain a copy of the License at
-- 
--     http://www.apache.org/licenses/LICENSE-2.0
-- 
--  Unless required by applicable law or agreed to in writing, software
--  distributed under the License is distributed on an "AS IS" BASIS,
--  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--  See the License for the specific language governing permissions and
--  limitations under the License.
-- 
-- @namespace Ieee1609dot2ScmsPolicyTypes 
Ieee1609dot2ScmsPolicyTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)  dot2(2)
scms (2) interfaces(1) policy-types (500)}

DEFINITIONS AUTOMATIC TAGS ::= BEGIN

EXPORTS ALL;

IMPORTS

    Countersignature,
    ExplicitCertificate,
    Ieee1609Dot2Data,
    SequenceOfCertificate

FROM IEEE1609dot2 {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base (1) schema (1)}

    Duration,
    Hostname,
    Opaque,
    Time64,
    Uint8,
    Uint16,
    Uint32,
    Uint64

FROM IEEE1609dot2BaseTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)
dot2(2) base(1) base-types(2)}

    LaHostnameId,
    PcaHostnameId,
    RaHostnameId

FROM Ieee1609dot2ScmsBaseTypes {iso(1) identified-organization(3) ieee(111)
standards-association-numbered-series-standards(2) wave-stds(1609)  dot2(2)
scms (2) interfaces(1) base-types (2)}

;

---
-- @brief The PolicyFiles structure defines the parent structure for all 
--        policy files (GCCF & LCCF). Each policy file resides in its own file
--        and it is signed by one or more components to ensure the policy is
--        valid.
-- @class PolicyFiles 
-- @param globalPolicyFile contains the global policy file generated by Policy
--                         Generator (PG).
-- @param localPolicyFile  contains the local policy file generated by a
--                         Registration Authority (RA). Note that RA has to
--                         get this signed by PG before sending to EEs.
PolicyFiles ::= CHOICE {
    globalPolicyFile GlobalPolicyFile,
    localPolicyFile LocalPolicyFile,
    ...
}

---
-- @brief This data type defines the inherent policy file structure created
--        either by PG or RA.
-- @class BasePolicyFile 
-- @param version    defines the version of BasePolicyFile. Currently, it is
--                   denoted by integer 1.
-- @param tbsData    is the policy data that is signed by PG at the scms
--                   protocol level.
-- @param signatures denote the counter signatures that are generated by
--                   auditors of the policy file. Note that PG or RA must
--                   obtain these signatures before sending to any EE.
-- @see Uint8, Countersignature
BasePolicyFile ::= SEQUENCE {
    version Uint8(1),
    tbsData ToBeSignedPolicyData,
    -- countersignatures generated by auditors of the policy file
    signatures SEQUENCE SIZE(1..MAX) OF Countersignature,
    ...
}

---
-- @brief This data type contains the policy file data that is signed by the
--        PG at scms-protocol level.
-- @class ToBeSignedPolicyData 
-- @param policyID denotes the unique identifier for a policy file.
-- @param generationTime is the point of time when a policy file was generated.
-- @param activeTime     is the duration of time for which the policy file is
--                       valid.
-- @param policy         is the policy data for either global, local or custom
--                       file.
-- @see Time64
ToBeSignedPolicyData ::= SEQUENCE {
    policyID OCTET STRING (SIZE (0..32)),
    generationTime Time64,
    activeTime Time64,
    policy Policy,
    ...
}

---
-- @brief This data type is generated by PG and contains global policy data.
-- @class GlobalPolicyFile 
-- @param tbsData is the policy data that is signed by PG at scms-protocol level.
GlobalPolicyFile ::= BasePolicyFile (WITH COMPONENTS {...,
    tbsData( WITH COMPONENTS {...,
        policy(WITH COMPONENTS {...,
            global PRESENT
        })
    })
})

---
-- @brief This data type is generated by an RA and contains local policy data
--        derived from global policy data.
-- @class LocalPolicyFile 
-- @param globalParameters denotes all the values inherited from
--                         GlobalPolicyFile.
-- @param localParameters  denotes all values defined by RA for local policy
--                         file specifically.
LocalPolicyFile ::= SEQUENCE {
    globalParameters BasePolicyFile (WITH COMPONENTS {...,
        tbsData( WITH COMPONENTS {...,
            policy( WITH COMPONENTS {...,
                custom PRESENT
            })
        })
    }),

    localParamters BasePolicyFile (WITH COMPONENTS {...,
        tbsData( WITH COMPONENTS {...,
            policy( WITH COMPONENTS {...,
                local PRESENT
            })
        })
    })
}

---
-- @brief This data type contains policy file data depending on the type of
--        policy file i.e. global, local or custom.
-- @class Policy 
-- @param global denotes global policy data.
-- @param custom denotes custom policy data.
-- @param local denotes local policy data.
Policy ::= CHOICE {
    global  GlobalPolicyData,
    custom  CustomPolicyData,
    local   LocalPolicyData,
    ...
}

---
-- @brief This data type contains global policy data generated by PG.
-- @class GlobalPolicyData 
-- @param temporalSeriesOfScmsVersion                 SCMS Version, default value is 1
-- @param temporalSeriesOfCertChainFileID             File ID number of the current GCCF
-- @param temporalSeriesOfOverdueCrlTolerance         max time to operate without a new
--                                                    CRL, specified in weeks (4 bytes)
-- @param temporalSeriesOfIPeriod                     i-value / i-period; default: 1 week
-- @param temporalSeriesOfMinCertsPerIPeriod          minimum certs per i-period; default: 20
-- @param temporalSeriesOfCertValidityModel           pseudonym cert validity model -
--                                                    "concurrent" or "non-concurrent"
-- @param temporalSeriesOfMaxAvailableCertSupply      max time covered by a certificate
--                                                    batch in years, default: 3 years
-- @param temporalSeriesOfMaxCertRequestAge           maximum time for individual cert
--                                                    request to remain in aggregator;
--                                                    default: 2 days
-- @param temporalSeriesOfShuffleThreshold            minimum # of individual cert requests
--                                                    before shuffle/send to PCA; default: 1000
-- @param temporalSeriesOfHashOfRequestSize           bytes in "hash of request" between
--                                                    PCA and RA for individual cert requests; default: 32
-- @param temporalSeriesOfMaxGpfGccfRetrievalInterval maximum interval (in hours) before
--                                                    retrieving new GPF or GCCF; default: 1 hour
-- @param temporalSeriesOfRseApplicationCertValidity  validity time for an RSE cert (in hours)
--                                                    Default value is 1 week + 1 hour = 168 hours
-- @param temporalSeriesOfRseApplicationCertOVerlap   RSE application cert overlap; Default value is 1 hour
-- @see Time64
GlobalPolicyData ::= SEQUENCE {
    temporalSeriesOfScmsVersion SEQUENCE {
        initialScmsVersion ScmsVersion DEFAULT 1,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            scmsVersion ScmsVersion
        }
    } OPTIONAL,

    temporalSeriesOfCertChainFileID SEQUENCE {
        initialGlobalCertChainFileID GlobalCertChainFileID,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            globalCertChainFileID GlobalCertChainFileID
        }
    } OPTIONAL,

    temporalSeriesOfOverdueCrlTolerance SEQUENCE {
        initialOverdueCrlTolerance OverdueCrlTolerance,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            overdueCrlTolerance OverdueCrlTolerance
        }
    } OPTIONAL,

    temporalSeriesOfIPeriod SEQUENCE {
        initialIPeriod IPeriod,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            iPeriod IPeriod
        }
    } OPTIONAL,

    temporalSeriesOfMinCertsPerIPeriod SEQUENCE {
        initialMinCertsPerIPeriod MinCertsPerIPeriod DEFAULT 20,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            minCertsPerIPeriod MinCertsPerIPeriod
        }
    } OPTIONAL,

    temporalSeriesOfCertValidityModel SEQUENCE {
        initialCertValidityModel CertValidityModel,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            certValidityModel CertValidityModel
        }
    } OPTIONAL,

    temporalSeriesOfMaxAvailableCertSupply SEQUENCE {
        initialMaxAvailableCertSupply MaxAvailableCertSupply,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            maxAvailableCertSupply MaxAvailableCertSupply
        }
    } OPTIONAL,

    temporalSeriesOfMaxCertRequestAge SEQUENCE {
        initialMaxCertRequestAge MaxCertRequestAge,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            maxCertRequestAge MaxCertRequestAge
        }
    } OPTIONAL,

    temporalSeriesOfShuffleThreshold SEQUENCE {
        initialShuffleThreshold ShuffleThreshold DEFAULT 1000,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            shuffleThreshold ShuffleThreshold
        }
    } OPTIONAL,

    temporalSeriesOfHashOfRequestSize SEQUENCE {
        initialHashOfRequestSize HashOfRequestSize DEFAULT 32,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            hashOfRequestSize HashOfRequestSize
        }
    } OPTIONAL,

    temporalSeriesOfMaxGpfGccfRetrievalInterval SEQUENCE {
        initialMaxGpfGccfRetrievalInterval MaxGpfGccfRetrievalInterval,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            maxGpfGccfRetrievalInterval MaxGpfGccfRetrievalInterval
        }
    } OPTIONAL,

    temporalSeriesOfRseApplicationCertValidity SEQUENCE {
        initialRseApplicationCertValidity RseApplicationCertValidity,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            rseApplicationCertValidity RseApplicationCertValidity
        }
    } OPTIONAL,

    temporalSeriesOfRseApplicationCertOVerlap SEQUENCE {
        initialRseApplicationCertOverlap RseApplicationCertOverlap,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            rseApplicationCertOverlap RseApplicationCertOverlap
        }
    } OPTIONAL,

    ...
}

---
-- @brief This data type defines the current scms version.
-- @class ScmsVersion 
ScmsVersion ::= Uint8                   

---
-- @brief This data type denotes the 16-bit global certificate chain ID.
-- @class GlobalCertChainFileID 
GlobalCertChainFileID ::= Uint16

---
-- @brief This data type denotes the maximum time to operate without a new CRL,
--        specified in weeks (4 bytes)
-- @class OverdueCrlTolerance 
OverdueCrlTolerance ::= Duration        

---
-- @brief This data type denotes the i-value / i-period; default
-- @class IPeriod 
IPeriod ::= Duration                    

---
-- @brief This data type denotes the minimum certs per i-period
-- @class MinCertsPerIPeriod 
MinCertsPerIPeriod ::= Uint8            

---
-- @brief This data type denotes the pseudonym cert validity model - 
--        "concurrent" or "non-concurrent"
-- @class CertValidityModel
-- @param concurrent     denotes the certificate can be used with other active
--                       certificates.
-- @param non-concurrent denotes the certificate cannot be used with other
--                       active certificates.
CertValidityModel ::= ENUMERATED {
    concurrent      (1),
    non-concurrent  (2),
    ...
}

---
-- @brief This data type denotes the maximum time covered by a certificate
--        batch in years.
-- @class MaxAvailableCertSupply 
MaxAvailableCertSupply ::= Duration

---
-- @brief This data type denotes the maximum time for individual certificate
--        request.
-- @class MaxCertRequestAge 
MaxCertRequestAge ::= Duration          

---
-- @brief This data type denotes the minimum number of individual certificate
--        requests before shuffle/send to PCA.
-- @class ShuffleThreshold 
ShuffleThreshold ::= Uint32             

---
-- @brief This data type denotes the number of bytes in "hash of request"
--        between PCA and RA for individual certificate requests.
-- @class HashOfRequestSize 
HashOfRequestSize ::= Uint8            

---
-- @brief This data type denotes the maximum interval (in hours) before
--        retrieving new GPF and GCCF.
-- @class MaxGpfGccfRetrievalInterval 
MaxGpfGccfRetrievalInterval ::= Duration

---
-- @brief This data type denotes the validity time for an RSE certificate (in
--        hours).
-- @class RseApplicationCertValidity 
RseApplicationCertValidity ::= Duration

---
-- @brief This data type denotes the RSE certificate overlap period (in hours).
-- @class RseApplicationCertOverlap 
RseApplicationCertOverlap ::= Duration

---
-- @brief This type is used by an RA that wants to create a custom version of 
--        the GlobalPolicyData. This structure adds an element with the RA's 
--        ID to differentiate it from a conventional GlobalPolicyFile.  
-- @class CustomPolicyData 
-- @param requestingRaHostname is the 256-bit unique hostname of the RA
--                             requesting custom policy data.
-- @param globalPolicy         is the global policy file data.
-- @see RaHostnameId
CustomPolicyData ::= SEQUENCE {
    requestingRaHostname RaHostnameId OPTIONAL,
    -- Hostname of the RA that customized this policy data
    globalPolicy GlobalPolicyData,
    ...
}

---
-- @brief This data type contains local policy data generated by RA from
--        global policy data derived from GPF of PG.
-- @class LocalPolicyData 
-- @param temporalSeriesOfShuffleThreshold        minimum # of individual cert
--                                                requests before shuffle/send
--                                                to PCA.
-- @param temporalSeriesOfCertsPerIPeriod         certs per i-period
--                                                (overrides global value);
--                                                default: 20
-- @param temporalSeriesOfLaOneHost               LA1 256-bit unique hostname.
-- @param temporalSeriesOfLaTwoHost               LA2 256-bit unique hostname.
-- @param temporalSeriesOfPcaHost                 PCA 256-bit unique hostname.
-- @param temporalSeriesOfRaX509TlsCert           RA TLS certificate for
--                                                connection over HTTP.
-- @param temporalSeriesOfLaX509TlsCert           LA TLS certificate.
-- @param temporalSeriesOfPcaX509TlsCert          PCA TLS certificate.
-- @param temporalSeriesOfSharedKeyUpdateInterval maximum time between changes
--                                                to pre-linkage value enc/dec
--                                                key.
-- @see Time64, LaHostnameId, RaHostnameId, PcaHostnameId
LocalPolicyData ::= SEQUENCE {
    temporalSeriesOfShuffleThreshold SEQUENCE {
        initialShuffleThreshold ShuffleThreshold,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            shuffleThreshold ShuffleThreshold
        }
    } OPTIONAL,
    temporalSeriesOfCertsPerIPeriod SEQUENCE {
        initialCertsPerIPeriod CertsPerIPeriod DEFAULT 20,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            certsPerIPeriod CertsPerIPeriod
        }
    } OPTIONAL,
    temporalSeriesOfLaOneHost SEQUENCE {
        initialLaOneHost LaHostnameId,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            laOneHost LaHostnameId
        }
    } OPTIONAL,
    temporalSeriesOfLaTwoHost SEQUENCE {
        initialLaTwoHost LaHostnameId,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            laTwoHost LaHostnameId
        }
    } OPTIONAL,
    temporalSeriesOfPcaHost SEQUENCE {
        initialPcaHost PcaHostnameId,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            pcaHost PcaHostnameId
        }
    } OPTIONAL,
    temporalSeriesOfRaX509TlsCert SEQUENCE {
        initialRaX509TlsCert X509TlsCert,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            raX509TlsCert X509TlsCert
        }
    } OPTIONAL,
    temporalSeriesOfLaX509TlsCert SEQUENCE {
        initialLaX509TlsCert X509TlsCert,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            laX509TlsCert X509TlsCert
        }
    } OPTIONAL,
    temporalSeriesOfPcaX509TlsCert SEQUENCE {
        initialPcaX509TlsCert X509TlsCert,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            pcaX509TlsCert X509TlsCert
        }
    } OPTIONAL, 
    temporalSeriesOfSharedKeyUpdateInterval SEQUENCE {
        initialSharedKeyUpdateInterval SharedKeyUpdateInterval,
        intervals SEQUENCE SIZE(0..MAX) OF SEQUENCE {
            startTime Time64,
            sharedKeyUpdateInterval SharedKeyUpdateInterval
        }
    } OPTIONAL,
    ...
}

---
-- @brief This data type denotes the certificates per i-period. This overrides
--        the global value.
-- @class CertsPerIPeriod
CertsPerIPeriod ::= Uint8                

---
-- @brief This data type denotes the TLS certificate for secure communication
--        over HTTP.
-- @class X509TlsCert 
X509TlsCert ::= Opaque

---
-- @brief This data type denotes the maximum time between changes to pre
--        linkage value encryption/decryption key.
-- @class SharedKeyUpdateInterval 
SharedKeyUpdateInterval ::= Duration    


END
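How a consumer of a GlobalPolicyFile might resolve the temporalSeriesOf... parameters at a given time, as an added example that is not code from the SCMS project. It assumes that each interval's value takes effect at its startTime and stays in force until the next interval starts, that a decoder leaves an omitted DEFAULT field out of the dict, and that the file is already decoded into plain dicts with CHOICE values as (name, value) tuples; the sample file and its times are constructed.

```python
# DEFAULT values stated for the initial... fields of GlobalPolicyData.
SCHEMA_DEFAULTS = {
    "temporalSeriesOfScmsVersion": 1,
    "temporalSeriesOfMinCertsPerIPeriod": 20,
    "temporalSeriesOfShuffleThreshold": 1000,
    "temporalSeriesOfHashOfRequestSize": 32,
}


def effective_value(series, at_time, schema_default=None):
    """Value of one temporal series in force at at_time (a Time64 integer)."""
    if series is None:
        return None  # the OPTIONAL series is not set in this file
    initial = [v for k, v in series.items() if k != "intervals"]
    value = initial[0] if initial else schema_default
    intervals = series.get("intervals", [])
    starts = [iv["startTime"] for iv in intervals]
    if len(set(starts)) != len(starts):
        raise ValueError("two intervals share a startTime; series is ambiguous")
    # Do not trust the encoded order: sort before walking the series.
    for iv in sorted(intervals, key=lambda iv: iv["startTime"]):
        if iv["startTime"] > at_time:
            break
        value = next(v for k, v in iv.items() if k != "startTime")
    return value


def resolve_global_policy(policy_file, at_time):
    """Structural checks on a BasePolicyFile, then resolve every series."""
    if policy_file.get("version") != 1:
        raise ValueError("BasePolicyFile version must be 1")
    # SIZE(1..MAX): presence only. Verifying each countersignature
    # cryptographically is a separate step that must also pass.
    if not policy_file.get("signatures"):
        raise ValueError("BasePolicyFile needs at least one countersignature")
    kind, data = policy_file["tbsData"]["policy"]
    if kind != "global":
        raise ValueError("GlobalPolicyFile must carry the global policy CHOICE")
    return {
        name: effective_value(series, at_time, SCHEMA_DEFAULTS.get(name))
        for name, series in data.items()
    }


# Constructed sample file; times are small integers standing in for Time64.
SAMPLE_GPF = {
    "version": 1,
    "tbsData": {
        "policyID": b"constructed-gpf",
        "generationTime": 0,
        "activeTime": 0,
        "policy": ("global", {
            "temporalSeriesOfShuffleThreshold": {
                # initialShuffleThreshold omitted: DEFAULT 1000 applies
                "intervals": [
                    {"startTime": 2000, "shuffleThreshold": 500},
                    {"startTime": 1000, "shuffleThreshold": 2000},
                ],
            },
            "temporalSeriesOfIPeriod": {
                "initialIPeriod": ("hours", 168),  # 1 week as a Duration
                "intervals": [],
            },
        }),
    },
    "signatures": [b"constructed countersignature placeholder"],
}

if __name__ == "__main__":
    for t in (500, 1500, 2500):
        print(t, resolve_global_policy(SAMPLE_GPF, t))
```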