SCMS PoC software updates & quarterly SCMS PoC release
The next quarterly update of the SCMS software (release 1.2.3) will be deployed to our TEST, QA and PROD stages on Tuesday March 13. All changes are listed in our issue tracker JIRA and will be shown below. There was no update related to certificates, so no need to get new certificates - neither CA nor device certificates.
1) Support for uncompressed ECC points
2) Upgraded Karaf.
3) Fixed shuffler to ignore revoked/superseded devices.
4) Fixed wrong App Cert Validity period, it was adding the overlap hours to the duration. (https://cvcs.samanage.com/incidents.portal?&report_id=9003344 tickets: 1002,1016)
5) Fixed App Cert provisioning continuation cert it was loading any of the previous certificates instead of the most recent one.
6) Added Karaf command to print app cert/device information.
7) Added Enrollment Certificate field verification by ECA and RA on enrollment and provisioning requests. For RA that means that the EE will now get a 500 error (waiting for CAMP to define specific error) instead of thinking the provisioning request was accepted but getting an error when trying to download the certs.
NOTE: it was pointed out to CAMP by Bernhard Mortsell that a number of ASN.1 files produced errors when using the Objective Systems compiler. Our dev team has looked into the ASN files and is making some changes that will be released in a "Software Release 1.2.4" soon. This issue should not impact any developer using the OSS Nokalva tools.
Quick note that Drew Van Duren at Onboard Security discovered that we were missing algorithm outputs in the KDF2 algorithm test vectors. Please find them now in the just updated kdf.txt file and a highlight of the changes in the diff view.
Due to increased requests for help with development issues related to building requests to the SCMS in the right way, we created more test vectors that developers can use as a reference. The following additional folders were created:
- camp-submission-tool: Python scripts to put together the end user requests. It has a README inside.
- java-asn1-manager: This was what we called the MBR builder. Renamed since it is not just for MBRs. It has a README inside.
- sample_requests: These are the encryption/decryption functions sent from Kevin Henry at escrypt. It also has a README inside it.
There are also a couple new python scripts in the root directory of the repository. Please find a diff view of that commit here.
Onboard Security discovered a bug (Samanage ticket #934) in the .info file content. Instead of a text representation of the timestamp it contained a prefix and a decimal representation (e.g. "value Time32 ::= 442516972"). We are working on a hotfix that we are planning to deploy on Friday, Jan 12, to have the .info file to contain only the timestamp in a 8 character hexadecimal string (ASCII) representation (e.g. "1A6045EC" as a hexadecimal representation of 442516972).
Happy new year to all of you!
Changes in Use Case 2 - manual bootstrapping
In a small addition to Use Case 2: OBE Bootstrapping (Manual) we point out the different fields that will be checked rigorously during enrollment in the SCMS PROD environment. Other than in the QA environment where we allow all kinds of values for those fields in order to support testing, in PROD they have to be enforced following the certificate profile as there are production devices using the same Root CA.
Supported V2X Applications & PSID Transfer
We had the first successful PSID transfers from CAMP to other organizations results being reflected in SCMS PoC Supported V2X Applications and https://standards.ieee.org/develop/regauth/psid/public.html.
The following is a summary of updates and changes in this wiki and related documents (e.g. our Git repository at stash.campllc.org). You can find all recently updated pages here and all changes in the respective page history.
SCMS PoC software updates & quarterly SCMS PoC release
The next quarterly update of the SCMS software (release 1.2.2) will be deployed to our TEST, QA and PROD stages November 30. All changes are listed in our issue tracker JIRA and will be shown below. The updated ASN.1 is available via our git repository, in the release/1.2.1 branch. This will be the default branch going forward from Monday on. There was no update related to certificates, so no need to get new certificates - neither CA nor device certificates.
The most important change is SCMS-2795 - Update to latest IEEE 1609.2 ASN.1: we are updating all interfaces to IEEE 1609.2 v4 d8 (please see the pull request linked in the JIRA ticket for detailed diffs of the changes). In case you would want to discuss this, please join one of our next weekly SCMS PoC operation calls (Mondays 1pm-3pm EST - details via your CV pilot site AOR).
For a general diff view of the ASN.1 changes, you could follow this advice: https://stackoverflow.com/a/33653925
SCMS PoC PROD stage online
The SCMS PoC PROD stage was established and is available online since September 29th.
ASN.1 HTML Documentation
We created a HTML based documentation of ASN.1 files hosted in scms-asn to give a better overview about data fields and structures. If you go to https://stash.campllc.org/projects/SCMS/repos/scms-asn/browse/docs/html and click on the "Open" link right next to the index.html file, it will open a new browser tab with the documentation.
Changes in Use Case 2 - manual bootstrapping
There have been several updates in Use Case 2: OBE Bootstrapping (Manual) to add more details to the QA enrollment process, e.g. the explicit requirement to put all enrollment request files in a zip file without a sub-directory in order to support our automated enrollment scripts. We also have added a list of logging requirements for the bootstrapping process, which apply to the PROD environment: the organization responsible for PROD enrollment has to create this log data and keep it ready in case there is a need for revocation of the device later on. Following a request from the SCMS user group we added more detailed examples for an enrollment request, signature creation and encoding.
Supported V2X Applications & PSID Transfer
We have made smaller updates to the list of supported V2X applications and their PSID and SSP values. The most important information is the process that was designed by IEEE 1609.2 and the IEEE RA to transfer ownership of CAMP's CV pilot PSID: CAMP PSID Transfer Process. This process has to be followed, before we will re-assign one of the 16 reserved PSIDs in the list of SCMS PoC Supported V2X Applications and before the SCMS PoC PROD environment will issue certificates with the PSID in question.
Certificate timelines & validity periods
We made some minor corrections in CV Pilot QA+Test Certificate Expiration Timelines to reflect the actual architecture of the SCMS PoC QA stage. In CV Pilot PROD Certificate Expiration Timelines we added detailed information about validity periods of all SCMS PoC component certificates with a final end date of January 1, 2025 (assuming that the SCMS PoC will be operated that long). Please be aware that you cannot go beyond the final date in any of the certificate signing requests you send to the PROD, which is especially important for enrollment certificates that should be valid until the very end of that period.
Global and local policy files
Use Case 18: Provide and Enforce Technical Policies has been update to clarify the documentation of the overall concept. Important point: there is currently only one QA RA and one PROD RA for all SCMS PoC users, which means there is only one local policy file for all as well. Therefore, we do not support changes to the local policy file for a single CV pilot site at the moment.
Elector-based Root Management
Although the SCMS PoC currently does not support Electors and Elector Ballots, we updated Root Management and Revocation Recovery to reflect an upcoming paper publication of the overall SCMS design. It is in the scope of the current SCMS PoC Operations project to introduce electors at a later time.
Certificate Types and Encryption Keys
We added some clarifications about encryption keys in different certificate types in Certificate Types.
The following is a summary of updates and changes in this wiki and related documents (e.g. our Git repository at stash.campllc.org). You can find all recently updated pages here and all changes in the respective page history.
Quarterly SCMS release
The next quarterly update of the SCMS software (release 1.2.1) on our TEST and QA stages will be deployed next Monday, July 24. All changes are listed in our issue tracker JIRA and will be shown below. The updated ASN.1 is available via our git repository, in the release/1.2.1 branch. This will be the default branch going forward from Monday on. There was no update related to certificates, so no need to get new certificates - neither CA nor device certificates.
CAMP SCMS ASN.1 license update
The Crash Avoidance Metrics Partners decided to publish the SCMS ASN.1 under the Apache License version 2.0. This will remove uncertainty around the use of those files in client or server software going forward
Removed duplicated requirements
Use Cases 3, 13, and 19 have been rework a little bit to remove requirements that were previously given in the descriptive texts. All requirements should only be spelled out in the requirements table in each use case.
Changes in RA services documentation
In several RA - Services View documentation pages we clarified some more ASN.1 structure that are expected in requests or send back in responses and linked them to the respective files in our git repository. We also added links to a page with RA error response descriptions.
Changes in Use Case 2 - manual bootstrapping
The current QA stage root certificate is linked now in our Use Case 2: OBE Bootstrapping (Manual). We also added some clarification about ASN.1 types, especially what to expect in the enrollment certificate request response zip file as enrollment.oer (enrollmentCert parameter of SignedEeEnrollmentCertResponse) and enrollment.s (privKeyReconstruction parameter of SignedEeEnrollmentCertResponse).
Added PSIDs in wiki and ASN.1
We finished our collection of PSIDs that we support during the current project and updated the wiki page and respective ASN.1 files (especially scms-base-types.asn and cert-profile.asn)
The following is a summary of updates and changes in this wiki and related documents (e.g. our Git repository at stash.campllc.org)
SCMS PoC CV pilot environments
We added some documentation about SCMS PoC instances that will be provided to CV pilots.
Updated Use Case 2/12 and updated enrollment certificate request
We started documenting the manual enrollment process the SCMS POC Operations will support for CV pilot participants in Use Case 2: OBE Bootstrapping (Manual). Use Case 12 is essentially the same and therefore only references Use Case 2. The documentation is not complete yet, as a workflow tool, where developers (SCMS QA) or device operators (SCMS PROD) need to upload the enrollment certificate request, is not yet available.
During discussions about the manual enrollment process and how to manage it, missing PSIDs in the EE request itself turned out to be a problem, especially for handling magnitudes of requests. Therefore the ASN.1 structure SignedEeEnrollmentCertRequest was changed to include PSIDs and optimized to use the standard IEEE 1609.2 ToBeSignedCertificate structure.
RA - Services View
In several RA - Services View documentation pages we added the service's port to the overview table to make it more prominent. We also clarified which ASN.1 structure are expected or send back in responses.
Certificate Expiration Timelines
We added information about CV Pilot QA+Test Certificate Expiration Timelines in differentiation to the CV Pilot PROD Certificate Expiration Timelines. Both are different from what we recommended during the SCMS POC project due to several reasons. We still recommend the POC expiration timelines for a later national deployment.
A big "thank you" to Jeffrey Bellone and John Harding for organizing, to Jill Herbert and CAMP for hosting, our speakers and to all participates for joining us for a full day of technical SCMS details and a successful enrollment with our SCMS TEST environment. Attached you will find the slides shown during the workshop.
We will use this blog to inform you about changes in the documentation from now on.
Technical editing
Most of the changes in February were due to technical editing / word smithing. Our technical editors Jill Herbert and Steve Kiger helped us to get our documentation to a higher standard of English language 
Linkage Values
There were two small erroneous LA indices in the table at SCP2: Linkage Values (see a comparison of the change: SCP2: Linkage Values) that were corrected.
Validity periods and expiration timelines
Besides the recommended certificate validity, in use and overlapping periods for a later national system that were implemented with the previous SCMS PoC project (PoC Certificate Expiration Timelines) and the production system used in the CV pilots (CV Pilot PROD Certificate Expiration Timelines) we created an overview about the same periods for the QA and (non public) TEST systems: CV Pilot QA+Test Certificate Expiration Timelines.
PSIDs for V2X applications
IEEE 1609 approved our request for additional generic PSIDs to be used in the CV pilots and gave us 16 additional PSIDs that we will add to our QA and PROD ICAs (see CV Pilot Application 1-16 in SCMS PoC Supported V2X Applications - comparison of changes: SCMS PoC Supported V2X Applications). It is important to note that neither CAMP nor the USDOT will give permission to any application to use those PSIDs and would therefore establish some kind of registry: All applications have still to go through the vetting and approval process of IEEE 1609 and IEEE 1609 alone will give permission to use those PSIDs in applications. That means in turn that the SCMS QA and PROD stages will NOT issue any application certificates with those PSIDs until approval was given by IEEE 1609. The only thing that changes with this is that these 16 additional PSIDs will be used in the ICA and PCA certificate so that they can issue respective PSIDs in end-entity certificates without requiring a new CA certificate. That means in turn:
Whenever you plan to introduce a new application to the CV pilot sites that requires a new PSID and you plan to use SCMS certificates for that, you should apply for one of the CV Pilot Application 1-16 PSID at IEEE 1609.
Error Codes
The SCMS PROD stage RA will only return HTTP 500 error codes in case of an error out of security reasons. To better support development the SCMS QA stage will return an additional HTTP header "SCMS-Error-Code" with a more specific error code as listed in Overview of Used Error Codes (comparison of the change: Overview of Used Error Codes). The error message will not be returned to save over-the-air bytes. You can look up the error message according to the returned SCMS-Error-Code at Overview of Used Error Codes#RA-EEErrors.