Vehicles have an estimated life of up to 30 years
EEs may only have connectivity once every three years
Certificate lifetimes affect the security of PKI infrastructures. The longer a public/private key pair is in use, the greater the chances are that the keys can be compromised. As computing power increases and technologies improve over time, cryptanalysis becomes a risk. For these reasons, excessively long-lived CA certificate lifetimes are undesirable.
The below diagram illustrates the calculation of the minimum lifetime of a typical CA certificate.
Some certificate authorities may issue certificates that are not valid until a significant time in the future. Examples of this within the SCMS are pseudonym certificates and rollover enrollment certificates. As a recommendation, the validity lag for these certificates can be up to 3 years. For example, a pseudonym certificate generated (issued) today may have a "Valid from" date that is up to 3 years from now. The below diagram illustrates the impact of the validity lag on the lifetime of the issuing CA certificate.
As additional layers are added to the certificate hierarchy, this process is repeated up to the root CA. When operational factors and the requirement to have the ability to issue new certificates at any time are considered, the required lifetime of each CA certificate in the trust chain is further increased.
It will be necessary to renew the enrollment certificate multiple times for an estimated vehicle lifetime of 30 years. An enrollment certificate lifetime of 6 years greatly reduces security concerns due to certificate longevity, but it requires an automatic renewal mechanism that can accommodate the EEs with infrequent network connectivity. As better and more frequent network connectivity becomes available to the EEs, it may be possible to further reduce these lifetimes.
The below diagram illustrates the impact of issued certificate lifetime, certificate validity lag and operational factors on the PKI hierarchy.
Establishing a fixed schedule for the expiration of elector certificates, root CA certificate(s), intermediate CA certificates and enrollment CA certificates is recommended to reduce operational complexities. For offline CAs, this procedure increases security by minimizing the frequency of required access. Certificates issued in the middle of this fixed schedule, due to revocation or new instances, will expire according to the defined schedule and will have a reduced overall lifetime due to a shorter in-use lifetime.
The following guidelines shall be followed when component certificates are issued mid-sequence:
To ensure the overall integrity of the SCMS, the minimum and maximum lifetime of each certificate type will be defined and enforced by the SCMS manager policy. Operators will have some amount of flexibility in defining the actual certificate lifetimes.
The following table provides the certificate expiration and renewal periods to be used in a SCMS that supports EE enrollment certificate rollover.
The following diagrams illustrate the expiration period of various certificate types. The diagrams show the specific duration of the certificate (valid from and to dates) only and do not account for setup time (request generation, signing ceremony, distribution, etc.). Each section shows the life of a single instance of a component under typical (non-compromised) conditions. If multiple instances exist, they would follow a similar pattern but the specific dates may be shifted within the validity period.