Goals

The goal is to provide a reliable, secure and timely method for certified devices to download credentials. To the greatest extent possible, the solution should prevent a certified device (one that has not been revoked) from running out of the credentials that its critical safety systems need in order to operate.

Background and Strategic Fit

The purpose of this use-case is to provide a defined method that a certified OBE can use to download new batches of credentials. These credentials are used to authenticate the device when it transmits critical safety messages, submits misbehavior reports, and performs other critical system functions. The download will include:

  1. Files that include batches of certificates (each file holds one week's worth of certificates)
  2. The .info file that includes the time when the next batch of certificates will be available for download
  3. A local certificate chain file containing all PCA certificate chains required to validate the pseudonym certificates
  4. The local policy file

The step at hand is to top-up pseudonym certificates. It is similar to Step 3.3: Initial Download of Pseudonym Certificates and differences are documented in this section. Also, see Step 3.4: Schedule Generation of Subsequent Batch of Pseudonym Certificates for full details of the process to schedule certificate pre-generation.

Assumptions

Process Steps

The OBE should follow the steps below to download a subsequent (top-up) batch of pseudonym certificates. Neither the order nor the completion of all steps is enforced, but both are highly recommended.

  1. The OBE checks that, and if necessary waits until, the current time matches or is after the timestamp given in the .info file
  2. The OBE downloads the Local Policy File (LPF) and the Local Certificate Chain File (LCCF), as before in Step 3.1: Request for Pseudonym Certificates
    1. If there is an updated LCCF, the OBE applies all changes to its trust-store (necessary for PCA Certificate Validations)
    2. If there is an updated LPF, the OBE applies those changes
  3. The OBE downloads pseudonym certificate batches
  4. The OBE downloads the .info file using the API documented in RA - Download .info File; this file tells the OBE when the next batch will be available, so it is fetched after the batches

Error Handling 

  1. The OBE will abandon further interactions with the RA after a certain number of failed communication attempts that resulted in critical errors
  2. The OBE will not attempt to execute the certificate provisioning process if it finds itself on the latest CRL (assumes that a willful violator has not compromised the device). The OBE will need to execute the certification/bootstrap process again to exit a revoked state.
  3. The OBE may terminate the certificate batch download process if sufficient storage is not available for subsequent batches
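The process steps and error-handling rules above, as an added Python illustration written for this page. It is not SCMS project code: the RA is an in-memory stand-in with an assumed interface (the real API is the one documented in RA - Download .info File), and the version numbers, file names and byte sizes are constructed sample data. It shows the .info gate, the incremental (not full) batch download, the LCCF/LPF updates, the CRL check, the abandon-after-N-failures rule, and the storage check.

```python
from dataclasses import dataclass, field


class CriticalError(Exception):
    """A communication failure that counts toward abandoning the RA."""


@dataclass
class FakeRA:
    """In-memory stand-in for the RA (constructed data, assumed interface)."""
    next_available: int                 # timestamp carried in the .info file
    lpf: tuple                          # (version, policy body)
    lccf: tuple                         # (version, set of PCA chain identifiers)
    batch_files: dict                   # file name -> one week of certificates
    fail_next: int = 0                  # fail this many calls, to exercise error handling

    def _call(self, value):
        if self.fail_next > 0:
            self.fail_next -= 1
            raise CriticalError("RA unreachable")
        return value

    def get_lpf(self):
        return self._call(self.lpf)

    def get_lccf(self):
        return self._call(self.lccf)

    def list_batches(self):
        return self._call({name: len(data) for name, data in self.batch_files.items()})

    def get_batch(self, name):
        return self._call(self.batch_files[name])

    def get_info(self):
        return self._call(self.next_available)


@dataclass
class OBE:
    device_id: str
    next_available: int                 # taken from the last .info file
    crl: frozenset = frozenset()        # latest CRL the OBE holds
    lpf_version: int = 0
    policy: str = ""
    lccf_version: int = 0
    trust_store: set = field(default_factory=set)
    batches: dict = field(default_factory=dict)
    storage_capacity: int = 1 << 20     # bytes available for batch files
    max_failures: int = 3

    def top_up(self, ra, now):
        """Run the top-up process once; returns a short status string."""
        # Error handling 2: a device on the latest CRL does not provision.
        if self.device_id in self.crl:
            return "revoked"
        # Step 1: do not contact the RA before the time given in .info.
        if now < self.next_available:
            return "too_early"
        failures = 0
        while True:
            try:
                return self._download(ra)
            except CriticalError:
                failures += 1
                # Error handling 1: give up after repeated critical errors.
                if failures >= self.max_failures:
                    return "abandoned"

    def _download(self, ra):
        # Step 2: LCCF and LPF, each applied only if it is newer than ours.
        version, chains = ra.get_lccf()
        if version > self.lccf_version:
            self.trust_store = set(chains)      # 2.1: trust-store update
            self.lccf_version = version
        version, policy = ra.get_lpf()
        if version > self.lpf_version:
            self.policy = policy                # 2.2: policy update
            self.lpf_version = version
        # Step 3: incremental download, only files the OBE does not hold yet.
        status = "ok"
        used = sum(len(b) for b in self.batches.values())
        for name, size in sorted(ra.list_batches().items()):
            if name in self.batches:
                continue
            if used + size > self.storage_capacity:
                status = "storage_full"         # error handling 3
                break
            self.batches[name] = ra.get_batch(name)
            used += size
        # Step 4: the .info file tells the OBE when to come back.
        self.next_available = ra.get_info()
        return status
```

The OBE never sleeps inside `top_up`; it reports `too_early` and lets the caller reschedule, which is the behaviour a device scheduler wants. The CRL is checked against the copy the OBE already holds, because a revoked device is expected not to start the provisioning process at all.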

Design Notes

  • See Step 3.3: Initial Download of Pseudonym Certificates for full details of the batch download process. Differences are documented in this section.
  • From the SCMS point of view, the basic process for "top-up" certificate downloads is the same as that used for initial provisioning as detailed in Step 3.3: Initial Download of Pseudonym Certificates. However, this is an incremental download, not a full download of all available certificate files. The number of files downloaded shall be factored into system sizing requirements.
  • From the OBE's point of view, the process is slightly different from the process for initial provisioning
  • See Step 3.4: Schedule Generation of Subsequent Batch of Pseudonym Certificates for full details of the process to schedule certificate pre-generation
  • The RA will record the last time an OBE established a connection. This last connection time will be used to stop pre-generating pseudonym certificates if there is no activity for a period of time.
  • The RA will automatically resume pre-generating pseudonym certificates when an OBE reestablishes a connection. The new certificates will be available for download at the time specified in the .info file.

[Diagram: Download New Pseudonym Certificates (process to download new pseudonym certificates)]

Not Doing

  • Stopping of pre-generation of pseudonym certificates if an OBE has not contacted the RA for a period of time
