SCMS CV Pilots Documentation : Use Case 13: RSE Application Certificate Provisioning

Goals

Provide a bootstrapped RSE with an application certificate that it can use in relevant applications.

Background and Strategic Fit

The application certificate provisioning is the process by which a bootstrapped RSE receives an application certificate. As there are no location privacy or tracking concerns for RSEs, the RA is not required to shuffle the requests (unlike the case of OBEs).

This use case involves the following SCMS components:

• RSE has a valid enrollment certificate
• RSE has root CA, RA and PCA certificates installed
• RSE knows the FQDN of the RA

Design

The following flow chart documents the general flow of steps an RSE needs to carry out in the given order to obtain application certificates. It is not a 100% accurate description of the process. Please refer to the use case's steps and their requirements for a complete description of the process.

At a high level, two steps are relevant towards a RSE:

1. Request RSE Application Certificate
2. Download RSE Application Certificate

Having determined which RA to submit the request to, the RSE creates a request, signs it with the enrollment certificate, encrypts the signed request for the RA and sends it to the LOP/RA. The RA checks to make sure that the certificate request is correct and authorized, then sends back a download location (requestHash) and time (certDLTime). The RA then forwards the certificate request to the PCA. The PCA signs the application certificate, encrypts them for the RSE, signs the encrypted version of the certificate, and returns the encrypted and signed application certificate to the RA. The RA does not remove any of the named signatures or encryptions, adds them to a zip file and stores them for download by the RSE. The RSE starts downloading the zip files at certDLTime.