SCMS CV Pilots Documentation : Use Case 16: RSE Application and OBE Identification Certificate Revocation

Last modified on Feb 09, 2017


RSE Application and OBE Identification certificate revocation will be integrated with the to-be-awarded "Misbehavior Authority Integration" Project as SCMS POC release 2.0.

Background and Strategic Fit

Misbehavior Investigation

Misbehavior investigation works as follows for RSE application certificates and OBE identification certificates (non-pseudonymous certificates without linkage values). Misbehavior investigation is further described in 16.2. RSE Application and OBE Identification Certificate Misbehavior Investigation

Since MA can link certificates based on the revocation identifier field (RIF), MA now inputs the information to its global misbehavior detection algorithm. Note that misbehavior reports involving these types of certificates can be identified and directed (within the MA) to particular misbehavior investigation algorithms, based upon the PSIDs associated with the certificate information included in the misbehavior reports. Note that the considered certificates are not covered by pseudonymous considerations, such that providing the digest of the enrollment certificate does not pose a privacy concern. 

Revocation

Revocation works as follows for the RSE application certificates and OBE identification certificates (non-pseudonymous certificates without linkage values). Revocation is further described in 16.3. RSE Application and OBE Identification Certificate Revocation (CRL, blacklist).

  1. MA-RA:
    1. Using the RIF, the MA instructs the RA to add the enrollment certificate to the blacklist. Further, the MA requests a list of further valid certificates that were issued to the same enrollment certificate (e.g., all non-expired predecessors or successors).
    2. RA adds enrollment certificate to internal blacklist
    3. RA returns a list of all non-expired certificates that were issued to the identified enrollment certificate
  2. The MA adds CertIDs (e.g., CertID8) of all non-expired certificates to the CRL

Note that revocation will be performed for all PSIDs in the reported certificate. Therefore, the CRL does not have to specify PSIDs. Further, certificates will carry all PSIDs associated with the enrollment certificate that was used to request those certificates. This implies that blacklists are not PSID-specific either.

Assumptions 

Non-pseudonymous certificate types - OBE identification certificates and RSE application certificates - integrate an 8-byte revocation identifier field (RIF) that is calculated as follows: 

  • [LSB0-7] of RIF: the eight least significant bytes [LSB0-7] of the SHA-256 hash of the EE's enrollment certificate, i.e., RIF_[LSB0] = hash_of_enrollment_cert[LSB0], RIF_[LSB7] = hash_of_enrollment_cert[LSB7], etc.