Goals
The goal is to provide a reliable, secure, and timely method for certified devices to download OBE identification certificates.
Background and Strategic Fit
The purpose of this use-case is to provide a defined method that a certified OBE can use to download OBE identification certificates. The download will include:
- File(s) X_i.zip that each include one file X_i with a certificate
- A .info file that includes the time when new certificates will be available
- A local certificate chain file containing all PCA certificate chains required to validate the identification certificates, but not the policy file
Assumptions
- The OBE has successfully completed Step 19.1: Request for OBE Identification Certificates
- The RA retrieved the issued certificates from the PCA, zipped them, and stored them in a folder for the OBE to download
Process Steps
- The OBE downloads the Local Policy File (LPF) and the Local Certificate Chain File (LCCF), as done before in Step 19.1: Request for OBE Identification Certificates
- If there is an updated LCCF, the EE applies all changes to its trust-store (necessary for the PCA Certificate Validations)
- If there is an updated LPF, the EE applies those changes
- The OBE downloads the new OBE identification certificates using the API documented in RA - Download Identification Certificate
- The OBE downloads the .info file using the API documented in RA - Download .info File
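The download description above says each X_i.zip contains exactly one file X_i, so a device can enforce that layout before any certificate is parsed or validated against the LCCF. The following is an added example, not part of this specification or of any RA or OBE implementation; the function names, the 4096-byte size limit, and the sample archive contents are assumptions constructed for illustration.

```python
import io
import zipfile

MAX_CERT_BYTES = 4096  # assumed limit; the page does not state a certificate size


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extract_certificate(zip_name, zip_bytes):
    """Return the single file X_i from X_i.zip, or raise ValueError."""
    if (not zip_name.endswith(".zip") or len(zip_name) <= 4
            or "/" in zip_name or "\\" in zip_name):
        raise ValueError(f"unexpected archive name: {zip_name!r}")
    expected = zip_name[:-4]  # X_i.zip must contain a file named X_i
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile as exc:
        raise ValueError("download is not a valid zip archive") from exc
    with archive:
        members = archive.infolist()
        # Exactly one member, named X_i: rejects extra files and path tricks.
        if len(members) != 1 or members[0].filename != expected:
            names = [m.filename for m in members]
            raise ValueError(f"expected only {expected!r}, found {names!r}")
        if members[0].file_size > MAX_CERT_BYTES:
            raise ValueError("declared certificate size exceeds limit")
        # Read one byte past the limit so a false size header is still caught.
        with archive.open(members[0]) as fh:
            data = fh.read(MAX_CERT_BYTES + 1)
    if not data or len(data) > MAX_CERT_BYTES:
        raise ValueError("certificate file is empty or exceeds limit")
    return data


if __name__ == "__main__":
    sample = make_zip({"X_0": b"constructed certificate bytes"})
    print(len(extract_certificate("X_0.zip", sample)), "bytes accepted")
    try:
        extract_certificate("X_0.zip", make_zip({"X_0": b"a", "extra": b"b"}))
    except ValueError as err:
        print("rejected:", err)
```

The bytes returned here are still untrusted; certificate chain validation against the PCA certificates in the LCCF happens afterwards.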
Error Handling
- The OBE will abandon further interactions with the RA after a certain number of failed communication attempts have resulted in critical errors
- The OBE will not attempt to execute the certificate provisioning process if it finds itself on the latest CRL (assumes that a willful violator has not compromised the device). The device will need to execute the certification/bootstrap process again to exit a revoked state.