Assumptions
- The SCMS instance created for the CV Pilots shall be separate from the SCMS PoC instance
- The estimated duration of the CV Pilot project shall be seven years
- All EE-specific CV Pilot certificates shall expire by the end of the estimated project duration
- No component certificates shall have a starting date after the end of the estimated project duration
- The private keys of all component certificates subordinate to the root shall be destroyed at the end of the estimated project duration
- All components subordinate to the ICA have an in-use lifetime that is sufficiently short and requires at least one rollover (renewal) event during the estimated project duration
- PKI hierarchy:
- The ICA, policy generator, CRL generator and MA certificates shall be
issued
directly by the Root CA
- The subtree below ICA is
similar to that of the POC, i.e., it has one instance of all components: ECA, PCA, RA,
and LA, but no DCM. There might be a DCM introduced at a
later
stage.
- The ICA, policy generator, CRL generator and MA certificates shall be
issued
directly by the Root CA
Certificate Lifetime Overview
The following table provides the certificate expiration and renewal periods to be used for CV pilot deployments.
NOTE for certificate example sizes: FQDN range was 14-23 bytes, and at most 2 PSID's (4 bytes each) were used where applicable.
Certificate Type | Issuing CA | Expiration | In Use | Request for Renewal | Start of Validity for Renewal | Number of Concurrently Valid Certificates (In-Use [+ Legacy]) | Example Size in Bytes (Certs are Not Fixed Size) | Notes |
---|---|---|---|---|---|---|---|---|
OBE Enrollment |
ECA |
6 months |
6 months |
anytime |
variable, max 6 months |
1 |
87 |
|
OBE Pseudonym |
PCA |
1 week + 1 hour |
1 week |
Anytime |
1 week |
20 + 20 (for just 1 hour) |
91 |
Limit pseudo cert load to 6 months (520 certs) |
OBE Identification |
PCA |
1 month + 1 hour |
1 month |
Anytime |
1 month |
1 + 1 (for just 1 hour) |
89 |
|
RSE Enrollment |
ECA |
1 year |
1 year |
anytime |
variable, max 1 yr |
1 |
109 |
|
RSE Application |
PCA |
1 week + 1 hour |
1 week |
Anytime |
1 week |
1 + 1 (for just 1 hour) |
|
|
DCM |
ICA |
2 years + 1 week |
2 years |
3 months before end of In-use |
2 years |
1 + 1 (for just 1 week) |
219 |
|
ECA |
ICA |
3 years |
2 years |
3 months before end of In-use |
2 years |
1 + 1 |
150 |
|
RA |
ICA |
2 years + 1 week |
2 years |
3 months before end of In-use |
2 years |
1 + 1 (for just 1 week) |
217 |
|
LA |
ICA |
2 years + 1 week |
2 years |
3 months before end of In-use |
2 years |
1 + 1 (for just 1 week) |
205 |
|
PCA |
ICA |
1.5 years |
1 year |
3 months before end of In-use |
1 year |
1 + 1 (for 6 months) |
216 |
|
ICA |
Root CA |
5 years |
4 years |
3 months before end of In-use |
4 years |
1 + 1 (for 1 yr) |
195 |
|
MA |
Root CA |
2 years + 1 week |
2 years |
3 months before end of In-use |
2 years |
1 + 1 (for just 1 week) |
205 |
|
CRLG |
Root CA |
2 years + 1 week |
2 years |
3 months before end of In-use |
2 years |
1 + 1 (for just 1 week) |
190 |
|
Policy Generator |
Root CA |
2 years + 1 week |
2 years |
3 months before end of In-use |
2 years |
1 + 1 (for just 1 week) |
172 |
|
Root CA |
Self |
9 years |
8 years |
3 months before end of In-use |
8 years |
1 + 1 (for 1 yr) |
211 | |
Elector |
Self |
6 years |
6 years |
3 months before end of In-use |
6 years |
3 (1 per elector) |
166 |
At start, electors are staggered, so first expiration's are 2, 4, 6 yrs - The initial elector certificates have an expiration and "in use" time of 2, 4 and 6 years, respectively; and thereafter 6 years with their renewals. |