Goals

The goal is to revoke an ECA certificate from the SCMS.

Background and Strategic Fit

The technical component of the SCMS Manager (TCotSCMSM), or a local ICA Manager in cooperation with the TCotSCMSM, determines that an Enrollment Certificate Authority (ECA) needs to be revoked. It contacts the CRL Generator (CRLG) and instructs it to add the ECA certificate to the CRL.

All components and entities that receive the updated CRL will cease to trust any enrollment certificate issued by the ECA and stop communicating with the ECA. All end-entity devices whose enrollment certificate chains back to the revoked ECA should obtain a new enrollment certificate as soon as possible (the SCMS Manager may set performance requirements for how quickly this must happen).

Procedure

  • The local ICA Manager responsible for the revoked ECA must contact all DCMs that are configured to use the revoked component and remove it from their list of trusted ECAs for use in generating enrollment certificates. The ICA Manager might reconfigure the DCMs to use a different ECA or stand up a new ECA following the procedures defined in the Add ECA use case.
  • The ICA Manager must also contact the RA that has the impacted ECA in its list of trusted ECAs and instruct it to remove the revoked component. The RA will cease to pre-generate pseudonym certificates for any EE enrolled by that ECA and cease to accept any new requests from EEs certified by that ECA.
  • EEs must have a proprietary mechanism to re-enroll in order to recover from the revocation of the ECA that signed their enrollment certificate. Once they are re-enrolled and associated with an RA, each impacted EE will have to request new pseudonym, application, or identification certificates.

Assumptions

  • Authorized managers of EEs must provide a trusted (and certified by an agent of the SCMS Manager) method for re-enrolling EEs under their jurisdiction that are impacted by a revoked ECA.
  • A compromised DCM requires that all ECAs that were used with that DCM be revoked. All local ICA Managers will be required to record which ECAs were used in issuing enrollment certificates for every DCM.
  • The procedure requires that all DCMs provide a proprietary mechanism (i.e., there are no SCMS messages defined for this step) to remove a revoked ECA from the list of ECAs that they use for enrolling new EEs. Note that a DCM should, by default, remove an ECA from the list of components that it uses upon receipt of the updated CRL listing the ECA as revoked. However, the proprietary mechanism described in the use case assumes that ICA Managers will want a way to proactively remove a revoked ECA.
  • The procedure requires that all RAs provide a proprietary mechanism (i.e., there are no SCMS messages defined for this step) to remove a revoked ECA from the list of ECAs whose enrollment certificates they will trust. All RAs shall, by default, remove an ECA from the list of components that they trust as soon as they receive the updated CRL listing the ECA as revoked. However, the proprietary mechanism described in the use case assumes that ICA Managers will want a way to proactively remove a revoked ECA.
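
The RA behaviour described in the procedure and assumptions above, modelled as an added example that is not part of the SCMS specification or of any SCMS implementation. All class, method and identifier names are hypothetical, the proprietary ICA Manager mechanism is represented by a plain method call, and the sample state is constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class EnrollmentCert:
    ee_id: str       # constructed end-entity identifier
    issuer_eca: str  # constructed identifier of the issuing ECA

@dataclass
class RegistrationAuthority:
    trusted_ecas: set[str]
    enrolled: dict[str, EnrollmentCert] = field(default_factory=dict)
    audit: list[str] = field(default_factory=list)

    def _remove(self, eca_id: str, reason: str) -> bool:
        # Idempotent, so the proactive path and the CRL path can both fire.
        if eca_id not in self.trusted_ecas:
            return False
        self.trusted_ecas.discard(eca_id)
        self.audit.append(f"removed {eca_id}: {reason}")
        return True

    def proactive_remove(self, eca_id: str) -> bool:
        # Stand-in for the proprietary ICA Manager mechanism (hypothetical API).
        return self._remove(eca_id, "ICA Manager instruction")

    def on_crl_update(self, revoked_ids: set[str]) -> list[str]:
        # Default behaviour: drop every trusted ECA listed on the updated CRL.
        hits = sorted(revoked_ids & self.trusted_ecas)
        return [e for e in hits if self._remove(e, "listed on CRL")]

    def accept_request(self, cert: EnrollmentCert) -> bool:
        # Requests from EEs certified by an untrusted ECA are refused.
        return cert.issuer_eca in self.trusted_ecas

    def pregeneration_queue(self) -> list[str]:
        # Pseudonym pre-generation continues only for EEs under trusted ECAs.
        return sorted(ee for ee, c in self.enrolled.items()
                      if c.issuer_eca in self.trusted_ecas)

def ecas_to_revoke(dcm_records: dict[str, set[str]], dcm_id: str) -> set[str]:
    # ICA Manager record of which ECAs each DCM used; a compromised DCM taints all.
    return set(dcm_records.get(dcm_id, set()))

if __name__ == "__main__":
    ra = RegistrationAuthority({"eca-1", "eca-2"})  # constructed sample state
    ra.enrolled = {"ee-a": EnrollmentCert("ee-a", "eca-1"),
                   "ee-b": EnrollmentCert("ee-b", "eca-2")}
    ra.proactive_remove("eca-1")
    print(ra.on_crl_update({"eca-1", "eca-2"}), ra.pregeneration_queue(), ra.audit)
```

Because removal is idempotent, an ECA that the ICA Manager has already removed proactively produces no second audit entry when the CRL listing it arrives later.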
