OID: {iso(1) identified-organization(3) ieee(111) standards-association-numbered-series-standards(2) wave-stds(1609) dot2(2) extension-standards(255) dot1(1) interfaces(1) aca-ra(4) major-version-3(3) minor-version-2(2)}
This is the parent structure for all structures exchanged between the ACA and the RA. An overview of this structure is as follows:
raAcaCertRequest of type RaAcaCertRequest
contains the request for an authorization
certificate from the RA to the ACA on behalf of the EE.
acaRaCertResponse of type AcaRaCertResponse
contains the ACA's response to RaAcaCertRequest.
AcaRaInterfacePdu ::= CHOICE {
raAcaCertRequest RaAcaCertRequest,
acaRaCertResponse AcaRaCertResponse,
...
}
This structure contains parameters needed to request an individual authorization certificate. An overview of this structure is as follows:
version of type Uint8 (2)
contains the current version of the structure.
generationTime of type Time32
contains the generation time of RaAcaCertRequest.
type of type CertificateType
indicates whether the request is for an explicit or implicit
certificate (see 4.1.1, 4.1.3.3.1).
flags of type RaAcaCertRequestFlags
contains the flags related to the use of the butterfly key
mechanism, and provides the following instructions to the ACA as to how
to generate the response:
linkageInfo of type LinkageInfo OPTIONAL
contains the encrypted prelinkage values needed to
generate the linkage value for the certificate. If linkageInfo is present,
the field tbsCert.id is of type LinkageData, where the iCert field is set
to the actual i-period value and the linkage-value field is set to a dummy
value to be replaced by the ACA with the actual linkage value. The
encrypted prelinkage values are encrypted for the ACA by the LAs.
certEncKey of type PublicEncryptionKey OPTIONAL
is used in combination with flags.cubk to indicate
the type of response that is expected from the ACA. It is as follows:
tbsCert of type ToBeSignedCertificate (WITH COMPONENTS {
...,
cracaId ('000000'H),
crlSeries (0),
appPermissions PRESENT,
certIssuePermissions ABSENT,
certRequestPermissions ABSENT
})
contains parameters of the requested certificate. The
certificate type depends on the field type, as follows:
NOTE:
RaAcaCertRequest ::= SEQUENCE {
version Uint8 (2),
generationTime Time32,
type CertificateType,
flags RaAcaCertRequestFlags,
linkageInfo LinkageInfo OPTIONAL,
certEncKey PublicEncryptionKey OPTIONAL,
tbsCert ToBeSignedCertificate (WITH COMPONENTS {
...,
cracaId ('000000'H),
crlSeries (0),
appPermissions PRESENT,
certIssuePermissions ABSENT,
certRequestPermissions ABSENT
}),
...
}
This structure is used to convey information from the RA to the ACA about operations to be carried out when generating the certificate. For more details see the specification of RaAcaCertRequest. An overview of this structure is as follows: This structure contains parameters needed to generate a linkage value for a given (EE, i, j). An overview of this structure is as follows:
encPlv1 of type EncryptedIndividualPLV
contains the EncryptedIndividualPLV from one of the LAs.
encPlv2 of type EncryptedIndividualPLV
contains the EncryptedIndividualPLV from the other LA.
See Annex F for further discussion of LAs.
LinkageInfo ::= SEQUENCE {
encPlv1 EncryptedIndividualPLV,
encPlv2 EncryptedIndividualPLV,
...
}
This structure contains an individual prelinkage value encrypted by the LA for the ACA using the shared secret key. An overview of this structure is as follows:
version of type Uint8 (2)
contains the current version of the structure.
laId of type LaId
contains the ID of the LA that created the prelinkage value.
See Annex D for further discussion of LA IDs.
encPlv
contains the encrypted individual prelinkage value, that is,
the ciphertext field decrypts to a PreLinkageValue. It contains a pointer
(hash of the shared symmetric key) to the used shared secret encryption key.
NOTE: How the ACA obtains the shared symmetric key and how the RA associates the encPlv1 and encPlv2 with the correct certificate request are outside the scope of this document.
EncryptedIndividualPLV ::= SEQUENCE {
version Uint8 (2),
laId LaId,
encPlv Ieee1609Dot2Data-SymmEncryptedSingleRecipient {
PreLinkageValue
}
}
This structure contains an individual prelinkage value. It is an octet string of length 9 octets.
PreLinkageValue ::= OCTET STRING (SIZE(9))
This structure contains a certificate response by the ACA, encapsulated for consumption by the EE, as well as associated data for consumption by the RA. The response is of form AcaEeCertResponsePlainSpdu, AcaEeCertResponsePrivateSpdu, or AcaEeCertResponseCubkSpdu, and is generated in response to a successful RaAcaCertRequestSpdu. In this structure:
version of type Uint8 (2)
contains the current version of the structure.
generationTime of type Time32
contains the generation time of AcaRaCertResponse.
requestHash of type HashedId8
contains the hash of the corresponding
RaAcaCertRequestSPDU.
acaResponse of type AcaResponse
contains the certificate for the EE in a suitable form
as determined from the corresponding RaAcaCertRequestSPDU.
AcaRaCertResponse ::= SEQUENCE {
version Uint8 (2),
generationTime Time32,
requestHash HashedId8,
acaResponse AcaResponse,
...
}
This structure contains the certificate for the EE in a suitable form as determined from the corresponding RaAcaCertRequestSPDU. In this structure:
plain of type AcaEeCertResponsePlainSpdu
contains the certificate for the EE in plain, that is, without
encryption or signature. This choice is used only when the field
certEncKey is absent and flags.cubk is not set in the corresponding
RaAcaCertRequest.
private of type AcaEeCertResponsePrivateSpdu
contains the certificate for the EE in an encrypted then
signed form to protect the EE's privacy from the RA. This choice is used
only when the field certEncKey is present and flags.cubk is not set in the
corresponding RaAcaCertRequest.
cubk of type AcaEeCertResponseCubkSpdu
contains the certificate for the EE in an encrypted form. This
choice is used only when the field certEncKey is absent and flags.cubk is
set in the corresponding RaAcaCertRequest.
AcaResponse ::= CHOICE {
plain AcaEeCertResponsePlainSpdu,
private AcaEeCertResponsePrivateSpdu,
cubk AcaEeCertResponseCubkSpdu,
...
}