PKI Implementation

This section gives useful information regarding Atos PKI choices of implementation.

Questions

 

What are the authorities handled by an EA or AA?

The EA and AA URLs can be opened in a standard browser to display the list of supported authorities (their HashedId8 values). Example here.

 

How is the validityPeriod checked and processed?

  • If the validityPeriod is specified in the request:

    • It has to be compliant with (i.e. ending before) the issuing CA validityPeriod (EA for EC and AA for AT)
    • It has to be compliant with the value configured in the Profile
      If either of these two conditions is not fulfilled, an error is returned

  • If the validityPeriod is not specified in the request:

    • It will be set with a start date now (i.e. request reception date by the CA) and a duration equal to the value configured in the Profile
    • If the value configured in the Profile is not compliant with the issuing CA validityPeriod, it will be set with the maximum value compatible with the issuing CA validityPeriod

 

What time frame is tolerated for the signing of certificate requests?

Requests signed earlier than 10 minutes in the past and later than 3 seconds in the future are rejected.
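The two rules above (the tolerated signing-time window, and the validityPeriod checks described under "How is the validityPeriod checked and processed?") as one worked example. This is added illustration code, not the Atos PKI implementation; the interpretation of "compliant with the value configured in the Profile" as "requested duration does not exceed the Profile duration", the extra check that a requested period does not start before the issuing CA's own period, and all sample dates are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Tolerated window around the CA's reception time for the request's
# signing (generation) time, as stated on the page.
MAX_PAST = timedelta(minutes=10)
MAX_FUTURE = timedelta(seconds=3)


@dataclass(frozen=True)
class ValidityPeriod:
    start: datetime
    end: datetime

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def check_generation_time(generation_time: datetime, now: datetime) -> Tuple[bool, str]:
    """Accept only requests signed at most 10 minutes before or 3 seconds after 'now'."""
    if generation_time < now - MAX_PAST:
        return False, "request signed more than 10 minutes in the past"
    if generation_time > now + MAX_FUTURE:
        return False, "request signed more than 3 seconds in the future"
    return True, "ok"


def resolve_validity_period(
    requested: Optional[ValidityPeriod],
    ca_period: ValidityPeriod,
    profile_duration: timedelta,
    now: datetime,
) -> Tuple[Optional[ValidityPeriod], Optional[str]]:
    """Validate a requested validityPeriod, or derive one when it is absent.

    Returns (period, None) on success or (None, reason) on rejection.
    """
    if requested is not None:
        # Condition 1: the requested period must end no later than the
        # issuing CA's own validityPeriod (EA for EC, AA for AT).
        if requested.end > ca_period.end:
            return None, "requested validityPeriod ends after the issuing CA validityPeriod"
        # Not stated on the page; added here as a conservative check.
        if requested.start < ca_period.start:
            return None, "requested validityPeriod starts before the issuing CA validityPeriod"
        # Condition 2 (assumption: 'compliant with the Profile' means the
        # requested duration does not exceed the Profile's configured duration).
        if requested.duration > profile_duration:
            return None, "requested validityPeriod exceeds the Profile duration"
        return requested, None

    # Not specified: start now (reception by the CA), Profile duration,
    # capped so the certificate never outlives the issuing CA.
    end = min(now + profile_duration, ca_period.end)
    return ValidityPeriod(start=now, end=end), None


def process_request(generation_time, requested, ca_period, profile_duration, now):
    """Apply both checks in the order a CA front end would."""
    ok, reason = check_generation_time(generation_time, now)
    if not ok:
        return None, reason
    return resolve_validity_period(requested, ca_period, profile_duration, now)


# Constructed sample values (not from the page).
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CA = ValidityPeriod(datetime(2023, 1, 1, tzinfo=timezone.utc),
                           datetime(2025, 1, 1, tzinfo=timezone.utc))
SAMPLE_PROFILE = timedelta(days=90)

if __name__ == "__main__":
    # Request without validityPeriod, signed 5 minutes ago: derived from the Profile.
    print(process_request(SAMPLE_NOW - timedelta(minutes=5), None,
                          SAMPLE_CA, SAMPLE_PROFILE, SAMPLE_NOW))
    # Request signed 11 minutes ago: rejected before any validityPeriod logic runs.
    print(process_request(SAMPLE_NOW - timedelta(minutes=11), None,
                          SAMPLE_CA, SAMPLE_PROFILE, SAMPLE_NOW))
```

The signing-time check runs first because a stale or future-dated request should never reach the validityPeriod logic; note that the window is asymmetric, so clock skew on the station mostly shows up as "too far in the future" rejections.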

 

Are non canonical certificates supported?

No. The certificates produced are directly in canonical format, which means the keys are always compressed and the signature is in x-only format.
It also means that all keys involved in ITS requests (including the publicKeys in the ETSI TS 102 941 InnerAtRequest sequence and v, the ephemeral ECIES key in the ETSI TS 103 097 EciesP256EncryptedKey sequence) shall be in compressed form.
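What "compressed" and "x-only" mean on the wire for a P-256 (secp256r1) point, as an added example that is not part of the page or of the Atos PKI code. It uses only the standard curve parameters and Python integers: a compressed key is a parity byte (0x02 or 0x03) followed by the 32-byte x coordinate, and the canonical signature keeps only the x coordinate of its R point. The helper names and the use of the generator point as sample input are choices made here.

```python
# P-256 (secp256r1) domain parameters; used by ETSI TS 103 097 for ECDSA and ECIES.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Generator point, used below only as a known-good sample point.
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def is_on_curve(x: int, y: int) -> bool:
    """y^2 == x^3 + a*x + b (mod p)."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def compress(x: int, y: int) -> bytes:
    """Compressed form: 0x02 for even y, 0x03 for odd y, then x as 32 big-endian bytes."""
    if not is_on_curve(x, y):
        raise ValueError("point is not on P-256")
    prefix = 0x03 if y & 1 else 0x02
    return bytes([prefix]) + x.to_bytes(32, "big")


def decompress(data: bytes) -> tuple:
    """Recover (x, y) from a compressed point; rejects x values that are not on the curve."""
    if len(data) != 33 or data[0] not in (0x02, 0x03):
        raise ValueError("not a compressed P-256 point")
    x = int.from_bytes(data[1:], "big")
    rhs = (pow(x, 3, P) + A * x + B) % P
    # p = 3 (mod 4), so a square root of rhs, if one exists, is rhs^((p+1)/4).
    y = pow(rhs, (P + 1) // 4, P)
    if (y * y) % P != rhs:
        raise ValueError("x coordinate has no point on the curve")
    if (y & 1) != (data[0] & 1):
        y = P - y  # pick the root whose parity matches the prefix
    return x, y


def is_canonical_key(data: bytes) -> bool:
    """A canonical (compressed) key is exactly 33 bytes with prefix 0x02 or 0x03."""
    return len(data) == 33 and data[0] in (0x02, 0x03)


def to_canonical_key(data: bytes) -> bytes:
    """Accept an uncompressed (0x04 || x || y) or compressed key and return the compressed form."""
    if is_canonical_key(data):
        decompress(data)  # validate before passing it through
        return data
    if len(data) == 65 and data[0] == 0x04:
        x = int.from_bytes(data[1:33], "big")
        y = int.from_bytes(data[33:], "big")
        return compress(x, y)
    raise ValueError("unrecognised point encoding")


def x_only(point: bytes) -> bytes:
    """Canonical signature R point: drop everything but the 32-byte x coordinate."""
    if len(point) == 65 and point[0] == 0x04:
        return point[1:33]
    if is_canonical_key(point):
        return point[1:]
    raise ValueError("unrecognised point encoding")


if __name__ == "__main__":
    uncompressed = b"\x04" + GX.to_bytes(32, "big") + GY.to_bytes(32, "big")
    print(to_canonical_key(uncompressed).hex())
    print(x_only(uncompressed).hex())
```

A request carrying a 65-byte uncompressed key therefore needs to be converted before it is sent, and a PKI that only accepts canonical input can reject anything that fails is_canonical_key() before doing any cryptography.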

 

Are there IP/HTTP constraints?

The Host header of HTTP requests must contain the domain name associated with the service (for example 0.atos-ea.l0.c-its-pki.eu). We are not able to process a request if the Host value is empty, incorrect or contains only the IP address.
It is not possible to expose PKI services on different IP addresses.
For L0 services, fixed IP addresses cannot be guaranteed. FQDNs shall be used.
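A front-end check that enforces the Host header rule above, as an added example (not the Atos PKI code). It parses a raw HTTP/1.1 request, requires exactly one non-empty Host header, rejects bare IP literals (IPv4 or bracketed IPv6), tolerates an explicit port, and matches the remaining name against a configured set; the set here contains the domain name quoted on the page, and the request bytes are constructed samples.

```python
import ipaddress
from typing import Iterable, Tuple

# Domain names this service answers for (the value from the page's example).
ALLOWED_HOSTS = {"0.atos-ea.l0.c-its-pki.eu"}


def host_header_ok(raw_request: bytes, allowed: Iterable[str] = ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Return (True, canonical_host) or (False, reason) for a raw HTTP/1.1 request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    if not lines or not lines[0]:
        return False, "missing request line"
    # Header names are case-insensitive; skip the request line itself.
    hosts = [ln.split(":", 1)[1].strip()
             for ln in lines[1:] if ln.lower().startswith("host:")]
    if len(hosts) != 1:
        return False, "missing or duplicate Host header"
    host = hosts[0]
    if not host:
        return False, "empty Host header"
    if host.startswith("["):
        return False, "Host is an IPv6 literal"
    # Strip an optional ":port" suffix before comparing the name.
    name = host.rsplit(":", 1)[0] if ":" in host else host
    try:
        ipaddress.ip_address(name)
        return False, "Host is an IP address, not a domain name"
    except ValueError:
        pass  # not an IP literal, which is what we want
    name = name.lower().rstrip(".")
    if name not in {h.lower() for h in allowed}:
        return False, "Host is not served by this PKI endpoint"
    return True, name


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = b"POST /enrol HTTP/1.1\r\nHost: 0.atos-ea.l0.c-its-pki.eu\r\n\r\n"
IP_REQUEST = b"POST /enrol HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"

if __name__ == "__main__":
    print(host_header_ok(GOOD_REQUEST))
    print(host_header_ok(IP_REQUEST))
```

Rejecting before any TLS or ASN.1 processing keeps the failure cheap and gives a clear reason in the logs when a station was configured with an IP address instead of the FQDN.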

 

What can be used to renew an EC?

For L0 services, an EC can be requested using either the station's technical key or any valid EC previously delivered to this station.
In addition, any valid EC can be used to request ATs.

 

In certificate requests, what value should the id field of the CertificateSubjectAttributes sequence take?

The field is optional and shall not be used:

  • For EC requests, ETSI TS 103 097 §7.2.2 specifies that the EC shall have a certificateId set to the choice name, containing a unique name associated with the enrolment credential. The PKI generates this name, so the station cannot request a specific id.
  • For AT requests, the generated AT will not have any id, so the ITS station cannot request one.