
ANNEX I C Requirements for construction, testing, installation, and inspection

Appendix 11

COMMON SECURITY MECHANISMS

PART B SECOND-GENERATION TACHOGRAPH SYSTEM
10. VU-CARD MUTUAL AUTHENTICATION AND SECURE MESSAGING
10.2. Mutual Certificate Chain Verification
10.2.2. VU Certificate Chain Verification by Card
CSM_162 As depicted in Figure 5, verification of the certificate chain of the vehicle unit shall begin with the vehicle unit attempting to set its own public key for use in the tachograph card. If this succeeds, it means that the card successfully verified the VU's certificate chain in the past, and has stored the VU certificate for future reference. In this case, the VU certificate is set for use and the process continues with VU Authentication. If the card does not know the VU certificate, the VU shall successively present the VU.CA certificate to be used for verifying its VU certificate, the VU.CA.EUR certificate to be used for verifying the VU.CA certificate, and possibly the link certificate, in order to find a certificate known or verifiable by the card. If such a certificate is found, the card shall use that certificate to verify the underlying VU certificates presented to it. If successful, the VU shall finally set its public key for use in the tachograph card. If not successful, the VU shall ignore the card.
Note: There are three ways in which the card may know the VU.CA.EUR certificate:
the VU.CA.EUR certificate is the same certificate as the card's own EUR certificate;
the VU.CA.EUR certificate precedes the card's own EUR certificate and the card contained this certificate already at issuance (see CSM_91);
the VU.CA.EUR certificate succeeds the card's own EUR certificate and the card received a link certificate in the past from another vehicle unit, verified it and stored it for future reference.
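
The search for a trust anchor described in CSM_162 can be modelled as follows. This is an added illustration, not text or code from the Regulation: the class and function names, the certificate fields and the sample keys are assumptions, and a hash stands in for the real certificate signature so that the sketch runs offline.

```python
import hashlib
from dataclasses import dataclass

def toy_sign(issuer_key, holder, key):  # stand-in signature, NOT real cryptography
    return hashlib.sha256(issuer_key + holder.encode() + key).digest()

@dataclass(frozen=True)
class Cert:
    holder: str  # whose key the certificate carries
    issuer: str  # whose key signed it
    key: bytes
    sig: bytes

def issue(holder: str, key: bytes, issuer: str, issuer_key: bytes) -> Cert:
    return Cert(holder, issuer, key, toy_sign(issuer_key, holder, key))

class Card:
    def __init__(self, trusted):
        self.known = {c.holder: c.key for c in trusted}  # certificates on the card
        self.in_use = None

    def set_key(self, holder: str) -> bool:  # succeeds only for a key the card holds
        if holder in self.known:
            self.in_use = holder
        return holder in self.known

    def verify(self, cert: Cert) -> bool:
        issuer_key = self.known.get(cert.issuer)
        if issuer_key is None or toy_sign(issuer_key, cert.holder, cert.key) != cert.sig:
            return False
        self.known[cert.holder] = cert.key  # stored for future reference
        return True

def verify_vu_chain(card, vu, vu_ca, vu_ca_eur, link=None) -> str:
    if card.set_key(vu.holder):  # card verified this VU certificate in the past
        return "known"
    rejected = []  # certificates the card could not verify yet
    for cert in filter(None, (vu_ca, vu_ca_eur, link)):
        if card.verify(cert):  # anchor found: verify underlying certificates top-down
            ok = all(card.verify(c) for c in reversed(rejected)) and card.verify(vu)
            return "verified" if ok and card.set_key(vu.holder) else "ignore card"
        rejected.append(cert)
    return "ignore card"

def sample_pki():  # constructed names and keys, for illustration only
    e1, e2, ca = b"eur1-key", b"eur2-key", b"ca-key"
    eur1, eur2 = issue("EUR1", e1, "EUR1", e1), issue("EUR2", e2, "EUR2", e2)
    link = issue("EUR2", e2, "EUR1", e1)  # new root key signed with the old root key
    return eur1, eur2, link, issue("VU.CA", ca, "EUR2", e2), issue("VU", b"vu", "VU.CA", ca)
```

A card issued under the older root rejects the whole chain until the link certificate is presented. After one successful run, the stored VU certificate lets the initial set-key attempt succeed directly.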