ANNEX I CU.K.Requirements for construction, testing, installation, and inspection
Appendix 11
COMMON SECURITY MECHANISMS U.K.
PART BU.K. SECOND-GENERATION TACHOGRAPH SYSTEM
9.KEYS AND CERTIFICATESU.K.
9.1. Asymmetric Key Pairs and Public Key Certificates U.K.
9.1.6 Equipment Level: External GNSS Facilities U.K.
[CSM_93 One unique ECC key pair shall be generated for each external GNSS facility, designated as EGF_MA. This task is handled by external GNSS facility manufacturers. Whenever an EGF_MA key pair is generated, the party generating th e key shall send the public key to its MSCA in order to obtain a corresponding EGF_MA certificate signed by the MSCA. The private key shall be used only by the external GNSS facility.] U.K.
CSM_94An EGF manufacturer shall choose the strength of an EGF_MA key pair equal to the strength of the MSCA key pair used to sign the corresponding EGF_MA certificate.U.K.
[CSM_95 An external GNSS facility shall use its EGF_MA key pair, consisting of private key EGF_MA.SK and public key EGF_MA.PK, exclusively to perform mutual authentication and session key agreement towards vehicle units, as specified in section 11.4 of this Appendix.] U.K.
CSM_96The validity period of an EGF_MA certificate shall be 15 years.U.K.
CSM_97An external GNSS facility shall not use the private key of its EGF_MA key pair for coupling to a vehicle unit after the corresponding certificate has expired.U.K.
Note: as explained in section 11.3.3, an EGF may potentially use its private key for mutual authentication towards the VU it is already coupled to, even after the corresponding certificate has expired.U.K.
CSM_98The EGF_MA key pair and corresponding certificate of a given external GNSS facility shall not be replaced or renewed in the field once the EGF has been put in operation.U.K.
Note: This requirement does not forbid the possibility of replacing EGF key pairs during a refurbishment or repair in a secure environment controlled by the EGF manufacturer.U.K.
CSM_99When put in operation, an external GNSS facility shall contain the following cryptographic keys and certificates:U.K.
The EGF_MA private key and corresponding certificate
The MSCA_VU-EGF certificate containing the MSCA_VU-EGF.PK public key to be used for verification of the EGF_MA certificate
The EUR certificate containing the EUR.PK public key to be used for verification of the MSCA_VU-EGF certificate
The EUR certificate whose validity period directly precedes the validity period of the EUR certificate to be used to verify the MSCA_VU-EGF certificate, if existing
The link certificate linking these two EUR certificates, if existing