OCAP Use Cases
The UniSoft OCAP Security File Generator generates the various files described in chapter 12 of the MHP specification and chapter 14 of the OCAP specification.
It is targeted at two types of user:
- OCAP application developers who prepare applications for delivery through a broadcast network.
- Certificate authorities that support the Public Key Infrastructure (PKI) associated with the OCAP security framework.
Product Overview
The OCAP Security File Generator provides facilities for five different user roles in the OCAP PKI. We have defined these roles as:
- An Application Developer who, primarily, needs to sign and deliver an application over the broadcast network.
- An Other Application Developer whose application has generated files in persistent storage and needs to grant access to these files to another application.
- A Certificate Authority who produces new certificates in response to requests from users (either Application Developers or other Certificate Authorities) and ensures that appropriate action is taken if any of the keys associated with these certificates is compromised.
- A Root Certificate Authority who manages the self-signed keys that are the trusted source for all certificate chains. This role also includes the role of a Certificate Authority.
- A Device Manufacturer who needs to sign and deliver an updated code image for their receiver implementation.
A single entity may perform more than one of these roles; for example, a Certificate Authority may also be an Application Developer.
Features for OCAP Application Developers
As an OCAP application developer, your main security-related task is to apply a signature to an application that uses capabilities outside the OCAP sandbox. Often this application will include a permission file that defines the set of OCAP facilities that the application needs to access.
The OCAP Security File Generator provides facilities for the following steps that you need to take in order to sign applications:
- Key generation - to produce a public/private key pair that you use to sign applications.
- Certificate management - to manage all the certificates that are provided by the certificate authorities who generate your certificates.
- Permission file generation - to create permission files that can include persistent file credentials provided to you by other application developers.
- Application signing - to create the hash files, certificate files and signature files that are specified in the MHP security framework.
- Persistent file credential generation - to create a persistent file credential and the associated certificate files that you can pass to other application developers who need access to the files that your application generates in persistent storage.
Product Features for Device Manufacturers
As an OCAP device manufacturer, your main security-related task is to apply a signature to a code image that will be downloaded to the receiver. The code download file is in PKCS#7 Signed Data format and is always signed by the Manufacturer's Code Validation Certificate. The PKCS#7 file may also contain Manufacturer Certificate Authority certificates, the CableLabs Code Validation Root CA certificate and the CableLabs Code Validation CA certificate. The PKCS#7 file may need to be dual signed by both the Manufacturer and by CableLabs in line with CableLabs security policy.
The OCAP Security File Generator provides facilities for the following steps that you need to take in order to sign code images:
- Key generation - to produce a public/private key pair that you use to sign code files.
- Certificate management - to manage all the certificates that are provided by the certificate authorities that generate your certificates.
- Code Download signing - to create the PKCS#7 Signed Data file containing the code image and the certificates specified in the OCAP security framework.
- Code Download dual signing - to add a second (CableLabs) signature to the PKCS#7 Signed Data file already signed by the Device Manufacturer.
Product Features for Certificate Authorities
As a certificate authority, your main task is to manage part of the PKI by issuing certificates and maintaining the CRLs associated with your own certificate.
The OCAP Security File Generator provides facilities for the following functions that you need to provide to your users:
- Key generation - to produce a public/private key pair that you use to sign applications.
- Certificate management - to manage all the certificates that are provided by the certificate authorities who generate your certificates and those that you provide to your users.
- Certificate generation - to produce certificates for application developers and subsidiary certificate authorities as and when requested.
- CRL generation - to revoke certificates that you have issued and that have since been compromised.
For Root Certificate Authorities
In addition, if you are operating as a Root Certificate Authority, the OCAP Security File Generator provides you with the following capabilities:
- Root certificate generation - to create a self-signed certificate that provides a point of trust for the certificates that it signs.
- RCMM generation - to produce RCMMs for distribution to OCAP receivers.
- RCMM signing - to apply a signature to RCMMs that have been generated by other Root Certificate Authorities.