3.2.1 Abstract Data Model

HRA MUST store the HCEP-Correlation-Id that it receives in an HCEP request. It MUST use the same HCEP-Correlation-Id in the HCEP response that it generates.

The following is a list of predefined settings that SHOULD<28> be present on the server and SHOULD be initialized by the server administrator:

  • A list of strings that are used to restrict the requests based on the user-agent strings, as specified in section 2.2.2.1, that are present in an HCEP request. If no string in the list is a substring of the user-agent string, the request MUST be discarded. If this list is empty, all user agents SHOULD<29> be allowed.

  • A list of algorithms that are used to restrict the allowed public keys in the certificate request. If the list is empty, all algorithms SHOULD<30> be allowed.

  • A list of algorithms that are used to restrict the allowed signatures in the certificate request. If the list is empty, all algorithms SHOULD<31> be allowed.

  • A list of cryptographic service providers (CSPs) that are used to restrict the CSPs that created the certificate requests. If the list is empty, certificate requests from all CSPs SHOULD<32> be allowed.

  • A setting that specifies the maximum size, in kilobytes, of the HCEP request, including the HTTP headers and the body. If the size of the request is less than the maximum size allowed, the HCEP request SHOULD<33> be allowed.

  • CAToConnect: The connection information of a CA. The fields of the CAToConnect structure are as follows:

    • Name: A null-terminated Unicode string that specifies the Name of the CA.

    • EndPoint: A null-terminated Unicode string that specifies the CA server address. The string can be in the form of an HTTPS URL, a fully qualified domain name (FQDN) of the CA, or an IPv4 address of the CA.

  • remote CA name List: A list of CAToConnect ADM elements (specified in this section) that contains the CAs from which HRA will attempt to obtain health certificates. For initialization information about remote CA name List, see section 3.2.3.

  • CAResponseTimeOut: A DWORD containing the timeout interval, in seconds, for a CA response. Valid values range from 0x00000000 to 0x0000012C, inclusive.

  • EvaluationTimeOut: A DWORD containing the time, in milliseconds, that the HRA server will wait for the evaluation result.<34>
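
The request-restriction settings listed above act as an admission filter in which an empty list imposes no restriction. The following Python sketch is an added example, not part of the specification: HraSettings, admit, unrestricted, the request dictionary shape and all sample values are hypothetical. Case-sensitive matching, 1 KB = 1024 bytes, and rejecting requests at or above the maximum size are assumptions.

```python
from dataclasses import dataclass, field

CA_RESPONSE_TIMEOUT_MAX = 0x0000012C  # upper bound stated for CAResponseTimeOut


@dataclass
class HraSettings:
    """Hypothetical container for the administrator-initialized settings."""
    user_agent_strings: list = field(default_factory=list)
    public_key_algorithms: list = field(default_factory=list)
    signature_algorithms: list = field(default_factory=list)
    csps: list = field(default_factory=list)
    max_request_kb: int = 64        # constructed sample value
    ca_response_timeout: int = 30   # seconds, constructed sample value

    def validate(self):
        # CAResponseTimeOut is valid from 0x00000000 to 0x0000012C inclusive.
        if not 0 <= self.ca_response_timeout <= CA_RESPONSE_TIMEOUT_MAX:
            raise ValueError("CAResponseTimeOut out of range")


def admit(settings, request):
    """Return (allowed, reason) for a parsed request dict (hypothetical shape)."""
    ua = request["user_agent"]
    # Discard unless some configured string is a substring of the user agent.
    if settings.user_agent_strings and not any(
            s in ua for s in settings.user_agent_strings):
        return False, "user_agent"
    # The size covers HTTP headers plus body; only requests smaller than the
    # maximum are admitted here (assumption: 1 KB = 1024 bytes).
    if request["size_bytes"] >= settings.max_request_kb * 1024:
        return False, "size"
    for key, allowed in (("public_key_alg", settings.public_key_algorithms),
                         ("signature_alg", settings.signature_algorithms),
                         ("csp", settings.csps)):
        # An empty list means no restriction, so it admits any value.
        if allowed and request[key] not in allowed:
            return False, key
    return True, "ok"


def unrestricted(settings):
    """Names of the lists left empty, i.e. checks that admit everything."""
    names = ("user_agent_strings", "public_key_algorithms",
             "signature_algorithms", "csps")
    return [n for n in names if not getattr(settings, n)]
```

unrestricted() works as a configuration audit: every name it returns is a check that currently admits all values.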