3.2.5.2 Processing an HCEP Request

After the validation checks are complete, the HRA MUST process the HCEP request as follows:

  1. Extract the HCEP-Correlation-Id from the HCEP request, for use when creating the HCEP response.

  2. Extract the health certificate request (as specified in section 2.2.1.1) from the HCEP request.

  3. Extract the SoH specified in section 2.2.1.4 from the health certificate request by reading the ASN.1 DER-encoded SoH from the health certificate request and decoding it.

  4. Obtain the CA name from server settings as specified in the server abstract data model in section 3.2.1.

  5. Send the SoH for evaluation to the policy server (handling of the SoH by the policy server is defined in [TNC-IF-TNCCSPBSoH]) and obtain a SoHR (as specified by [TNC-IF-TNCCSPBSoH]).

    Note: The specific implementation will define the technology and the protocols used to communicate between the HRA and the policy server.

    • If there is a failure in communication with the policy server, or the policy server fails to process the SoH (for example, because the SoH is malformed), the HCEP request processing must be aborted and the HRA must respond with an error as specified in section 3.2.4.

  6. The specific implementation of the policy server and the HRA must then decide whether the SoH in the HCEP request is compliant with the policy.

  7. The HCEP response MUST then be created and sent as specified in section 3.2.5.3.
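
The sketch below is an added example, not code from the specification or from any HRA implementation. It walks steps 1 through 6 and shows the abort path of step 5 failing closed while keeping the correlation ID for the response. Assumptions: the request arrives as an already-parsed dict, the SoH is wrapped in a single DER OCTET STRING (the real layout is defined in section 2.2.1.4), and `policy_server` is a hypothetical callable returning `(sohr, compliant)`.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

def read_der_tlv(buf: bytes) -> tuple[int, bytes]:
    """Strictly decode one definite-length DER TLV spanning all of buf."""
    if len(buf) < 2:
        raise ValueError("truncated TLV")
    tag, first = buf[0], buf[1]
    if first < 0x80:                       # short form
        length, off = first, 2
    else:                                  # long form: first & 0x7F length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            raise ValueError("indefinite, oversized or truncated length")
        length, off = int.from_bytes(buf[2:2 + n], "big"), 2 + n
        if length < 0x80 or buf[2] == 0:
            raise ValueError("non-minimal DER length")
    if len(buf) - off != length:
        raise ValueError("length field does not match content")
    return tag, buf[off:]

@dataclass
class Outcome:
    correlation_id: str            # echoed when the HCEP response is built
    ca_name: str
    compliant: Optional[bool]      # None: processing aborted, error response
    error: Optional[str] = None

def process_hcep_request(request: dict, settings: dict,
                         policy_server: Callable[[bytes], tuple[bytes, bool]]) -> Outcome:
    corr_id = request["headers"]["HCEP-Correlation-Id"]   # step 1
    cert_request = request["cert_request"]                # step 2 (assumed pre-parsed)
    ca_name = settings["ca_name"]                         # step 4
    try:
        tag, soh = read_der_tlv(cert_request["soh_der"])  # step 3
        if tag != 0x04:                                   # assumed OCTET STRING wrapper
            raise ValueError("unexpected tag for SoH")
        _sohr, compliant = policy_server(soh)             # steps 5 and 6
    except (ValueError, OSError) as exc:                  # malformed SoH or comms failure
        return Outcome(corr_id, ca_name, None, str(exc))  # abort: never treated as compliant
    return Outcome(corr_id, ca_name, compliant)

# Constructed sample input, not taken from the specification.
SAMPLE = {"headers": {"HCEP-Correlation-Id": "{constructed-id-0001}"},
          "cert_request": {"soh_der": b"\x04\x03abc"}}
SETTINGS = {"ca_name": "ca.example.test\\Example-CA"}
```

An `Outcome` with `compliant` set to `None` corresponds to the error response of section 3.2.4; any other outcome feeds the response creation in section 3.2.5.3.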