Interim key-management

2016-12-30 Samtrafikens BoB Metadata is now going into production, and this interim-solution is discontinued.

The purpose of the interim key-management procedures are to provide a temporary Administering Body (AB) function for the early-adapting participants of the Mobile Ticket Specifications. This is not a complete AB as full functionality is not required at this stage. The current API is based upon the same principles as the coming API-specs from the project, but the permanent solution will have more functionality.

The interim solution for key-management is divided into two parts:

The key repository where everyone can fetch the key-list using a public url. The key-list, which is updated every 5 minutes, can be fetched from https://api.mobileticket.se/keylist
The key-management in which a Participant with an assigned PID, via e-mail, can publish or remove public keys.

Key-management

Overview

With the interim key-management mechanism, keys are published to and removed from the key-list via a pre-formatted signed e-mail sent to the AB.

Each Participant (with an assigned PID) can take part in the key-management after a "hand shake" where the Participant physically deliver, to a delegate of the AB, their public component of the key used for signing the key-management e-mails.

The acceptance of the key-management key will be acknowledged with a signed message in return to the Participant.

The keys shall be delivered in a JSON format signed using JWS (RFC 7515) as specified as here.

Key management requests are sent via e-mail to keymanagement@mobileticket.se. After successfully authenticating the contents of the JSON structure contained within the e-mail, key information are subject to a manual check and then imported into the key management system.

After a successful import the system will send a confirmation email to the predefined recipient of the Participant.

All transactions will be logged.