Posts: 1,516
Threads: 16
Joined: Dec 2009
Reputation:
79
Every modem DOCSIS firmware is “signed” with its manufacturer’s CVC and also can be “co-signed” with the DOCSIS or an operator’s CVC. During a secure software download, the CVC at the cable modem firmware has to match with the CVC residing at the modem. The CVC residing at the modem has to initially be downloaded via provisioning.
Knowledge=Power
Posts: 510
Threads: 2
Joined: Nov 2013
Reputation:
15
Pretty sure no one was referring to the signed firmware. Modem certificates, which constitute the verification of the modem MAC, serial, etc., are what people refer to when "certs" are mentioned.
Posts: 1,516
Threads: 16
Joined: Dec 2009
Reputation:
79
The CVC Certificate for the root MAC is signed at manufacturing time...the added co-signed firmware by the ISP is a second layer of security...it is pushed at provisioning time as I said above...
Knowledge=Power
Posts: 1,516
Threads: 16
Joined: Dec 2009
Reputation:
79
I am not sure I am following, the BPI certificate resides at the time of manufacturing...the CVC signed by the ISP is done at provisioning
Knowledge=Power
Posts: 10
Threads: 2
Joined: Dec 2017
Reputation:
1
03-10-2020, 04:17 PM
(This post was last modified: 03-10-2020, 04:20 PM by 0rko.)
I'm getting a little bit lost?
Are we talking about certificates for BPI+ authentication to prove the legitimacy of the cable modem MAC address during registration, where in fact the Manufacturer- and CM-Certificate (which contains the CM RSA public key) are part of the Baseline Privacy Key Management (BPKM)?
OR
Are we talking about the Secure Software Download (SSD), where the ISP of course can co-sign the cable modem monolithic firmware, which is also signed by the Manufacturer CVC CA, which normally is independent of the whole BPI+ section? Also, it's clear that the co-sign mechanism is used so that the ISP can use only ONE CVC hex value for cable modem firmware from different manufacturers. That way he can avoid the problem of generating unique cable modem cfg files for each manufacturer.
My feeling is that the thread starter was looking in the BPI+ direction and not at SSD. So I'm not sure why ABMJR started with the co-signer topic at all.
Also, I'm aware that the specification and implementations on the cable routers can allow self-signed certificates for the BPI+ procedure, mostly because of very old DOCSIS 1.0 to DOCSIS 1.1 transition fuckups. But the co-signer CVC stuff shouldn't have anything to do with this.
But toniou didn't come back into the discussion, so it's wasted time anyway.