Posts: 1,516
	Threads: 16
	Joined: Dec 2009
	
Reputation: 
79
	 
 
	
	
		Every modem DOCSIS firmware is “signed” with its manufacturer’s CVC and also can be “co-signed” with the DOCSIS or an operator’s CVC. During a secure software download, the CVC at the cable modem firmware has to match with the CVC residing at the modem. The CVC residing at the modem has to initially be downloaded via provisioning.
	
	
	
Knowledge=Power 
	
	
 
 
	
	
	
		
	Posts: 510
	Threads: 2
	Joined: Nov 2013
	
Reputation: 
15
	 
 
	
	
		Pretty sure no one was referring to the signed firmware. Modem certificates, which constitute the verification of the modem MAC, serial, etc., are what people refer to when "certs" are mentioned.
	
	
	
	
	
 
 
	
	
	
		
	Posts: 1,516
	Threads: 16
	Joined: Dec 2009
	
Reputation: 
79
	 
 
	
	
		The CVC Certificate for the root MAC is signed at manufacturing time...the added co-signed firmware by the ISP is a second layer of security...it is pushed at provisioning time as I said above...
	
	
	
Knowledge=Power 
	
	
 
 
	
	
	
		
	Posts: 1,516
	Threads: 16
	Joined: Dec 2009
	
Reputation: 
79
	 
 
	
	
		I am not sure I am following, the BPI certificate resides at the time of manufacturing...the CVC signed by the ISP is done at provisioning
	
	
	
Knowledge=Power 
	
	
 
 
	
	
	
		
	Posts: 10
	Threads: 2
	Joined: Dec 2017
	
Reputation: 
1
	 
 
	
		
		
		03-10-2020, 04:17 PM 
(This post was last modified: 03-10-2020, 04:20 PM by 0rko.)
	
	 
	
		I'm getting a little bit lost?
Are we talking about certificates for BPI+ authentication to prove the legitimacy of the cable modem MAC address during registration, where in fact the Manufacturer and CM Certificate (which contains the CM RSA public key) is a part of the Baseline Privacy Key Management (BPKM)?
OR
Are we talking about the Secure Software Download (SSD), where the ISP of course can co-sign the cable modem monolithic firmware, which is also signed by the Manufacturer CVC CA, which normally is independent of the whole BPI+ section? Also, it's clear that the co-sign mechanism is used for the purpose that the ISP can use only ONE CVC hex value for cable modem firmware from different manufacturers. So he can avoid the problem of generating unique cable modem cfg files for each manufacturer.
My feeling is that the thread starter was looking in the BPI+ direction and not at SSD. So I'm not sure why ABMJR started with the co-signer topic at all.
Also, I'm aware that the specification and implementations on the cable routers can allow self-signed certificates for the BPI+ procedure. Mostly because of very old DOCSIS 1.0 to DOCSIS 1.1 Transition-Fuckups. But the co-signer CVC stuff shouldn't have anything to do with this.
But toniou didn't come back into the discussion, so it's wasted time anyway.