<?xmlversion="1.0" encoding="US-ASCII"?> <!-- this is version 5 of this xml2rfc template -->version='1.0' encoding='UTF-8'?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd" [ <!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"> <!ENTITY rfc2223 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2223.xml"> <!ENTITY rfc2578 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2578.xml"> <!ENTITY rfc2579 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2579.xml"> <!ENTITY rfc2580 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2580.xml"> <!ENTITY rfc2629 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2629.xml"> <!ENTITY rfc3410 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3410.xml"> <!ENTITY rfc4181 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4181.xml"> ]> <?rfc toc="yes"?> <?rfc symrefs="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?> <?rfc strict="no"?> <?rfc rfcedstyle="yes"?> <?rfc comments="yes"?> <?rfc inline="yes"?> <!--<rfc category="std" docName="draft-v2-tls-cert-ETSI-IEEE.txt" ipr="trust200902">--> <!--<rfc category="info" docName="draft-v2-tls-cert-ETSI-IEEE.txt" ipr="trust200902">-->"rfc2629-xhtml.ent"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" number="8902" category="exp" docName="draft-msahli-ise-ieee1609-07"ipr="trust200902">ipr="trust200902" obsoletes="" updates="" submissionType="independent" xml:lang="en" tocInclude="true" symRefs="true" sortRefs="true" version="3" > <front><!--<title abbrev="IEEE and IETF Certificate Types for TLS">Transport Layer Security (TLS) Authentication using ETSI TS 103 097 and IEEE 1609.2 certificates</title>--><title abbrev="IEEE and ETSI Certificate Types for TLS"> TLS Authenticationusing ITS certificate</title>Using Intelligent Transport System (ITS) Certificates</title> <seriesInfo name="RFC" value="8902"/> <author fullname="Mounira Msahli"initials="M.M"initials="M" role="editor" surname="Msahli"> <organization> Telecom Paris</organization> <address> <postal> <street/> <city/> <code/><country> France</country><country>France</country> </postal> <email> mounira.msahli@telecom-paris.fr</email> </address> </author> <author fullname="Nancy Cam-Winget"initials="N.C"initials="N" role="editor" surname="Cam-Winget"> <organization> Cisco</organization> <address> <postal> <street/> <city/> <code/><country> USA </country><country>United States of America</country> </postal> <email>ncamwing@cisco.com</email> </address> </author> <author fullname="William Whyte"initials="W.W"initials="W" role="editor" surname="Whyte"> <organization> Qualcomm</organization> <address> <postal> <street/> <city/> <code/><country> USA </country><country>United States of America</country> </postal> <email>wwhyte@qti.qualcomm.com</email> </address> </author> <author fullname="Ahmed Serhrouchni "initials="A.S"initials="A" surname="Serhrouchni"> <organization>Telecom Paris </organization> <address> <postal> <street/> <city/> <code/><country> France<country>France </country> </postal> <email>ahmed.serhrouchni@telecom-paris.fr</email> </address> </author> <author fullname="Houda Labiod"initials="H.L"initials="H" surname="Labiod"> <organization>Telecom Paris </organization> <address> <postal> <street/> <city/> <code/><country> France<country>France </country> </postal> <email>houda.labiod@telecom-paris.fr</email> </address> </author><date/><date month="September" year="2020"/> <workgroup/> <keyword>TLS</keyword> <keyword>Intelligent Transport System (ITS) Certificates</keyword> <keyword>IEEE</keyword> <keyword>ETSI</keyword> <abstract> <t> The IEEE and ETSI have specified a type of end-entitycertificates.certificate. This document defines an experimental change to TLS to support IEEE/ETSI certificate types to authenticate TLS entities. </t> </abstract> </front> <middle> <sectiontitle="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>The TLS protocol[RFC8446]<xref target="RFC8446"/> allows the use of X.509 certificates andRaw Public Keyraw public keys to authenticate servers and clients. This document describes an experimental extension following the procedures laid out by[RFC7250]<xref target="RFC7250"/> to support use of the certificate format specified by the IEEE in[IEEE1609.2]<xref target="IEEE1609.2"/> and profiled by the European Telecommunications Standards Institute (ETSI) in[TS103097].<xref target="TS103097"/>. These standards specify secure communications in vehicular environments. These certificates are referred to in this document as IntelligentTransportationTransport Systems (ITS) Certificates.</t> <t>The certificate types are optimized for bandwidth and processing time to support delay-sensitiveapplications,applications and also to provide both authentication and authorization information to enable fast access control decisions in ad hoc networkssuch as arefound in IntelligentTransportationTransport Systems (ITS). The standards specify different types ofcertificatecertificates to support a full Public Key Infrastructure (PKI) specification; the certificates to be used in this context are end-entity certificates,i.e.i.e., certificates that have the IEEE 1609.2 appPermissions field present.</t><t> Use<t>Use of ITS certificates is becoming widespread in the ITS setting. ITScommunicationscommunications, inpracticepractice, make heavy use of 10 MHz channels with a typical throughput of 6 Mbps. (The 802.11OCB modulation that gives this throughput is not the one that gives the highest throughput, but it provides for a robust signal over a range up to 300-500 m, which is the "sweet spot" communications range for ITS operations like collision avoidance). The compact nature of ITS certificates as opposed to X.509 certificates makes them appropriate for this setting. </t> <t>The ITS certificates are also suited to theM2Mmachine-to-machine (M2M) ad hoc networksetting,setting because their direct encoding of permissions (seeSecurity Considerations, section 7.4)<xref target="ITS-permissions"/>) allows a receiver to make an immediate accept/deny decision about an incoming message without having to refer to a remote identity and access management server. The EU has committed to the use of ITS certificates in Cooperative IntelligentTransportationTransport Systems deployments. A multi-year project developed a certificate policy for the use of ITS certificates, including a specification of how different root certificates can be trusted across the system (hosted athttps://ec.europa.eu/transport/themes/its/c-its_en,<<eref target="https://ec.europa.eu/transport/themes/its/c-its_en"/>>, direct link athttps://ec.europa.eu/transport/sites/transport/files/c-its_certificate_policy_release_1.pdf).</t><<eref target="https://ec.europa.eu/transport/sites/transport/files/c-its_certificate_policy_release_1.pdf"/>>).</t> <t> The EU has committed funding for the first five years of operation of the top-level Trust List Manager entity, enabling organizations such as motor vehicleOEMsoriginal equipment manufacturers (OEMs) and national road authorities to create rootCAscertificate authorities (CAs) and have them trusted. In the US, the US Department of Transportation (USDOT) published a proposed regulation,whichactive as of late2019, is active2019 though not rapidly progressing,which would requirerequiring all light vehicles in the US to implementV2X communicationsvehicle-to-everything (V2X) communications, including the use of ITS certificates (availablefrom https://www.federalregister.gov/documents/2017/01/12/2016-31059/federal-motor-vehicle-safety-standards-v2v-communications).at <<eref target="https://www.federalregister.gov/documents/2017/01/12/2016-31059/federal-motor-vehicle-safety-standards-v2v-communications"/>>). As of 2019, ITS deployments across the US,EuropeEurope, and Australia were using ITS certificates. Volkswagenhavehas committed to deploying V2X using ITS certificates. New York,TampaTampa, and Wyoming are deploying traffic management systems using ITS certificates. GM deployed V2X intheirthe CadillacCTSesCTS, using ITS certificates.</t> <t> ITS certificates are also used in a number of standards that build on top of the foundational IEEE and ETSI standards, particularly theSAESociety of Automobile Engineers (SAE) J2945/x series of standards for applications and ISO21177,21177 <xref target="ISO21177"/>, which builds a framework for exchanging multiple authentication tokens on top of the TLS variant specified in this document. </t> <sectiontitle="Experiment Overview">numbered="true" toc="default"> <name>Experiment Overview</name> <t>This document describes an experimental extension to the TLS security model. It uses a form of certificate that has not previously been used in the Internet. Systems using this Experimental approach are segregated fromsystemsystems using standard TLS by the use of a newCertificate Typecertificate type value, reserved through IANA (seeSection 9).<xref target="IANA"/>). An implementation of TLS that is not involved in the Experiment will notrecogniserecognize this newCertificate Typecertificate type and will not participate in theexperiment:experiment; TLS sessions will either negotiate the use of existing X.509 certificates or fail to be established. </t> <t>This extension has been encouraged by stakeholders in the Cooperative ITS community in order to supporttheITSuse cases deploymentuse-case deployment, and it is anticipated that its use will be widespread. </t> </section> </section> <sectiontitle="Requirements Terminology"> <t>Thenumbered="true" toc="default"> <name>Requirements Terminology</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14 [RFC2119]BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> </section> <sectiontitle="Extension Overview">numbered="true" toc="default"> <name>Extension Overview</name> <t> The TLSextensionextensions "client_certificate_type" and "server_certificate_type"[RFC7250]<xref target="RFC7250"/> are used to negotiate the type of Certificate messages used in TLS to authenticate the server and, optionally, the client. Using separateextensionextensions allows for mixed deployments where the client and server can use certificates of different types. It is expected that ITS deployments will see both peers using ITS certificates due to the homogeneity of the ecosystem, but there is no barrier at a technical level that prevents mixed certificate usage. This document defines a new certificate type, 1609Dot2, for usage with TLS 1.3. The updated CertificateType enumeration and corresponding addition to the CertificateEntry structure are shown below. CertificateType values are sent in the "server_certificate_type" and "client_certificate_type"extension,extensions, and the CertificateEntry structures are included in the certificate chain sent in the Certificate message. In the case of TLS 1.3, the"client_certificate_type " SHALL"client_certificate_type" <bcp14>SHALL</bcp14> contain a list of supported certificate types proposed by the client as provided in the figure below:<figure> <artwork></t> <sourcecode> /* Managed by IANA */ enum { X509(0), RawPublicKey(2), 1609Dot2(3), (255) } CertificateType; struct { select (certificate_type) { /* certificate type defined in this document.*/ case 1609Dot2: opaquecert_data<1..2^24-1>;cert_data<1..2^24-1>; /* RawPublicKey defined in RFC 7250*/ case RawPublicKey: opaqueASN.1_subjectPublicKeyInfo<1..2^24-1>;ASN.1_subjectPublicKeyInfo<1..2^24-1>; /* X.509 certificate defined in RFC5246*/8446*/ case X.509: opaquecert_data<1..2^24-1>;cert_data<1..2^24-1>; }; Extensionextensions<0..2^16-1>;extensions<0..2^16-1>; } CertificateEntry;</artwork> </figure></t></sourcecode> <t> As per[RFC7250],<xref target="RFC7250"/>, the server processes the received [endpoint]_certificate_type extension(s) and selects one of the offered certificate types, returning the negotiated value in its EncryptedExtensions (TLS 1.3) message. Note that there is no requirement for the negotiated value to be the same in client_certificate_type and server_certificate_type extensions sent in the same message.</t> </section> <sectiontitle="TLSnumbered="true" toc="default"> <name>TLS Client and ServerHandshake"> <t> Figure 1Handshake</name> <t><xref target="msg_flow"/> shows the handshake message flow for a full TLS 1.3 handshake negotiating both certificate types. </t> <figureanchor="msg_flow" title="Messageanchor="msg_flow"> <name>Message Flow withcertificate type extensionCertificate Type Extension for Full TLS 1.3Handshake"> <artwork>Handshake</name> <artwork name="" type="" align="left" alt=""><![CDATA[ Client Server Key ^ ClientHello Exch | + server_certificate_type* | + client_certificate_type* | + key_share* v + signature_algorithms*-------->--------> ServerHello ^ Key + key_share* v Exch {EncryptedExtensions} ^ Server {+ server_certificate_type*}| Params {+ client_certificate_type*}| {CertificateRequest*} v {Certificate*} ^ {CertificateVerify*} | Auth {Finished} v<-------<------- [Application Data*] ^ {Certificate*} Auth | {CertificateVerify*} v {Finished}-------->--------> [Application Data]<-------><-------> [Application Data] + Indicates noteworthy extensions sent in the previously noted message. * Indicates optional or situation-dependent messages/extensions that are not always sent. {} Indicates messages protected using keys derived from a [sender]_handshake_traffic_secret. [] Indicates messages protected using keys derived from [sender]_application_traffic_secret_N.</artwork> </figure></t>]]></artwork> </figure> <t> In the case of TLS 1.3, in order to negotiate the support of ITS certificate-based authentication, clients and servers include the extension of type "client_certificate_type" and "server_certificate_type" in the extended Client Hello and "EncryptedExtensions".</t> <sectiontitle="Client Hello">numbered="true" toc="default"> <name>Client Hello</name> <t>In order to indicate the support of ITS certificates, a clientMUST<bcp14>MUST</bcp14> include an extension of type "client_certificate_type" or "server_certificate_type" in the extended Client Hello message as described inSection 4.1.2 of TLS 1.3<xreftarget="RFC8446"/>.</t>target="RFC8446" sectionFormat="of" section="4.1.2"/> (TLS 1.3).</t> <t>ForbothTLS 1.3, the rules for when the Client Certificate and CertificateVerify messages appear are as follows:<list style="symbolSSi"> <t> - The</t> <ul spacing="normal"> <li>The client's Certificate message is present if and only if the server sent a CertificateRequestmessage.</t> <t> - Themessage.</li> <li>The client's CertificateVerify message is present if and only if the client's Certificate message is present and contains a non-emptycertificate_list.</t> </list> </t>certificate_list.</li> </ul> <t> For maximum compatibility, all implementationsSHOULD<bcp14>SHOULD</bcp14> be prepared to handle "potentially" extraneous certificates and arbitrary orderings from any TLS version, with the exception of the end-entitycertificatecertificate, whichMUST<bcp14>MUST</bcp14> be first. </t> </section> <sectiontitle="Server Hello">numbered="true" toc="default"> <name>Server Hello</name> <t> When the server receives the Client Hello containing the client_certificate_type extension and/or the server_certificate_type extension, the following scenarios are possible:<list style="symbolSSi"> <t> - If</t> <ul spacing="normal"> <li>If both the client and server indicate support for the ITS certificate type, the serverMAY<bcp14>MAY</bcp14> select the first (most preferred) certificate type from the client's list that is supported by bothpeers </t> <t> - Thepeers.</li> <li>The server does not support any of the proposed certificate types and terminates the session with a fatal alert of type"unsupported_certificate".</t> <t> - The"unsupported_certificate".</li> <li>The server supports the certificate types specified in this document. In this case, itMAY<bcp14>MAY</bcp14> respond with a certificate of this type. ItMAY<bcp14>MAY</bcp14> also include the client_certificate_type extension in Encrypted Extension. Then, the server requests a certificate from the client( via(via the CertificateRequestmessage ) </t> </list> </t>message).</li> </ul> <t>The certificates in the TLS client or server certificate chainMAY<bcp14>MAY</bcp14> be sent as part of the handshake,or MAY<bcp14>MAY</bcp14> besentobtained from an online repository, or might already be known to and cached at the endpoint. If the handshake does not contain all the certificates in the chain, and the endpoint cannot access therepository,repository andthe endpointdoes not already know the certificates from the chain, then itSHALL<bcp14>SHALL</bcp14> reject the otherendpoint’sendpoint's certificate and close the connection. Protocols to support retrieving certificates from a repository are specified inETSI<xref target="ETSI102941"/>.</t>ETSI <xref target="TS102941" format="default"/>.</t> </section> </section> <sectiontitle="Certificate Verification"> <!--<t>#Are there trust anchors, pre-loaded lists, standard verification policies, TOFU approaches, or other regimes for validating these certificates? "best practices" for certificate validation: pki memo, scoopf (Lamia :P), PRESERVE... #</t>-->numbered="true" toc="default"> <name>Certificate Verification</name> <t>Verification of an ITScertificatescertificate or certificate chain is described in section 5.1 of <xreftarget=" IEEE1609.2"/>.target="IEEE1609.2" format="default"/>. In the case of TLS1.31.3, and when the certificate_type is 1609.2, the CertificateVerify contents and processing are different than for the CertificateVerify message specified for other values of certificate_type in[RFC8446].<xref target="RFC8446"/>. In this case, the CertificateVerify message containsaan Ieee1609Dot2Data encoded with Canonical Octet Encoding Rules (OER) <xreftarget="ITU-TX.696"/> -encoded IEEE1609Dot2Datatarget="ITU-TX.696" format="default"/> of type signed as specified in[IEEE1609.2], [IEEE1609.2b],<xref target="IEEE1609.2"/> and <xref target="IEEE1609.2b"/>, where:<list style="symbolSSi"> <t> Payload</t> <ul spacing="normal"> <li>payload contains an extDataHash containing the SHA-256 hash of the data that the signature is calculated over. This is identical to the data that the signature is calculated overitin standard TLS, which is reproduced below forclarity.</t> <t> Provider Service Identifier (Psid)clarity.</li> <li>headerInfo.psid indicates the application activity that the certificate isauthorizing.</t> <t> generationTimeauthorizing.</li> <li>headerInfo.generationTime is the time at which the data structure wasgenerated.</t> <t>PduFunctionalTypegenerated.</li> <li>headerInfo.pduFunctionalType (as specified in[IEEE1609.2b])<xref target="IEEE1609.2b"/>) is present and is set equal to tlsHandshake(1).</t> </list>(1).</li> </ul> <t> All other fields in the headerInfo are omitted. The certificate appPermissions fieldSHALL<bcp14>SHALL</bcp14> be present andSHALL<bcp14>SHALL</bcp14> permit (as defined in[IEEE1609.2])<xref target="IEEE1609.2"/>) signing of PDUs with the PSID indicated in the HeaderInfo of the SignedData. If the application specification for that PSID requires Service Specific Permissions (SSP) for signing a pduFunctionalType of tlsHandshake, this SSPSHALL<bcp14>SHALL</bcp14> also be present. For more details on the use of PSID and SSP, see[IEEE1609.2]<xref target="IEEE1609.2"/>, clauses 5.1.1 and 5.2.3.3.3. All other fields in the headerInfo are omitted.</t> <t>The certificate appPermissions fieldSHALL<bcp14>SHALL</bcp14> be present andSHALL<bcp14>SHALL</bcp14> permit (as defined inIEEE 1609.2)<xref target="IEEE1609.2"/>) signing of PDUs with the PSID indicated in the HeaderInfo of the SignedData. If the application specification for that PSID requires Service Specific Permissions (SSP) for signing a pduFunctionalType of tlsHandshake, this SSPSHALL<bcp14>SHALL</bcp14> also be present.</t> <t>The signature and verification are carried out as specified in[IEEE1609.2].</t><xref target="IEEE1609.2"/>.</t> <t> The input to the hash process is identical to the message input for TLS 1.3, as specified in[RFC8446] section 4.4.3,<xref target="RFC8446" sectionFormat="of" section="4.4.3"/>, consisting of pad, context string,separatorseparator, and content, where content is Transcript-Hash(Handshake Context,Certificate). </t>Certificate).</t> </section> <sectiontitle="Examples">numbered="true" toc="default"> <name>Examples</name> <t>Some of the message-exchange examples are illustrated in Figures2<xref target="msg_fltw" format="counter"/> and3.</t><xref target="msg_fluw" format="counter"/>.</t> <sectiontitle="TLSnumbered="true" toc="default"> <name>TLS Server and TLS ClientuseUse the ITSCertificate">Certificate</name> <t>This section shows an example where the TLS client as well as the TLS server use ITS certificates. In consequence, both the server and the client populate the client_certificate_type and server_certificate_type extension with the IEEE 1609 Dot 2 type as mentioned infigure 2.<xref target="msg_fltw"/>. </t> <figureanchor="msg_fltw" title="TLSanchor="msg_fltw"> <name>TLS Client and TLS ServeruseUse the ITScertificate"> <artwork>Certificate</name> <artwork name="" type="" align="left" alt=""><![CDATA[ Client Server ClientHello, client_certificate_type=1609Dot2, server_certificate_type=1609Dot2,-------->--------> ServerHello, {EncryptedExtensions} {client_certificate_type=1609Dot2} {server_certificate_type=1609Dot2} {CertificateRequest} {Certificate} {CertificateVerify} {Finished} {Certificate}<-------<------- [Application Data] {CertificateVerify} {Finished}-------->--------> [Application Data]<-------><-------> [Application Data]</artwork> </figure></t>]]></artwork> </figure> </section> <sectiontitle="TLSnumbered="true" toc="default"> <name>TLS ClientusesUses the ITScertificateCertificate and TLS ServerusesUses the X.509certificate">Certificate</name> <t> This example shows the TLS authentication, where the TLSClientclient populates the server_certificate_type extension with the X.509 certificate andRaw Public Keyraw public key type as presented infigure 3.<xref target="msg_fluw"/>. The client indicates its ability to receive andtovalidate an X.509 certificate from the server. The server chooses the X.509 certificate to make its authentication with theClient.client. This is applicable in the case ofRaw Public Keya raw public key supported by the server. </t> <figureanchor="msg_fluw" title="TLSanchor="msg_fluw"> <name>TLS ClientusesUses the ITScertificateCertificate and TLS ServerusesUses the X.509certificate"> <artwork>Certificate</name> <artwork name="" type="" align="left" alt=""><![CDATA[ Client Server ClientHello, client_certificate_type=(1609Dot2), server_certificate_type=(1609Dot2, X509,RawPublicKey),----------->-----------> ServerHello, {EncryptedExtensions} {client_certificate_type=1609Dot2} {server_certificate_type=X509} {CertificateRequest} {Certificate} {CertificateVerify} {Finished}<---------<--------- [Application Data] {Finished}--------->---------> [Application Data]<--------><--------> [Application Data]</artwork> </figure></t>]]></artwork> </figure> </section> </section> <sectiontitle="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>This section provides an overview of the basic security considerationswhichthat need to be taken into account before implementing the necessary security mechanisms. The security considerations described throughout <xreftarget="RFC8446"/>target="RFC8446" format="default"/> apply here as well.</t> <sectiontitle="Securelynumbered="true" toc="default"> <name>Securely Obtaining Certificates from an OnlineRepository">Repository</name> <t>In particular, the certificates used to establish a secure connectionMAY<bcp14>MAY</bcp14> be obtained from an online repository. An online repository may be used to obtain the CA certificates in the chain of either participant in the secure session. ETSI TS 102 941 <xreftarget="ETSI102941"/>target="TS102941" format="default"/> provides a mechanism that can be used to securely obtain ITS certificates.</t> </section> <sectiontitle="Expirynumbered="true" toc="default"> <name>Expiry ofCertificates">Certificates</name> <t>Conventions around certificate lifetime differ between ITS certificates and X.509 certificates, and inparticularparticular, ITS certificates may be relativelyshort-livedshort lived compared with typical X.509 certificates. A party to a TLS session that accepts ITS certificatesMUST<bcp14>MUST</bcp14> check the expiry time in the received ITS certificate andSHOULD<bcp14>SHOULD</bcp14> terminate a session when the certificate received in the handshake expires. </t> </section> <sectiontitle="Algorithmsnumbered="true" toc="default"> <name>Algorithms and CryptographicStrength">Strength</name> <t> All ITS certificates use public-key cryptographic algorithms with an estimated strength on the order of 128 bits or more, specifically, Elliptic Curve Cryptography (ECC) based on curves with keys of length 256 bits or longer. An implementation of the techniques specified in this documentSHOULD<bcp14>SHOULD</bcp14> require that if X.509 certificates are used by one of the parties to the session, those certificates are associated with cryptographic algorithms with (pre-quantum-computer) strength of at least 128 bits.</t> </section> <sectiontitle="Interpretinganchor="ITS-permissions" numbered="true" toc="default"> <name>Interpreting ITS CertificatePermissions">Permissions</name> <t> ITS certificates in TLS express the certificate holders permissions using two fields: a PSID, also known as an ITS Application Identifier (ITS-AID), which identifies a broad set of application activitieswhichthat provide a context for the certificate holder's permissions, and a Service Specific Permissions (SSP) field associated with that PSID, which identifies which specific application activities the certificate holder is entitled to carry out within the broad set of activities identified by that PSID. For example, SAE <xreftarget="SAEJ29453"/>target="SAEJ29453" format="default"/> uses PSID 0204099 to indicate activities around reporting weather and managing weather response activities, and an SSP that states whether the certificate holder is a Weather Data Management System (WDMS,i.e.i.e., a central road manager), an ordinary vehicle, or a vehicle belonging to a managed road maintenance fleet. For more information about PSIDs, see <xreftarget="IEEE16092"/>target="IEEE1609.12" format="default"/>, and for more information about the development of SSPs, see <xreftarget="SAEJ29455"/></t>target="SAEJ29455" format="default"/>.</t> </section> <sectiontitle="Psidnumbered="true" toc="default"> <name>Psid and Pdufunctionaltype inCertificateVerify">CertificateVerify</name> <t> The CertificateVerify message for TLS 1.3 is an Ieee1609Dot2Data of type signed,signed using an ITS certificate. This certificate maywhere the signature contained in this Ieee1609Dot2Data was generated using an ITS certificate. This certificate may include multiple PSIDs. When a CertificateVerify message of this form is used, the HeaderInfo within the Ieee1609Dot2DataMUST<bcp14>MUST</bcp14> have the pduFunctionalType field present and set to tlsHandshake. The background to this requirement is asfollows. Afollows: an ITS certificate may (depending on the definition of the application associated with its PSID(s)) be used to directly signmessages,messages or to sign TLS CertificateVerify messages, or both. To prevent the possibility that a signature generated in one context could be replayed in a differentcontextcontext, i.e., that a message signature could be replayed as a CertificateVerify, or vice versa, the pduFunctionalType field provides a statement of intent by the signer as to the intended use of the signed message. If the pduFunctionalType field is absent, the message is a directly signed message for the application andMUST NOT<bcp14>MUST NOT</bcp14> be interpreted as a CertificateVerify.</t> <t> Note that each PSID is owned by an owning organization that has sole rights to define activities associated with that PSID. If an application specifier wishes to expand activities associated with an existing PSID (for example, to include activities over a secure session such as specified in this document), that application specifier must negotiate with the PSID owner to have that functionality added to the official specification of activities associated with that PSID.</t> </section> </section> <sectiontitle="Privacy Considerations">numbered="true" toc="default"> <name>Privacy Considerations</name> <t>For privacy considerations in a vehicularenvironmentenvironment, the ITS certificate is used for many reasons:<list style="symbolsi"> <t>In</t> <ul spacing="normal"> <li>In order to address the risk of a personal data leakage, messages exchanged forV2Vvehicle-to-vehicle (V2V) communications are signed using ITS pseudonymcertificates</t> <t>Thecertificates.</li> <li>The purpose of these certificates is to provide privacy and minimize the exchange of privatedata</t> </list> </t>data.</li> </ul> </section> <sectiontitle="IANA Considerations">anchor="IANA" numbered="true" toc="default"> <name>IANA Considerations</name> <t>IANA maintains the "Transport Layer Security (TLS) Extensions" registry with a subregistry called "TLS Certificate Types".</t><t>IANA has<t>Value 3 was previously assignedan entry (value 3)for"1609Dot2" with"1609Dot2” and included a referencesetto draft-tls-certieee1609. IANAis requested to update thathas updated this entry to referencethe RFC number of this document when it is published.</t> <!--<t>IANA is also asked to register two new values in the "TLS ClientCertificateType Identifiers Registry", as follows: <list style="symbols"> <t>TBD</t> <t>TBD</t> </list></t>--> </section> <section anchor="ack" title="Acknowledgements"> <t>The authors wish to thank Adrian Farrel , Eric Rescola , Russ Housley, Ilari Liusvaara and Benjamin Kaduk for their feedback and suggestions on improvingthisdocument. Thanks are due to Sean Turner for his valuable and detailed comments. Special thanks to Panos Kampanakis, Jasja Tijink and Bill Lattin for their guidance and support of the draft.</t>RFC.</t> </section> </middle> <back><references title="Normative References"><references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7250.xml"/> <reference anchor="TS103097"> <front><title> ETSI TS 103 097 : Intelligent<title>Intelligent Transport Systems (ITS); Security; Security header and certificate formats</title><author surname="ETSI"/> <date year=""/><author> <organization>ETSI </organization> </author> <date>2017</date> </front> <refcontent>ETSI TS 103 097</refcontent> </reference> <referenceanchor="ETSI102941">anchor="TS102941"> <front> <title>ETSI TS 102 941 :Intelligent Transport Systems (ITS); Security; Trust and Privacy Management </title><author surname="ETSI"/><author> <organization>ETSI</organization> </author> <date year="2018"/> </front> <refcontent>ETSI TS 102 941</refcontent> </reference> <reference anchor="IEEE1609.2"> <front> <title>IEEE Standard for Wireless Access in Vehicular Environments--- Security Services for Applications and Management Messages</title><author surname="IEEE"/><author> <organization>IEEE</organization> </author> <date month="March" year="2016"/> </front> <seriesInfo name="DOI" value="10.1109/IEEESTD.2016.7426684"/> <refcontent>IEEE Standard 1609.2-2016</refcontent> </reference> <reference anchor="IEEE1609.2b"> <front> <title> IEEE Standard for Wireless Access in Vehicular Environments--Security Services for Applications and Management Messages - Amendment 2--PDU Functional Types and Encryption Key Management </title><author surname="IEEE"/> <date year="2019"/> </front> </reference> <reference anchor="RFC2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author initials="S." surname="Bradner"/> <date month="March" year="1997"/> </front> </reference> <reference anchor="RFC8446"> <front> <title>The Transport Layer Security (TLS) Protocol Version 1.3</title> <author initials="E." surname="Rescorla"/> <date month="August" year="2018"/> </front> </reference> <reference anchor="RFC8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author initials="B." surname="Leiba"/> <date month="May" year="2017"/> </front> </reference> <reference anchor="RFC7250"> <front> <title> Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title> <author initials="P." surname="Wouters"/> <author initials="H." surname="Tschofenig"/> <author initials="S." surname="Weiler"/> <author initials="T." surname=" Kivinen"/><author> <organization>IEEE</organization> </author> <date month="June"year="2014"/>year="2019"/> </front> <refcontent>IEEE 1609.2b-2019</refcontent> </reference> <reference anchor="ITU-TX.696"> <front><title> Procedures for the operation of object identifier registration authorities: General procedures and top arcs<title>Information technology - ASN.1 encoding rules: Specification ofthe international object identifier treeOctet Encoding Rules (OER) </title><author initials="INTERNATIONAL STANDARD ISO " surname=""/><author> <organization>ITU-T</organization> </author> <datemonth="July" year="2011"/>month="August" year="2015"/> </front> <refcontent>Recommendation ITU-T X.696</refcontent> </reference> <referenceanchor="IEEE16092">anchor="IEEE1609.12"> <front><title> IEEE<title>IEEE Standard for Wireless Access in Vehicular Environments (WAVE) - IdentifierAllocations </title> <author initials="IEEE " surname=""/>Allocations</title> <author> <organization>IEEE</organization> </author> <date month="December" year="2016"/> </front> <refcontent>IEEE 1609.12-2016</refcontent> </reference> <reference anchor="ISO21177"> <front><title> Intelligent<title>Intelligent transport systems--- ITS station security services for secure session establishment and authentication between trusteddevices </title> <author initials="INTERNATIONAL STANDARD ISO " surname=""/>devices</title> <author> <organization>ISO</organization> </author> <datemonth="" year=""/>month="08" year="2019"/> </front> <refcontent>ISO/TS 21177:2019</refcontent> </reference> <reference anchor="SAEJ29453"> <front><title> Requirements<title>Requirements for V2I WeatherApplications </title> <author initials=" SAE " surname=""/>Applications</title> <author> <organization>SAE </organization> </author> <datemonth="" year=""/>month="06" year="2017"/> </front> <refcontent>J2945/3</refcontent> </reference> <reference anchor="SAEJ29455"> <front><title> Service<title>Service Specific Permissions and Security Guidelines for Connected VehicleApplications </title> <author initials=" SAE " surname=""/>Applications</title> <author> <organization>SAE</organization> </author> <datemonth="" year=""/>month="02" year="2020"/> </front> <refcontent>J2945/5_202002</refcontent> </reference> </references> <section anchor="ack" numbered="false" toc="default"> <name>Acknowledgements</name> <t>The authors wish to thank <contact fullname="Adrian Farrel"/>, <contact fullname="Eric Rescola"/>, <contact fullname="Russ Housley"/>, <contact fullname="Ilari Liusvaara"/>, and <contact fullname="Benjamin Kaduk"/> for their feedback and suggestions on improving this document. Thanks are due to <contact fullname="Sean Turner"/> for his valuable and detailed comments. Special thanks to <contact fullname="Panos Kampanakis"/>, <contact fullname="Jasja Tijink"/>, and <contact fullname="Bill Lattin"/> for their guidance and support of the document.</t> </section> </back> </rfc>