[ipwave] Root CA for automobiles

Alexandre Petrescu <alexandre.petrescu@gmail.com> Fri, 05 June 2020 13:51 UTC

From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
To: IPWAVE WG <its@ietf.org>
References: <e8a25961-5ac9-d35e-77dd-bf86f45cd077@gmail.com>
Message-ID: <f46f4642-0302-fea4-7f06-041891b2809e@gmail.com>
Date: Fri, 5 Jun 2020 15:51:49 +0200
In-Reply-To: <e8a25961-5ac9-d35e-77dd-bf86f45cd077@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/its/8XneBgXO63eUzWkEIn1Nc7RS8kI>
Subject: [ipwave] Root CA for automobiles


There was some discussion about security for vehicular networks, here in 
the IPWAVE WG.  Security for vehicular networks relies on many things. 
One of the bases is a CA: a Certificate Authority.

I wish I could formulate a few requirements for a CA and PKI for 
vehicular networks like this:

- it should be easy to obtain certificates to use in automobiles.  It
   should be as easy to obtain a certificate for an automobile as it is
   easy to obtain certificates for emails, for servers, for code.
   Ideally, these certificates should be for free, or very low cost.

- a root CA for vehicular networks should be integrated with all the
   other CAs in the Internet, CAs that I can find pre-installed in a free
   web browser, e.g. Firefox.

- people should trust the CAs for vehicular networks.

- I'd add: the root CA for vehicular networks should work fine with
   IPv6, be reachable on IPv6 in the Internet,
   accept IPv6 addresses in its formats,
   use the I-D about TLS, something like

For information, in Europe there was much work and discussion in recent 
years about dedicated CAs and PKIs for vehicular networks.  PDF 
documents were issued by expert groups; technical demos were performed. 
A webinar is now proposed by Atos with a JRC (a Joint Research Center of 
EC): "C-ITS EU Root CA Webinar June 18th 1pm – 2pm CEST"

In France, the company Idnomic proposed such certificates at a point in 

In the Netherlands, a company is based, that is named GlobalSign, which is a 
CA, which authenticates the "EU Login" which is "one account, many EU 

In my project we used openssl open source software to make and install a 
CA and certify a few self-driving automobiles, RSUs and traffic lights 
controllers through it, on a virtual private network.  It's easy to do. 
What is difficult is to scale it to the size of the Internet and to 
numerous automobiles.
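
The private CA setup mentioned in the last paragraph, combined with the IPv6 requirement listed earlier, as an added example that is not part of the original message or of the author's project: a test CA issues a certificate whose subjectAltName carries a roadside unit's IPv6 address, and verification checks both the chain and the address. It assumes OpenSSL 1.1.1 or later; the function names, the CA name and the 2001:db8:: documentation addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): a private test CA that binds
# a roadside unit's certificate to its IPv6 address. Assumes OpenSSL >= 1.1.1.
# Function names, CA name and 2001:db8:: addresses are constructed.
set -eu

make_ca() {   # $1 = working directory
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        'x509_extensions=v3_ca' '[dn]' 'CN=Example Vehicular Test CA' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$1/ca.cnf"
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
    openssl req -x509 -new -key "$1/ca.key" -sha256 -days 365 \
        -config "$1/ca.cnf" -out "$1/ca.pem"
}

issue_cert() {   # $1 = directory, $2 = device name, $3 = device IPv6 address
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" \
        -config "$1/ca.cnf" -out "$1/$2.csr"
    # Leaf extensions: not a CA, signing only, address carried as an IP SAN.
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature' \
        "subjectAltName=IP:$3" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$1/$2.ext" \
        -out "$1/$2.pem" 2>/dev/null
}

check_cert() {   # status 0 only if the chain verifies AND the SAN matches $3
    openssl verify -CAfile "$1/ca.pem" -verify_ip "$3" "$1/$2.pem" \
        >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_ca "$d"
    issue_cert "$d" rsu-01 "2001:db8::10"
    check_cert "$d" rsu-01 "2001:db8::10" && echo "rsu-01 accepted at its address"
    check_cert "$d" rsu-01 "2001:db8::66" || echo "rsu-01 rejected at another address"
    rm -rf "$d"
}
demo
```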