[ipwave] Root CA for automobiles

Alexandre Petrescu <alexandre.petrescu@gmail.com> Fri, 05 June 2020 13:51 UTC

Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: its@ietfa.amsl.com
Delivered-To: its@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CAB43A08BE for <its@ietfa.amsl.com>; Fri, 5 Jun 2020 06:51:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.669
X-Spam-Level:
X-Spam-Status: No, score=0.669 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wwg3UAmGxfWK for <its@ietfa.amsl.com>; Fri, 5 Jun 2020 06:51:52 -0700 (PDT)
Received: from cirse-smtp-out.extra.cea.fr (cirse-smtp-out.extra.cea.fr [132.167.192.148]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CA533A08AF for <its@ietf.org>; Fri, 5 Jun 2020 06:51:52 -0700 (PDT)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by cirse-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 055DpoQX047311 for <its@ietf.org>; Fri, 5 Jun 2020 15:51:50 +0200
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 4ACE6200FB0 for <its@ietf.org>; Fri, 5 Jun 2020 15:51:50 +0200 (CEST)
Received: from muguet2-smtp-out.intra.cea.fr (muguet2-smtp-out.intra.cea.fr [132.166.192.13]) by pisaure.intra.cea.fr (Postfix) with ESMTP id 41AC4200FAF for <its@ietf.org>; Fri, 5 Jun 2020 15:51:50 +0200 (CEST)
Received: from [10.11.241.174] ([10.11.241.174]) by muguet2-sys.intra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 055DpnBt024756 for <its@ietf.org>; Fri, 5 Jun 2020 15:51:49 +0200
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
To: IPWAVE WG <its@ietf.org>
References: <e8a25961-5ac9-d35e-77dd-bf86f45cd077@gmail.com>
Message-ID: <f46f4642-0302-fea4-7f06-041891b2809e@gmail.com>
Date: Fri, 5 Jun 2020 15:51:49 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <e8a25961-5ac9-d35e-77dd-bf86f45cd077@gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: fr
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/its/8XneBgXO63eUzWkEIn1Nc7RS8kI>
Subject: [ipwave] Root CA for automobiles
X-BeenThere: its@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPWAVE - IP Wireless Access in Vehicular Environments WG at IETF <its.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/its>, <mailto:its-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/its/>
List-Post: <mailto:its@ietf.org>
List-Help: <mailto:its-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/its>, <mailto:its-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jun 2020 13:51:54 -0000

Hi, IPWAVErs,

There was some discussion about security for vehicular networks, here in 
the IPWAVE WG.  Security for vehicular networks relies on many things. 
One of the basis is a CA: a Certificate Authority.

I wish I could formulate a few requirements for a CA and PKI for 
vehicular networks like this:

- it should be easy to obtain certificates to use in automobiles.  It
   should be as easy to  obtain a certificate for automobile as it is
   easy to obtain certificates for emails, for servers, for code.
   Ideally, these certificates should be for free, or very low cost.

- a root CA for vehicular networks should be integrated with all the
   other CAs in the Internet, CAs that I can find pre-instaled in a free
   web browser, e.g. firefox.

- people should trust the CAs for vehicular networks.

- I'd add: the root CA for vehicular networks should work fine with
   IPv6, be reachable on IPv6 in the Internet,
   accept IPv6 addresses in its formats,
   use the I-D about TLS, something like
   draft-serhrouchni-tls-certieee1609,
   draft-tls-certieee1609-02.txt,
   draft-msahli-ipwave-extension-ieee1609-03.txt

For information, in Europe there was much work and discussion in recent 
years about dedicated CAs and PKIs for vehicular networks.  Pdf 
documents were issued by expert groups; technical demos were performed. 
A webinar is now proposed by Atos with a JRC (a Joint Research Center of 
EC): "C-ITS EU Root CA Webinar June 18th 1pm – 2pm CEST"
https://ecwacs.webex.com/meet/gmenzel

In France, the company Idnomic proposed such certificates at a point in 
time.

In Netherlands, a company is based, that is named GloablSign, which is a 
CA, which authenticates the "EU Login" which is "one account, many EU 
services".

In my project we used openssl open source software to make and install a 
CA and certify a few self-driving automobiles, RSUs and traffic lights 
controllers through it, on a virtual private network.  It's easy to do. 
What is difficult is to scale it to the size of the Internet and to 
numerous automobiles.

Alex