[ipwave] RFC8902 - TLS with ITS Certificates, EXPERIMENTAL, and the one PKI and one Internet

Alexandre Petrescu <alexandre.petrescu@gmail.com> Thu, 15 April 2021 10:20 UTC



A colleague pointed me to this recently issued RFC 8902 about TLS with 
ITS Certificates.

This RFC is of an EXPERIMENTAL Category.

It might be in agreement with other IEEE standards such as 1609.2.

But I must say that I think it further deepens the discrepancy between 
what is PKI in the Internet and what is the closed PKI for ITS.  That is 
a discrepancy that has existed for a long time, and I must share that - 
IMHO - I am surprised that the IETF issues an RFC that further promotes 
such a discrepancy.

This discrepancy is the following: in a few trials I participated in, and 
some I heard about, people use normal PKI with openssl and normal 
certificates in cars, over IP, on cellular links like 4G.  They work 
fine.  The CA is a local CA (not a commercial CA), but the concept _is_ 
compatible with normal CAs.  These don't use the ETSI ITS-specific 
certificates, nor the 1609.2 certificates.

I think there are more such trial deployments using local (but standard 
openssl) PKIs and certificates than there are trials using ETSI ITS 
certificates or 1609.2 certificates.  The reason is that the former 
is all open source software and freely accessible standards, whereas 
1609.2 is a closed document and ETSI ITS certificate software is not 
integrated in mainline software like openssl.

There are many easily accessible CAs (Certificate Authorities) that are 
integrated in the Internet and in main web browsers, whereas the 
ITS-specific CAs are closed, hard to access and the certificates are 
expensive.  Many strong opinions maintain that it should stay that way: 
car PKI different from Internet PKI.

There should be one Internet, and that means one trust, and one PKI.

Everything else should not be done at IETF, I think; hence my comment 
about this particular RFC.

That is my humble opinion.

I would like to hear other opinions?  Maybe I miss something...