Re: [ipwave] RFC8902 - TLS with ITS Certificates, EXPERIMENTAL, and the one PKI and one Internet

Alexandre Petrescu <> Fri, 23 April 2021 11:30 UTC

To: Mounira MSAHLI
List-Id: IPWAVE - IP Wireless Access in Vehicular Environments WG at IETF


> You mean the certificate authority. You want to sign CAM with
> certificate authority?

Sorry, I misspoke.

I did not mean the CA to sign the CAM.

I mean the CA signs the certs it gives me, and I sign the CAM with these
certs.  The receiver verifies using the CA they already have built into
their browsers.

(In some OSes like Windows, there is also another list of built-in CAs,
which is coupled tightly with that OS's browser; but that is it: a
built-in list of CAs.)


>>> This is not reachable on IPv6.
> You mean the web page of the project or the PKI of the project?

Thanks for the distinction.  That is a perfect distinction to formulate
in a wish list, or in a list of requirements:

Both the server and the web page of the project should be reachable on IPv6.

I am not sure which protocol is used to communicate with the CA, maybe
OCSP, maybe others.  But these protocols must all be run on IPv6 for a
CA that supports vehicular networks.  If necessary, they could also be
on IPv4.

For the web page: for me personally, if a website of a trust provider is
available on IPv6 it inspires further trust.

But I am also aware that some websites, including Google, have very
strange behaviour with respect to security when on IPv6.  For example,
if I use the SMTP server on IPv6 on Google it sometimes complains,
saying this is a new device, and makes additional cumbersome security
checks.  It is in fact a new protocol that Google has known very well for
a long time (they have promoted IPv6 for a long time now).

These are problems that should not appear in vehicular networks, if
addressed well.