IEEE 1609.2.1-2022

IEEE Standard for Wireless Access in Vehicular Environments (WAVE) – Certificate Management Interfaces for End Entities

Published By: IEEE
Publication Date: 2022

Revision Standard – Active. Certificate management protocols are specified in this document to support provisioning and management of digital certificates, as specified in IEEE Std 1609.2™, to end entities, that is, an actor that uses digital certificates to authorize application activities.

PDF Catalog

PDF Pages PDF Title
1 IEEE Std 1609.2.1™-2022 Front cover
2 Title page
4 Important Notices and Disclaimers Concerning IEEE Standards Documents
Notice and Disclaimer of Liability Concerning the Use of IEEE Standards Documents
Translations
5 Official statements
Comments on standards
Laws and regulations
Data privacy
Copyrights
6 Photocopies
Updating of IEEE Standards documents
Errata
Patents
7 IMPORTANT NOTICE
8 Participants
9 Introduction
10 Contents
13 1. Overview
1.1 Scope
1.2 Purpose
1.3 Word usage
14 2. Normative references
15 3. Definitions, acronyms, and abbreviations
3.1 Definitions
20 3.2 Acronyms and abbreviations
23 4. Architecture
4.1 Security Credential Management System (SCMS)
4.1.1 General
28 4.1.2 Supported interfaces
4.1.2.1 General
4.1.2.2 ACA–EE interface
4.1.2.3 DC–EE interface
29 4.1.2.4 ECA–EE interface
4.1.2.5 EE–MA interface
4.1.2.6 EE–RA interface
4.1.2.7 EE–SAS interface
30 4.1.3 Types of enrollment certificate
4.1.4 Assumed lifecycle and use cases
4.1.4.1 General
31 4.1.4.2 Initial enrollment certificate request/download
32 4.1.4.3 Use cases authenticated with the enrollment certificate
34 4.1.4.4 Use cases authorized with authorization certificate—Misbehavior report submission
4.1.4.5 Use cases that may be authorized with enrollment certificate or may be unauthorized
35 4.1.5 Misbehavior authorities
36 4.1.6 Composite CRL
4.1.6.1 General
4.1.6.2 CRL download
37 4.1.7 Certificate chain files
4.1.8 Elector and root certificate authority management
39 4.2 Interface approach
40 4.3 System parameters
4.3.1 General
4.3.2 Time period parameters
4.3.2.1 General
41 4.3.2.2 Parameter mapping
4.3.2.3 Parameter usage
42 4.3.2.4 Approaches for smooth transition
45 4.3.3 Session parameters
4.3.4 Web API parameters: generic
4.3.5 Web API parameters: SCMS REST API v3
46 4.3.6 Use case related parameters
48 5. Secure session
5.1 General
5.1.1 General
5.1.2 SCMS component authentication
5.1.3 End entity authentication
49 5.2 Physical security
5.2.1 General
5.2.2 Protocol parameters
5.3 Transport Layer Security (TLS)
5.3.1 Prerequisites
5.3.1.1 General
50 5.3.1.2 SCMS component certificate and certificate acceptance policy
5.3.1.3 Root CA certificate
5.3.1.4 OCSP support
5.3.2 Protocol constraints
51 5.3.3 Protocol options
5.3.4 Protocol parameters
5.4 ISO/TS 21177
5.4.1 Prerequisites
5.4.1.1 General
5.4.1.2 SCMS component certificate and certificate acceptance policy
52 5.4.1.3 Root CA certificate
5.4.2 Protocol constraints
5.4.3 Protocol parameters
53 5.4.4 Client authentication with an enrollment certificate
6. Web API
6.1 General
6.1.1 General
6.1.2 Protocol parameters
54 6.1.3 Hexadecimal encoding of integers
6.2 OAuth 2.0 bearer authorization
6.2.1 General
6.2.2 Protocol flow
6.2.2.1 General
55 6.2.2.2 AT headers
6.2.2.3 AT claims
6.2.2.4 JWKS API
56 6.2.3 OAuth 2.0 AT acceptance policy
6.3 SCMS REST API v3
6.3.1 General
6.3.1.1 Organization of this subclause
57 6.3.1.2 Conventions
6.3.1.3 Protocol parameters
58 6.3.1.4 HTTP headers
6.3.1.5 Error codes
60 6.3.1.6 HTTP options
6.3.1.7 Profiles
6.3.2 ACA–EE interface
6.3.3 DC–EE interface
61 6.3.4 ECA–EE interface
6.3.4.1 General
6.3.4.2 Enrollment certificate request
63 6.3.5 EE–RA interface
6.3.5.1 General
6.3.5.2 Authorization certificate request
66 6.3.5.3 Authorization certificate download
71 6.3.5.4 Successor enrollment certificate request
73 6.3.5.5 Successor enrollment certificate download
75 6.3.5.6 Misbehavior report submission
76 6.3.5.7 CCF including CTL download
78 6.3.5.8 Composite CRL including CTL download
80 6.3.5.9 Individual CA certificate download
82 6.3.5.10 Individual CRL download
84 6.3.5.11 CTL download
86 6.3.5.12 RA certificate download
88 6.3.5.13 MA certificate download
90 6.3.5.14 Certificate management information status download
92 7. Data structures—Abstract Syntax Notation 1 (ASN.1)
7.1 Presentation and encoding
7.2 Data structures from IEEE Std 1609.2
7.2.1 General
7.2.2 BasePublicEncryptionKey
7.2.3 BitmapSsp
7.2.4 BitmapSspRange
7.2.5 Certificate
93 7.2.6 CertificateId
7.2.7 CertificateType
7.2.8 CrlSeries
7.2.9 Duration
7.2.10 EccP256CurvePoint
7.2.11 EccP384CurvePoint
7.2.12 EcdsaP256Signature
7.2.13 EcdsaP384Signature
7.2.14 EncryptedData
7.2.15 GeographicRegion
7.2.16 HashAlgorithm
7.2.17 HashedId3
7.2.18 HashedId8
94 7.2.19 HashedId10
7.2.20 Hostname
7.2.21 Ieee1609Dot2Data
7.2.22 IValue
7.2.23 LaId
7.2.24 LinkageData
7.2.25 PKRecipientInfo
7.2.26 Psid
7.2.27 PsidGroupPermissions
7.2.28 PsidSspRange
7.2.29 PublicEncryptionKey
7.2.30 SecuredCrl
7.2.31 SequenceOfCertificate
95 7.2.32 SequenceOfPsidGroupPermissions
7.2.33 SequenceOfPsidSsp
7.2.34 SignedData
7.2.35 SignerIdentifier
7.2.36 SspRange
7.2.37 SubjectAssurance
7.2.38 Time32
7.2.39 Uint8
7.2.40 Uint16
7.2.41 ValidityPeriod
7.2.42 VerificationKeyIndicator
7.3 SCMS protocol data unit structures
7.3.1 General
96 7.3.2 ScmsPdu
7.3.3 AcaEeInterfacePdu
97 7.3.4 AcaEeCertResponse
7.3.5 AcaLaInterfacePdu
7.3.6 AcaMaInterfacePdu
98 7.3.7 AcaRaInterfacePdu
7.3.8 CertManagementPdu
7.3.9 CompositeCrl
7.3.10 CertificateChain
99 7.3.11 MultiSignedCtl
7.3.12 IEEE-1609-2-1-MSCTL
7.3.13 Ieee1609dot2dot1Ctls
100 7.3.14 Ieee1609dot2dot1MsctlType
7.3.15 FullIeeeTbsCtl
101 7.3.16 CtlSeriesId
7.3.17 CtlSequenceNumber
7.3.18 CtlElectorEntry
102 7.3.19 CtlRootCaEntry
7.3.20 ToBeSignedCtlSignature
7.3.21 CertificateManagementInfoStatus
7.3.22 SequenceOfCtlInfoStatus
103 7.3.23 CtlInfoStatus
7.3.24 SequenceOfCrlInfoStatus
7.3.25 CrlInfoStatus
7.3.26 SequenceOfMaInfoStatus
7.3.27 MaInfoStatus
104 7.3.28 EcaEeInterfacePdu
7.3.29 EeEcaCertRequest
105 7.3.30 EcaEeCertResponse
106 7.3.31 EeMaInterfacePdu
7.3.32 EeRaInterfacePdu
7.3.33 EeRaCertRequest
108 7.3.34 AdditionalParams
7.3.35 ButterflyParamsOriginal
7.3.36 ButterflyExpansion
7.3.37 RaEeCertAck
109 7.3.38 RaEeCertInfo
7.3.39 EeRaDownloadRequest
110 7.3.40 LaMaInterfacePdu
7.3.41 LaRaInterfacePdu
7.3.42 MaRaInterfacePdu
7.3.43 SecurityMgmtPsid
7.3.44 SignedCertificateRequest
111 7.3.45 SignedX509CertificateRequest
112 7.3.46 SignerSelf
7.3.47 SignerSingleCert
7.3.48 SignerSingleX509Cert
7.3.49 SequenceOfX509Certificate
7.3.50 X509Certificate
7.3.51 X509SignerIdentifier
113 7.4 Secured protocol data unit structures
7.4.1 General
7.4.2 AcaEeCertResponseCubkSpdu
7.4.3 AcaEeCertResponsePlainSpdu
7.4.4 AcaEeCertResponsePrivateSpdu
115 7.4.5 CertificateChainSpdu
7.4.6 CertificateManagementInformationStatusSpdu
7.4.7 CompositeCrlSpdu
116 7.4.8 CtlSignatureSpdu
7.4.9 EcaEeCertResponseSpdu
7.4.10 EeEcaCertRequestSpdu
117 7.4.11 EeRa1609Dot2AuthenticatedCertRequestSpdu
7.4.12 EeRaCertRequestSpdu
7.4.13 EeRaDownloadRequestPlainSpdu
7.4.14 EeRaDownloadRequestSpdu
118 7.4.15 EeRaSuccessorEnrollmentCertRequestSpdu
7.4.16 EeRaX509AuthenticatedCertRequestSpdu
7.4.17 MultiSignedCtlSpdu
7.4.18 RaEeCertAckSpdu
119 7.4.19 RaEeCertAndAcpcInfoSpdu
7.4.20 RaEeCertInfoSpdu
7.4.21 RaEeEnrollmentCertAckSpdu
120 7.5 Parameterized types
7.5.1 General
7.5.2 Ieee1609Dot2Data-Encrypted
7.5.3 Ieee1609Dot2Data-EncryptedSigned
7.5.4 Ieee1609Dot2Data-Signed
121 7.5.5 Ieee1609Dot2Data-SignedCertRequest
7.5.6 Ieee1609Dot2Data-SignedEncrypted
122 7.5.7 Ieee1609Dot2Data-SignedEncryptedCertRequest
7.5.8 Ieee1609Dot2Data-SignedX509AuthenticatedCertRequest
7.5.9 Ieee1609Dot2Data-SymmEncryptedSingleRecipient
123 7.5.10 Ieee1609Dot2Data-Unsecured
7.5.11 ScmsPdu-Scoped
7.5.12 ScopedCertificateRequest
124 7.6 Certificate profiles
7.6.1 General
7.6.2 Service specific permissions (SSP)
7.6.2.1 General
7.6.2.2 SecurityMgmtSsp
125 7.6.2.3 AcaSsp
7.6.2.4 CrlSignerSsp
7.6.2.5 DcmSsp
7.6.2.6 EcaSsp
7.6.2.7 EeSsp
126 7.6.2.8 ElectorSsp
7.6.2.9 IcaSsp
7.6.2.10 LaSsp
7.6.2.11 LopSsp
7.6.2.12 MaSsp
127 7.6.2.13 PgSsp
7.6.2.14 RaSsp
7.6.2.15 RootCaSsp
7.6.2.16 DcSsp
7.6.3 Certificate profiles for SCMS components and end entities
7.6.3.1 General
128 7.6.3.2 ACA certificate profile
7.6.3.3 Authorization certificate profile
7.6.3.4 DC certificate profile
7.6.3.5 ECA certificate profile
129 7.6.3.6 Elector certificate profile
7.6.3.7 Enrollment (IEEE 1609.2) certificate profile
7.6.3.8 Enrollment (ITU-T X.509) certificate profile
130 7.6.3.9 MA certificate profile
7.6.3.10 RA certificate profile
8. Data structures—files
8.1 General
131 8.2 Authorization certificate download files
8.2.1 General
8.2.2 Naming convention
8.2.3 File contents
8.2.3.1 Nonbutterfly certificate file contents
8.2.3.2 Butterfly certificate file contents
132 8.2.4 Validity of certificates in zip files
8.2.4.1 General
8.2.4.2 Correspondence between private key and public key
133 8.2.4.3 Certificates generated using ACPC
8.3 Successor enrollment certificate download files
8.3.1 General
8.3.2 Naming convention
8.4 Certificate chain files
8.4.1 General
8.4.2 Naming convention
134 8.5 Composite CRL files
8.5.1 General
8.5.2 Naming convention
8.6 CTL files
8.7 Certificate management information status files
9. Cryptographic constructions
9.1 General
9.1.1 General
9.1.2 Butterfly keys
135 9.1.3 ACPC
9.2 Butterfly keys and SCMS architecture
9.2.1 General
139 9.2.2 Relationship to SCMS reference architecture
9.2.3 Alternatives to butterfly key step
140 9.2.4 Privacy against insiders
9.2.5 Types of butterfly keys
141 9.3 Butterfly key mechanism
9.3.1 General
9.3.1.1 General
9.3.1.2 Caterpillar key generation
9.3.1.3 Cocoon key derivation
142 9.3.1.4 Butterfly key derivation
9.3.2 Notation
9.3.3 Caterpillar keypair generation
143 9.3.3.1 Butterfly expansion functions
144 9.3.4 Cocoon key derivation
9.3.4.1 Cocoon private key derivation
9.3.4.2 Cocoon public key derivation
145 9.3.5 Butterfly key derivation
9.3.5.1 Butterfly private key derivation
9.3.5.2 Butterfly public key derivation
146 9.3.6 Certificate request, and response validity, with butterfly keys
9.3.6.1 General
9.3.6.2 Certificate request without butterfly key mechanism
9.3.6.3 Certificate request using the original butterfly key mechanism
147 9.3.6.4 Certificate request using the unified butterfly key mechanism
9.3.6.5 Certificate request using the compact unified butterfly key mechanism
148 9.4 ACPC and SCMS architecture
9.4.1 General
150 9.4.2 Operations
151 9.4.3 Terminology
9.4.4 ACPC and butterfly keys
9.5 Binary hash tree for ACPC activation codes
9.5.1 Binary hash tree—background
153 9.5.2 Calculating child node values from parent node values
9.5.2.1 Hash function output and APrV/APuV derivation
9.5.2.2 AprvHashCalculationInput
9.5.2.3 AcpcTreeId
154 9.5.2.4 AcpcNodeValue
9.5.3 Use of APrVs and APuVs within certificate generation
9.5.3.1 Butterfly keys
155 9.5.3.2 ACPC without butterfly keys
9.5.4 Encoding of APrVs
9.5.4.1 Data structures and encoding
157 9.5.4.2 Encoding/decoding of binary tree node present/absent information
161 9.5.5 CAM certificate
9.5.5.1 AcpcSsp
162 9.5.5.2 CamSsp
9.5.6 Distribution of APrVs
163 10. Validity conditions for particular SPDUs
10.1 Validity of SignedCertificateRequest
10.1.1 General
10.1.2 Common validity conditions
164 10.1.3 Initial (self-signed) enrollment certificate requests
10.1.4 Successor enrollment certificate requests
10.1.4.1 General
165 10.1.4.2 Consistency between requested and requesting certRequestPermissions
10.1.4.3 Consistency between requested and requesting SspRanges
168 10.1.5 Authorization certificate requests signed by 1609.2 enrollment certificates
10.1.5.1 General
169 10.1.5.2 Authorization certificate requests with butterfly keys
10.1.6 Authorization certificate requests without butterfly keys
10.1.7 Consistency between appPermissions in a request and certRequestPermissions in an IEEE 1609.2 enrollment certificate
10.1.7.1 General
10.1.7.2 Atomic PsidSsp
172 10.1.8 Consistency between an authorization certificate request and an ITU-T X.509 enrollment certificate
10.2 Validity of multisigned CTLs
10.2.1 General
10.2.2 Validity of a CTL
10.2.3 Validity of a CtlSignatureSpdu
173 10.2.4 Requirements for the IEEE 1609.2 security services management entity
10.2.5 Updating the quorum value
11. Extensions and modifications of IEEE Std 1609.2
11.1 General
174 11.2 Extensions and modifications of, and new data structures for, IEEE Std 1609.2
11.2.1 General
11.2.2 Additional cryptographic algorithms
11.2.3 Ieee1609Dot2Content
11.2.4 EccP384CurvePoint
11.2.5 HashedId32
175 11.2.6 HashedId48
11.2.7 Signature
11.2.8 ToBeSignedCertificate
176 11.2.9 PublicVerificationKey
11.3 Identification of encoded data structures by their hash value
11.3.1 General
11.3.2 Canonicalization
11.3.3 Data objects identified by HashedIdX
11.3.3.1 General
177 11.3.3.2 Additional purposes of HashedIdX
11.3.3.3 Whole-certificate hash
178 11.3.3.4 PreSharedKeyRecipientInfo
11.3.3.5 SymmRecipientInfo
11.3.4 PKRecipientInfo
11.3.5 tbsCtlHash in ToBeSignedCtlSignature
179 Annex A (normative) Protocol Implementation Conformance Statement (PICS) proforma
A.1 Instructions for completing the PICS proforma
181 A.2 PICS proforma—IEEE Std 1609.2.1
208 Annex B (normative) ASN.1 modules
B.1 General
B.2 Ieee1609Dot2Dot1AcaEeInterface.asn
B.3 Ieee1609Dot2Dot1AcaLaInterface.asn
B.4 Ieee1609Dot2Dot1AcaMaInterface.asn
209 B.5 Ieee1609Dot2Dot1AcaRaInterface.asn
B.6 Ieee1609Dot2Dot1Acpc.asn
B.7 Ieee1609Dot2Dot1CamRaInterface.asn
B.8 Ieee1609Dot2Dot1CertManagement.asn
B.9 Ieee1609Dot2Dot1EcaEeInterface.asn
B.10 Ieee1609Dot2Dot1EeMaInterface.asn
210 B.11 Ieee1609Dot2Dot1EeRaInterface.asn
B.12 Ieee1609Dot2Dot1LaMaInterface.asn
B.13 Ieee1609Dot2Dot1LaRaInterface.asn
B.14 Ieee1609Dot2Dot1MaRaInterface.asn
B.15 Ieee1609Dot2Dot1Protocol.asn
211 B.16 Ieee1609Dot2Asn/Ieee1609Dot2.asn
B.17 Ieee1609Dot2Asn/Ieee1609Dot2BaseTypes.asn
B.18 Ieee1609Dot2Asn/Ieee1609Dot2Crl.asn
B.19 Ieee1609Dot2Asn/Ieee1609Dot2CrlBaseTypes.asn
B.20 Ieee1609Dot2Asn/Ieee1609Dot2HeaderInfoExtensionBase.asn
B.21 Ieee1609Dot2Asn/EtsiTs103097ExtensionModule.asn
212 Annex C (informative) Implementation profiles
C.1 General
C.2 Profile template
213 C.3 Additional information
214 C.4 Use case specific profile contents
216 Annex D (informative) Intermediate certificate authority (ICA) certificate profile
217 Annex E (informative) Example encodings of certificate profiles
E.1 General
E.2 Authorization certificate authority (ACA) certificate
218 E.3 Distribution Center (DC) certificate
E.4 Enrollment certificate authority (ECA) certificate
220 E.5 Elector certificate
E.6 Enrollment certificate
221 E.7 Intermediate certificate authority (ICA) certificate
222 E.8 Misbehavior authority (MA) certificate
223 E.9 Registration authority (RA) certificate
225 Annex F (informative) Privacy-preserving generation of linkage values with two linkage authorities
F.1 General
F.2 Details of the approach
227 F.3 Properties of the approach
228 F.4 Details that are out of scope
229 Annex G (informative) Authorization certificate authority (ACA)–registration authority (RA) interface
G.1 General
G.2 AcaRaInterfacePdu
G.3 RaAcaCertRequest
231 G.4 RaAcaCertRequestFlags
G.5 LinkageInfo
G.6 EncryptedIndividualPLV
G.7 PreLinkageValue
232 G.8 AcaRaCertResponse
G.9 AcaResponse
G.10 RaAcaCertRequestSpdu
233 G.11 AcaRaCertResponseSpdu
234 Annex H (informative) Certificate access manager (CAM)–registration authority (RA) interface
H.1 General
H.2 CamRaInterfacePdu
H.3 RaCamBatchRequest
H.4 CamRaBatchResponse
235 H.5 CamRaBatchResponse
236 Annex I (informative) Mapping enrollment certificate permissions to authorization certificate permissions
I.1 General
237 I.2 ETSI model support
238 Annex J (informative) Root certificate authority (CA) management and failure recovery
J.1 Elector replacement
243 J.2 Revoking a root CA certificate
246 J.3 Adding a root CA certificate
252 Annex K (informative) Network communications architecture
K.1 General
255 K.2 Location obscurer proxy
256 Annex L (informative) Certificate trust list (CTL) design and electors
L.1 Policy assumptions
L.2 Comparison of IEEE CTL and ETSI CTL
257 L.3 Comparison of IEEE CTL and Crash Avoidance Metrics Partners LLC (CAMP) elector ballots
L.4 Electors across multiple regions and domains
259 Annex M (normative) Registered values for CtlSeriesId and AcpcTreeId
M.1 CtlSeriesId
M.2 AcpcTreeId
260 Annex N (informative) Bibliography