Security Certificate Exchange (SCX)

Problem Statement

The use of Security Certificates has become an important part of data exchange in the automotive industry. They are used to provide proof of identity of the partners, to allow encryption, decryption and integrity checking of files, and to ensure non-repudiation of the data exchange.

However, the large number of Security Certificate providers has made it increasingly difficult to properly manage the exchange, validation and installation of these certificates.  

The SCX project team has analysed the business requirements and technical opportunities and developed a recommendation to establish trust between the business partners and enable the automated exchange and renewal of Security Certificates.

Technical Solution

The technical basis for the recommendation is a Trust Service Status List (TSL). Such a list contains details of Security Certificate providers (aka Certificate Authorities, CA) and their status. For the automotive industry, a positive identification is recommended, i.e. the list contains the trusted CAs. The list is published and updated on the Internet and can be easily accessed by enabled software systems. To ensure the integrity of the TSL, the list itself has to be signed with a digital signature of the institution creating and maintaining the TSL.

Business partners receiving certificate information from other partners can now automatically check the trustworthiness of the issuing CA.

All recommended parts of the trust system are based on international standards (namely ISO – International Standardisation Organisation, ETSI – European Telecommunication Standards Institution, RFC – Internet, and ITU – International Telecommunication Union standards).

Organisational Solution

  1. Depending on the security levels that different business processes require, there can be several trust lists, each containing details of the issuing CAs that comply with that security level’s policy requirements.
    So far, two levels are identified:
    1. Basic – The issuing CA is an authenticated business entity and operates a PKI.
    2. OFTP2 – The issuing CA is listed in the Basic TSL (i.e. fulfils the basic requirements) and additionally complies with the OFTP2 Security Certificate Policy requirements.
  2. The industry partners participating in the project (OEM, supplier, solution provider) consider it crucial that the TSL and the related service are provided by a neutral body. They recommend Odette to be this trust guardian and to provide the service to the automotive industry community.
  3. For operational and administrative purposes it is recommended to establish two bodies:
    1. SCX Administration – the body which is responsible for running and maintaining the service. The Odette central office should fulfil this role.
    2. SCX Committee – the body which deals with exception situations. Especially in the situation where a CA is found to be no longer compliant with the security level, the SCXC shall take decisions on necessary corrective actions on behalf of the automotive community. The committee shall consist mainly of representatives of OEMs and suppliers.
  4. The service is provided on an open basis. Every interested CA can apply to be listed on Odette TSLs. Odette will perform the necessary validation of the existence of the CA. Compliance with the security levels defined so far will be verified by self-assessment of the applying CA.
  5. The establishment and maintenance is provided as a service for the membership of Odette and the whole automotive community. However, Odette will not take over legal responsibilities.  

Conclusion

With the provision of the trust service Odette strengthens its position as an Organisation of the automotive industry for the automotive industry.  

Acting as a trust guardian Odette provides an essential service to the business partners in the automotive industry. This service is in line with Odette’s mission as ‘business enabler’ for electronic data exchange in the European automotive industry.  

In particular, the recommendation enables the large-scale implementation and use of the OFTP2 file transfer protocol for secure data transfer over the Internet.
