Public Key Infrastructure

Any communications system needs to provide a mechanism to allow communicating partners to trust each other. In large systems, this is typically accomplished by cryptographic protection for individual communications, along with cryptographically secured credentials and a centralized credential management system with responsibility for ensuring that credentials are issued only to parties that are entitled to them. Each credential management system typically has a small number of nodes that serve as trust anchors, which can make statements themselves about the trustworthiness of end entity nodes or delegate the ability to make trust statements to other management nodes.

One typical way of instantiating a credential management system is via public key infrastructure (PKI). For the C-ITS world, the operational scope of a PKI system (referred to in the ITS Architecture and C-ITS as a Cooperative ITS Credential Management System, or CCMS) can be considered over three axes:

  1. The geo-spatial area over which CCMS-granted credentials are relevant. This might be a political boundary, but will always be a geographic boundary (though unbound, e.g., all of earth, is possible if unlikely).
  2. The time domain over which the CCMS operates and CCMS-granted credentials are relevant. While credentials of all types have a valid period from time X1 to time X2, a CCMS operating period, the time during which its functionality and interfaces are active, will be from time Y1 to Y2. While X1 cannot by definition be earlier than Y1, it is possible that X2 would be later than Y2 (in the case of a disaster event for example).
  3. The application space in which CCMS-granted credentials are used. A given CCMS might supply credentials for only a limited subset of the applications functional at a particular time in a particular geo-political area.

A typical CCMS will consider users of its credentials, aka 'End Entities', according to the state of their credentials. An end entity will move through life cycle stages as processes are performed on the device, and as credentials are granted to it. The device security lifecycle is independent of device class or capability, though the actual mechanisms for transiting device classes may differ.