Road vehicles — Extended vehicle (ExVe) web services — Part 1: Content and definitions

This document states the minimum requirements, recommendations, permissions and possibilities for ensuring interoperable web services from an accessing party’s perspective. The document: — states requirements on the structure and format of resources; — defines the concept of resource identifiers (direct and correlated); — provides different resource categories (e.g. anonymous, pseudonymized, technical, and personal resources); — provides different approaches on how to bundle shareable resources (e.g. resource group or container); — contains guidelines on how to define the unique resources of an individual application; — defines the entities and roles, necessary for granting an accessing party access to resource owner’s resources; — states requirements on how an accessing party accesses resources, including requirements on how to use the defined and referenced technologies, see Table 1. See Annex A for additional information about roles and responsibilities covered by ISO 20078 series.

Véhicules routiers — Web services du véhicule étendu (ExVe) — Partie 1: Contenu et définitions

General Information

Status
Published
Publication Date
29-Nov-2021
Current Stage
6060 - International Standard published
Start Date
30-Nov-2021
Completion Date
30-Nov-2021
Ref Project

RELATIONS

Buy Standard

Standard
ISO 20078-1:2021 - Road vehicles -- Extended vehicle (ExVe) web services
English language
19 pages
sale 15% off
Preview
sale 15% off
Preview
Draft
ISO/FDIS 20078-1:Version 21-avg-2021 - Road vehicles -- Extended vehicle (ExVe) web services
English language
19 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO
STANDARD 20078-1
Second edition
2021-11
Road vehicles — Extended vehicle
(ExVe) web services —
Part 1:
Content and definitions
Véhicules routiers — Web services du véhicule étendu (ExVe) —
Partie 1: Contenu et définitions
Reference number
ISO 20078-1:2021(E)
© ISO 2021
---------------------- Page: 1 ----------------------
ISO 20078-1:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO 2021 – All rights reserved
---------------------- Page: 2 ----------------------
ISO 20078-1:2021(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction .................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ..................................................................................................................................................................................... 1

3 Terms and definitions .................................................................................................................................................................................... 1

3.1 Roles and entities ................................................................................................................................................................................. 1

3.2 Technical concepts and terms ................................................................................................................................................... 3

3.3 Identifiers .................................................................................................................................................................................................... 5

3.4 Credentials ................................................................................................................................................................................................. 6

4 Abbreviated terms ............................................................................................................................................................................................. 6

5 Convention .................................................................................................................................................................................................................. 7

6 Relationship of defined entities ........................................................................................................................................... ................8

6.1 Overview of entities ........................................................................................................................................................................... 8

6.2 Roles and relationships of entities ........................................................................................................................................ 9

7 Identifiers .................................................................................................................................................................................................................... 9

7.1 General ........................................................................................................................................................................................................... 9

7.2 Direct identifiers ................................................................................................................................................................................... 9

7.3 Correlation identifiers ..................................................................................................................................................................... 9

8 Resource categories ......................................................................................................................................................................................10

8.1 General ........................................................................................................................................................................................................ 10

8.2 Anonymous resources .................................................................................................................................................................. 10

8.3 Pseudonymized resources ........................................................................................................................................................ 10

8.4 Technical (vehicle) resources ................................................................................................................................................. 11

8.5 Personal resources ........................................................................................................................................................................... 11

9 Resources ..................................................................................................................................................................................................................12

9.1 Superset of resources .................................................................................................................................................................... 12

9.2 Resource groups ................................................................................................................................................................................. 12

9.3 Resource ....................................................................................................................................................................................................12

9.4 Containers ................................................................................................................................................................................................ 13

9.4.1 Container ................................................................................................................................................................................ 13

9.4.2 Management of containers ..................................................................................................................................... 14

10 Representation ...................................................................................................................................................................................................15

10.1 General ........................................................................................................................................................................................................ 15

10.2 JavaScript Object Notation ........................................................................................................................................................ 16

10.3 Extensible Mark-up Language ............................................................................................................................................... 16

Annex A (informative) Roles and responsibilities covered by the ISO 20078 series ....................................17

Bibliography .............................................................................................................................................................................................................................19

iii
© ISO 2021 – All rights reserved
---------------------- Page: 3 ----------------------
ISO 20078-1:2021(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see

www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 31,

Data communication.

This second edition cancels and replaces the first edition (ISO 20078-1:2019), which has been technically

revised.
The main changes are as follows:
— revised Clause 3 "Terms and definitions";

— removed the subclause “Key Value List” including related requirements, as it was not used in the

ISO 20078 series;

— added new definitions for request/reply (3.2.10), push (3.2.12) and subscription profile (3.2.13);

— revised the subclause 9.4 "Containers".
A list of all parts in the ISO 20078 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www.iso.org/members.html.
© ISO 2021 – All rights reserved
---------------------- Page: 4 ----------------------
ISO 20078-1:2021(E)
Introduction

This document was developed to address the needs of different parties to access data, aggregated

information and functionalities (resources) from connected vehicles in a standardized, safe and secure

way. A framework is defined for interoperable web services used by several parties via the internet

by adapting current and widely used IT approaches based on OAuth 2.0 and OpenID Connect 1.0 (see

ISO 20078-3).

As personal data protection rights are becoming stronger in several countries, this document also

defines and recommends common methods to handle data protection and data privacy issues when

accessing personalized vehicle data, information or functionalities via web services.

The ISO 20078 series is supported by the fact that vehicle manufacturers (VM) include telematics

support for their vehicles, making vehicle data, information and functionalities available at their VM

backend system. Thus, instead of installing additional third-party telematics equipment in the vehicle

to achieve intended service goals, the already existing infrastructure can be (re)used via interoperable

web services. Such web services allow a third party to (re)use the infrastructure in same manners as

the VM uses it.

NOTE Web service interfaces have been available and have been offered by VMs previous to this document

but lack of standardization over the VMs, especially on authentication and authorization, led to the fact that third

parties accommodate and design for several different VM implementations.

The ISO 20078 series is applicable for any application or service that intends to use web services.

The ISO 20078 series does not cover requirements for specific applications, resource definitions or

XML/JSON schemas. These are described in the specific application or use case; e.g. see ISO 20080

remote diagnostics support.

This document, ISO 20078-1, defines all entities and roles that are used over in the ISO 20078 series.

It standardizes how an offering party defines resources. Depending on resource category, the offering

party uses different kind of identifiers. Such resources can be exposed directly or through containers. It

also describes different ways of representing resources in web services, such as JSON and XML.

ISO 20078-2 defines the usage of a common communication protocol that enables access to resources

(URIs), thereby standardizing how an accessing party can access resources via web services of an

offering party, using Hypertext Transfer Protocol (HTTP) over Transport Layer Security (TLS); i.e.

HTTP secure (HTTPS). The Representational State Transfer (REST) is selected for using a common way

to represent data, aggregated information, and functions (resources).

ISO 20078-3 standardizes the security model of the web services, including different roles and entities

involved in an authorization policy. Three roles are defined: identity provider, authorization provider

and resource provider at the offering party. Additional roles are the accessing party and the resource

owner. The resource owner is in charge of its resources. The role model is defined as a reference

implementation of OAuth 2.0 and OpenID Connect 1.0 compatible frameworks.

ISO/TR 20078-4 summarizes this document, ISO 20078-2, and ISO 20078-3 by logical processes

[4]

for displaying the interaction of all defined roles and entities . The processes of registration,

authentication, and authorization of an accessing party are determined by the requirements set by

previous parts. The processes described include registration between the entities, granting, denying,

ignoring and revoking access as well as container management possibilities.

In this document, entities are defined as the fundamental objects that represent, for example, vehicles,

ECUs, drivers and fleets, and servers at an ExVe backend. Roles are defined as a grouping of entities

and have relationships that allow for an interaction; e.g. the “offering party” (ExVe backend) offers

resources (ECU data) to an “accessing party” (service implementer).
© ISO 2021 – All rights reserved
---------------------- Page: 5 ----------------------
ISO 20078-1:2021(E)
ISO 20078-1 Content TU — vehicle integrated telematics unit
ISO 20078-2 Access LOG — records access, events, failures, and intrusions
ISO 20078-3 Security APP and WEB — application and web services
ISO/TR 20078-4 Control Stakeholders — customer, authorities, VM, third party
Figure 1 — Schematic presentation of the vision of the ISO 20078 series

ExVe web services are comprised of road vehicles combined with the ExVe backend system of the

vehicle manufacturer (the “offering party”), mainly acting as a resource provider. This enables for both

a third party and a vehicle manufacturer, mainly acting as a service/application provider (the “accessing

party”) to access offered resources via the internet; see Figure 1.

The concept of containers is also introduced which allows resource grouping for a single accessing

party purpose. Containers are a recommended solution where (data) privacy by design applies.

Logging (LOG of Figure 1) is an important part of any IT solution. It is, however, not considered within

the scope of the ISO 20078 series due to potentially strong dependencies on certain IT backend

infrastructures.
JSON (recommended) or XML are used for representation of resources (URIs).

The ISO 20078 series defines in general a framework based on the communication and authorization

protocols listed in Table 1. Those technologies can be used for implementation of individual web

services to share resources and, therefore, allow for any service or application implementation on the

accessing party domain.
© ISO 2021 – All rights reserved
---------------------- Page: 6 ----------------------
ISO 20078-1:2021(E)
Table 1 — List of used information technologies
Transport protocol HTTP 1.1 (or later version) over TLS 1.2 (or later version)
Service design RESTful
JSON (recommended)
Data format
XML
Authorization An OAuth 2.0 (or later version) compatible framework

End user authentication An OpenID Connect 1.0 (or later version) compatible framework

vii
© ISO 2021 – All rights reserved
---------------------- Page: 7 ----------------------
INTERNATIONAL STANDARD ISO 20078-1:2021(E)
Road vehicles — Extended vehicle (ExVe) web services —
Part 1:
Content and definitions
1 Scope

This document states the minimum requirements, recommendations, permissions and possibilities for

ensuring interoperable web services from an accessing party’s perspective. The document:

— states requirements on the structure and format of resources;
— defines the concept of resource identifiers (direct and correlated);

— provides different resource categories (e.g. anonymous, pseudonymized, technical, and personal

resources);

— provides different approaches on how to bundle shareable resources (e.g. resource group or

container);

— contains guidelines on how to define the unique resources of an individual application;

— defines the entities and roles, necessary for granting an accessing party access to resource owner’s

resources;

— states requirements on how an accessing party accesses resources, including requirements on how

to use the defined and referenced technologies, see Table 1.

See Annex A for additional information about roles and responsibilities covered by ISO 20078 series.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 20078-3, Road vehicles — Extended vehicle (ExVe) web services — Part 3: Security

3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1 Roles and entities
3.1.1
vehicle manufacturer
company manufacturing road vehicles
© ISO 2021 – All rights reserved
---------------------- Page: 8 ----------------------
ISO 20078-1:2021(E)
3.1.2
connected vehicle
road vehicle that is enabled for communication over a wide area network (WAN)

Note 1 to entry: A WAN can, for example, be defined as a nationwide mobile phone network with a corresponding

backend (server) architecture.
3.1.3
offering party
entity who provides web services access (3.2.6) to resources (3.2.1)
3.1.4
resource owner
responsible party for the resource(s) (3.2.1)

Note 1 to entry: The resource owner is responsible for granting, denying, and revoking access (3.2.6) to

resource(s).

Note 2 to entry: The responsible resource owner is determined by the concrete resource.

3.1.5
third party

person or body who is not the vehicle manufacturer (3.1.1) or the resource owner (3.1.4)

3.1.6
accessing party
entity which accesses resources (3.2.1) via web services

Note 1 to entry: It is an entity other than the offering party (3.1.3) or the resource owner (3.1.4).

Note 2 to entry: Implements technically and independently an identity, authorization, and a resource provider

(3.1.8)/service provider (3.1.10) that are not within the scope of this document.

Note 3 to entry: The resource provider and service provider can be split into two separate roles at the AP:

resource provider and service provider strongly depend on the individually developed service.

3.1.7
identity provider

entity responsible for authentication (identification) of resource owners (3.1.4), through the use of

credentials

Note 1 to entry: Offering party (3.1.3) confirms the identity of the authenticated resource owner.

Note 2 to entry: There is an identity provider technically mandatory at the offering party, but that identity

provider may reference services exposed by an intermediate body when confirming the identity of a resource

owner in general for some use cases.
3.1.8
resource provider

entity at the offering party (3.1.3) that protects and provides resources (3.2.1)

3.1.9
authorization provider

entity at the offering party (3.1.3) that manages the access (3.2.6) rights to resources (3.2.1) and resource

owner (3.1.4) information

Note 1 to entry: There is an authorization provider technically mandatory at the offering party, but that

authorization provider may reference services exposed by an intermediate body when enforcing the authorization

policy (3.2.7) in general for some use cases.
© ISO 2021 – All rights reserved
---------------------- Page: 9 ----------------------
ISO 20078-1:2021(E)
3.1.10
service provider

vehicle manufacturer (3.1.1) or a third party (3.1.5), providing a service to the vehicle owner based on

the access (3.2.6) to vehicle data and functionalities
3.2 Technical concepts and terms
3.2.1
resource
data, aggregated information or functionalities of the connected vehicle (3.1.2)
Note 1 to entry: resources can be:
— resources (by a RID),
— references to resources,
— resource-related notifications,
— resource owner (3.1.4) information (by a ResourceOwnerID),
— resource and resource owner related information,
— anonymous resources,
— pseudonymized resources,
— vehicle related resources, or
— personal resources,
at the offering party (3.1.3).
3.2.2
resource group
logical set of resources (3.2.1)
3.2.3
superset
set of all unique resources (3.2.1)
3.2.4
container

logical group of resources (3.2.1) defined for a single accessing party (3.1.6) purpose

3.2.5
resource owner profile
information regarding the resource owner (3.1.4)
EXAMPLE Name, address, contact information, and RID.
3.2.6
access

delegated right to an accessing party (3.1.6) to access a resource owner's (3.1.4) resources (3.2.1)

3.2.7
authorization policy
set of rules that define access control to protected resources (3.2.1)
© ISO 2021 – All rights reserved
---------------------- Page: 10 ----------------------
ISO 20078-1:2021(E)
3.2.8
token
sequence of characters representing a verified identity and/or access (3.2.6)

Note 1 to entry: The issuer of the token is responsible for the interpretation and the integrity of the token; for

example, the authorization provider (3.1.9) of the offering party (3.1.3) or in a second example an intermediate

body for the authorization provider of the offering party.

Note 2 to entry: The token is used for securely transmitting verifiable identity and/or authorization information

between involved parties like resource owner (3.1.4), accessing party (3.1.6) and/or offering party.

3.2.9
fleet

group of connected vehicles (3.1.2) associated to a specific resource owner (3.1.4)

3.2.10
request/reply

communication method, where the accessing party (3.1.6) requests resource(s) (3.2.1) and the offering

party (3.1.3) replies
3.2.11
subscription

accessing party (3.1.6) requests the offering party (3.1.3) to push (3.2.12) resources (3.2.1) when certain

conditions are fulfilled

Note 1 to entry: A condition can be a vehicle event, such as a DTC becoming active, or based on a time interval.

3.2.12
push

method used by the offering party (3.1.3) to send resource(s) (3.2.1) to the accessing party (3.1.6)

according to the subscription (3.2.11)

Note 1 to entry: Instead of sending the resource, a reference to the resource can be sent, i.e. a notification. The

accessing party can use the reference to request the resource(s).
3.2.13
subscription profile

URI locations and authorization information making it possible to push (3.2.12) resources (3.2.1) to the

accessing party (3.1.6)
3.2.14
access token

credentials used to access protected resources, issued by the identity provider (3.1.7) or authorization

provider (3.1.9) and consumed by the resource provider (3.1.8)

Note 1 to entry: An access token represents an authorization that is issued to the client and limited by scope and

has a defined expiration time in unix time format (seconds).
Note 2 to entry: An access token may be a digitally signed JWT.
3.2.15
refresh token

credential (string) issued to the client by the identity provider (3.1.7) or the authorization provider

(3.1.9) and used to obtain a new access token (3.2.14) when the currently used AT expires, or to obtain

additional ATs depending on the intended scope of use
© ISO 2021 – All rights reserved
---------------------- Page: 11 ----------------------
ISO 20078-1:2021(E)
3.2.16
bearer token
token (3.2.8) which can be used to get access (3.2.6) to resource(s) (3.2.1)
[10]
Note 1 to entry: Usage of bearer tokens is defined in RFC 6750 .
3.3 Identifiers
3.3.1
identifier
number or a string that is unique within a defined context
[7]
Note 1 to entry: A UUID can be used as an ID.
3.3.2
universally unique identifier
UUID

128-bit value generated in accordance with ISO/IEC 9834-8 and providing unique values between

systems and over time

Note 1 to entry: See Reference [7]. Often represented as a string in hex format, e.g. f81d4fae-7dec-11d0-a765–

00a0c91e6bf6.
3.3.3
ResourceID
RID
ID that identifies a unique resource (3.2.1) at the offering party (3.1.3)
3.3.4
ContainerID
CID
ID that identifies a unique container (3.2.4) at the offering party (3.1.3)
3.3.5
AccessingPartylD
APID

ID that identifies a unique accessing party (3.1.6) at the offering party (3.1.3)

3.3.6
CorrelationID
CoID

ID agreed between the offering party (3.1.3) and the accessing party (3.1.6) to support pseudonymization

of the RIDs or the resourceOwnerIDs (3.3.8)
Note 1 to entry: The definition includes two pseudonymization examples.
3.3.7
SubscriptionID
ID uniquely identifying a subscription (3.2.11) at an offering party (3.1.3)
3.3.8
ResourceOwnerID
ID that identifies a unique resource owner (3.1.4)
3.3.9
VehicleID
ID that identifies uniquely a vehicle (e.g. VIN)
Note 1 to entry: VIN is defined in ISO 3779.
© ISO 2021 – All rights reserved
---------------------- Page: 12 ----------------------
ISO 20078-1:2021(E)
3.4 Credentials
3.4.1
ResourceOwnerCredentials
ROC
credentials shared from a party to the resource owner (3.1.4)
3.4.2
ResourceOwnerCredentialsOP
ROCOP
credentials shared from the offering party (3.1.3) to the resource owner (3.1.4)
3.4.3
ResourceOwnerCredentialsAP
ROCAP

credentials shared from the accessing party (3.1.6) to the resource owner (3.1.4)

3.4.4
AccessingPartyCredentials
APC

credentials shared from the offering party (3.1.3) to the accessing party (3.1.6)

4 Abbreviated terms
AP Accessing Party
APC Accessing Party Credentials
API Application Programming Interface
APID Accessing Party ID
AT Access Token
ROC Resource Owner Credentials
CID Container ID
CoID Correlation ID
ExVe Extended Vehicle
GSM Global System for Mobile Communication
HATEOAS Hypermedia As The Engine Of Application State
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
ID Identifier
JSON JavaScript Object Notation
JWS JSON Web Signature (signed JWT)
JWT JSON Web Token
OAuth Open standard for authorization
© ISO 2021 – All rights reserved
---------------------- Page: 13 ----------------------
ISO 20078-1:2021(E)
OBD On-Board Diagnostics
OIDC OpenID Connect
OP Offering Party
OSI Open System Interconnection
REST Representational State Transfer
RID ResourceID
ROC Credentials of a Resource Owner
ROCAP ROC of the Accessing Party
ROCOP ROC of the Offering Party
TLS Transport Layer Security
URI Uniform Resource Identifier
URL Uniform Resource Locator
UUID Universally Unique Identifier
VIN Vehicle Identification Number
VM Vehicle Manufacturer
XML Extensible Mark-up Language
5 Convention

In this document, requirements, recommendations, permissions and possibilities are formalized as

follows:
REQ_NUM Text of the requirement, recommendation, permission or possibility

NUM: reference of the requirement, recommendation, permission or possibility in which:

— REQ the acronym stands for requirement, recommendation, permission, or the possibility,

— NUM is a reference split in 00_00_00 and 99_99_99 denoting section by increasing each number

between 01 and 99. NUM manifests like: XX_YY_ZZ.

EXAMPLE REQ_04_01_01 and REQ_04_02_01 are different denoting different sections and REQ_04_01_01

and REQ_04
...

FINAL
INTERNATIONAL ISO/FDIS
DRAFT
STANDARD 20078-1
ISO/TC 22/SC 31
Road vehicles — Extended vehicle
Secretariat: DIN
(ExVe) web services —
Voting begins on:
2021-08-23
Part 1:
Voting terminates on:
Content and definitions
2021-10-18
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
ISO/FDIS 20078-1:2021(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. ISO 2021
---------------------- Page: 1 ----------------------
ISO/FDIS 20078-1:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/FDIS 20078-1:2021(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

3.1 Roles and entities .................................................................................................................................................................................. 1

3.2 Technical concepts and terms .................................................................................................................................................... 3

3.3 Identifiers .................................................................................................................................................................................................... 5

3.4 Credentials .................................................................................................................................................................................................. 6

4 Abbreviated terms .............................................................................................................................................................................................. 6

5 Convention .................................................................................................................................................................................................................. 7

6 Relationship of defined entities ........................................................................................................................................................... 8

6.1 Overview of entities ............................................................................................................................................................................ 8

6.2 Roles and relationships of entities ......................................................................................................................................... 9

7 Identifiers .................................................................................................................................................................................................................... 9

7.1 General ........................................................................................................................................................................................................... 9

7.2 Direct identifiers .................................................................................................................................................................................... 9

7.3 Correlation identifiers ...................................................................................................................................................................10

8 Resource categories .......................................................................................................................................................................................10

8.1 General ........................................................................................................................................................................................................10

8.2 Anonymous resources ...................................................................................................................................................................10

8.3 Pseudonymized resources .........................................................................................................................................................10

8.4 Technical (vehicle) resources ..................................................................................................................................................11

8.5 Personal resources ...........................................................................................................................................................................11

9 Resources ..................................................................................................................................................................................................................12

9.1 Superset of resources .....................................................................................................................................................................12

9.2 Resource groups .................................................................................................................................................................................12

9.3 Resource ....................................................................................................................................................................................................12

9.4 Containers ................................................................................................................................................................................................13

9.4.1 Container .............................................................................................................................................................................13

9.4.2 Management of containers ...................................................................................................................................14

10 Representation ....................................................................................................................................................................................................15

10.1 General ........................................................................................................................................................................................................15

10.2 JavaScript Object Notation .........................................................................................................................................................16

10.3 Extensible Mark-up Language ................................................................................................................................................16

Annex A (informative) Roles and responsibilities covered by ISO 20078 series .................................................17

Bibliography .............................................................................................................................................................................................................................19

© ISO 2021 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/FDIS 20078-1:2021(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/ patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/

iso/ foreword .html.

This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 31,

Data communication.

This second edition cancels and replaces the first edition (ISO 20078-1:2019), which has been technically

revised.
The main changes compared to the previous edition are as follows:
— revised Clause 3 "Terms and definitions";

— removed the subclause “Key Value List” including related requirements, as it was not used in the

ISO 20078 series;

— added new definitions for request/reply (3.2.10), push (3.2.12) and subscription profile (3.2.13);

— revised the subclause 9.4 "Containers".
A list of all parts in the ISO 20078 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
iv © ISO 2021 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/FDIS 20078-1:2021(E)
Introduction

This document was developed to address the needs of different parties to access data, aggregated

information and functionalities (resources) from connected vehicles in a standardized, safe and secure

way. A framework is defined for interoperable web services used by several parties via the internet

by adapting current and widely used IT approaches based on OAuth 2.0 and OpenID Connect 1.0 (see

ISO 20078-3).

As personal data protection rights are becoming stronger in several countries, this document also

defines and recommends common methods to handle data protection and data privacy issues when

accessing personalized vehicle data, information or functionalities via web services.

The ISO 20078 series is supported by the fact that vehicle manufacturers (VM) include telematics

support for their vehicles, making vehicle data, information and functionalities available at their VM

backend system. Thus, instead of installing additional third-party telematics equipment in the vehicle

to achieve intended service goals, the already existing infrastructure can be (re)used via interoperable

web services. Such web services allow a third party to (re)use the infrastructure in same manners as

the VM uses it.

NOTE Web service interfaces have been available and have been offered by VMs previous to this document

but lack of standardization over the VMs, especially on authentication and authorization, led to the fact that third

parties accommodate and design for several different VM implementations.

The ISO 20078 series is applicable for any application or service that intends to use web services.

The ISO 20078 series does not cover requirements for specific applications, resource definitions or

XML/JSON schemas. These are described in the specific application or use case; e.g. see ISO 20080

remote diagnostics support.

This document, ISO 20078-1, defines all entities and roles that are used over in the ISO 20078 series.

It standardizes how an offering party defines resources. Depending on resource category, the offering

party uses different kind of identifiers. Such resources can be exposed directly or through containers. It

also describes different ways of representing resources in web services, such as JSON and XML.

ISO 20078-2 defines the usage of a common communication protocol that enables access to resources

(URIs), thereby standardizing how an accessing party can access resources via web services of an

offering party, using Hypertext Transfer Protocol (HTTP) over Transport Layer Security (TLS); i.e.

HTTP secure (HTTPS). The Representational State Transfer (REST) is selected for using a common way

to represent data, aggregated information, and functions (resources).

ISO 20078-3 standardizes the security model of the web services, including different roles and entities

involved in an authorization policy. Three roles are defined: identity provider, authorization provider

and resource provider at the offering party. Additional roles are the accessing party and the resource

owner. The resource owner is in charge of its resources. The role model is defined as a reference

implementation of OAuth 2.0 and OpenID Connect 1.0 compatible frameworks.

ISO/TR 20078-4 summarizes this document, ISO 20078-2, and ISO 20078-3 by logical processes

[4]

for displaying the interaction of all defined roles and entities . The processes of registration,

authentication, and authorization of an accessing party are determined by the requirements set by

previous parts. The processes described include registration between the entities, granting, denying,

ignoring and revoking access as well as container management possibilities.

In this document, entities are defined as the fundamental objects that represent, for example, vehicles,

ECUs, drivers and fleets, and servers at an ExVe backend. Roles are defined as a grouping of entities

and have relationships that allow for an interaction; e.g. the “offering party” (ExVe backend) offers

resources (ECU data) to an “accessing party” (service implementer).
© ISO 2021 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/FDIS 20078-1:2021(E)
ISO 20078-1 Content TU — vehicle integrated telematics unit
ISO 20078-2 Access LOG — records access, events, failures, and intrusions
ISO 20078-3 Security APP and WEB — application and web services
ISO/TR 20078-4 Control Stakeholders — customer, authorities, VM, third party
Figure 1 — Schematic presentation of the vision of the ISO 20078 series

ExVe web services are comprised of road vehicles combined with the ExVe backend system of the

vehicle manufacturer (the “offering party”), mainly acting as a resource provider. This enables for both

a third party and a vehicle manufacturer, mainly acting as a service/application provider (the “accessing

party”) to access offered resources via the internet; see Figure 1.

The concept of containers is also introduced which allows resource grouping for a single accessing

party purpose. Containers are a recommended solution where (data) privacy by design applies.

Logging (LOG of Figure 1) is an important part of any IT solution. It is, however, not considered within

the scope of the ISO 20078 series due to potentially strong dependencies on certain IT backend

infrastructures.
JSON (recommended) or XML are used for representation of resources (URIs).

The ISO 20078 series defines in general a framework based on the communication and authorization

protocols listed in Table 1. Those technologies can be used for implementation of individual web

services to share resources and, therefore, allow for any service or application implementation on the

accessing party domain.
vi © ISO 2021 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/FDIS 20078-1:2021(E)
Table 1 — List of used information technologies
Transport protocol HTTP 1.1 (or later version) over TLS 1.2 (or later version)
Service design RESTful
JSON (recommended)
Data format
XML
Authorization An OAuth 2.0 (or later version) compatible framework

End user authentication An OpenID Connect 1.0 (or later version) compatible framework

© ISO 2021 – All rights reserved vii
---------------------- Page: 7 ----------------------
FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 20078-1:2021(E)
Road vehicles — Extended vehicle (ExVe) web services —
Part 1:
Content and definitions
1 Scope

This document states the minimum requirements, recommendations, permissions and possibilities for

ensuring interoperable web services from an accessing party’s perspective. The document:

— states requirements on the structure and format of resources;
— defines the concept of resource identifiers (direct and correlated);

— provides different resource categories (e.g. anonymous, pseudonymized, technical, and personal

resources);

— provides different approaches on how to bundle shareable resources (e.g. resource group or

container);

— contains guidelines on how to define the unique resources of an individual application;

— defines the entities and roles, necessary for granting an accessing party access to resource owner’s

resources;

— states requirements on how an accessing party accesses resources, including requirements on how

to use the defined and referenced technologies, see Table 1.

See Annex A for additional information about roles and responsibilities covered by ISO 20078 series.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 20078-3, Road vehicles — Extended vehicle (ExVe) web services — Part 3: Security

3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1 Roles and entities
3.1.1
vehicle manufacturer
company manufacturing road vehicles
© ISO 2021 – All rights reserved 1
---------------------- Page: 8 ----------------------
ISO/FDIS 20078-1:2021(E)
3.1.2
connected vehicle
road vehicle that is enabled for communication over a wide area network (WAN)

Note 1 to entry: A WAN can, for example, be defined as a nationwide mobile phone network with a corresponding

backend (server) architecture.
3.1.3
offering party
entity who provides web services access (3.2.6) to resources (3.2.1)
3.1.4
resource owner
responsible party for the resource(s) (3.2.1)

Note 1 to entry: The resource owner is responsible for granting, denying, and revoking access (3.2.6) to

resource(s).

Note 2 to entry: The responsible resource owner is determined by the concrete resource.

3.1.5
third party

person or body who is not the vehicle manufacturer (3.1.1) or the resource owner (3.1.4).

3.1.6
accessing party
entity which accesses resources (3.2.1) via web services

Note 1 to entry: It is an entity other than the offering party (3.1.3) or the resource owner (3.1.4).

Note 2 to entry: Implements technically and independently an identity, authorization, and a resource provider

(3.1.8)/service provider (3.1.10) that are not within the scope of this document.

Note 3 to entry: The resource provider and service provider can be split into two separate roles at the AP:

resource provider and service provider strongly depend on the individually developed service.

3.1.7
identity provider

entity responsible for authentication (identification) of resource owners (3.1.4), through the use of

credentials

Note 1 to entry: Offering party (3.1.3) confirms the identity of the authenticated resource owner.

Note 2 to entry: There is an identity provider technically mandatory at the offering party, but that identity

provider may reference services exposed by an intermediate body when confirming the identity of a resource

owner in general for some use cases.
3.1.8
resource provider

entity at the offering party (3.1.3) that protects and provides resources (3.2.1)

3.1.9
authorization provider

entity at the offering party (3.1.3) that manages the access (3.2.6) rights to resources (3.2.1) and resource

owner (3.1.4) information

Note 1 to entry: There is an authorization provider technically mandatory at the offering party, but that

authorization provider may reference services exposed by an intermediate body when enforcing the authorization

policy (3.2.7) in general for some use cases.
2 © ISO 2021 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/FDIS 20078-1:2021(E)
3.1.10
service provider

vehicle manufacturer (3.1.1) or a third party (3.1.5), providing a service to the vehicle owner based on

the access (3.2.6) to vehicle data and functionalities
3.2 Technical concepts and terms
3.2.1
resource
data, aggregated information or functionalities of the connected vehicle (3.1.2)
Note 1 to entry: resources can be:
— resources (by a RID),
— references to resources,
— resource-related notifications,
— resource owner (3.1.4) information (by a ResourceOwnerID),
— resource and resource owner related information,
— anonymous resources,
— pseudonymized resources,
— vehicle related resources, or
— personal resources,
at the offering party (3.1.3).
3.2.2
resource group
logical set of resources (3.2.1)
3.2.3
superset
set of all unique resources (3.2.1)
3.2.4
container

logical group of resources (3.2.1) defined for a single accessing party (3.1.6) purpose

3.2.5
resource owner profile
information regarding the resource owner (3.1.4)
EXAMPLE Name, address, contact information, and RID.
3.2.6
access

delegated right to an accessing party (3.1.6) to access a resource owner's (3.1.4) resources (3.2.1)

3.2.7
authorization policy
set of rules that define access control to protected resources (3.2.1)
© ISO 2021 – All rights reserved 3
---------------------- Page: 10 ----------------------
ISO/FDIS 20078-1:2021(E)
3.2.8
token
sequence of characters representing a verified identity and/or access (3.2.6)

Note 1 to entry: The issuer of the token is responsible for the interpretation and the integrity of the token; for

example, the authorization provider (3.1.9) of the offering party (3.1.3) or in a second example an intermediate

body for the authorization provider of the offering party.

Note 2 to entry: The token is used for securely transmitting verifiable identity and/or authorization information

between involved parties like resource owner (3.1.4), accessing party (3.1.6) and/or offering party.

3.2.9
fleet

group of connected vehicles (3.1.2) associated to a specific resource owner (3.1.4)

3.2.10
request/reply

communication method, where the accessing party (3.1.6) requests resource(s) (3.2.1) and the offering

party (3.1.3) replies
3.2.11
subscription

accessing party (3.1.6) requests the offering party (3.1.3) to push (3.2.12) resources (3.2.1) when certain

conditions are fulfilled

Note 1 to entry: A condition can be a vehicle event, such as a DTC becoming active, or based on a time interval.

3.2.12
push

method used by the offering party (3.1.3) to send resource(s) (3.2.1) to the accessing party (3.1.6)

according to the subscription (3.2.11)

Note 1 to entry: Instead of sending the resource, a reference to the resource can be sent, i.e. a notification. The

accessing party can use the reference to request the resource(s).
3.2.13
subscription profile

URI locations and authorization information making it possible to push (3.2.12) resources (3.2.1) to the

accessing party (3.1.6)
3.2.14
access token

credentials used to access protected resources, issued by the identity provider (3.1.7) or authorization

provider (3.1.9) and consumed by the resource provider (3.1.8)

Note 1 to entry: An access token represents an authorization that is issued to the client and limited by scope and

has a defined expiration time in unix time format (seconds).
Note 2 to entry: An access token may be a digitally signed JWT.
3.2.15
refresh token

credential (string) issued to the client by the identity provider (3.1.7) or the authorization provider

(3.1.9) and used to obtain a new access token (3.2.14) when the currently used AT expires, or to obtain

additional ATs depending on the intended scope of use
4 © ISO 2021 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/FDIS 20078-1:2021(E)
3.2.16
bearer token
token (3.2.8) which can be used to get access (3.2.6) to resource(s) (3.2.1)
[10]
Note 1 to entry: Usage of bearer tokens is defined in RFC 6750 .
3.3 Identifiers
3.3.1
identifier
number or a string that is unique within a defined context
[7]
Note 1 to entry: A UUID can be used as an ID.
3.3.2
universally unique identifier
UUID

128-bit value generated in accordance with ISO/IEC 9834-8 and providing unique values between

systems and over time

Note 1 to entry: See Reference [7]. Often represented as a string in hex format, e.g. f81d4fae-7dec-11d0-a765–

00a0c91e6bf6.
3.3.3
ResourceID
RID
ID that identifies a unique resource (3.2.1) at the offering party (3.1.3)
3.3.4
ContainerID
CID
ID that identifies a unique container (3.2.4) at the offering party (3.1.3)
3.3.5
AccessingPartylD
APID

ID that identifies a unique accessing party (3.1.6) at the offering party (3.1.3)

3.3.6
CorrelationID
CoID

ID agreed between the offering party (3.1.3) and the accessing party (3.1.6) to support pseudonymization

of the RIDs or the resourceOwnerIDs (3.3.8)
Note 1 to entry: The definition includes two pseudonymization examples.
3.3.7
SubscriptionID
ID uniquely identifying a subscription (3.2.11) at an offering party (3.1.3)
3.3.8
ResourceOwnerID
ID that identifies a unique resource owner (3.1.4)
3.3.9
VehicleID
ID that identifies uniquely a vehicle (e.g. VIN)
Note 1 to entry: VIN is defined in ISO 3779.
© ISO 2021 – All rights reserved 5
---------------------- Page: 12 ----------------------
ISO/FDIS 20078-1:2021(E)
3.4 Credentials
3.4.1
ResourceOwnerCredentials
ROC
credentials shared from a party to the resource owner (3.1.4)
3.4.2
ResourceOwnerCredentialsOP
ROCOP
credentials shared from the offering party (3.1.3) to the resource owner (3.1.4)
3.4.3
ResourceOwnerCredentialsAP
ROCAP

credentials shared from the accessing party (3.1.6) to the resource owner (3.1.4)

3.4.4
AccessingPartyCredentials
APC

credentials shared from the offering party (3.1.3) to the accessing party (3.1.6)

4 Abbreviated terms
AP Accessing Party
APC Accessing Party Credentials
API Application Programming Interface
APID Accessing Party ID
AT Access Token
ROC Resource Owner Credentials
CID Container ID
CoID Correlation ID
ExVe Extended Vehicle
GSM Global System for Mobile Communication
HATEOAS Hypermedia As The Engine Of Application State
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
ID Identifier
JSON JavaScript Object Notation
JWS JSON Web Signature (signed JWT)
JWT JSON Web Token
OAuth Open standard for authorization
6 © ISO 2021 – All rights reserved
---------------------- Page: 13 ----------------------
ISO/FDIS 20078-1:2021(E)
OBD On-Board Diagnostics
OIDC OpenID Connect
OP Offering Party
OSI Open System Interconnection
REST Representational State Transfer
RID ResourceID
ROC Credentials of a Resource Owner
ROCAP ROC of the Accessing Party
ROCOP ROC of the Offering Party
TLS Transport Layer Security
URI Uniform Resource Identifier
URL Uniform Resource Locator
UUID Universally Unique Identifier
VIN Vehicle Identification Number
VM Vehicle Manufacturer
XML Extensible Mark-up Lang
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.