ISO 20078-3:2019

INTERNATIONAL ISO
STANDARD 20078-3
First edition
2019-05
Road vehicles — Extended vehicle
(ExVe) web services —
Part 3:
Security
Véhicule routiers — Web services du véhicule étendu (ExVe) —
Partie 3: Sécurité
Reference number
ISO 20078-3:2019(E)
©
ISO 2019

---------------------- Page: 1 ----------------------
ISO 20078-3:2019(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2019 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 20078-3:2019(E)

Contents Page
Foreword .iv
1 Scope . 1
2 Normative references . 1
3 Terms, definitions and abbreviations . 1
4 General . 2
4.1 Processes . 2
4.2 Conditions . 2
5 Basic Communication Flow . 2
5.1 General . 2
5.2 Authentication . 3
5.3 Authorization . 4
5.4 Resource Access . 5
5.5 Separation of duties . 6
5.6 Implementation Related Considerations . 7
Annex A (informative) Reference Implementation using OAuth 2.0 and OpenID Connect 1.0 .9
Bibliography .17
© ISO 2019 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO 20078-3:2019(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 31,
Data communication.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO 2019 – All rights reserved

---------------------- Page: 4 ----------------------
INTERNATIONAL STANDARD ISO 20078-3:2019(E)
Road vehicles — Extended vehicle (ExVe) web services —
Part 3:
Security
1 Scope
This document defines how to authenticate users and Accessing Parties on a web services interface. It
also defines how a Resource Owner can delegate Access to its Resources to an Accessing Party. Within
this context, this document also defines the necessary roles and required separation of duties between
these in order to fulfil requirements stated on security, data privacy and data protection.
All conditions and dependencies of the roles are defined towards a reference implementation using
OAuth 2.0 compatible framework and OpenID Connect 1.0 compatible framework.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 20078-1, Road vehicles — Extended vehicle (ExVe) ‘web services’ — Content
3 Terms, definitions and abbreviations
For the purposes of this document, the terms, definitions and abbreviations given in ISO 20078-1 and
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http: //www .electropedia .org/
— ISO Online browsing platform: available at https: //www .iso .org/obp
3.1
Identity Token
ID Token
digitally signed JWT and contains claims about the authenticated Resource Owner
3.2
Access Token
AT
digitally signed JWT issued by the Identity Provider or Authorization Provider and consumed by the
Resource Provider
Note 1 to entry: An Access Token represents an authorization that is issued to the client and limited by scope and
has a defined expiration time.
3.3
Refresh Token
RT
credential (string) issued to the Accessing Party by the Identity Provider or the Authorization Provider
and used to obtain a new Access Token when the currently used AT expires, or to obtain additional ATs
depending on the intended scope of use
© ISO 2019 – All rights reserved 1

---------------------- Page: 5 ----------------------
ISO 20078-3:2019(E)

3.4
Authorization Code
intermediate result of a successful Resource Owner authorization process and is used by authorized
clients to obtain Access Tokens and optionally Refresh Tokens
3.5
Claim
asserted information about a certain entity
EXAMPLE ROID, Resource Owner’s first name, last name, address, Connected Vehicle’s capability and/or
other attributes.
3.6
Token Issuer
entity that generates and provides Identity Tokens, Access Tokens, and Refresh Tokens
4 General
4.1 Processes
The following processes are specific to each Offering Party. The definition of these processes is not part
of this document but shall be in place in order to apply this specification.
REQ_04_01_01 The process to register a Resource Owner at the Identity Provider shall be the re-
sponsibility of the Offering Party.
REQ_04_01_02 The process to register an Accessing Party at the Authorization Provider shall be
the responsibility of the Offering Party.
REQ_04_01_03 The process to confirm the technical eligibility of Connected Vehicles and provision
of their associated ExVe Resources shall be the responsibility of the Offering Party.
REQ_04_01_04 The process to verify a Resource Owner’s current and valid ownership of the con-
cerned resource shall be the responsibility of the Offering Party.
4.2 Conditions
REQ_04_02_05 The Offering Party shall be able to restrict or deny the Accessing Party and/or the
Resource Owner Access to the Offering Party’s web services and portals.
NOTE 1 This could be done to, for example, fulfil security and legislation requirements.
REQ_04_02_06 If the Offering Party revokes a granted registration of an Accessing Party, the Offering
Party may delete all Containers created by the Accessing Party, if Containers are used.
NOTE 2 Revocation of the registration can be due to access violation or other misuse of the web services.
5 Basic Communication Flow
5.1 General
This document separates the activities necessary for authentication, authorization and Resource Access
into three distinct communication flows with separate duties (see Figure 1).
2 © ISO 2019 – All rights reserved

---------------------- Page: 6 ----------------------
ISO 20078-3:2019(E)


1 The Resource Owner is authenticated by the Identity Provider.
2 The Resource Owner is granting access to the Accessing Party. The granting is handled by the Authorization
Provider.
3 The Accessing Party is accessing resources from the Resource Provider.
Figure 1 — The roles and the three distinct communication flows
5.2 Authentication
The Identity Provider is responsible for authenticating the Resource Owner and managing the Resource
Owner profile, based on the Resource Owner registration. The Resource Owner credentials are
revealed only to the Identity Provider, and the Identity Provider confirms a successful authentication to
concerned parties. If the Resource Owner has given consent, the Accessing Party will be authorized to
access the Resource Owner's profile (Figure 2).
Figure 2 — Resource Owner Authentication and Access to Resource Owner’s Profile
© ISO 2019 – All rights reserved 3

---------------------- Page: 7 ----------------------
ISO 20078-3:2019(E)

REQ_05_02_01 The Identity Provider shall offer a suitable authentication method and shall perform
the authentication process. After a successful authentication, the Identity Provider
shall confirm the identity of the authenticated Resource Owner.
REQ_05_02_02 The Resource Owner’s credentials shall only need to be known by the Resource
Owner and be possible to be verified by the Identity Provider.
REQ_05_02_03 The Resource Owner’s registration and authentication (at the Identity Provider),
shall be separated from the authorization process to grant access to Resources (via
the Authorization Provider).
REQ_05_02_04 If the Identity Provider is able to expose the Resource Owner’s profile to the Access-
ing Party, it is only the Resource Owner that shall be able to grant or deny access.
5.3 Authorization
The Client Application as a component of the Accessing Party requires Access to Resources on behalf of
the Resource Owner. At the authorization step, the Accessing Party requests authorization to access the
Resources provided by the Resource Provider (Offering Party). The required authorization is requested
at the Authorization Provider, providing the intended scope. By the consent of the Resource Owner, the
Authorization Provider returns a limited authorization to the client application of the Accessing Party.
Using the obtained authorization, the Client Application can access Resources.
Figure 3 — Requesting Access to Resources
REQ_05_03_01 Before accessing the Resource, the Accessing Party shall request Access at the Au-
thorization Provider providing the intended scope.
REQ_05_03_02 The Authorization Provider shall be responsible for the management of the Author-
ization Policy and shall manage all granted Accesses.
REQ_05_03_03 The Authorization Provider shall trust the confirmation of successful authentication
as provided by the Identity Provider.
4 © ISO 2019 – All rights reserved

---------------------- Page: 8 ----------------------
ISO 20078-3:2019(E)

REQ_05_03_04 The Authorization Policy shall be defined by the Offering Party concerning the au-
thorization process.
REQ_05_03_05 The Authorization provider shall be able to verify the relationship between Resource
Owners and their Resources.
REQ_05_03_06 Only the Resource Owner shall be able to grant Access to a Resource.
NOTE The Access is granted to an Accessing Party at the Offering Party.
REQ_05_03_07 Granting Access to resources shall be done either directly or via Containers. The
Offering Party decides if one or both of the granting methods shall be provided to
the Accessing Parties.
REQ_05_03_08 The Resource Owner shall be able to revoke a granted Access to a Resource at any time.
REQ_05_03_09 If Containers are used, the Resource Owner shall be able to revoke a granted Access
to a Containers at any time.
REQ_05_03_10 The Authorization Provider shall ask the Resource Owner for the approval before
providing the authorization to the Accessing Party resulting in a granted Access.
REQ_05_03_11 Upon request the Offering Party shall present a Resource Owner’s granted Accesses
to the Resource Owner.
REQ_05_03_12 The Resource Owner shall be able to deny an Access request to a Resource, or if
Containers are used, to a Container at any time.
REQ_05_03_13 If the Ownership of a Resource or the relationship between the Resource Owner
and the Resource ends, Access to the corresponding Resources, and if Containers
are used, also to Containers, shall be revoked.
REQ_05_03_14 If Containers are used and if a Container is deleted, all Access granted to that Con-
tainer shall be revoked.

5.4 Resource Access
Using the Access, the Accessing Party can access the Resources, hosted by the Resource Provider.
Figure 4 — Access to Resources via the Resource Provider
© ISO 2019 – All rights reserved 5

---------------------- Page: 9 ----------------------
ISO 20078-3:2019(E)

REQ_05_04_01 The Resource Provider shall perform Access control to the Resources according to
the Authorization Policy.
5.5 Separation of duties
Separation of duties concerns the separation of tasks and responsibilities between entities involved in
the authentication, authorization and access to Resources.
Figure 5 — Separation of duties between involved roles
Figure 5 describe the separation of duties between involved roles, where the Offering Party has the
three roles: Identity Provider, Authorization Provider, and Resource Provider.
REQ_05_05_01 The Identity Provider shall not be dependent on the Authorization Policy.
REQ_05_05_02 The Identity Provider shall not influence the Authorization Policy.
REQ_05_05_03 The Identity Provider shall not access the Resources.
REQ_05_05_04 The Authorization Provider shall not access the Resource Owner Profile.
REQ_05_05_05 The Authorization Provider shall only use the unique Resource Owner ID to identify
the resource owner.
NOTE 1 The Resource Owner ID is generated and communicated by the trusted Identity Provider.
REQ_05_05_06 The Authorization Provider shall not have Access to Resources provided by the
Resource Provider.
6 © ISO 2019 – All rights reserved

---------------------- Page: 10 ----------------------
ISO 20078-3:2019(E)

REQ_05_05_07 The Resource Provider shall not access the Resource Owner Profile.
REQ_05_05_08 The Resource Provider shall not know details about the authorization process.
REQ_05_05_09 The Resource Provider trusts the Authorization Provider and shall verify whether the
provided authorization matches the Access control rules defined for the requested
Resources.
REQ_05_05_10 The Resource Owner shall not need to share credentials with the Accessing Party
to enable the Accessing Party to access the Resources.
REQ_05_05_11 The Accessing Party shall only access the Resources with the consent of the Re-
source Owner.
NOTE 2 The requirements stated above do not impose requirements on specific architecture, design or
organizational structure.
Figure 6 shows the major logical components of the involved roles and the associated entities:
Figure 6 — Involved roles and associated entities
5.6 Implementation Related Considerations
The physical implementation and assignment of roles to real parties differs from the logical
representation as shown in Figure 6, and follows the defined requirements as referenced by the
following figure.
© ISO 2019 – All rights reserved 7

---------------------- Page: 11 ----------------------
ISO 20078-3:2019(E)

Figure 7 — Logical representation of involved roles and their entities
in reference to the defined requirements
Additionally, actual implementation often depends on national legal requirements (e.g. handling of
Resource Owner Profile, implemented Resource Owner’s Verification Process etc.) and the required
trusted relationship between involved components especially Identity Provider, Authorization
Provider, and Resource Provider.
REQ_05_06_01 All communication paths between involved entities shall use secured connections.
REQ_05_06_02 The Identity Provider, Authorization Provider, and Resource Provider are responsible
for ensuring that only recent cipher suites are used.
NOTE Changes in the interface are communicated to Accessing Parties within a reasonable notice period.
If the Offering Party encounters an unreliable Accessing Party, the Offering Party can temporarily or
permanently revoke the Accessing Party’s access. This is done in order to protect the Resource Owners.
Examples of circumstances that could trigger this are: insecure smartphone applications, disabled
host verification, data breach of database, forbidden caching or storage of resource data, usage of
discouraged security algorithms.
REQ_05_06_03 It shall be possible to validate the authenticity and integrity of information provided
by the Identity Provider, Authorization Provider and Resource Provider.
REQ_05_06_04 To ensure the interoperability between i
...