Road vehicles -- Extended vehicle (ExVe) web services

This document defines how to authenticate users and Accessing Parties on a web services interface. It also defines how a Resource Owner can delegate Access to its Resources to an Accessing Party. Within this context, this document also defines the necessary roles and required separation of duties between these in order to fulfil requirements stated on security, data privacy and data protection. All conditions and dependencies of the roles are defined towards a reference implementation using OAuth 2.0 compatible framework and OpenID Connect 1.0 compatible framework.

Véhicule routiers -- Web services du véhicule étendu (ExVe)

General Information

Status
Published
Publication Date
29-Apr-2019
Current Stage
6060 - International Standard published
Start Date
02-Apr-2019
Completion Date
30-Apr-2019
Ref Project

Buy Standard

Standard
ISO 20078-3:2019 - Road vehicles -- Extended vehicle (ExVe) web services
English language
17 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO
STANDARD 20078-3
First edition
2019-05
Road vehicles — Extended vehicle
(ExVe) web services —
Part 3:
Security
Véhicule routiers — Web services du véhicule étendu (ExVe) —
Partie 3: Sécurité
Reference number
ISO 20078-3:2019(E)
ISO 2019
---------------------- Page: 1 ----------------------
ISO 20078-3:2019(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2019

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2019 – All rights reserved
---------------------- Page: 2 ----------------------
ISO 20078-3:2019(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms, definitions and abbreviations ............................................................................................................................................ 1

4 General ............................................................................................................................................................................................................................ 2

4.1 Processes ...................................................................................................................................................................................................... 2

4.2 Conditions ................................................................................................................................................................................................... 2

5 Basic Communication Flow ....................................................................................................................................................................... 2

5.1 General ........................................................................................................................................................................................................... 2

5.2 Authentication ......................................................................................................................................................................................... 3

5.3 Authorization ........................................................................................................................................................................................... 4

5.4 Resource Access ..................................................................................................................................................................................... 5

5.5 Separation of duties ............................................................................................................................................................................ 6

5.6 Implementation Related Considerations .......................................................................................................................... 7

Annex A (informative) Reference Implementation using OAuth 2.0 and OpenID Connect 1.0 ................9

Bibliography .............................................................................................................................................................................................................................17

© ISO 2019 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO 20078-3:2019(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www .iso .org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso

.org/iso/foreword .html.

This document was prepared by Technical Committee ISO/TC 22, Road vehicles, Subcommittee SC 31,

Data communication.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/members .html.
iv © ISO 2019 – All rights reserved
---------------------- Page: 4 ----------------------
INTERNATIONAL STANDARD ISO 20078-3:2019(E)
Road vehicles — Extended vehicle (ExVe) web services —
Part 3:
Security
1 Scope

This document defines how to authenticate users and Accessing Parties on a web services interface. It

also defines how a Resource Owner can delegate Access to its Resources to an Accessing Party. Within

this context, this document also defines the necessary roles and required separation of duties between

these in order to fulfil requirements stated on security, data privacy and data protection.

All conditions and dependencies of the roles are defined towards a reference implementation using

OAuth 2.0 compatible framework and OpenID Connect 1.0 compatible framework.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 20078-1, Road vehicles — Extended vehicle (ExVe) ‘web services’ — Content
3 Terms, definitions and abbreviations

For the purposes of this document, the terms, definitions and abbreviations given in ISO 20078-1 and

following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http: //www .electropedia .org/
— ISO Online browsing platform: available at https: //www .iso .org/obp
3.1
Identity Token
ID Token
digitally signed JWT and contains claims about the authenticated Resource Owner
3.2
Access Token

digitally signed JWT issued by the Identity Provider or Authorization Provider and consumed by the

Resource Provider

Note 1 to entry: An Access Token represents an authorization that is issued to the client and limited by scope and

has a defined expiration time.
3.3
Refresh Token

credential (string) issued to the Accessing Party by the Identity Provider or the Authorization Provider

and used to obtain a new Access Token when the currently used AT expires, or to obtain additional ATs

depending on the intended scope of use
© ISO 2019 – All rights reserved 1
---------------------- Page: 5 ----------------------
ISO 20078-3:2019(E)
3.4
Authorization Code

intermediate result of a successful Resource Owner authorization process and is used by authorized

clients to obtain Access Tokens and optionally Refresh Tokens
3.5
Claim
asserted information about a certain entity

EXAMPLE ROID, Resource Owner’s first name, last name, address, Connected Vehicle’s capability and/or

other attributes.
3.6
Token Issuer

entity that generates and provides Identity Tokens, Access Tokens, and Refresh Tokens

4 General
4.1 Processes

The following processes are specific to each Offering Party. The definition of these processes is not part

of this document but shall be in place in order to apply this specification.

REQ_04_01_01 The process to register a Resource Owner at the Identity Provider shall be the re-

sponsibility of the Offering Party.

REQ_04_01_02 The process to register an Accessing Party at the Authorization Provider shall be

the responsibility of the Offering Party.

REQ_04_01_03 The process to confirm the technical eligibility of Connected Vehicles and provision

of their associated ExVe Resources shall be the responsibility of the Offering Party.

REQ_04_01_04 The process to verify a Resource Owner’s current and valid ownership of the con-

cerned resource shall be the responsibility of the Offering Party.
4.2 Conditions

REQ_04_02_05 The Offering Party shall be able to restrict or deny the Accessing Party and/or the

Resource Owner Access to the Offering Party’s web services and portals.

NOTE 1 This could be done to, for example, fulfil security and legislation requirements.

REQ_04_02_06 If the Offering Party revokes a granted registration of an Accessing Party, the Offering

Party may delete all Containers created by the Accessing Party, if Containers are used.

NOTE 2 Revocation of the registration can be due to access violation or other misuse of the web services.

5 Basic Communication Flow
5.1 General

This document separates the activities necessary for authentication, authorization and Resource Access

into three distinct communication flows with separate duties (see Figure 1).
2 © ISO 2019 – All rights reserved
---------------------- Page: 6 ----------------------
ISO 20078-3:2019(E)
1 The Resource Owner is authenticated by the Identity Provider.

2 The Resource Owner is granting access to the Accessing Party. The granting is handled by the Authorization

Provider.
3 The Accessing Party is accessing resources from the Resource Provider.
Figure 1 — The roles and the three distinct communication flows
5.2 Authentication

The Identity Provider is responsible for authenticating the Resource Owner and managing the Resource

Owner profile, based on the Resource Owner registration. The Resource Owner credentials are

revealed only to the Identity Provider, and the Identity Provider confirms a successful authentication to

concerned parties. If the Resource Owner has given consent, the Accessing Party will be authorized to

access the Resource Owner's profile (Figure 2).
Figure 2 — Resource Owner Authentication and Access to Resource Owner’s Profile
© ISO 2019 – All rights reserved 3
---------------------- Page: 7 ----------------------
ISO 20078-3:2019(E)

REQ_05_02_01 The Identity Provider shall offer a suitable authentication method and shall perform

the authentication process. After a successful authentication, the Identity Provider

shall confirm the identity of the authenticated Resource Owner.

REQ_05_02_02 The Resource Owner’s credentials shall only need to be known by the Resource

Owner and be possible to be verified by the Identity Provider.

REQ_05_02_03 The Resource Owner’s registration and authentication (at the Identity Provider),

shall be separated from the authorization process to grant access to Resources (via

the Authorization Provider).

REQ_05_02_04 If the Identity Provider is able to expose the Resource Owner’s profile to the Access-

ing Party, it is only the Resource Owner that shall be able to grant or deny access.

5.3 Authorization

The Client Application as a component of the Accessing Party requires Access to Resources on behalf of

the Resource Owner. At the authorization step, the Accessing Party requests authorization to access the

Resources provided by the Resource Provider (Offering Party). The required authorization is requested

at the Authorization Provider, providing the intended scope. By the consent of the Resource Owner, the

Authorization Provider returns a limited authorization to the client application of the Accessing Party.

Using the obtained authorization, the Client Application can access Resources.
Figure 3 — Requesting Access to Resources

REQ_05_03_01 Before accessing the Resource, the Accessing Party shall request Access at the Au-

thorization Provider providing the intended scope.

REQ_05_03_02 The Authorization Provider shall be responsible for the management of the Author-

ization Policy and shall manage all granted Accesses.

REQ_05_03_03 The Authorization Provider shall trust the confirmation of successful authentication

as provided by the Identity Provider.
4 © ISO 2019 – All rights reserved
---------------------- Page: 8 ----------------------
ISO 20078-3:2019(E)

REQ_05_03_04 The Authorization Policy shall be defined by the Offering Party concerning the au-

thorization process.

REQ_05_03_05 The Authorization provider shall be able to verify the relationship between Resource

Owners and their Resources.

REQ_05_03_06 Only the Resource Owner shall be able to grant Access to a Resource.

NOTE The Access is granted to an Accessing Party at the Offering Party.

REQ_05_03_07 Granting Access to resources shall be done either directly or via Containers. The

Offering Party decides if one or both of the granting methods shall be provided to

the Accessing Parties.

REQ_05_03_08 The Resource Owner shall be able to revoke a granted Access to a Resource at any time.

REQ_05_03_09 If Containers are used, the Resource Owner shall be able to revoke a granted Access

to a Containers at any time.

REQ_05_03_10 The Authorization Provider shall ask the Resource Owner for the approval before

providing the authorization to the Accessing Party resulting in a granted Access.

REQ_05_03_11 Upon request the Offering Party shall present a Resource Owner’s granted Accesses

to the Resource Owner.

REQ_05_03_12 The Resource Owner shall be able to deny an Access request to a Resource, or if

Containers are used, to a Container at any time.

REQ_05_03_13 If the Ownership of a Resource or the relationship between the Resource Owner

and the Resource ends, Access to the corresponding Resources, and if Containers
are used, also to Containers, shall be revoked.

REQ_05_03_14 If Containers are used and if a Container is deleted, all Access granted to that Con-

tainer shall be revoked.
5.4 Resource Access

Using the Access, the Accessing Party can access the Resources, hosted by the Resource Provider.

Figure 4 — Access to Resources via the Resource Provider
© ISO 2019 – All rights reserved 5
---------------------- Page: 9 ----------------------
ISO 20078-3:2019(E)

REQ_05_04_01 The Resource Provider shall perform Access control to the Resources according to

the Authorization Policy.
5.5 Separation of duties

Separation of duties concerns the separation of tasks and responsibilities between entities involved in

the authentication, authorization and access to Resources.
Figure 5 — Separation of duties between involved roles

Figure 5 describe the separation of duties between involved roles, where the Offering Party has the

three roles: Identity Provider, Authorization Provider, and Resource Provider.

REQ_05_05_01 The Identity Provider shall not be dependent on the Authorization Policy.

REQ_05_05_02 The Identity Provider shall not influence the Authorization Policy.
REQ_05_05_03 The Identity Provider shall not access the Resources.

REQ_05_05_04 The Authorization Provider shall not access the Resource Owner Profile.

REQ_05_05_05 The Authorization Provider shall only use the unique Resource Owner ID to identify

the resource owner.

NOTE 1 The Resource Owner ID is generated and communicated by the trusted Identity Provider.

REQ_05_05_06 The Authorization Provider shall not have Access to Resources provided by the

Resource Provider.
6 © ISO 2019 – All rights reserved
---------------------- Page: 10 ----------------------
ISO 20078-3:2019(E)
REQ_05_05_07 The Resource Provider shall not access the Resource Owner Profile.

REQ_05_05_08 The Resource Provider shall not know details about the authorization process.

REQ_05_05_09 The Resource Provider trusts the Authorization Provider and shall verify whether the

provided authorization matches the Access control rules defined for the requested

Resources.

REQ_05_05_10 The Resource Owner shall not need to share credentials with the Accessing Party

to enable the Accessing Party to access the Resources.

REQ_05_05_11 The Accessing Party shall only access the Resources with the consent of the Re-

source Owner.

NOTE 2 The requirements stated above do not impose requirements on specific architecture, design or

organizational structure.

Figure 6 shows the major logical components of the involved roles and the associated entities:

Figure 6 — Involved roles and associated entities
5.6 Implementation Related Considerations

The physical implementation and assignment of roles to real parties differs from the logical

representation as shown in Figure 6, and follows the defined requirements as referenced by the

following figure.
© ISO 2019 – All rights reserved 7
---------------------- Page: 11 ----------------------
ISO 20078-3:2019(E)
Figure 7 — Logical representation of involved roles and their entities
in reference to the defined requirements

Additionally, actual implementation often depends on national legal requirements (e.g. handling of

Resource Owner Profile, implemented Resource Owner’s Verification Process etc.) and the required

trusted relationship between involved components especially Identity Provider, Authorization

Provider, and Resource Provider.

REQ_05_06_01 All communication paths between involved entities shall use secured connections.

REQ_05_06_02 The Identity Provider, Authorization Provider, and Resource Provider are responsible

for ensuring that only recent cipher suites are used.

NOTE Changes in the interface are communicated to Accessing Parties within a reasonable notice period.

If the Offering Party encounters an unreliable Accessing Party, the Offering Party can temporarily or

permanently revoke the Accessing Party’s access. This is done in order to protect the Resource Owners.

Examples of circumstances that could trigger this are: insecure smartphone applications, disabled

host verification, data breach of database, forbidden caching or storage of resource data, usage of

discouraged security algorithms.

REQ_05_06_03 It shall be possible to validate the authenticity and integrity of information provided

by the Identity Provider, Authorization Provider and Resource Provider.
REQ_05_06_04 To ensure the interoperability between i
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.