Parent Service Package: SU08

SU08.1: Security and Credentials Management Implementation

This 'implementation' is a holistic view of the SU08 service package, including all Physical Objects, Functional Objects, and Triples associated with the service package. It distinguishes between items that are fundamental to the service and items that are optional. Your specific implementation is likely to include the fundamental items and selected optional items, based on your specific project requirements.

Relevant Regions:

Enterprise

Operations and Maintenance Stage Roles and Relationships

Source | Destination | Role/Relationship
Cooperative ITS Credentials Management System Maintainer | Cooperative ITS Credentials Management System | Maintains
Cooperative ITS Credentials Management System Manager | Cooperative ITS Credentials Management System | Manages
Cooperative ITS Credentials Management System Manager | Credentials Management System Operator | System Usage Agreement
Cooperative ITS Credentials Management System Owner | Cooperative ITS Credentials Management System Maintainer | System Maintenance Agreement
Cooperative ITS Credentials Management System Owner | Cooperative ITS Credentials Management System Manager | Operations Agreement
Cooperative ITS Credentials Management System Owner | ITS Object Maintainer | Maintenance Data Exchange Agreement
Cooperative ITS Credentials Management System Owner | ITS Object Owner | Security Credentials License and Usage Agreement
Cooperative ITS Credentials Management System Owner | ITS Object User | Service Usage Agreement
Cooperative ITS Credentials Management System Owner | Other Credentials Management Systems Maintainer | Maintenance Data Exchange Agreement
Cooperative ITS Credentials Management System Owner | Other Credentials Management Systems Operator | Application Usage Agreement
Cooperative ITS Credentials Management System Owner | Other Credentials Management Systems Owner | Information Exchange Agreement
Cooperative ITS Credentials Management System Owner | Other Credentials Management Systems User | Service Usage Agreement
Cooperative ITS Credentials Management System Supplier | Cooperative ITS Credentials Management System Owner | Warranty
Credentials Management System Operator | Cooperative ITS Credentials Management System | Operates
Identifier Registry Maintainer | Identifier Registry | Maintains
Identifier Registry Manager | Identifier Registry | Manages
Identifier Registry Manager | Identifier Registry Operator | System Usage Agreement
Identifier Registry Operator | Identifier Registry | Operates
Identifier Registry Owner | Cooperative ITS Credentials Management System Maintainer | Maintenance Data Exchange Agreement
Identifier Registry Owner | Cooperative ITS Credentials Management System Owner | Information Provision Agreement
Identifier Registry Owner | Cooperative ITS Credentials Management System User | Service Usage Agreement
Identifier Registry Owner | Credentials Management System Operator | Application Usage Agreement
Identifier Registry Owner | Identifier Registry Maintainer | System Maintenance Agreement
Identifier Registry Owner | Identifier Registry Manager | Operations Agreement
Identifier Registry Supplier | Identifier Registry Owner | Warranty
ITS Object Maintainer | ITS Object | Maintains
ITS Object Manager | ITS Object | Manages
ITS Object Owner | Cooperative ITS Credentials Management System Maintainer | Maintenance Data Exchange Agreement
ITS Object Owner | Cooperative ITS Credentials Management System Owner | Expectation of Information Provision
ITS Object Owner | Cooperative ITS Credentials Management System User | Service Usage Agreement
ITS Object Owner | Credentials Management System Operator | Application Usage Agreement
ITS Object Owner | ITS Object Maintainer | System Maintenance Agreement
ITS Object Owner | ITS Object Manager | Operations Agreement
ITS Object Supplier | ITS Object Owner | Warranty
Other Credentials Management Systems Maintainer | Other Credentials Management Systems | Maintains
Other Credentials Management Systems Manager | Other Credentials Management Systems | Manages
Other Credentials Management Systems Manager | Other Credentials Management Systems Operator | System Usage Agreement
Other Credentials Management Systems Operator | Other Credentials Management Systems | Operates
Other Credentials Management Systems Owner | Cooperative ITS Credentials Management System Maintainer | Maintenance Data Exchange Agreement
Other Credentials Management Systems Owner | Cooperative ITS Credentials Management System Owner | Information Exchange Agreement
Other Credentials Management Systems Owner | Cooperative ITS Credentials Management System User | Service Usage Agreement
Other Credentials Management Systems Owner | Credentials Management System Operator | Application Usage Agreement
Other Credentials Management Systems Owner | Other Credentials Management Systems Maintainer | System Maintenance Agreement
Other Credentials Management Systems Owner | Other Credentials Management Systems Manager | Operations Agreement
Other Credentials Management Systems Supplier | Other Credentials Management Systems Owner | Warranty

Physical

[Physical diagram and legend (SVG/PNG): images not reproduced]

Includes Physical Objects:

Physical Object | Class | Description
Cooperative ITS Credentials Management System | Support | The 'Cooperative ITS Credentials Management System' (CCMS) is a high-level aggregate representation of the interconnected systems that enable trusted communications between mobile devices and other mobile devices, roadside devices, and centers and protect data they handle from unauthorized access. Representing the different interconnected systems that make up a Public Key Infrastructure (PKI), this physical object represents an end user view of the credentials management system with focus on the exchanges between the CCMS and user devices that support the secure distribution, use, and revocation of trust credentials.
Credentials Management System Operator | Support | The 'Credentials Management System Operator' represents the person or people that monitor and manage the Cooperative ITS Credentials Management System. These personnel monitor and manage the secure distribution, use, and revocation of trust credentials.
Identifier Registry | Support | The 'Identifier Registry' maintains identifiers that must be unique to facilitate interoperability in the connected vehicle environment.
ITS Object | ITS | The general 'ITS Object' includes core capabilities common to any class of object.
Other Credentials Management Systems | Support | Representing another Cooperative ITS Credentials Management System (CCMS), 'Other Credentials Management Systems' is intended to provide a source and destination for information exchange between peer credentials management systems. It supports modeling of projects or regions that include multiple interconnected CCMS that manage credentials distribution and management in the connected vehicle environment.

Includes Functional Objects:

Functional Object | Description | Physical Object
CCMS Authorization | 'CCMS Authorization' components provide authorization credentials (e.g., pseudonym certificates) to end entities. The end entity applies for and obtains authorization credentials, enabling the end entity to enter the "Operational" state. This function requires an interactive dialog, including at minimum a Certificate Request from the end entity desiring certificates. This request will be checked for validity, with the embedded enrollment certificate checked against an internal blacklist. If all checks are passed, this function will distribute a bundle of linked pseudonym certificates suitable for use by the requesting end entity, with the characteristics and usage rules of those certificates dependent on the operational policies of the CCMS. It also provides the secure provisioning of a given object's Decryption Key in response to an authorized request from that object. The retrieved Decryption Key will be used by the receiving object to decrypt the "next valid" batch within the set of previously retrieved Security Credential batches. | Cooperative ITS Credentials Management System
CCMS Misbehavior Reporting and Action | 'CCMS Misbehavior Reporting and Action' components process misbehavior reports from end entities. Misbehavior reports are analyzed and investigated if warranted. Investigated misbehavior reports are correlated with end entities and systemic issues are identified. If revocation is warranted, this component provides information to Authorization or Revocation components to initiate revocation and/or blacklisting, as appropriate. | Cooperative ITS Credentials Management System
CCMS Provisioning | 'CCMS Provisioning' components provide the end entity with material that allows it to enter the 'Unenrolled' state. This consists of root certificates and the crypto material that allows it to communicate securely with the Enrollment components. This function ensures the requesting entity meets requirements for provisioning and provides the certificates and relevant policy information to entities that meet the requirements. | Cooperative ITS Credentials Management System
CCMS Revocation | 'CCMS Revocation' components generate the internal blacklist and Certificate Revocation List (CRL) and distribute them to other CCMS components and end entities. Once placed on the CRL, an end entity is in the Unauthorized state. Once placed on the blacklist, an end entity is in the Unenrolled state. | Cooperative ITS Credentials Management System
ITS Management Support | 'ITS Management Support' provides management of the ITS Object. This includes management of regulatory information and policies, management of application processes, management of communication system configuration and update management, communications interfaces, protocol-specific techniques to ensure interoperability such as service advertisements, communications congestion management and interference management, local device states and communications information, billing management, fault management, service level and performance monitoring. | ITS Object
ITS Security Support | 'ITS Security Support' provides communications and system security functions to the ITS Object, including privacy protection functions. It may include firewall, intrusion management, authentication, authorization, profile management, identity management, cryptographic key management. It may include a hardware security module and security management information base. | ITS Object
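
The CCMS Authorization, CCMS Provisioning and CCMS Revocation descriptions above define an end-entity lifecycle: provisioning puts a device in 'Unenrolled', authorization moves it to 'Operational', a CRL entry makes it 'Unauthorized', and a blacklist entry drops it back to 'Unenrolled' and bars re-authorization. The Python model below is an added illustration of those rules, not ARC-IT's or any CCMS's code; it assumes an intermediate state named 'Enrolled', collapses the Authorization and Revocation components into one object, and uses constructed certificate identifiers.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    """Trust states; 'Enrolled' is assumed, the other three are named in the descriptions."""
    UNENROLLED = "Unenrolled"
    ENROLLED = "Enrolled"
    OPERATIONAL = "Operational"
    UNAUTHORIZED = "Unauthorized"


@dataclass
class CertRequest:
    enrollment_cert: str    # id of the enrollment certificate embedded in the request
    count: int              # number of pseudonym certificates requested
    signature_valid: bool   # request signature check, assumed done by the caller


@dataclass
class CCMS:
    """CCMS Authorization and CCMS Revocation components, collapsed into one object."""
    bundle_size: int = 20                        # operational policy value, constructed
    blacklist: set = field(default_factory=set)  # enrollment certs barred from authorization
    crl: set = field(default_factory=set)        # pseudonym certs whose trust is revoked
    issued: dict = field(default_factory=dict)   # enrollment cert -> linked pseudonym bundle
    _serial: int = 0

    def authorize(self, req):
        """Validate the Certificate Request, check the blacklist, issue a linked bundle."""
        if not req.signature_valid or req.count <= 0:
            return None, "invalid certificate request"
        if req.enrollment_cert in self.blacklist:
            return None, "enrollment certificate is blacklisted"
        bundle = []
        for _ in range(min(req.count, self.bundle_size)):
            self._serial += 1
            bundle.append(f"pseudo-{self._serial:06d}")  # constructed identifiers
        self.issued[req.enrollment_cert] = bundle
        return bundle, "ok"

    def revoke(self, enrollment_cert):
        """Place every pseudonym cert linked to the entity on the CRL (-> Unauthorized)."""
        self.crl.update(self.issued.get(enrollment_cert, []))

    def blacklist_entity(self, enrollment_cert):
        """Revoke and bar the enrollment cert from future authorization (-> Unenrolled)."""
        self.revoke(enrollment_cert)
        self.blacklist.add(enrollment_cert)

    def state_of(self, enrollment_cert):
        """Trust state as the CCMS sees it, applying the CRL and blacklist rules above."""
        if enrollment_cert in self.blacklist:
            return State.UNENROLLED
        bundle = self.issued.get(enrollment_cert)
        if bundle is None:
            return State.ENROLLED
        if any(cert in self.crl for cert in bundle):
            return State.UNAUTHORIZED
        return State.OPERATIONAL

    def accept_signature(self, pseudonym_cert):
        """Receiver-side rule: a message signed with a CRL-listed cert must be ignored."""
        return pseudonym_cert not in self.crl


def lifecycle_demo():
    """Walk one constructed end entity through the lifecycle; returns the states seen."""
    ccms = CCMS()
    ee = "enroll-cert-A1"                                   # constructed enrollment cert id
    trace = [ccms.state_of(ee)]                             # Enrolled: no bundle yet
    bundle, _ = ccms.authorize(CertRequest(ee, 5, True))    # Operational
    trace.append(ccms.state_of(ee))
    ccms.revoke(ee)                                         # Unauthorized
    trace.append(ccms.state_of(ee))
    ccms.blacklist_entity(ee)                               # Unenrolled
    trace.append(ccms.state_of(ee))
    _, refused = ccms.authorize(CertRequest(ee, 5, True))   # re-request is refused
    return [s.value for s in trace], bundle, refused
```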

Includes Information Flows:

Information Flow | Description
authorization coordination | Sharing of pseudonym certificate policies and end entity enrollments and revocations to support authorization of end entities that are enrolled with another trusted CCMS.
credentials management operator input | User input from the credentials management system operator including requests to monitor current system operation and inputs to affect system operation.
credentials management operator presentation | Presentation of information to the credentials management system operator including current operational status of the credentials management system.
misbehavior analysis coordination | Sharing of misbehavior policy, reports, and analysis results, including suspected and convicted end entities and other information that coordinates misbehavior detection, analysis, and resolution with another CCMS.
misbehavior report | Notification of potential security issues encountered in processing messages, including message authentication or integrity failures, plausibility failures, or other issues appropriate to the CCMS' misbehavior policies.
revocation coordination | Sharing of revocation policies, Certificate Revocation Lists (CRLs), internal blacklists, and other information that supports revocation process coordination with another CCMS.
security credential revocations | Certificate Revocation List; lists the certificates whose trust has been revoked by the CCMS.
security credentials | The material used by an end entity (vehicle, personal device, field device, center system, etc.) to ensure privacy, integrity and authenticability of its data transmissions. This includes certificates with associated public and private verifying/signing and decrypting/encrypting keys.
security policy and networking information | Security policy information describing the CCMS' enrollment, authorization, misbehavior and revocation policies, and communications information related to CCMS components, including contact information and public credentials of those components.
service identifiers | Identifiers assigned to particular services, and the context necessary to determine when and how to use these identifiers.

Goals and Objectives

Associated Planning Factors and Goals

Planning Factor | Goal

Associated Objective Categories

Objective Category

Associated Objectives and Performance Measures

Objective | Performance Measure

Since the mapping between objectives and service packages is not always straightforward and is often situation-dependent, these mappings should only be used as a starting point. Users should do their own analysis to identify the best service packages for their region.

Needs and Requirements

Need | Functional Object | Requirement

Related Sources

Document Name | Version | Publication Date
None


Security

In order to participate in this service package, each physical object should meet or exceed the following security levels.

Physical Object Security

Physical Object | Confidentiality | Integrity | Availability | Security Class
Cooperative ITS Credentials Management System | | | |
Identifier Registry | | | |
ITS Object | | | |
Other Credentials Management Systems | | | |



In order to participate in this service package, each information flow triple should meet or exceed the following security levels.

Information Flow Security

Each entry gives the source, destination and information flow, then the Confidentiality, Integrity and Availability level with its basis.

Cooperative ITS Credentials Management System -> Credentials Management System Operator: credentials management operator presentation
Confidentiality: Not Applicable. Basis: System core flows should have some protection from casual viewing, as otherwise impostors could gain illicit control over core equipment.
Integrity: High. Basis: Back-office operations flows should generally be correct and available as these are the primary interface between operators and system.
Availability: High. Basis: Back-office operations flows should generally be correct and available as these are the primary interface between operators and system.

Cooperative ITS Credentials Management System -> ITS Object: security credential revocations
Confidentiality: Low. Basis: Revocations should be available to all entities in the C-ITS environment. There may be a point where a third party may learn something they shouldn't by observing this flow, but such a use case has not been defined to date. Thus, LOW.
Integrity: High. Basis: Revocations must be correct, or one of two potentially disastrous scenarios could occur: an entity with important information becomes untrusted and receivers ignore messages with high potential impact, or an untrustworthy transmitter maintains its ability to be listened to, and receivers erroneously react to messages from what should be an untrustworthy source.
Availability: High. Basis: It is unlikely that revocations will be sent more than a few times per day. However, when they are provided the information needs to be delivered, or the receiving party may continue to trust entities that have been revoked and should not be trusted.

Cooperative ITS Credentials Management System -> ITS Object: security credentials
Confidentiality: High. Basis: Credentials need to be delivered to their intended target only. Interception and potential use by a third party compromises the C-ITS trust model.
Integrity: High. Basis: Credentials need to be correct and intact on delivery, or they will not be functional. Without functional credentials, the end entity cannot operate.
Availability: Moderate. Basis: Credentials will be granted as needed but generally not in real time; that is, an end entity will request credentials a significant time in advance of actually needing them. Thus, occasional downtime can be managed. For those entities accessing the Credentials Registry through wireless media only, the additional uncertainties introduced by those media reinforce MODERATE availability.

Cooperative ITS Credentials Management System -> ITS Object: security policy and networking information
Confidentiality: Low. Basis: Policy information is expected to be made generally available to all C-ITS devices. There is likely no harm in observation by actors outside of ITS; certificate policy, for example, is often openly published.
Integrity: High. Basis: Policy information must be correct, or end entities may make decisions that lead to them becoming untrusted, which, if occurring on a wide scale, would cripple the C-ITS environment.
Availability: High. Basis: Policy information distribution must occur prior to an end entity encountering a change in policy, for example at border crossings.

Cooperative ITS Credentials Management System -> Other Credentials Management Systems: authorization coordination
Confidentiality: High. Basis: Coordination of credentialing and revocation should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors and may gain understanding of the timings between revocation/granting at one authority vs. propagation to another, which may enable attacks.
Integrity: High. Basis: Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large part of the C-ITS environment.
Availability: High. Basis: Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large part of the C-ITS environment.

Cooperative ITS Credentials Management System -> Other Credentials Management Systems: misbehavior analysis coordination
Confidentiality: High. Basis: Coordination of misbehavior handling should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors related to misbehavior analysis and detection, and devise attacks to exploit that behavior.
Integrity: High. Basis: Coordination of misbehavior analysis needs to be correct at all times, or trust/lack-of-trust may not be correctly revoked. Depending on the scale of the integrity/availability failure, this could affect a small or large part of the C-ITS environment.
Availability: High. Basis: Coordination of misbehavior analysis needs to be correct at all times, or trust/lack-of-trust may not be correctly revoked. Depending on the scale of the integrity/availability failure, this could affect a small or large part of the C-ITS environment.

Cooperative ITS Credentials Management System -> Other Credentials Management Systems: revocation coordination
Confidentiality: High. Basis: Coordination of credentialing and revocation should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors and may gain understanding of the timings between revocation/granting at one authority vs. propagation to another, which may enable attacks.
Integrity: High. Basis: Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large part of the C-ITS environment.
Availability: High. Basis: Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large part of the C-ITS environment.

Credentials Management System Operator -> Cooperative ITS Credentials Management System: credentials management operator input
Confidentiality: Not Applicable. Basis: System core flows should have some protection from casual viewing, as otherwise impostors could gain illicit control over core equipment.
Integrity: High. Basis: Back-office operations flows should generally be correct and available as these are the primary interface between operators and system.
Availability: High. Basis: Back-office operations flows should generally be correct and available as these are the primary interface between operators and system.

Identifier Registry -> Cooperative ITS Credentials Management System: service identifiers
Confidentiality: Low. Basis: Likely openly published information.
Integrity: High. Basis: Identifiers are used with associated permissions to determine who/what can perform various activities. A compromise in this information would significantly compromise all of C-ITS that was affected.
Availability: Low. Basis: Identifiers are expected to be updated infrequently, thus requiring only intermittent connectivity to the CCMS.

ITS Object -> Cooperative ITS Credentials Management System: misbehavior report
Confidentiality: Moderate. Basis: Misbehavior reports will contain some kind of identification, in many cases pseudonyms, but at some point in the life cycle linkable to a device and device owner. Even if a pseudonym is the reference, the contents of the report should not be openly readable, as if compromised they could be used to further abuse the target, such as by spamming other (false) misbehavior reports, or by simply not trusting that party when the actual trust anchor has made no such determination.
Integrity: Moderate. Basis: Misbehavior reports provide the basic data for misbehavior analysis, the purpose of which is the removal of misbehaving or malfunctioning actors from the C-ITS environment. So naturally the misbehavior report must be correct. This is not HIGH because, presumably, multiple reports must be received regarding the same actor in order to process a revocation.
Availability: Low. Basis: Successful revocation depends on receipt of accurate and timely misbehavior reports. Reports from center-based objects are more likely to be given greater weight and, due to the structure of the system, are also likely to be less frequent. This makes center-based reports more dependent on availability, so center-based reports receive MODERATE availability, while those from more frequently generating field sources (RSEs, OBEs, PIDs, etc.) receive LOW availability.

Other Credentials Management Systems -> Cooperative ITS Credentials Management System: authorization coordination
Confidentiality: High. Basis: Coordination of credentialing and revocation should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors and may gain understanding of the timings between revocation/granting at one authority vs. propagation to another, which may enable attacks.
Integrity: High. Basis: Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large part of the C-ITS environment.
Availability: High. Basis: Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large part of the C-ITS environment.

Other Credentials Management Systems -> Cooperative ITS Credentials Management System: misbehavior analysis coordination
Confidentiality: High. Basis: Coordination of misbehavior handling should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors related to misbehavior analysis and detection, and devise attacks to exploit that behavior.
Integrity: High. Basis: Coordination of misbehavior analysis needs to be correct at all times, or trust/lack-of-trust may not be correctly revoked. Depending on the scale of the integrity/availability failure, this could affect a small or large part of the C-ITS environment.
Availability: High. Basis: Coordination of misbehavior analysis needs to be correct at all times, or trust/lack-of-trust may not be correctly revoked. Depending on the scale of the integrity/availability failure, this could affect a small or large part of the C-ITS environment.

Other Credentials Management Systems -> Cooperative ITS Credentials Management System: revocation coordination
Confidentiality: High. Basis: Coordination of credentialing and revocation should be maintained between the trust authorities and no one else. Outside observers may learn CCMS behaviors and may gain understanding of the timings between revocation/granting at one authority vs. propagation to another, which may enable attacks.
Integrity: High. Basis: Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large part of the C-ITS environment.
Availability: High. Basis: Coordination of credentialing and revocation needs to be correct at all times, or trust/lack-of-trust may not be correctly propagated and end entities improperly served. Depending on the scale of the integrity/availability failure, this could affect a small or large part of the C-ITS environment.

Standards

The following table lists the standards associated with physical objects in this service package. For standards related to interfaces, see the specific information flow triple pages. These pages can be accessed directly from the SVG diagram(s) located on the Physical tab, by clicking on each information flow line on the diagram.

Name | Title | Physical Object
FIPS 140-2 | Security Requirements for Cryptographic Modules | ITS Object
ISO 21217 Architecture | Intelligent transport systems -- Communications access for land mobiles (CALM) -- Architecture | ITS Object

System Requirements

No System Requirements