Service Specific Permissions and Security Guidelines for Connected Vehicle Applications
The SAE J2945/x series of standards defines a set of applications that, among other things,
use messages from the J2735 message set dictionary. Authenticity and integrity of the
communications for these applications are ensured using digital signatures and IEEE
1609.2 digital certificates, which also indicate the permissions of the senders using Provider
Service Identifiers (PSIDs) and Service Specific Permissions (SSPs). The PSID is associated
with an application specification that unambiguously describes how to build interoperable
instances of that application. The SSP defined in that application specification is the means
by which that application can express state-dependent permissions to engage in particular
subsets of the activities specified therein. For any given application in the J2945/x
collection, a complete application specification needs to include a specification of (a) what
a sender is permitted to do when their certificate has no SSP and (b) which fields (or which
field values, or combinations of fields) can be set by a sender only if they have a particular
SSP pattern in their certificate. This document describes SSP patterns for the J2945/x
application specifications that have been published to date. It also establishes principles that
could be used by future application specifiers to (a) specify the syntax of SSPs and (b)
determine which fields and activities should be subject to SSP constraints. It also addresses
the development of SSPs for applications that use regional extensions or for future
expansions of the base J2735 standard.
Rationale: For a specification of an application to be complete, if it uses IEEE 1609.2 certificates, the specification must include a complete and correct specification of Service Specific Permissions. IEEE 1609.2 itself does not provide guidance as to how SSPs should be structured. SAE J2945/2 provides a framework that is maximally flexible, but perhaps at the cost of being too heavyweight, and it was in any case developed with a specific eye on the needs of the J2945/2 applications. There is a need for guidance, both in terms of when an SSP is actually called for and in terms of how the SSP is formatted, to enable other teams working on J2945/x documents to do their work appropriately.
The document will be a standard in which the SSP patterns are normative and the guidance
to future application specifiers will be informative.
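
The two things an application specification has to pin down, (a) what a sender may do with no SSP and (b) which fields need a particular SSP pattern, can be pictured as a receiver-side consistency check. The sketch below is an added example, not taken from the SAE document or any J2945/x specification: the SSP layout (a version octet followed by a one-octet bitmap), the field names and the bit assignments are all hypothetical, and signature and certificate chain validation are assumed to have already succeeded.

```python
"""Receiver-side SSP check (illustrative; the SSP layout here is hypothetical)."""
from typing import List, Mapping, Optional

# Hypothetical SSP layout for one application: octet 0 = version, octet 1 = bitmap.
SSP_VERSION = 0x01
# Hypothetical field names and the bitmap bit each one requires (constructed).
FIELD_REQUIRES_BIT = {
    "emergencyLightsActive": 0x80,
    "signalPreemptRequest": 0x40,
}
# Fields any sender may set, even with no SSP in the certificate: case (a).
BASELINE_FIELDS = {"position", "speed", "heading"}


def granted_bits(ssp: Optional[bytes]) -> int:
    """Return the permission bitmap; an absent, short or unknown-version SSP grants nothing."""
    if ssp is None or len(ssp) < 2 or ssp[0] != SSP_VERSION:
        return 0
    return ssp[1]


def check_message(cert_psid: int, msg_psid: int, ssp: Optional[bytes],
                  fields: Mapping[str, object]) -> List[str]:
    """Return a list of violations; an empty list means the message is consistent."""
    if cert_psid != msg_psid:
        return [f"certificate PSID {cert_psid:#x} does not cover message PSID {msg_psid:#x}"]
    bits = granted_bits(ssp)
    violations = []
    for name in sorted(fields):
        if name in BASELINE_FIELDS:
            continue  # case (a): allowed without any SSP
        required = FIELD_REQUIRES_BIT.get(name)
        if required is None:
            # Fail closed on fields the (hypothetical) specification does not define.
            violations.append(f"{name}: not defined by the application specification")
        elif not bits & required:
            # Case (b): the field is present but the certificate lacks the SSP bit.
            violations.append(f"{name}: requires SSP bit {required:#04x}")
    return violations
```

An SSP with an unrecognised version octet is treated the same as no SSP, so the sender falls back to the baseline permissions instead of being granted bits the receiver cannot interpret.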