Odette Trust Service


A typical TSL (Trust-service Status List) contains details of Security Certificate providers (aka Certificate Authorities or CAs) and their status. For the automotive industry, a positive identification is recommended and the Odette TSL will contain the names of the trustable CAs. It will be published and updated on the internet and can be easily accessed by enabled software systems. To ensure the integrity of the TSL, the list itself has to be signed with a digital signature of the institution creating and maintaining it, in this case Odette.

Business partners receiving Certificate information from other partners may now automatically check the trustworthiness of the issuing CA. All recommended parts of the trust system are based on international standards (namely ISO – International Standardisation Organisation, ETSI – European Telecommunication Standards Institution, IETF – Internet Engineering Task Force (RFCs) and ITU – International Telecommunication Union standards).

According to the various security levels required by different business processes, there can be several trust lists, each of them containing details of the issuing CAs complying with the policy requirements for a particular security level.

So far, two levels have been identified:

  1. Basic level – The issuing CA is an authenticated business entity and operates a Public Key Infrastructure (PKI).
  2. OFTP2 level – The issuing CA is listed in the Basic TSL (i.e. fulfils the basic requirements) and additionally complies with the OFTP2 Security Certificate Policy requirements.

The industry partners participating in the SCX project (OEMs, suppliers and solution providers) consider it absolutely crucial that the TSL and the related service are provided by a neutral body. They recommended Odette to be this trust guardian (or Trust Bridge) and to provide the service to the automotive community. This was fully endorsed by the Odette Board of Directors.

For operational and administrative purposes it was recommended that two bodies be established:

  1. SCX Administration – the body which is responsible for running and maintaining the service. The Odette Central Office will fulfil this role.
  2. SCX Committee – the body which deals with exception situations. These might occur, for example, where a CA is found to be no longer compliant with the security level. The SCX Committee will take decisions on necessary corrective actions on behalf of the Automotive community. The Committee will consist mainly of representatives of OEMs and suppliers.

The service is provided on an open basis. Any interested CA can apply to be listed on the Odette TSLs. Odette will carry out the necessary validation of the existence of the CA. Compliance with the security levels defined so far will be verified by self-assessment of the applying CA.

The establishment and maintenance of the service are provided for the benefit of the Odette members and the whole Automotive community.

With the provision of the Trust Service, Odette strengthens its position as an organisation of the Automotive Industry working for the Automotive Industry. Acting as a trust guardian, Odette provides an essential service to the community which is in line with Odette’s mission as a ‘business enabler’ for electronic data exchange in the European Automotive Industry.

Most importantly, the SCX recommendation and the resulting TSL facilitate the large-scale implementation and use of the new OFTP2 file transfer protocol for secure data transfer over the Internet (see separate article).

The Odette Trust Service will go live shortly.

If you want to know more or would like your company to be listed as a trusted CA, please contact: info@odette.org



© 2009 Odette International Ltd. All rights reserved.