
Conformity assessments play a huge role in the EU PKI and trust service ecosystem. That is no wonder: if an organization is to act as a trusted party, it has to prove that somehow, and the easiest way to do so is to have its solutions and services audited against specific legislation, standards, etc. Microsec is constantly audited; we have annual conformity assessments against the requirements of ISO 9001, ISO 27001, the eIDAS regulation (augmented with several ETSI norms and specifications, such as ETSI EN 319 401, EN 319 411-x, EN 319 412-x etc.), not to mention the browser vendors’ requirements (i.e., CA/Browser Forum documents, such as the Baseline Requirements, the EV SSL Guidelines and other root store policies) and the site visits of the national supervisory body. However, there are cases where even these are not enough. For specific “non-trust service” solutions, Microsec orders additional audits. This was the case, for example, with our e-signature SDK solution, e-Szignó, which has been audited against ISO 15408 (CC), and most recently, with the Microsec Cooperative Intelligent Transportation System Credential Management System (CCMS) Vehicle-to-Everything (V2X) PKI service.
V2X essentially means the communication between a vehicle and its surroundings (be those road-side units or other vehicles) in order to ease road traffic and increase its security. Although trust is essential in the context of vehicular communication as well, V2X PKI itself is not a trust service, so it is out of scope for eIDAS audits. What can be used as its conformity assessment basis then? Well, that depends on the region. There are three common V2X PKI-specific standard sets: one in the US, one in China and one in the EU. As Microsec is an EU QTSP and a member of ETSI, we chose to audit the solution against the requirements of the EU C-ITS Certificate Policy, also an EU draft delegated act, so the audit scope consisted of the following documents:
The above standards contain provisions in an RFC 3647-like structure about almost all aspects of a corresponding service; these include requirements on physical security, certificate life cycles, technical security, authentication and many more aspects. The audit went smoothly and followed the planned schedule, so on 3rd December we received the official certificate, which is valid until the end of 2023.
Currently, it is very probable that Microsec is the only CCMS V2X PKI provider that has an audit against these requirements, and one of the first providers that ever had one – the only previously audited service that we know of is Volkswagen’s. If you would like to know more about our service, contact our experts at: info@v2x-pki.com or visit the service’s website at https://v2x-pki.com.
© 2023 Microsec Ltd. | Company registration number: 01-10-047218 | Tax number: 23584497-2-41