This working paper includes draft updates to ICAO Doc 9880 regarding the use of Compressed Certificates.
The working group is invited to review Amendment Proposal and consider approving the change to Doc 9880.
INTRODUCTION One of recommendations of the Honeywell Validation Report is to remove Compressed Certificates from Doc 9880.
discussion This AP proposes using the Spec 42 Certificate profile for the format and content of Compressed Certificates but PER encode them over the air-ground link.
The Honeywell Validation Report recommended removing compressed certificates. The rational for the recommendation is that certain constraints on ATN compressed certificates would prevent them from being generated by commercial Certificate Authorities. The key constraint is that Doc 9880 specifies that extension fields appear in a particular order, which is not an industry standard practice.
The Honeywell Validation Report also recommended that Doc 9880 be updated to use a mechanism in ACARS Message Security (AMS) whereby an aircraft only requests a ground certificate if it does not already have a valid certificate.
Section 4.3.2 of Doc 9880 specifies the format and allowed content in each field of an ATN Compressed Certificate.
126.96.36.199.1 Compressed ATN Certificates shall be Uncompressed ATN Certificates (reference 4.3.1) that are encoded using the basic aligned variant of the Packed Encoding Rules (PER) as specified in ISO/IEC 8825-2.
Remove the remaining sections of 4.3.2
ACTION BY the meeting The ACP WG-M is invited to:
Review the revisions to Doc 9880 identified by the AP in this Working Paper and provide comments and feedback regarding the proposed changes as described.
Because it results in bandwidth savings with PER encoded certificates, the FAA recommends acceptance of these changes and requests endorsement by the Working Group to update Doc 9880 as described in the AP.
With respect to the Honeywell recommendation for the aircraft to signal whether or not it already has a valid certificate, the FAA recommends that this be considered along with the proposal to implement ATN Security in a Secure Dialogue Service or as a separate AP.