Copyright © 2021 W3C® (MIT, ERCIM, Keio, Beihang). W3C liability, trademark and permissive document license rules apply.
The Vehicle Information Service Specification (VISS) is a service for accessing vehicle information, signals from sensors on control units within a vehicle's network. It exposes this information using a hierarchical tree like taxonomy defined in GENIVI Vehicle Signal Specification (VSS). The service provides this information in JSON format. The service may reside in the vehicle for applications needing to analyse a high volume of realtime data or on servers in the internet with information already brought off the vehicle.
This specification describes a second version of VISS which has been implemented and deployed on production vehicles. It adds major new capabilities and improvements to the earlier version. The first version of VISS only supported WebSocket as a transport protocol, the second version is generalized to work across different protocols as some are better suited for different use cases. HTTP is now supported with additional protocols used within the automotive industry being evaluated for inclusion. Subscription capabilities have been improved and access control has been added.
There are two parts to this specification, Core and Transport. This document, the VISS version 2 CORE specification, describes the VISSv2 messaging layer. The companion specifications for the VISSv2 transport protocols detail the mapping of the messaging layer to selected transports. The ontologies based on the VISSv2 core specification are defined in documents for each specific domain (e.g. navigation, media, vehicle data).
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.
This document was published by the Automotive Working Group as a First Public Working Draft. This document is intended to become a W3C Recommendation.
GitHub Issues are preferred for discussion of this specification.
Publication as a First Public Working Draft does not imply endorsement by the W3C Membership.
This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
This document is governed by the 15 September 2020 W3C Process Document.
This document describes the messaging API for VISS protocol. This includes the messaging layer and set of rules for structuring data. The separation between payload encoding (transport) and messaging API (core) improves adaptability. Extending and describing multiple transport protocols becomes possible.
The messages are exchanged between a server implementation holding the representation of data and a client using the data.
The VISSv2 messaging layer uses a RESTful design for all methods exchanged via the interface (§ 5. Interface).
The VISSv2 data structuring rules (VSS Rule set) are the same through all transport protocols. The basis for structuring data hold by a server is a tree.
As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.
The key words MAY, MUST, SHALL, and SHOULD in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
The acronym 'VISSv2' is used to refer to this document, the VISS version 2 specification. The acronym 'VSS' is used to refer to the 'Vehicle Signal Specification' which is hosted by the GENIVI Alliance. The term 'WebSocket' when used in this document, is as defined in the W3C WebSocket API and [RFC6455], the WebSocket Protocol.
The service is intended for use with a tree-like logical taxonomy to represent the vehicle data. An illustrative example of such a tree structure is shown in Figure 1. While it is meant to support conforming taxonomies it was created principally with the Vehicle Signal Specification (VSS) in mind. For more details, see the VSS documentation.
Addressing of elements is done using URIs as defined in [RFC3986].
scheme:authority/path?query
The scheme describes the protocol to use to reach the addressed element.
The authority describes where to reach the server holding and managing the data representation. Scheme and authority are defined within the protocol adaptation.
The path consists a sequence of VSS node names separated by a delimiter. VSS specifies the dot (.) as delimiter,
so that is the recommended choice also in this specification.
However, in HTTP URLs the conventional delimiter is slash (/), therefore this delimiter is also supported.
To exemplify this, the path expression from traversing the nodes Vehicle, Car, Engine, RPM can be "Vehicle.Car.Engine.RPM",
or "Vehicle/Car/Engine/RPM". A mix of delimiters in the same path expression SHOULD be avoided.
The path may contain the wildcard character (*) as a representative for one path segment.
It MUST not be combined with other characters to express the path segment, such as "Vehicle.C*". Multiple wildcards may be used in the same path, such as "Vehicle.Cabin.Door.*.*.IsOpen".
The query contains further information related to the request, see § 7. Filter Request.
This chapter describes the different methods and its arguments that govern the communication between a client and the server.
The transport protocols used to implement these methods MUST implement the Read and Update methods, and MAY implement the Subscribe, Unsubscribe, and Subscription methods.
Purpose: Get one or more values addressed by the given path.
The client MAY have to obtain an authorization token before being able to access the values. If the server is able to satisfy the request it MUST return a success response. If the server is unable to fulfil the request, then the server MUST return an error response.
Arguments, of which path is mandatory:
Success response:
Purpose: Provide altered value to the vehicle signal(s) addressed by the path
The client MAY have to obtain an authorization token before being able to update the vehicle signal(s). If the server is able to satisfy the request it MUST return a success response. If the server is unable to fulfil the request, then the server MUST return an error response.
Arguments, of which path and value are mandatory:
Success response:
Purpose: Get asynchronous messages containing the value(s) addressed by the path. The triggering rules for issuing the notification messages are set by the filter data.
The client MAY have to obtain an authorization token before being able to subscribe to the vehicle signal(s). The server MUST issue a notification if a trigger rule is fulfilled. If the server is able to satisfy the request it MUST return a success response. If the server is unable to fulfil the request, then the server MUST return an error response. If an error occurs during the subscription period, the server SHOULD return an error notification.
Arguments, of which path and filter are mandatory:
Success response:
Purpose: Termination of the subscription period started by a previous subscribe request.
If the server is able to satisfy the request it MUST return a success response, and it MUST stop issuing notifications associated to the subscription handle. If the server is unable to fulfil the request, then the server MUST return an error response.
Arguments, of which subscriptionId is mandatory:
Success response:
Purpose: Asynchronous client notification according to the subscribe request trigger rules.
The server MUST issue a notification message when a triggering rule associated with the subscription is met. If the server cannot fulfill the triggering rules it MUST issue an error notification and terminate the subscription.
Arguments:
The server MUST inform a client about errors ocurring in interactions between the two, whether it is in a synchronous error response to a request message, or an asynchronous error notification message.
The error information has three components - a number, a reason, and a message. The number MUST always be part of the error information, while the reason and message components MAY be a part of it.
Timestamps in transport payloads MUST conform to the ISO8601 standard, using the UTC format with a trailing Z.
Time resolution SHALL at least be seconds, with subsecond resolution as an optional degree of precision when desired.
The time and date format shall be as shown below, where the sub-second data and delimiter is optional.
YYYY-MM-DDTHH:MM:SS.ssssssZ
The exception to this is timestamps within tokens, which MUST conform to Unix time.
Transport protocols supported by this specification MUST make use of TLS as defined in [RFC5246].
The § 8. Access Control Model makes it possible to apply restrictions on the data access for clients that are granted access on the transport protocol level.
In addition to some privacy provisions within the specification itself, the W3C Automotive Working Group is creating an accompanying In-Vehicle Application Best Practices document to provide further considerations for handling of information. These Best Practices go beyond the narrow scope of this specification and addresses several of the concerns for the broader telematics ecosystems it is a part of. These practices include reducing ability to fingerprint an individual or vehicle from its data, providing data use consent, revokation, integrity and use audit accountability.
For some uses, such as when information is only referenced within the vehicle not sent off nor persisting between restarts, there should be little to no privacy concerns.
This specification, unlike its predecessor, has granular access control capabilities to limit what information an application may access. All information sent from a VISS service to client application must be transported over an encrypted protocol to help protect privacy.
For an application to be installed and permitted to run on a vehicle it should have consent from whoever is deemed authoritative for a given jurisdiction and ownership situation. That consent should be revocable. Consent and revoking it are outside the scope of this specification, we expect that to be handled out of band and in some cases by regulations and contractual commitments. Future version of this specification however may provide mechanism for enabling and suspending application authorization to access information.
Filtering is a mechanism to refine a client request, in order to more precisely control what is returned in a response. Filtering can be applied in read requests and in subscribe requests. A request where filtering is applied has the following structure
The paths filter operation is used when a single request is used to retrieve signal data from multiple data points in the VSS tree.
The vsspath shall point to the last node in the tree that is common for the relative paths in the filter op-value, that start off from this node.
If the end point of a path in the filter op-value is a branch, then all leaf nodes in the sub-tree below this branch are addressed.
A path in the filter op-value may contain the wildcard character (*) as a representative for a path segment.
Every path element in an op-value array must address at least one node in the tree, or else an error response is returned.
If the path in the filter op-value ends with one or more wildcards, then only the leaf nodes with path segments matching the number of wildcards are addressed.
Different elements of the op-value array may address the same node, in which case it is the responsibility of the server to resolve this to a singleton in the notifications.
If the op-value contains a single path then it shall not be enclosed with JSON array brackets.
The op-extra key-value pair is not used in paths filter operations.
Examples can be found in the TRANSPORT specification.
The server typically have access only to the latest, most fresh data point representing a signal.
However, it may for various reasons at least temporarily have access to also older data points.
A scenario where this could occur is when a vehicle temporarily loses its connectivity,
maybe because it enters into a tunnel. Assuming that the vehicle detects the loss of connectivity, it may then start to record data.
If recorded, this data may then be accessed using the history op-type.
The vehicle system makes its own decision whether to record any data, and for how long this data will be kept in storage.
The period goes from current time, excluding the current value, and backwards in time.
The number of data points in the response depends on the period size, and the sample frequency.
The latter can not be set by the client, so the client should have some understanding of its value to estimate the amount of data it may receive.
A request for historic data will return a Not found error if historic data is unavailable.
The period must conform to the [ISO8601] duration format, expressed with days, hour, minute, and second data, i. e. "op-value": "PdddDThhHmmMssS".
The number of days shall be less than 999. Only a single period can be expressed.
The op-extra key-value pair is not used in history filter operations.
Examples can be found in the TRANSPORT specification.
The capture filter operation is used when the client want to restrict the amount of data that will be returned. The op-extra key-value pair is used in capture filter operations, as described for the following capture types below.
Metadata requests are used when the client instead of the data associated to VSS node(s) wants to retrieve meta data associated to the VSS node(s).
Two categories of metadata are defined, "static-metadata" and "dynamic-metadata".
The former contains the metadata found in the VSS tree as specified on the VSS repo, while the latter contains metadata that is additional to the referred VSS specification.
The client selects which of the categories that is requested by setting the "op-value" to either "static" or "dynamic".
These requests are sometimes referred to as a signal discovery request.
The "dynamic-metadata" may change over time, which is not the case for the "static-metadata".
If the "op-extra" key value pair is not used, then all metadata that the server can retrieve for the respective category is returned,
while if it used then only the selected metadata as expressed in the "op-extra" is returned.
If the expression contains multiple metadata types, then they are concatenated with a plus sign (+) as delimiter.
For the set of static metadata key names, see the Vehicle Signal Specification.
The set of dynamic metadata keynames are found in the list below. If a corresponding value to a key name is not present, the key-value pair is omitted in the response.
The filtering operations may be used to address multiple tree nodes in one request. This may lead to specific issues in certain situations, as described below.
A request addressing multiple nodes may address both valid nodes, and invalid nodes. The latter case shall lead to a Not found error response message part that contains information about which node, or nodes, that are invalid. The error response shall not contain data from any of the validly addressed nodes.
A response may contain multiple values, due to either that multiple nodes are addressed, or to that multiple values for one signal is returned. These two reasons can be combined, leading to four different cases.
“data”:{“path”:”X”, “dp”:{“value”:”Y”, “ts”:”Z”}}
“data”:{“path”:”X”, “dp”: [{“value”:”Y1”, “ts”:”Z1”}, …, {“value”:”Yn”, “ts”:”Zn”}]}
“data”:[{“path”:”X1”, “dp”:{“value”:”Y1”, “ts”:”Z1”}}, …, {“path”:”Xm”, “dp”:{“value”:”Ym”, “ts”:”Zm”}}]
“data”:[{“path”:”X1”, “dp”:[{“value”:”Y11”, “ts”:”Z11”}, …, {“value”:”Y1n”, “ts”:”Z1n”}]}, …, {“path”:”Xm”, “dp”:[{“value”:”Ym1”, “ts”:”Zm1”}, …, {“value”:”Ymn”, “ts”:”Zmn”}]}]
In the case of a request for multiple values from multiple nodes, the datapoint for different paths may contain single or multiple objects,
as the vehicle system may not have multiple values recorded for all requested signals.
A subscription request must always contain a capture filter operation that describes the trigger event that leads to that the server dispatches an asynchronous notification message. For the capture types "range" or "change", the triggering is dependent on the signal value. When the request addresses multiple signals, the triggering condition shall only be evaluated on one of the signals, which is the first signal in the op-value array of paths. The first path in the array must therefore not contain wildcards to address multiple signals. In this case one of the path addresses in the wildcard expression must be selected as the first array element, which can then be followed by the wildcard expression. The duplicate reference to one signal that this leads to shall be resolved by the server to a singleton in the notifications.
Access control MUST be supported. However, in this chapter only the sections that describe the interactions between the client and the VISSv2 server are normative.
This section is non-normative.
The VISSv2 access control model is inspired by the concepts of OAuth2.0 [RFC6749], but some deviations exist as is described in the following chapters.
Four actors are defined:
Client
An application making protected and authorized resource requests on behalf of its user.
Access Grant server
The server issuing the Access Grant credential after successfully authenticating the client.
Access Token server
The server issuing the access token to the client after successfully validating the request and obtaining authorization.
VISSv2 server
The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
The abstract protocol flow illustrated in the figure below describes the interaction between the four actors.
This section is non-normative.
Two different flows are described. Which flow to use depends on the capabilities of the client.
If a client is able to run public key cryptographic primitives,
i.e. key pair generation and signatures, and has access to some kind of trusted execution environment where private keys are protected from the regular execution environment,
then it can use the long term flow. Clients that do not have access to these capabilities, or do not want to use them, must select the short term flow.
The advantage of using the long term flow is that the client can be trusted with longer expiry times of access grant tokens.
In the short term flow the client must due to a shorter expiry time contact the access grant server more often to obtain a new access grant token.
A client selects the type of flow by either submitting a public key in the access grant request, or not. The latter leading to an short term flow.
The request shall contain the first three parameters below, the last is optional:
Depending on the kind of proofs included in the request, the client and the server may need to run an interactive protocol to verify them. The protocol may involve also third parties, such as the ecosystem manager or the resource owner. The protocol is out of scope for this specification.
The response shall contain the parameter below:
An error response shall contain the parameter:
The request shall contain at least these two parameters below:
The access token server acts as a Policy Enforcement Point, making decisions on whether to grant access to the protected resource based on the provided access grant token and purpose.
A successful response shall contain the parameter:
This is a VISSv2 request including an access token as described in general in the § 5.1 Methods chapter, and for different transport protocols in the VISSv2 TRANSPORT document.
This is a VISSv2 response as described in general in the § 5.1 Methods chapter, and for different transport protocols in the VISSv2 TRANSPORT document. It does not differ from the response to an unprotected resource request.
This section is non-normative.
The client is an abstract representation of three sub-actors:
This section is non-normative.
The access arant server is in charge of producing access grant tokens to clients.
Depending on the capabilities of the client, the specification supports two types of access grant tokens: Short term and long term access grant tokens.
Long term access grant tokens, are supported for those clients able to run public key cryptographic primitives, i.e. key pair generation and signatures,
and is the recommended choice for clients with access to a trusted execution environment where private keys are protected from the regular execution environment.
The specification also supports short term access grant tokens that require no extra capabilities in the client,
but due to its shorter expiry time it forces the client to contact the access grant server more often before access token server requests for an access token.
The client request shall contain the following:
This section is non-normative.
The client shall after a successful interaction with the access grant server request an access token from the access token server.
The client request shall contain at least these two parameters below.
The VISSv2 server MUST support validation of access tokens. The functionality needed for this is decribed in this chapter. This includes validation of at least the following:
Validation | Read-only | Read-write |
---|---|---|
get set subscribe |
||
Ok | Ok | |
Nok | Ok | |
Ok | Ok |
The access token need to be refreshed periodically, which is controlled by the expiry time. If the access grant token that the client used to obtain the now expired access token is not expired,
then the client can revisit the access token server with this access grant token to obtain a new access token.
If the access grant token is expired, then the client must obtain a new access grant token first, before revisiting the access token server.
For client requests that are not granted due to access control, the VISSv2 server MUST return one of the error codes shown in the table below.
Error Number (Code) | Error Reason | Error Message |
---|---|---|
401 (Unauthorized) | missing_token | One or more of the requested signals are access controlled, an access token must be included in the request. |
406 (Not Acceptable) | invalid_token | A fresh access token must be obtained. |
406 (Not Acceptable) | insufficient_priviledges | The priviledges represented by the access token are not sufficient. |
This section is non-normative.
The resource owner is typically the owner and/or driver of the vehicle. If Consent is required for granting access to the protected resource,
then it should be directed to the resource owner. The process for this is out of scope for this specification.
This section is non-normative.
The Ecosystem manager is the entity responsible for the functionality of the access control system. This typically includes the management of the access grant server,
and the access token server, the Policy documents, and that there is a PKI domain for the other actors to utilize.
This section is non-normative.
The three client sub-actors must provide authentication credentials to the access grant server.
This may be certificates that the sub-actors have obtained from a Certificate Authority that is known by the access grant server.
The interactions related to this are out of scope.
This section is non-normative.
The short term access grant token shall have the following claims in header and payload.
{
"alg": "ES256",
"typ": "JWT"
},
{
"vin": "vehicle-id",
"iat": 1609452095,
"exp": 1609459199,
"clx": "user+app+dev",
"aud": "w3.org/VISSv2",
"jti": "5967e92e-40e8-5f39-892d-cc0da890db1d"
}
Algorithm (alg) shall be set to a valid RSA or ECDSA algorithms according to [RFC7518].
The long term access grant token shall have the following claims in header and payload.
{
"alg": "ES256",
"typ": "JWT"
},
{
"vin": "vehicle-id",
"iat": 1609452095,
"exp": 1609459199,
"clx": "user+app+dev",
"pub": client_pub_key,
"aud": "w3.org/VISSv2",
"jti": "5967e92e-40e8-5f39-892d-cc0da890db1d"
}
Algorithm (alg) shall be set to a valid RSA or ECDSA algorithms according to [RFC7518].
The Access token SHALL have the following claims in header and payload.
{
"alg": "HS256",
"typ": "JWT"
},
{
"iat": 1609452095,
"exp": 1609459199,
"scp": "PurposeX",
"clx": "user+app+dev",
"aud": "w3.org/VISSv2",
"jti": "5967e93f-40f9-5f39-893e-cc0da890db2e"
}
Algorithm (alg) shall be set to any valid algorithms according to [RFC7518].Long term access grant tokens need to be accompanied by a Proof of Possession (PoP) for the private key corresponding to the public key included in the access grant token. This requirement enables a longer validity for this kind of tokens, ranging from a few days to a even a year. By adding the PoP, we prevent an eavesdropper to reuse an access token request, impersonating the client. Without a PoP, the longer the validity of an access grant token, the higher the risk an attacker could intercept and reuse it. PoP for JWT are defined in [RFC7800], but in essence, a PoP enables the requester to proof to the server that it has access to a private key, without disclosing it. Traditionally that would require the server to create a random challenge, or nonce, and ask the client to sign it with its private key. Along with the public key, the server would be able to verify the PoP. This scheme would require an extra step in the protocols, where the client ask for the nonce.
In order to avoid this extra step, the client can generate the nonce itself. The server would need to check that nonces are not reused. Although logging previous nonces at the server side would work for small environments, we propose the use of an incremental nonce in the form of a timestamp. One of the drawbacks of this proposal is that the server has no means to check whether the PoP has been precomputed or not. However, this is irrelevant from the eavesdropper point of view.
In case freshness of the PoP was a critical requirement, we could use a public source of randomness to obtain the nonce, e.g. Leage of Entropy or Interoperable Randomness Beacons. That would provide the server a mean to check freshness of the PoP but on the other hand, it would require the client to access the public source of randomness every time it needs to create a PoP which is against the main design goals for the long term access grant token.
This section is non-normative.
The client actor is characterized by three subactors:
VISSv2 specifies the following minimum set of roles for users:
VISSv2 specifies the following minimum set of roles for applications:
VISSv2 specifies the following minimum set of roles for devices:
This section is non-normative.
The Policy documents are typically owned and created by the ecosystem manager. They need to be handled securely to protect their integrity.
The ecosystem manager shall securely provision them to the access token servers in the access control ecosystem.
A client shall provide a purpose as input to a request for an access token. A list of supported purposes needs to exist for a client to select from.
The ecosystem manager shall therefore provide means for clients to survey the list to find a purpose that fits its use case.
Each entry in the list contains a short description of the purpose, which is what the client shall provide as input to its request for an access token.
There is also a long purpose description, which may be used in the dialogue for consent, if needed. Then there is a list of the client context, i. e. the sub-actor role triplet,
that can be granted this access, and last there is a list of the signals that the client is given access to for this purpose,
with the allowed access mode. The list shall use a JSON format as shown in the example below.
{"purposes":
[{"short": "fuel-status",
"long": "Fuel level and remaining range.",
"contexts":[{"user":"Independent","app":["OEM", "Third party"], "device":"Cloud"}, {"user":"Owner", "app":"Third party", "device":"Nomadic"}, {"user":"Driver", "app":"OEM", "device":"Vehicle"}],
"signal_access":
[{"path": "Vehicle.Powertrain.EnergyStorage.FuelSystem.Level", "access_mode": "read-only"},
{"path": "Vehicle.Powertrain.EnergyStorage.FuelSystem.Range", "access_mode": "read-only"}]
},
{}]
}
The purpose list shall be securely provisioned to the access token server. The protocol for this is out-of-scope.
The access token server must reject all requests for access tokens if it is not in possession of a purpose list.
The scope list contains a list of the VSS tree nodes for which access shall be prohibited, per client context.
This prohibition is regardless of whether the client has a valid access token or not.
The scope list can also be used to limit the node metadata that is returned on a service discovery request.
Each entry in the list contains a list of paths to nodes that should be excluded, and a list of the client contexts, i. e. the sub-actor role triplet,
for which this exclusion should be made.
The scope list may contain an entry for a context with all three Roles set to "Undefined".
The no-access scope of this entry shall then be used for signal discovery requests where no token is included.
The list shall use a JSON format as shown in the example below.
{"scope":
[{"contexts":[ { "user":["Driver", "Passenger"], "app":"Third party", "device":"Vehicle"}, { } ],
"no_access":
["Vehicle.Drivetrain.Transmission.Speed",
"Vehicle.Cabin.Infotainment.Navigation.CurrentLocation.Latitude",
"Vehicle.Cabin.Infotainment.Navigation.CurrentLocation.Longitude"]
},
{}]
}
The scope list shall be securely provisioned to the access token server. The protocol for this is out-of-scope.
The access token server shall not restrict the scope for any client context if it is not in possession of a scope list.
This section is non-normative.
This chapter describes a complementary functionality to the access control model, the ability to apply it selectively to parts of the tree.
It can be used in cases where not all nodes of the tree are believed to require access control,
or read-only is sufficient instead of read-write access control for certain nodes.
This functionality requires that the access token specifies whether the access granted to the client to a signal is read-only, or read-write.
It also requires that the metadata for the node in the VSS tree contains data specifying whether the access control verification should be carried out only for write request,
or for both read and write requests.
The former requirement is realized as described in earlier chapters by that the access token scope claim links to a purpose
where the signals and their respective access mode are found.
The latter requirement is realized by adding to nodes in the VSS tree the key-value pair "validate":'access-control-mode',
where 'access-control-mode' is either the string "write-only", or "read-write".
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in:
Referenced in: