v0.8.9
- Canonical pubkey registry now multi-curve — Brainpool P-256r1 and P-384r1 accepted for initial enrolment and admin registration.
v0.8.8
- Brainpool curve CHOICE tag now preserved through EC and AT request parsing — enrolment with brainpool-p256r1 and brainpool-p384r1 works.
- keyTag HMAC uses correct CHOICE tag for Brainpool keys — AT request no longer rejected on tag mismatch.
- New debug endpoint POST /v221/ec-request-decode — decrypts and parses EC request, returns JSON with CHOICE tags.
v0.8.7
- SCMS decoder now rejects wire that is not a valid ScmsPdu, preventing silent false-positive decodes.
v0.8.6
- TLM Link Certificate endpoint exposed; serves the link blob when rotation occurs.
v0.8.5
- EaEntry now populates the ITS-Station access URL in its proper slot.
v0.8.4
- Content-type and version mismatches now return encrypted responses with proper codes.
- Client requests with privileged fields rejected.
/capabilitiesdocuments authorization modes.
v0.8.3
- Request handlers reject out-of-window
generationTime(default ±5 min). - EC request idempotency cache: identical bodies return the same EC.
- Delta ECTL endpoint
/getdeltaectl/{hid8}/{seq}.
v0.8.2
/getectlnow servesapplication/octet-streamper CPOC profile.
v0.8.1
- AT and EC fall back to a sensible default validity when the client omits it.
- TLM cert also served at
/gettlmcertificate(no HID8) for blind bootstrap.
v0.8.0
- Wire decoder hardened: signed envelopes, ECIES, AT path.
v0.7.12
- AT proof-of-possession now validated by signature alone; removed brittle byte-exact hash recompute.
v0.7.11
- ECIES decoder accepts all curve-point CHOICE variants (compressed and uncompressed) for the ephemeral key.
- AT response codes propagate the actual validation cause instead of a generic "not the recipient".
v0.7.10
- Signed envelope decoder now accepts external-payload form (used by the AT proof-of-possession).
v0.7.9
- AT request: ecSignature now routed to the EA validator instead of being decrypted at the AA.
v0.7.8
- AT keyTag HMAC input is now the OER-encoded public keys instead of raw bytes.
v0.7.7
- AT response codes aligned with spec enumeration (fix 500 on error paths).
v0.7.6
- PKI signed envelopes now use the correct PSID; previous default was a different service.
v0.7.5
- EC outer signed verified against registered canonical pubkey;
/admin/registeraccepts pubkey. - AT request accepts both simple and outer-PoP variants.
v0.7.4
- EnrolmentRequest: outer signed envelope now verified.
v0.7.3
- JRC L0 profile aliases:
/gettlmcertificate/{hid8}and/getectl/{hid8}withapplication/octet-stream.
v0.7.2
- ECIES p1 (KDF input) aligned with spec:
p1 = SHA-256(recipient certificate).
v0.7.1
- RCA-CTL EA/AA/DC access points now use the configured public base URL.
v0.7.0
- RCA, TLM, EA, AA and MA CertificateIDs aligned with CPOC Protocol Release 3.2 §I.3.2.2 naming format.
- certIssuePermissions emit explicit
bitmapSspRangeper service (CPOC §I.3.7–3.8) instead ofsspRange.all. - AT pool, AA and RCA certIssue extended with PSID 1619 (POIM, TS 103 916) and PSID 145 (MCM, provisional placeholder).
v0.6.0
- Delta CRL endpoint, sequence-based incremental (TS 102 941).
v0.5.0
- Misbehaviour Report envelope parsed end-to-end (TS 103 759).
- Reporter AT pseudonym extracted and recorded; PSID checked against MR Service (1618).
v0.4.0
- AT validity capped at one week for Itss_WithPrivacy (C-ITS CP v3.0).
v0.3.1
- Implicit certificate reconstruction (TS 103 097 v2.1.1 §6 · ECQV).
v0.3.0
- Canonical ITS-AID registry per ETSI TS 102 965 v2.2.1.
- Curve-aware digest dispatch per TS 103 097.
v0.1.x
Initial public launch
- TLM separated from Root CA; ECTL signed by TLM.
- Misbehaviour Authority factory per TS 103 759.
- Multi-curve: NIST P-256, Brainpool P-256r1, Brainpool P-384r1.
- Wire: TS 102 941 Annex C OER · ECIES per IEEE 1609.2, strict.
- Bidirectional secured interop against an independent V2X stack.
What's next
- Misbehaviour report ASR payload decoded (AsrCam / AsrDenm).
- Butterfly key authorization, wire-strict (TS 102 941 v2.2.1).
- Multi-RCA ECTL federation (TLM bridging external CAs).