Regarding UDS (ISO 14229-1:2020), the new service Authentication (0x29) was added to increase the security of ECUs by using PKI certificates. Does this make the use of the SecurityAccess service (0x27) obsolete and not needed in ECUs anymore? Or must they both be present? Can't the Authentication service be used as the sole service that provides security? (I understand that Authentication uses a whitelisting approach and SecurityAccess uses a blacklisting approach.)

In addition, the Authentication service (0x29) has the feature of assigning user roles, and each has a set of access rights (i.e. which services this user role has access to). Are these access rights encoded within the ECU? Or are they part of the certificates that are being transmitted between the client (a.k.a. Tester) and the server (a.k.a. ECU)? So in other words, should the ECU supplier be informed of the user role state machine that decides which user gets what services so that they can encode it into the ECU?

Are there any recent GitHub implementations for the 0x29 service?

I have researched different resources (of course after going through the UDS ISO 14229-1:2020 document), including watching guides from VECTOR about these services. Since service 0x29 (Authentication) has only been around for a little over 2 years, it has not been widely used and published about. There were some conflicting statements between what is found in online forums and discussions and what is stated in the UDS standard document regarding how Authentication is implemented in an ECU, and whether or not the Security Access 0x27 service is needed if the Authentication service is already there.
