-
Notifications
You must be signed in to change notification settings - Fork 6
/
draft-ietf-anima-brski-prm.txt
6328 lines (4334 loc) · 255 KB
/
draft-ietf-anima-brski-prm.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
ANIMA WG S. Fries
Internet-Draft T. Werner
Intended status: Standards Track Siemens
Expires: 22 June 2025 E. Lear
Cisco Systems
M. Richardson
Sandelman Software Works
19 December 2024
BRSKI with Pledge in Responder Mode (BRSKI-PRM)
draft-ietf-anima-brski-prm-15
Abstract
This document defines enhancements to Bootstrapping a Remote Secure
Key Infrastructure (BRSKI, RFC8995) to enable bootstrapping in
domains featuring no or only limited connectivity between a pledge
and the domain registrar. It specifically changes the interaction
model from a pledge-initiated mode, as used in BRSKI, to a pledge-
responding mode, where the pledge is in server role. For this, BRSKI
with Pledge in Responder Mode (BRSKI-PRM) introduces new endpoints
for the Domain Registrar and pledge, and a new component, the
Registrar-Agent, which facilitates the communication between pledge
and registrar during the bootstrapping phase. To establish the trust
relation between pledge and registrar, BRSKI-PRM relies on object
security rather than transport security. The approach defined here
is agnostic to the enrollment protocol that connects the domain
registrar to the Key Infrastructure (e.g., domain CA).
About This Document
This note is to be removed before publishing as an RFC.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-ietf-anima-brski-prm/.
Source for this draft and an issue tracker can be found at
https://github.com/anima-wg/anima-brski-prm.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Fries, et al. Expires 22 June 2025 [Page 1]
Internet-Draft BRSKI-PRM December 2024
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 22 June 2025.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
3. Scope of Solution . . . . . . . . . . . . . . . . . . . . . . 8
3.1. Supported Environments and Use Case Examples . . . . . . 8
3.1.1. Building Automation . . . . . . . . . . . . . . . . . 8
3.1.2. Infrastructure Isolation Policy . . . . . . . . . . . 9
3.1.3. Less Operational Security in the Target-Domain . . . 9
3.2. Limitations . . . . . . . . . . . . . . . . . . . . . . . 9
4. Requirements Discussion and Mapping to Solution-Elements . . 9
5. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 11
5.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 11
5.2. Nomadic Connectivity . . . . . . . . . . . . . . . . . . 15
5.3. Co-located Registrar-Agent and Domain Registrar . . . . . 17
5.4. Agent Proximity Assertion . . . . . . . . . . . . . . . . 18
6. System Components . . . . . . . . . . . . . . . . . . . . . . 18
6.1. Registrar-Agent . . . . . . . . . . . . . . . . . . . . . 19
6.1.1. Discovery of the Registrar . . . . . . . . . . . . . 20
6.1.2. Discovery of the Pledge . . . . . . . . . . . . . . . 21
6.2. Pledge in Responder Mode . . . . . . . . . . . . . . . . 22
6.2.1. Pledge with Combined Functionality . . . . . . . . . 24
Fries, et al. Expires 22 June 2025 [Page 2]
Internet-Draft BRSKI-PRM December 2024
6.3. Domain Registrar . . . . . . . . . . . . . . . . . . . . 24
6.3.1. Domain Registrar with Combined Functionality . . . . 25
6.4. MASA . . . . . . . . . . . . . . . . . . . . . . . . . . 26
7. Exchanges and Artifacts . . . . . . . . . . . . . . . . . . . 26
7.1. Trigger Pledge Voucher-Request . . . . . . . . . . . . . 30
7.1.1. Request Artifact: Pledge Voucher-Request Trigger
(tPVR) . . . . . . . . . . . . . . . . . . . . . . . 32
7.1.2. Response Artifact: Pledge Voucher-Request (PVR) . . . 35
7.2. Trigger Pledge Enroll-Request . . . . . . . . . . . . . . 36
7.2.1. Request Artifact: Pledge Enroll-Request Trigger
(tPER) . . . . . . . . . . . . . . . . . . . . . . . 38
7.2.2. Response Artifact: Pledge Enroll-Request (PER) . . . 39
7.3. Supply PVR to Registrar (including MASA interaction) . . 41
7.3.1. MASA Interaction . . . . . . . . . . . . . . . . . . 44
7.3.2. Supply Voucher to Registrar-Agent . . . . . . . . . . 46
7.3.3. Request Artifact: Pledge Voucher-Request (PVR) . . . 47
7.3.4. Backend Request Artifact: Registrar Voucher-Request
(RVR) . . . . . . . . . . . . . . . . . . . . . . . . 47
7.3.5. Backend Response Artifact: Voucher . . . . . . . . . 49
7.3.6. Response Artifact: Registrar-Countersigned Voucher . 50
7.4. Supply PER to Registrar (including Key Infrastructure
interaction) . . . . . . . . . . . . . . . . . . . . . . 51
7.4.1. Request Artifact: Pledge Enroll-Request (PER) . . . . 54
7.4.2. Response Artifact: Registrar Enroll-Response
(Enroll-Resp) . . . . . . . . . . . . . . . . . . . . 54
7.5. Obtain CA Certificates . . . . . . . . . . . . . . . . . 54
7.5.1. Request (no artifact) . . . . . . . . . . . . . . . . 55
7.5.2. Response Artifact: CA-Certificates (caCerts) . . . . 56
7.6. Supply Voucher to Pledge . . . . . . . . . . . . . . . . 58
7.6.1. Request Artifact: Registrar-Countersigned Voucher . . 60
7.6.2. Response Artifact: Voucher Status (vStatus) . . . . . 60
7.7. Supply CA Certificates to Pledge . . . . . . . . . . . . 63
7.7.1. Request Artifact: CA-Certificates (caCerts) . . . . . 64
7.7.2. Response (no artifact) . . . . . . . . . . . . . . . 64
7.8. Supply Enroll-Response to Pledge . . . . . . . . . . . . 64
7.8.1. Request Artifact: Enroll-Response (Enroll-Resp) . . . 65
7.8.2. Response Artifact: Enroll Status (eStatus) . . . . . 66
7.9. Voucher Status Telemetry (including MASA interaction) . . 68
7.9.1. Request Artifact: Voucher Status (vStatus) . . . . . 69
7.9.2. Response (no artifact) . . . . . . . . . . . . . . . 69
7.10. Enroll Status Telemetry . . . . . . . . . . . . . . . . . 69
7.10.1. Request Artifact: Enroll Status (eStatus) . . . . . 71
7.10.2. Response (no artifact) . . . . . . . . . . . . . . . 71
7.11. Query Pledge Status . . . . . . . . . . . . . . . . . . . 71
7.11.1. Request Artifact: Status Trigger (tStatus) . . . . . 72
7.11.2. Response Artifact: Pledge Status (pStatus) . . . . . 75
8. Logging Considerations . . . . . . . . . . . . . . . . . . . 79
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 80
Fries, et al. Expires 22 June 2025 [Page 3]
Internet-Draft BRSKI-PRM December 2024
9.1. BRSKI .well-known Registry . . . . . . . . . . . . . . . 80
9.2. DNS Service Names . . . . . . . . . . . . . . . . . . . . 81
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 81
11. Security Considerations . . . . . . . . . . . . . . . . . . . 82
11.1. Denial of Service (DoS) Attack on Pledge . . . . . . . . 83
11.2. Misuse of acquired PVR and PER by Registrar-Agent . . . 83
11.3. Misuse of Registrar-Agent Credentials . . . . . . . . . 84
11.4. Misuse of DNS-SD with mDNS to obtain list of pledges . . 84
11.5. YANG Module Security Considerations . . . . . . . . . . 85
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 85
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 85
13.1. Normative References . . . . . . . . . . . . . . . . . . 85
13.2. Informative References . . . . . . . . . . . . . . . . . 87
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 90
A.1. Example Pledge Voucher-Request (PVR) - from Pledge to
Registrar-Agent . . . . . . . . . . . . . . . . . . . . . 90
A.2. Example Parboiled Registrar Voucher-Request (RVR) - from
Registrar to MASA . . . . . . . . . . . . . . . . . . . . 92
A.3. Example Voucher - from MASA to Pledge, via Registrar and
Registrar-Agent . . . . . . . . . . . . . . . . . . . . . 95
A.4. Example Voucher, MASA issued Voucher with additional
Registrar signature (from MASA to Pledge, via Registrar and
Registrar-Agent) . . . . . . . . . . . . . . . . . . . . 96
Appendix B. HTTP-over-TLS operations between Registrar-Agent and
Pledge . . . . . . . . . . . . . . . . . . . . . . . . . 97
Appendix C. History of Changes [RFC Editor: please delete] . . . 98
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 112
1. Introduction
BRSKI as defined in [RFC8995] specifies a solution for secure zero-
touch (automated) bootstrapping of devices (pledges) in a customer
domain, which may be associated with a specific installation
location. This includes the discovery of the BRSKI registrar in the
customer domain and the exchange of security information necessary to
establish trust between a pledge and the domain.
Security information about the customer domain, specifically the
customer domain certificate, are exchanged and authenticated
utilizing signed data objects, the voucher artifacts as defined in
[RFC8995]. In response to a voucher-request, the Manufacturer
Authorized Signing Authority (MASA) issues the voucher and provides
it via the domain registrar to the pledge.
[I-D.ietf-anima-rfc8366bis] specifies the format of the voucher
artifacts, including the voucher-request artifact.
Fries, et al. Expires 22 June 2025 [Page 4]
Internet-Draft BRSKI-PRM December 2024
For the certificate enrollment of devices, BRSKI relies on EST
[RFC7030] to request and distribute customer domain specific device
certificates. EST in turn relies for the authentication and
authorization of the certification request on the credentials used by
the underlying TLS between the EST client and the EST server.
BRSKI addresses scenarios in which the pledge initiates the
bootstrapping acting as client (referred to as initiator mode by this
document). BRSKI with Pledge in Responder Mode (BRSKI-PRM) defined
in this document allows the pledge to act as server, so that it can
be triggered externally and at a specific time to generate
bootstrapping requests in the customer domain. For this approach,
this document:
* defines additional endpoints for the domain registrar and new
endpoints for the pledge to enable responder mode.
* introduces the Registrar-Agent as new component to facilitate the
communication between the pledge and the domain registrar. The
Registrar-Agent may be implemented as an integrated functionality
of a commissioning tool or be co-located with the domain registrar
itself. BRSKI-PRM supports the identification of the Registrar-
Agent that was performing the bootstrapping allowing for
accountability of the pledges installation, when the Registrar-
Agent is a component used by an installer and not co-located with
the domain registrar.
* specifies additional artifacts for the exchanges between a pledge
acting as server, the Registrar-Agent acting as client, and the
domain registrar acting as server toward the Registrar-Agent.
* allows the application of Registrar-Agent credentials to establish
TLS connections to the domain registrar; these are different from
the pledge IDevID credentials.
* also enables the usage of alternative transports, both IP-based
and non-IP, between the pledge and the domain registrar via the
Registrar-Agent; security is addressed at the application layer
through object security with an additional signature wrapping the
exchanged artifacts.
The term endpoint used in the context of this document is equivalent
to resource in HTTP [RFC9110] and CoAP [RFC7252]; it is not used to
describe a device. Endpoints are accessible via Well-Known URIs
[RFC8615].
Fries, et al. Expires 22 June 2025 [Page 5]
Internet-Draft BRSKI-PRM December 2024
To utilize EST [RFC7030] for enrollment, the domain registrar
performs pre-processing of the wrapping signature before actually
using EST as defined in [RFC7030].
There may be pledges that can support both modes, initiator and
responder mode. In these cases BRSKI-PRM can be combined with BRSKI
as defined in [RFC8995] or BRSKI-AE [I-D.ietf-anima-brski-ae] to
allow for more bootstrapping flexibility.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document relies on the terminology defined in Section 1.2 of
[RFC8995]. The following terms are defined in addition:
authenticated self-contained object: Describes a data object, which
is cryptographically bound to the end entity (EE) certificate.
The binding is assumed to be provided through a digital signature
of the actual object using the corresponding private key of the
certificate.
CA: Certification Authority, issues certificates.
Commissioning tool: Tool to interact with devices to provide
configuration data.
CSR: Certificate Signing Request.
EE: End entity, as defined in [RFC9483]. Typically a device or
service that owns a public-private key pair for which it manages a
public key certificate.
EE certificate: the certificate of the EE signed by its owner (e.g.,
CA). For domain components, the EE certificate is signed by the
domain owner. For the pledge, the EE certificate is either the
IDevID certificate signed by the manufacturer or the LDevID
certificate signed by the domain owner or an application-specific
EE certificate signed by the domain owner.
endpoint: Term equivalent to resource in HTTP [RFC9110] and CoAP
[RFC7252]. Endpoints are accessible via Well-Known URIs
[RFC8615].
Fries, et al. Expires 22 June 2025 [Page 6]
Internet-Draft BRSKI-PRM December 2024
IDevID: An Initial Device Identifier X.509 certificate installed by
the vendor on new equipment. This is a term from 802.1AR
[IEEE-802.1AR].
LDevID: A Local Device Identifier X.509 certificate installed by the
owner of the equipment. This is a term from 802.1AR
[IEEE-802.1AR].
mTLS: mutual Transport Layer Security.
PER: Pledge Enroll-Request is a signature-wrapped CSR, signed by the
pledge that requests enrollment to a domain via the Registrar-
Agent.
POI: Proof-of-Identity, as defined in [RFC5272].
POP: Proof-of-Possession (of a private key), as defined in
[RFC5272].
PVR: Pledge Voucher-Request is a signature-wrapped voucher-request,
signed by the pledge that sends it to the domain registrar via the
Registrar-Agent.
RA: Registration Authority, an optional system component to which a
CA delegates certificate management functions such as
authorization checks. In BRSKI-PRM, this is a functionality of
the domain registrar, as in BRSKI [RFC8995].
RVR: Registrar Voucher-Request is a signature-wrapped voucher-
request, signed by the domain registrar that sends it to the MASA.
For BRSKI-PRM, it contains a copy of the original PVR received
from the pledge.
This document uses the following encoding notations in the given JWS-
signed artifact examples:
BASE64(OCTETS): Denotes the base64 encoding of an octet sequence
using the character set defined in Section 4 of [RFC4648] and
without the inclusion of any line breaks, whitespace, or other
additional characters. Note that the base64 encoding of the empty
octet sequence is the empty string.
BASE64URL(OCTETS): Denotes the base64url encoding of an octet
sequence, per Section 2 of [RFC7515].
UTF8(STRING): Denotes the octet sequence of the UTF-8 [RFC3629]
representation of STRING, per Section 1 of [RFC7515].
Fries, et al. Expires 22 June 2025 [Page 7]
Internet-Draft BRSKI-PRM December 2024
This document includes many examples that would contain many long
sequences of base64-encoded objects with no content directly
comprehensible to a human reader. In order to keep those examples
short, they use the token base64encodedvalue== as a placeholder for
base64 data. The full base64 data is included in the appendices of
this document.
3. Scope of Solution
3.1. Supported Environments and Use Case Examples
BRSKI-PRM is applicable to scenarios where pledges may have no direct
connection to the domain registrar, may have no continuous
connection, or require coordination of the pledge requests to be
provided to a domain registrar.
This can be motivated by pledges deployed in environments not yet
connected to the operational customer domain network, e.g., at a
building construction site, or environments intentionally
disconnected from the Internet, e.g., critical industrial facilities.
Another example is the assembly of electrical cabinets, which are
prepared in advance before the installation at a customer domain.
3.1.1. Building Automation
In building automation a typical use case exists where a detached
building or the basement is equipped with sensors, actuators, and
controllers, but with only limited or no connection to the central
building management system. This limited connectivity may exist
during installation time or also during operation time.
During the installation, for instance, a service technician collects
the device-specific information from the basement network and
provides them to the central building management system. This could
be done using a laptop, common mobile device, or dedicated
commissioning tool to transport the information. The service
technician may successively collect device-specific information in
different parts of the building before connecting to the domain
registrar for bulk bootstrapping.
A domain registrar may be part of the central building management
system and already be operational in the installation network. The
central building management system can then provide operational
parameters for the specific devices in the basement or other detached
areas. These operational parameters may comprise values and settings
required in the operational phase of the sensors/actuators, among
them a certificate issued by the operator to authenticate against
other components and services. These operational parameters are then
Fries, et al. Expires 22 June 2025 [Page 8]
Internet-Draft BRSKI-PRM December 2024
provided to the devices in the basement facilitated by the service
technician's laptop. The Registrar-Agent, defined in this document,
may be run on the technician's laptop to interact with pledges.
3.1.2. Infrastructure Isolation Policy
This refers to any case in which the network infrastructure is
normally isolated from the Internet as a matter of policy, most
likely for security reasons. In such a case, limited access to a
domain registrar may be allowed in carefully controlled short periods
of time, for example when a batch of new devices are deployed, but
prohibited at other times.
3.1.3. Less Operational Security in the Target-Domain
The registration authority (RA) performing the authorization of a
certificate request is a critical PKI component and therefore
requires higher operational security than other components utilizing
the issued certificates. CAs may also require higher security in the
registration procedures. There may be situations in which the
customer domain does not offer enough physical security to operate an
RA/CA and therefore this service is transferred to a backend that
offers a higher level of operational security.
3.2. Limitations
The mechanism described in this document presumes the ability of the
pledge and the Registrar-Agent to communicate with one another. This
may not be possible in constrained environments where, in particular,
power must be conserved. In these situations, it is anticipated that
the transceiver will be powered down most of the time. This presents
a rendezvous problem: the pledge is unavailable for certain periods
of time, and the Registrar-Agent is similarly presumed to be
unavailable for certain periods of time. To overcome this situation,
the pledges may need to be powered on, either manually or by sending
a trigger signal.
4. Requirements Discussion and Mapping to Solution-Elements
Based on the intended target environment described in Section 3.1,
the following requirements are derived to support bootstrapping of
pledges in responder mode (acting as server):
* To facilitate the communication between a pledge in responder mode
and the registrar, additional functionality is needed either on
the registrar or as a stand-alone component. This new
functionality is defined as Registrar-Agent and acts as an agent
of the registrar to trigger the pledge to generate requests for
Fries, et al. Expires 22 June 2025 [Page 9]
Internet-Draft BRSKI-PRM December 2024
voucher and enrollment. These requests are then provided by the
Registrar-Agent to the registrar. This requires the definition of
pledge endpoints to allow interaction with the Registrar-Agent.
* The security of communication between the Registrar-Agent and the
pledge must not rely on Transport Layer Security (TLS) to enable
application of BRSKI-PRM in environments, in which the
communication between the Registrar-Agent and the pledge is done
over other technologies like BTLE or NFC, which may not support
TLS protected communication. In addition, the pledge does not
have a certificate that can easily be verified by [RFC9525]
methods.
* The use of authenticated self-contained objects addresses both,
the TLS challenges and the technology stack challenge.
* By contrast, the Registrar-Agent can be authenticated by the
registrar as a component, acting on behalf of the registrar. In
addition the registrar must be able to verify, which Registrar-
Agent was in direct contact with the pledge.
* It would be inaccurate for the voucher-request and voucher-
response to use the assertion type proximity in the voucher, as
the pledge was not in direct contact with the registrar for
bootstrapping. Therefore, a new assertion type is necessary for
distinguishing assertions the MASA can state.
At least the following properties are required for the voucher and
enrollment processing:
* POI: provides data-origin authentication of an artifact, e.g., a
voucher-request or an Enroll-Request, utilizing an existing
IDevID. Certificate updates may utilize the certificate that is
to be updated.
* POP: proves that an entity possesses and controls the private key
corresponding to the public key contained in the certification
request, typically by adding a signature computed using the
private key to the certification request.
Solution examples based on existing technology are provided with the
focus on existing IETF RFCs:
* Voucher-Requests and Vouchers as used in [RFC8995] already provide
both, POP and POI, through a digital signature to protect the
integrity of the voucher, while the corresponding signing
certificate contains the identity of the signer.
Fries, et al. Expires 22 June 2025 [Page 10]
Internet-Draft BRSKI-PRM December 2024
* Enroll-Requests are data structures containing the information
from a requester for a CA to create a certificate. The
certification request format in BRSKI is PKCS#10 [RFC2986]. In
PKCS#10, the structure is signed to ensure integrity protection
and POP of the private key of the requester that corresponds to
the contained public key. In the application examples, this POP
alone is not sufficient. A POI is also required for the
certification request and therefore the certification request
needs to be additionally bound to the existing pledge IDevID
credential. This binding supports the authorization decision for
the certification request and may be provided directly with the
certification request. While BRSKI uses the binding to TLS,
BRSKI-PRM aims at an additional signature of the PKCS#10 using
existing credentials on the pledge (IDevID). This allows the
process to be independent of the selected transport.
5. Architecture
5.1. Overview
For BRSKI with Pledge in Responder Mode (BRSKI-PRM), the base system
architecture defined in BRSKI [RFC8995] is enhanced to facilitate new
use cases in which the pledge acts as server. The responder mode
allows delegated bootstrapping using a Registrar-Agent instead of a
direct connection between the pledge and the domain registrar.
Necessary enhancements to support authenticated self-contained
objects for certificate enrollment are kept at a minimum to enable
reuse of already defined architecture elements and interactions. The
format of the bootstrapping objects produced or consumed by the
pledge is usually based on JSON Web Signature (JWS) [RFC7515] and
further specified in Section 7 to address the requirements stated in
Section 4 above. In constrained environments, it may be based on
COSE [RFC9052].
An abstract overview of the BRSKI-PRM protocol can be found on slide
8 of [BRSKI-PRM-abstract].
To support mutual trust establishment between the domain registrar
and pledges not directly connected to the customer domain, this
document specifies the exchange of authenticated self-contained
objects with the help of the Registrar-Agent.
This leads to extensions of the logical components in the BRSKI
architecture as shown in Figure 1.
Fries, et al. Expires 22 June 2025 [Page 11]
Internet-Draft BRSKI-PRM December 2024
Note that the Join Proxy is not shown in the figure. In certain
situations the Join Proxy may still be present and could be used by
the Registrar-Agent to connect to the Registrar. For example, a
Registrar-Agent application on a smartphone often can connect to
local Wi-Fi without giving up their cellular network connection
[androidnsd], but only can make link-local connections.
The Registrar-Agent interacts with the pledge to transfer the
required data objects for bootstrapping, which are then also
exchanged between the Registrar-Agent and the domain registrar. The
addition of the Registrar-Agent influences the sequences of the data
exchange between the pledge and the domain registrar described in
[RFC8995]. To enable reuse of BRSKI defined functionality as much as
possible, BRSKI-PRM:
* uses existing endpoints where the required functionality is
provided.
* enhances existing endpoints with new supported media types, e.g.,
for JWS voucher.
* defines new endpoints where additional functionality is required,
e.g., for wrapped certification request, wrapped CA certificates,
and new status information.
Fries, et al. Expires 22 June 2025 [Page 12]
Internet-Draft BRSKI-PRM December 2024
+---------------------------+
..... Drop Ship .....| Vendor Services |
: +---------------+-----------+
: | M anufacturer | |
: | A uthorized | Ownership |
: | S igning | Tracker |
: | A uthority | |
: +---------------+-----------+
: ^
: | BRSKI-
: | MASA
: ...............................|.........
V . v .
+--------+ . +------------+ +-----------+ .
| | . | | | | .
| Pledge | BRSKI- | Registrar- | BRSKI- | Domain | .
| | PRM | Agent | PRM | Registrar | .
| |<------>| |<------>| | .
| | . | EE cert. | | EE cert. | .
| | . +------------+ +-----+-----+ .
| IDevID | . | .
| | . +------------------+-----+ .
+--------+ . | Key Infrastructure | .
. | (e.g., PKI CA) | .
. +------------------------+ .
.........................................
Customer Domain
Figure 1: BRSKI-PRM architecture overview using Registrar-Agent
Figure 1 shows the relations between the following main components:
* Pledge: Is expected to respond with the necessary data objects for
bootstrapping to the Registrar-Agent. The protocol used between
the pledge and the Registrar-Agent is assumed to be HTTP(S) in the
context of this document. Any other protocol can be used as long
as it supports the exchange of the necessary artifacts. This
includes CoAP or protocols to be used over Bluetooth or NFC
connections. A pledge acting as server leads to the following
differences compared to BRSKI [RFC8995]:
- The pledge no longer initiates bootstrapping, but is discovered
and triggered by the Registrar-Agent as defined in
Section 6.1.2.
- The pledge offers additional endpoints as defined in
Section 6.2, so that the Registrar-Agent can request data
required for bootstrapping the pledge.
Fries, et al. Expires 22 June 2025 [Page 13]
Internet-Draft BRSKI-PRM December 2024
- The pledge includes additional data in the PVR, which is
provided and signed by the Registrar-Agent as defined in
Section 7.1. This allows the registrar to identify with which
Registrar-Agent the pledge was in contact (see Section 5.4).
- The artifacts exchanged between the pledge and the registrar
via the Registrar-Agent are authenticated self-contained
objects (i.e., signature-wrapped artifacts).
* Registrar-Agent: Is a new component defined in Section 6.1 that
provides a store and forward communication path to exchange data
objects between the pledge and the domain registrar. This is for
situations in which the domain registrar is not directly reachable
by the pledge, which may be due to a different technology stacks
or due to missing connectivity. A Registrar-Agent acting as
client leads to the following new aspects:
- The order of exchanges in the BRSKI-PRM call flow is different
from that in BRSKI [RFC8995], as the Registrar-Agent can
trigger one or more pledges and collects the PVR and PER
artifacts simultaneously as defined in Section 7. This enables
bulk bootstrapping of several devices.
- There is no trust assumption between the pledge and the
Registrar-Agent as only authenticated self-contained objects
are used, which are transported via the Registrar-Agent and
provided either by the pledge or the domain registrar.
- The trust assumption between the Registrar-Agent and the domain
registrar may be based on EE certificates that are both signed
by the domain owner.
- The Registrar-Agent may be realized as stand-alone component
supporting nomadic activities of a service technician moving
between different installation sites.
- Alternatively, the Registrar-Agent may also be realized as co-
located functionality for a registrar, to support pledges in
responder mode.
* Join Proxy (not shown): Has the same functionality as described in
[RFC8995] if needed. Note that a Registrar-Agent may use a join
proxy to facilitate the TLS connection to the registrar in the
same way that a BRSKI pledge would use a join proxy. This is
useful in cases where the Registrar-Agent does not have full IP
connectivity via the domain network or cases where it has no other
means to locate the registrar on the network.
Fries, et al. Expires 22 June 2025 [Page 14]
Internet-Draft BRSKI-PRM December 2024
* Domain registrar: In general fulfills the same functionality
regarding the bootstrapping of the pledge in a customer domain by
facilitating the communication of the pledge with the MASA service
and the domain key infrastructure (PKI). However, there are also
differences compared to BRSKI [RFC8995]:
- A BRSKI-PRM domain registrar does not interact with a pledge
directly, but through the Registrar-Agent as defined in
Section 7.
- A BRSKI-PRM domain registrar offers additional endpoints as
defined in Section 6.3 to support the signature-wrapped
artifacts used by BRSKI-PRM.
* Vendor services: Encompass MASA and Ownership Tracker and are used
as defined in [RFC8995]. A MASA responsible for pledges that
implement BRSKI-PRM is expected to support BRSKI-PRM extensions:
- The default format for voucher artifacts (incl. voucher-
request) is JWS-signed JSON as defined in
[I-D.ietf-anima-jws-voucher].
- The Agent Proximity Assertion (see Section 5.4) requires
additional validation steps as defined in Section 7.3.1.
5.2. Nomadic Connectivity
In one example instance of the PRM architecture as shown in Figure 2,
there is no connectivity between the location in which the pledge is
installed and the location of the domain registrar. This is often
the case in the aforementioned building automation use case
(Section 3.1.1).
Fries, et al. Expires 22 June 2025 [Page 15]
Internet-Draft BRSKI-PRM December 2024
+---------------------------+
..... Drop Ship .....| Vendor Services |
: +---------------------------+
: ^
........................................ |
. v . |
. +--------+ .-.-.-.-.-.-.-. . |
. | | : Registrar- : . |
. | Pledge |<--------->: Agent : . |
. +--------+ L2 or L3 :-.-.-.-.-.-.-: . |
. connectivity ^ . |
..........................!............. |
Pledge Installation ! |
Location ! Nomadic |
! connectivity |
! |
...........!...................|.........
. v v .
. .-.-.-.-.-.-.-. +-----------+ .
. : Registrar- : | Domain | .
. : Agent :<----->| Registrar | .
. :-.-.-.-.-.-.-: +-----+-----+ .
. | .
. +------------------+-----+ .
. | Key Infrastructure | .
. | (e.g., PKI CA) | .
. +------------------------+ .
.........................................
Customer Domain
Figure 2: Registrar-Agent nomadic connectivity example
PRM enables support of this case through nomadic connectivity of the
Registrar-Agent. To perform enrollment in this setup, multiple round
trips of the Registrar-Agent between the pledge installation location
and the domain registrar are required.
1. Connectivity to domain registrar: preparation tasks for pledge
bootstrapping not part of the BRSKI-PRM protocol definition, like
retrieval of list of pledges to enroll.
2. Connectivity to pledge installation location: retrieve
information about available pledges (IDevID), collect request
objects (i.e., Pledge Voucher-Requests and Pledge Enroll-Requests
using the BRSKI-PRM approach described in Section 7.1 and
Section 7.2).
Fries, et al. Expires 22 June 2025 [Page 16]
Internet-Draft BRSKI-PRM December 2024
3. Connectivity to domain registrar, submit collected request
information of pledges, retrieve response objects (i.e., Voucher
and Enroll-Response) using the BRSKI-PRM approach described in
Section 7.3 and Section 7.4.
4. Connectivity to pledge installation location, provide retrieved
objects to the pledges to enroll pledges and collect status using
the BRSKI-PRM approach described in Section 7.6, Section 7.7, and
Section 7.8.
5. Connectivity to domain registrar, submit Voucher Status and
Enrollment Status using the BRSKI-PRM approach described in
Section 7.9 and Section 7.10.
Variations of this setup include cases where the Registrar-Agent uses
for example WiFi to connect to the pledge installation network, and
mobile network connectivity to connect to the domain registrar. Both
connections may also be possible in a single location at the same
time, based on installation building conditions.
5.3. Co-located Registrar-Agent and Domain Registrar
Compared to [RFC8995] BRSKI, pledges supporting BRSKI-PRM can be
completely passive and only need to react when being requested to
react by a Registrar-Agent. In [RFC8995], pledges instead need to
continuously request enrollment from a domain registrar, which may
result in undesirable communications pattern and possible overload of
a domain registrar.
+---------------------------+
..... Drop Ship .....| Vendor Service |
: +---------------------------+
: ^
: |
: ...............................|.........
: . v .
v . +-------------------------+ .
+--------+ . |.............. | .
| | . |. Registrar- . Domain | .
| Pledge |<------------->|. Agent . Registrar | .
+--------+ L2 or L3 |.............. | .
connectivity +-------------------+-----+ .
. | .
. +------------------+-----+ .
. | Key Infrastructure | .
. +------------------------+ .
.........................................
Customer Domain
Fries, et al. Expires 22 June 2025 [Page 17]
Internet-Draft BRSKI-PRM December 2024
Figure 3: Registrar-Agent integrated into Domain Registrar example
The benefits of BRSKI-PRM can be achieved even without the
operational complexity of standalone Registrar-Agents by integrating
the necessary functionality of the Registrar-Agent as a module into
the domain registrar as shown in Figure 3 so that it can support the
BRSKI-PRM communications to the pledge.
5.4. Agent Proximity Assertion
"Agent proximity" is a statement in the PVR and the voucher that the
registrar communicates via the Registrar-Agent as defined in
Section 7 and not directly to the pledge. It is therefore a
different assertion than "network proximity", which is defined in
Section 3 of [RFC8995]. Hence, [I-D.ietf-anima-rfc8366bis] defines
the additional assertion type agent-proximity. This assertion type
can be verified by the registrar and MASA during BRSKI-PRM voucher-
request processing.
In BRSKI, the pledge verifies POP of the registrar end-entity (EE)
credentials via the TLS handshake and pins that public key as the
proximity-registrar-cert into the voucher request. This allows the
MASA to verify the proximity of the pledge and registrar,
facilitating a decision to assign the pledge to that domain owner.
In BRSKI, the TLS session is considered provisional until the pledge
receives the voucher to verify POI.
In contrast, in BRSKI-PRM the pledge has no direct connection to the
registrar and MUST accept the supplied registrar EE certificate
provisionally until it receives the voucher as described in
Section 7.6 to verify both POP and POI. The provisional registrar EE
certificate is used for the object security along the authenticated
self-contained objects that in BRSKI-PRM replace the direct TLS
connection to the registrar available in BRSKI [RFC8995]. See also
Section 5 of [RFC8995] on "provisional state".
For the Agent Proximity Assertion, the Registrar-Agent EE certificate
and registrar EE certificate must be signed by the same domain owner,
i.e., MUST possess a common domain trust anchor in their certificate
chain. Akin to the Network Proximity Assertion in BRSKI [RFC8995],
the Agent Proximity Assertion provides pledge proximity evidence to
the MASA. But additionally, the Agent Proximity Assertion allows the
domain registrar to be sure that the PVR supplied by the Registrar-
Agent was in fact collected by the Registrar-Agent to which the