-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathconstrained-voucher-14.txt
3976 lines (2698 loc) · 145 KB
/
constrained-voucher-14.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
anima Working Group M. Richardson
Internet-Draft Sandelman Software Works
Updates: 8366, 8995 (if approved) P. van der Stok
Intended status: Standards Track vanderstok consultancy
Expires: 28 April 2022 P. Kampanakis
Cisco Systems
E. Dijk
IoTconsultancy.nl
25 October 2021
Constrained Bootstrapping Remote Secure Key Infrastructure (BRSKI)
draft-ietf-anima-constrained-voucher-14
Abstract
This document defines a protocol to securely assign a Pledge to an
owner and to enroll it into the owner's network. The protocol uses
an artifact that is signed by the Pledge's manufacturer. This
artifact is known as a "voucher".
This document builds upon the work in [RFC8366] and [BRSKI], but
defines an encoding of the voucher in CBOR rather than JSON, and
enables the Pledge to perform its transactions using CoAP rather than
HTTPS.
The use of Raw Public Keys instead of X.509 certificates for security
operations is also explained.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 28 April 2022.
Richardson, et al. Expires 28 April 2022 [Page 1]
Internet-Draft Constrained BRSKI October 2021
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Requirements Language . . . . . . . . . . . . . . . . . . . . 5
4. Overview of Protocol . . . . . . . . . . . . . . . . . . . . 6
5. Updates to RFC8366 and RFC8995 . . . . . . . . . . . . . . . 7
6. BRSKI-EST Protocol . . . . . . . . . . . . . . . . . . . . . 7
6.1. Registrar and the Server Name Indicator (SNI) . . . . . . 8
6.2. TLS Client Certificates: IDevID authentication . . . . . 9
6.3. Discovery, URIs and Content Formats . . . . . . . . . . . 9
6.3.1. RFC8995 Telemetry Returns . . . . . . . . . . . . . . 12
6.4. Join Proxy options . . . . . . . . . . . . . . . . . . . 12
6.5. Extensions to BRSKI . . . . . . . . . . . . . . . . . . . 12
6.5.1. Discovery . . . . . . . . . . . . . . . . . . . . . . 12
6.5.2. CoAP responses . . . . . . . . . . . . . . . . . . . 13
6.6. Extensions to EST-coaps . . . . . . . . . . . . . . . . . 13
6.6.1. Pledge Extensions . . . . . . . . . . . . . . . . . . 14
6.6.2. EST-client Extensions . . . . . . . . . . . . . . . . 15
6.6.3. Registrar Extensions . . . . . . . . . . . . . . . . 17
6.7. DTLS handshake fragmentation Considerations . . . . . . . 18
7. BRSKI-MASA Protocol . . . . . . . . . . . . . . . . . . . . . 18
7.1. Protocol and Formats . . . . . . . . . . . . . . . . . . 18
7.2. Registrar Voucher Request . . . . . . . . . . . . . . . . 19
7.3. MASA and the Server Name Indicator (SNI) . . . . . . . . 19
7.3.1. Registrar Certificate Requirement . . . . . . . . . . 20
8. Pinning in Voucher Artifacts . . . . . . . . . . . . . . . . 20
8.1. Registrar Identity Selection and Encoding . . . . . . . . 20
8.2. MASA Pinning Policy . . . . . . . . . . . . . . . . . . . 22
8.3. Pinning of Raw Public Keys . . . . . . . . . . . . . . . 23
8.4. Considerations for use of IDevID-Issuer . . . . . . . . . 24
9. Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . 25
9.1. Voucher Request artifact . . . . . . . . . . . . . . . . 25
9.1.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . 25
Richardson, et al. Expires 28 April 2022 [Page 2]
Internet-Draft Constrained BRSKI October 2021
9.1.2. SID values . . . . . . . . . . . . . . . . . . . . . 26
9.1.3. YANG Module . . . . . . . . . . . . . . . . . . . . . 27
9.1.4. Example voucher request artifact . . . . . . . . . . 31
9.2. Voucher artifact . . . . . . . . . . . . . . . . . . . . 32
9.2.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . 32
9.2.2. SID values . . . . . . . . . . . . . . . . . . . . . 32
9.2.3. YANG Module . . . . . . . . . . . . . . . . . . . . . 33
9.2.4. Example voucher artifacts . . . . . . . . . . . . . . 36
9.3. Signing voucher and voucher-request artifacts with
COSE . . . . . . . . . . . . . . . . . . . . . . . . . . 37
10. Deployment specific Discovery Considerations . . . . . . . . 38
10.1. 6TSCH Deployments . . . . . . . . . . . . . . . . . . . 39
10.2. Generic networks using GRASP . . . . . . . . . . . . . . 39
10.3. Generic networks using mDNS . . . . . . . . . . . . . . 39
10.4. Thread networks using Mesh Link Establishment (MLE) . . 39
10.5. Non-mesh networks using CoAP Discovery . . . . . . . . . 39
11. Design Considerations . . . . . . . . . . . . . . . . . . . . 39
12. Raw Public Key Use Considerations . . . . . . . . . . . . . . 40
12.1. The Registrar Trust Anchor . . . . . . . . . . . . . . . 40
12.2. The Pledge Voucher Request . . . . . . . . . . . . . . . 40
12.3. The Voucher Response . . . . . . . . . . . . . . . . . . 40
13. Security Considerations . . . . . . . . . . . . . . . . . . . 41
13.1. Duplicate serial-numbers . . . . . . . . . . . . . . . . 41
13.2. IDevID security in Pledge . . . . . . . . . . . . . . . 42
13.3. Security of CoAP and UDP protocols . . . . . . . . . . . 42
13.4. Registrar Certificate may be self-signed . . . . . . . . 42
14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42
14.1. Resource Type Registry . . . . . . . . . . . . . . . . . 42
14.2. The IETF XML Registry . . . . . . . . . . . . . . . . . 43
14.3. The YANG Module Names Registry . . . . . . . . . . . . . 43
14.4. The RFC SID range assignment sub-registry . . . . . . . 43
14.5. Media Types Registry . . . . . . . . . . . . . . . . . . 44
14.5.1. application/voucher-cose+cbor . . . . . . . . . . . 44
14.6. CoAP Content-Format Registry . . . . . . . . . . . . . . 44
15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 45
16. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 45
17. References . . . . . . . . . . . . . . . . . . . . . . . . . 45
17.1. Normative References . . . . . . . . . . . . . . . . . . 45
17.2. Informative References . . . . . . . . . . . . . . . . . 49
Appendix A. Library support for BRSKI . . . . . . . . . . . . . 51
A.1. OpensSSL . . . . . . . . . . . . . . . . . . . . . . . . 51
A.2. mbedTLS . . . . . . . . . . . . . . . . . . . . . . . . . 52
A.3. wolfSSL . . . . . . . . . . . . . . . . . . . . . . . . . 53
Appendix B. Constrained BRSKI-EST messages . . . . . . . . . . . 53
B.1. enrollstatus . . . . . . . . . . . . . . . . . . . . . . 53
B.2. voucher_status . . . . . . . . . . . . . . . . . . . . . 54
Appendix C. COSE examples . . . . . . . . . . . . . . . . . . . 54
C.1. Pledge, Registrar and MASA keys . . . . . . . . . . . . . 58
Richardson, et al. Expires 28 April 2022 [Page 3]
Internet-Draft Constrained BRSKI October 2021
C.1.1. Pledge private key . . . . . . . . . . . . . . . . . 58
C.1.2. Registrar private key . . . . . . . . . . . . . . . . 58
C.1.3. MASA private key . . . . . . . . . . . . . . . . . . 59
C.2. Pledge, Registrar and MASA certificates . . . . . . . . . 59
C.2.1. Pledge IDevID certificate . . . . . . . . . . . . . . 59
C.2.2. Registrar Certificate . . . . . . . . . . . . . . . . 61
C.2.3. MASA Certificate . . . . . . . . . . . . . . . . . . 63
C.3. COSE signed voucher request from Pledge to Registrar . . 65
C.4. COSE signed voucher request from Registrar to MASA . . . 67
C.5. COSE signed voucher from MASA to Pledge via Registrar . . 69
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 70
1. Introduction
Secure enrollment of new nodes into constrained networks with
constrained nodes presents unique challenges. As explained in
[RFC7228], the networks are challenged and the nodes are constrained
by energy, memory space, and code size.
The Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol
described in [RFC8995] provides a solution for secure zero-touch
(automated) bootstrap of new (unconfigured) devices. In it, new
devices, such as IoT devices, are called "pledges", and equipped with
a factory-installed Initial Device Identifier (IDevID) (see
[ieee802-1AR]), they are enrolled into a network.
The BRSKI solution described in [RFC8995] was designed to be modular,
and this document describes a version scaled to the constraints of
IoT deployments.
Therefore, this document defines a constrained version of the voucher
artifact (described in [RFC8366]), along with a constrained version
of BRSKI. This constrained-BRSKI protocol makes use of the
constrained CoAP-based version of EST (EST-coaps from
[I-D.ietf-ace-coap-est]) rather than the EST over HTTPS [RFC7030].
In BRSKI, the the [RFC8366] voucher is by default serialized to JSON
with a signature in CMS [RFC5652]. This document defines a new
voucher serialization to CBOR [RFC8949] with a signature in COSE
[I-D.ietf-cose-rfc8152bis-struct].
This COSE-signed CBOR-encoded voucher is transported using secured
CoAP and HTTPS.
Richardson, et al. Expires 28 April 2022 [Page 4]
Internet-Draft Constrained BRSKI October 2021
The CoAP connection (between Pledge and Registrar) is to be protected
by either OSCORE+EDHOC [I-D.ietf-lake-edhoc] or DTLS (CoAPS). The
HTTP connection (between Registrar and MASA) is to be protected using
TLS (HTTPS).
This document specifies a constrained voucher-request artifact based
on Section 3 of [RFC8995], and voucher(-request) transport over CoAP
based on Section 3 of [RFC8995] and on [I-D.ietf-ace-coap-est].
The CBOR definitions for the constrained voucher format are defined
using the mechanism described in [I-D.ietf-core-yang-cbor] using the
SID mechanism explained in [I-D.ietf-core-sid]. As the tooling to
convert YANG documents into a list of SID keys is still in its
infancy, the table of SID values presented here MUST be considered
normative rather than the output of the pyang tool.
There is additional work when the voucher is integrated into the key-
exchange, described in [I-D.selander-ace-ake-authz]. This work is
not in scope for this document.
2. Terminology
The following terms are defined in [RFC8366], and are used
identically as in that document: artifact, domain, imprint, Join
Registrar/Coordinator (JRC), Manufacturer Authorized Signing
Authority (MASA), Pledge, Registrar, Trust of First Use (TOFU), and
Voucher.
The following terms from [RFC8995] are used identically as in that
document: Domain CA, enrollment, IDevID, Join Proxy, LDevID,
manufacturer, nonced, nonceless, PKIX.
The term Pledge Voucher Request, or acronym PVR, is introduced to
refer to the voucher request between the pledge and the Registrar.
The term Registrar Voucher Request, or acronym RVR, is introduced to
refer to the voucher request between the Registrar and the MASA.
3. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Richardson, et al. Expires 28 April 2022 [Page 5]
Internet-Draft Constrained BRSKI October 2021
4. Overview of Protocol
[RFC8366] provides for vouchers that assert proximity, that
authenticate the Registrar and that can offer varying levels of anti-
replay protection.
The proximity proof provided for in [RFC8366], is an assertion that
the Pledge and the Registrar are believed to be in close together,
from a network topology point of view. Like in [RFC8995], proximity
shown by making TLS connections between the Pledge and Registrar
using IPv6 Link-Local addresses.
The TLS connection is used to make a Voucher Request. This request
is verified by the an agent of the Pledge's manufacturer, which then
issues a voucher. The voucher provides an authorization statement
from the manufacturer indicating that the Registrar is the intended
owner of the device. The voucher refers to the Registrar through
pinning of the Registrar's identity.
This document does not make any extensions to the semantic meaning of
vouchers, only the encoding has been changed to optimize for
constrained devices and networks. The two main parts of the BRSKI
protocol are named separately in this document: BRSKI-EST for the
protocol between Pledge and Registrar, and BRSKI-MASA for the
protocol between the Registrar and the MASA.
Time-based vouchers are supported in this definition, but given that
constrained devices are extremely unlikely to have accurate time,
their use will be uncommon. Most Pledges using constrained vouchers
will be online during enrollment and will use live nonces to provide
anti-replay protection rather than expiry times.
[RFC8366] defines the voucher artifact, while the Voucher Request
artifact was defined in [RFC8995]. This document defines both a
constrained voucher and a constrained voucher-request. They are
presented in the order "voucher-request", followed by a "voucher"
response as this is the order that they occur in the protocol.
The constrained voucher request MUST be signed by the Pledge. It
signs using the private key associated with its IDevID X.509
certificate, or if an IDevID is not available, then the private key
associated with its manufacturer-installed raw public key (RPK).
Section 12 provides additional details on PKIX-less operations.
The constrained voucher MUST be signed by the MASA.
Richardson, et al. Expires 28 April 2022 [Page 6]
Internet-Draft Constrained BRSKI October 2021
For the constrained voucher request this document defines two
distinct methods for the Pledge to identify the Registrar: using
either the Registrar's X.509 certificate, or using a raw public key
(RPK) of the Registrar.
For the constrained voucher also these two methods are supported to
indicate (pin) a trusted domain identity: using either a pinned
domain X.509 certificate, or a pinned raw public key (RPK).
The BRSKI architectures mandates that the MASA be aware of the
capabilities of the pledge. This is not a hardship as the pledges
are constructed by a manufacturer who also arranges for the MASA to
be aware of the inventory of devices.
The MASA therefore knows if the pledge supports PKIX operations, PKIX
format certificates, or if the pledge is limited to Raw Public Keys
(RPK). Based upon this, the MASA can select which attributes to use
in the voucher for certain operations, like the pinning of the
Registrar identity. This is described in more detail in
Section 9.2.3, Section 8 and Section 8.3 (for RPK specifically).
5. Updates to RFC8366 and RFC8995
This section details the ways in which this document Updates. The
terminology for Updates is taken from [I-D.kuehlewind-update-tag].
This document Updates [RFC8366]. It Extends [RFC8366] by creating a
new serialization format.
This document Updates [RFC8995]. It Amends [RFC8995] by clarifying
how pinning is done, and ???.
6. BRSKI-EST Protocol
This section describes the constrained BRSKI extensions to EST-coaps
[I-D.ietf-ace-coap-est] to transport the voucher between Registrar
and Pledge (optionally via a Join Proxy) over CoAP. The extensions
are targeting low-resource networks with small packets.
The constrained BRSKI-EST protocol described in this section is
between the Pledge and the Registrar only.
Richardson, et al. Expires 28 April 2022 [Page 7]
Internet-Draft Constrained BRSKI October 2021
6.1. Registrar and the Server Name Indicator (SNI)
A DTLS connection is established between the pledge and the
Registrar. As described in Section 5.1 of [RFC8995] the pledge
establishes a TLS connection to the Registrar. This occurs via a
variety of Join Proxy mechanisms described in Section 6.4.
Regardless of the mechanism, the DTLS connection should operate
identically.
This issue affects [RFC8995] as well, and is reported in errata:
https://www.rfc-editor.org/errata/eid6648
As the Registrar is discovered by IP address, and connected via the
Join proxy, the name of the Registrar is not known to the Pledge.
The Pledge will not know what the hostname for the Registrar is, so
the pledge can not do RFC6125 DNS-ID validation on the Registrar's
certificate. That is the purpose of the RFC8366 voucher.
As the Pledge does not know the name of the Registrar, the Pledge
cannot put any reasonable value into the [RFC6066] Server Name
Indicator (SNI). The pledge SHOULD omit the SNI extension as per
Section 9.2 of [RFC8446].
In some cases, particularly when debugging and doing interoperability
testing, a Pledge may be given the hostname of a particular Registrar
to connect to. Such a bypass of the discovery process may result in
the Pledge taking a different path to DTLS connection, and may result
in the SNI being inserted by a library. The Registrar MUST ignore
any SNI seen.
A primary motivation for making the SNI ubiquitous in the public web
is because it allows for multi-tenant hosting of HTTPS sites on a
single (scarce) IPv4 address. This consideration does not apply to
the Registrar because:
* it uses DTLS and CoAP, not HTTPS
* it uses IPv6, often [RFC4193] Unique Local Address, which are
plentiful
* the port number number is discovered, so multiple tenants can be
accomodate via unique port numbers.
As per Section 3.6.1 of [RFC7030], the Registrar certificate MUST
have the Extended Key Usage (EKU) id-kp-cmcRA. This certificate is
also used as a TLS Server Certificate, so it must also have the EKU
id-kp-serverAuth.
Richardson, et al. Expires 28 April 2022 [Page 8]
Internet-Draft Constrained BRSKI October 2021
6.2. TLS Client Certificates: IDevID authentication
As described in Section 5.1 of [RFC8995], the Pledge makes a
connection to the Registrar using TLS Client Certificate for
authentication.
Subsequently the pledge will send a Pledge Voucher Request (PVR).
As explained below in Section 8.1, the "x5bag" may be used in the RVR
to communicate identity of the Registrar to MASA. The Pledge SHOULD
NOT use the x5bag attribute in this way in the PVR. A Registrar that
processes a PVR with an x5bag attribute MUST ignore it, and MUST use
only the TLS Client Certificate extension for authentication of the
Pledge.
A situation where the pledge MAY use the x5bag is for communications
of certificate chains to the MASA. This would arise in some vendor
specific situations involving outsourcing of MASA functionality, or
rekey of IDevID certification authority.
6.3. Discovery, URIs and Content Formats
To keep the protocol messages small the EST-coaps and constrained-
BRSKI URIs are shorter than the respective EST and BRSKI URIs.
The EST-coaps server URIs differ from the EST URIs by replacing the
scheme https by coaps and by specifying shorter resource path names.
Below are some examples; the first two using a discovered short path
name and the last one using the well-known URI of EST which requires
no discovery.
coaps://server.example.com/est/<short-name>
coaps://server.example.com/e/<short-name>
coaps://server.example.com/.well-known/est/<short-name>
Similarly the constrained BRSKI server URIs differ from the BRSKI
URIs by replacing the scheme https by coaps and by specifying shorter
resource path names. Below are some examples; the first two using a
discovered short path name and the last one using the well-known URI
prefix which requires no discovery. This is the same "/.well-known/
brski" prefix as defined in Section 5 of [RFC8995].
coaps://server.example.com/brski/<short-name>
coaps://server.example.com/b/<short-name>
coaps://server.example.com/.well-known/brski/<short-name>
Richardson, et al. Expires 28 April 2022 [Page 9]
Internet-Draft Constrained BRSKI October 2021
Figure 5 in Section 3.2.2 of [RFC7030] enumerates the operations
supported by EST, for which Table 1 in Section 5.1 of
[I-D.ietf-ace-coap-est] enumerates the corresponding EST-coaps short
path names. Similarly, Table 1 provides the mapping from the
supported BRSKI extension URI paths to the constrained-BRSKI URI
paths.
+=================+============================+
| BRSKI resource | constrained-BRSKI resource |
+=================+============================+
| /requestvoucher | /rv |
+-----------------+----------------------------+
| /voucher_status | /vs |
+-----------------+----------------------------+
| /enrollstatus | /es |
+-----------------+----------------------------+
Table 1: BRSKI URI paths mapping to
constrained BRSKI URI paths
Note that /requestvoucher indicated above occurs between the Pledge
and Registrar (in scope of the BRSKI-EST protocol), but it also
occurs between Registrar and MASA. However, as described in
Section 6, this section and above table addresses only the BRSKI-EST
protocol.
Pledges that wish to discover the available BRSKI bootstrap options/
formats, or reduce the size of the CoAP headers by eliminating the
"/.well-known/brski" path, can do a discovery operation using
[RFC6690] Section 4 by sending a discovery query to the Registrar.
For example, if the Registrar supports a short BRSKI URL (/b) and
supports the voucher format "application/voucher-cose+cbor" (TBD3),
and status reporting in both CBOR and JSON formats:
REQ: GET /.well-known/core?rt=brski*
RES: 2.05 Content
Content-Format: 40
Payload:
</b>;rt=brski,
</b/rv>;rt=brski.rv;ct=TBD3,
</b/vs>;rt=brski.vs;ct="50 60",
</b/es>;rt=brski.es;ct="50 60"
The Registrar is under no obligation to provide shorter URLs, and MAY
respond to this query with only the "/.well-known/brski/<short-name>"
end points for the short names as defined in Table 1.
Richardson, et al. Expires 28 April 2022 [Page 10]
Internet-Draft Constrained BRSKI October 2021
Registrars that have implemented shorter URLs MUST also respond in
equivalent ways to the corresponding "/.well-known/brski/<short-
name>" URLs, and MUST NOT distinguish between them. In particular, a
Pledge MAY use the longer and shorter URLs in any combination.
When responding to a discovery request for BRSKI resources, the
server MAY in addition return the full resource paths and the content
types which are supported at those end-points as shown in above
example. This is useful when multiple content types are specified
for a particular resource on the server. The server responds with
only the root path for the BRSKI resource (rt=brski, resource /b in
above example) and no others in case the client queries for only
rt=brski type resources. (So, a query for rt=brski, without the
wildcard character.)
Without discovery, a longer well-known URL can only be used, such as:
REQ: GET /.well-known/brski/rv
while with discovery of shorter URLs, a request such as:
REQ: GET /b/rv
is possible.
The return of multiple content-types in the "ct" attribute allows the
Pledge to choose the most appropriate one. Note that Content-Format
TBD3 ("application/voucher-cose+cbor") is defined in this document.
Content-Format TBD3 MUST be supported by the Registrar for the /rv
resource. If the "ct" attribute is not indicated for the /rv
resource in the link format description, this implies that at least
TBD3 is supported.
Note that this specification allows for voucher-cose+cbor format
requests and vouchers to be transmitted over HTTPS, as well as for
voucher-cms+json and other formats yet to be defined over CoAP. The
burden for this flexibility is places upon the Registrar. The pledge
is expected to support a single format only.
The Pledge and MASA need to support one or more formats (at least
TBD3) for the voucher and for the voucher request. The MASA needs to
support all formats that the Pledge, produced by that manufacturer,
supports.
Section 10 details how the Pledge discovers the Registrar and Join
Proxy in different deployment scenarios.
Richardson, et al. Expires 28 April 2022 [Page 11]
Internet-Draft Constrained BRSKI October 2021
6.3.1. RFC8995 Telemetry Returns
[RFC8995] defines two telemetry returns from the Pledge which are
sent to the Registrar. These are the BRSKI Status Telemetry
[RFC8995], Section 5.7 and the Enrollment Status Telemetry [RFC8995],
Section 5.9.4. These are two POST operations made the by Pledge at
two key steps in the process.
[RFC8995] defines the content of these POST operations in CDDL, which
are serialized as JSON. This document extends the list of acceptable
formats to CBOR as well as JSON, using the rules from [RFC8610].
The existing JSON format is described as CoAP Content-Format 50
("application/json"), and it MAY be supported. The new CBOR format
is described using CoAP Content-Format 60 ("application/cbor") MUST
be supported by the Registrar for both the /vs and /es resources.
6.4. Join Proxy options
TBD; reference other documents.
6.5. Extensions to BRSKI
6.5.1. Discovery
The Pledge discovers an IP address and port number that connects to
the Registrar (possibly via a Join Proxy), and it establishes a DTLS
connection.
No further discovery of hosts or port numbers is required, but a
pledge that can do more than one kind of enrollment (future work
offers protocols other than [I-D.ietf-ace-coap-est]), then a pledge
may need to use CoAP Discovery to determine what other protocols are
available.
A Pledge that only supports the EST-coaps enrollment method SHOULD
NOT use discovery for BRSKI resources. It is more efficient to just
try the supported enrollment method via the well-known BRSKI/EST-
coaps resources. This also avoids the Pledge doing any CoRE Link
Format parsing, which is specified in [I-D.ietf-ace-coap-est],
Section 4.1.
In order to support this, the Registrar MUST support all of the EST
resources at their default ".well-known" locations (on the port
number discovered) as well as any server-specific shorter form that
might also be supported.
Richardson, et al. Expires 28 April 2022 [Page 12]
Internet-Draft Constrained BRSKI October 2021
However, when discovery is being done by the Pledge, it is possible
for the Registrar to return references to resources which are on
different port numbers. The Registrar SHOULD NOT use different ports
numbers by default, because a Pledge that is connected via a Join
Proxy can only access a single UDP port. A Registrar configured to
never use Join Proxies MAY be configured to use multiple port
numbers. Therefore a Registrar MUST host all discoverable BRSKI
resources on the same (UDP) server port that the Pledge's DTLS
connection is using. In addition to avoiding the problem of being
unable to connect to other ports, using the same UDP server port
allows the Pledge to continue to use the same DTLS connection which
is more efficient.
6.5.2. CoAP responses
[RFC8995], Section 5 defines a number of HTTP response codes that the
Registrar is to return when certain conditions occur.
The 401, 403, 404, 406 and 415 response codes map directly to CoAP
codes 4.01, 4.03, 4.04, 4.06 and 4.15.
The 202 Retry process which occurs in the voucher request, is to be
handled in the same way as Section 5.7 of [I-D.ietf-ace-coap-est]
process for Delayed Responses.
6.6. Extensions to EST-coaps
This document extends [I-D.ietf-ace-coap-est], and it inherits the
functions described in that document: specifically, the mandatory
Simple (Re-)Enrollment (/sen and /sren) and Certification Authority
certificates request (/crts). Support for CSR Attributes Request
(/att) and server-side key generation (/skg, /skc) remains optional
for the EST server.
Collecting both [RFC8995] and [RFC7030], [I-D.ietf-ace-coap-est] and
this document results in the following shorter forms of URI paths for
the commonly used resources:
Richardson, et al. Expires 28 April 2022 [Page 13]
Internet-Draft Constrained BRSKI October 2021
+------------------+-------------------+----------------+
| EST + BRSKI | Constrained-BRSKI | Well-known URI +
| | | namespace +
+------------------+-------------------+----------------+
| /requestvoucher | /rv | brski +
| /voucher_status | /vs | brski +
| /csrattrs | /att | est +
| /simpleenroll | /sen | est +
| /cacerts | /crts | est +
| /enrollstatus | /es | brski +
| /simplereenroll | /sren | est +
+------------------+-------------------+----------------+
6.6.1. Pledge Extensions
This section defines extensions to the BRSKI Pledge, which are
applicable during the BRSKI bootstrap procedure. A Pledge that
already is DTLS-connected to either a Join Proxy or Registrar, and
which only supports the EST-coaps enrollment method, SHOULD NOT use
discovery for EST-coaps resources. This is because it is more
efficient to just try its supported enrollment method (e.g. /sen) via
the well-known EST resource on the current DTLS connection. This
avoids an additional round-trip of packets and avoids the Pledge
having to unnecessarily implement CoRE Link Format parsing.
A constrained Pledge SHOULD NOT perform the optional EST "CSR
attributes request" (/att) to minimize network traffic and reduce
code size.
When creating the CSR, the Pledge selects which attributes to
include. One or more Subject Distinguished Name fields MUST be
included. If the Pledge has no specific information on what
attributes/fields are desired in the CSR, it MUST use the Subject
Distinguished Name fields from its IDevID unmodified. The Pledge can
receive such information via the voucher (encoded in a vendor-
specific way) or some other, out-of-band means.
A constrained Pledge MAY use the following optimized EST-coaps
procedure to minimize both network traffic and code size:
1. if the voucher, that validates the current Registrar, contains a
single pinned domain CA certificate, the Pledge provisionally
considers this certificate as the EST trust anchor, in other
words, it provisionally accepts this CA certificate as if it were
the result of "CA certificates request" (/crts) to the Registrar.
Richardson, et al. Expires 28 April 2022 [Page 14]
Internet-Draft Constrained BRSKI October 2021
2. Using this CA certificate as trust anchor it proceeds with EST
simple enrollment (/sen) to obtain its provisionally trusted
LDevID.
3. If the Pledge validates that the trust anchor CA was used to sign
its LDevID, the Pledge accepts the pinned domain CA certificate
as the legitimate trust anchor CA for the Registrar's domain and
accepts the associated LDevID.
4. If the trust anchor CA was NOT used to sign its LDevID, the
Pledge MUST perform an actual "CA certificates request" (/crts)
to the EST server to obtain the EST CA trust anchor(s) since
these differ from the (temporary) pinned domain CA.
5. When doing this /crts request, the Pledge MAY use a CoAP Accept
Option with value TBD287 ("application/pkix-cert") to limit the
number of returned EST CA trust anchors to only one. A
constrained Pledge MAY support only this format in a /crts
response, per Section 5.3 of [I-D.ietf-ace-coap-est].
6. If the Pledge cannot obtain the single CA certificate or the
finally validated CA certificate cannot be chained to the LDevID,
then the Pledge MUST abort the enrollment process and report the
error using the enrollment status telemetry (/es).
Note that even though the Pledge may avoid the initial /crts request,
it SHOULD support retrieval of the trust anchor CA periodically. A
pledge that has an idea of the current time (internally, or via NTP)
SHOULD consider the validity time of the trust anchor CA, and MAY
begin requesting a new trust anchor CA when the CA has 50% of it's
validity time (notAfter - notBefore) left. A pledge that has no idea
of the current time will have no idea if the trust anchor CA has
expired. Such a device SHOULD poll periodically for a new trust
anchor at an interval of approximately 1 month. The Pledge SHOULD
use GET-with-ETag, and servers SHOULD support it.
6.6.2. EST-client Extensions
This section defines extensions to EST-coaps clients, used after the
BRSKI bootstrap procedure is completed. (Note that such client is
not called "Pledge" in this section, since it is already enrolled
into the domain.) A constrained EST-coaps client MAY support only
the Content-Format TBD287 ("application/pkix-cert") in a /crts
response, per Section 5.3 of [I-D.ietf-ace-coap-est].
In this case, it can only store one trust anchor of the domain.
Although this is not an issue in case the domain trust anchor remains
stable, special consideration is needed for cases where the domain
Richardson, et al. Expires 28 April 2022 [Page 15]
Internet-Draft Constrained BRSKI October 2021
trust anchor can change over time. Such a change may happen due to
relocation of the client device to a new domain, or due to key update
of the trust anchor as described in [RFC4210], Section 4.4.
The trust anchor change may happen during EST re-enrollment:
typically, a change of domain CA requires all devices operating under
the old domain CA to acquire a new LDevID issued by the new domain
CA. A client's re-enrollment may be triggered by various events,
such as imminent expiry of its LDevID. How the re-enrollment is
explicitly triggered on the client by a domain entity, such as a
commissioner or a Registrar, is out of scope of this specification.
The mechanism described in [RFC4210], Section 4.4 for Root CA key
update requires four certificates: OldWithOld, OldWithNew,
NewWithOld, and NewWithNew. The OldWithOld certificate is already
stored in the EST client's trust store. The NewWithNew certificate
will be distributed as the single certificate in a /crts response,
during EST re-enrollment. Since the EST client can only accept a
single certificate in a /crts response it implies that the EST client
cannot obtain the certificates OldWithNew and NewWithOld in this way,
to perform the complete verification of the new domain CA. Instead,
the client only verifies the EST server (Registrar) using its old
domain CA certificate in its trust store as detailed below, and based
on this trust in the active and valid DTLS connection it
automatically trusts the new (NewWithNew) domain CA certificate that
the EST server provides in the /crts response.
In this manner, even during rollover of trust anchors, it is possible
to have only a single trust anchor provided in a /crts response.
During the period of the certificate renewal, it is not possible to
create new communication channels between devices with NewCA
certificates devices with OldCA certificates. One option is that
devices should avoid restarting existing DTLS or OSCORE connections
during this interval that new certificates are being deployed. The
recommended period for certificate renewal is 24 hours. For re-
enrollment, the constrained EST-coaps client MUST support the
following EST-coaps procedure, where optional re-enrollment to a new
domain is under control of the Registrar:
1. The client connects with DTLS to the Registrar, and authenticates
with its present domain certificate (LDevID) as usual. The
Registrar authenticates itself with its domain certificate that
is trusted by the client, i.e. it chains to the single trust
anchor that the client has stored. This is the "old" trust
anchor, the one that will be eventually replaced in case the
Registrar decides to re-enroll the client into a new domain.
Richardson, et al. Expires 28 April 2022 [Page 16]
Internet-Draft Constrained BRSKI October 2021
2. The client performs the simple re-enrollment request (/sren) and
upon success it obtains a new LDevID.
3. The client verifies the new LDevID against its (single) existing
domain trust anchor. If it chains successfully, this means the
trust anchor did not change and the client MAY skip retrieving
the current CA certificate using the "CA certificates request"
(/crts). If it does not chain successfully, this means the trust
anchor was changed/updated and the client then MUST retrieve the
new domain trust anchor using the "CA certificates request"
(/crts).
4. If the client retrieved a new trust anchor in step 3, then it
MUST verify that the new trust anchor chains with the new LDevID
it obtained in step 2. If it chains successfully, the client
stores both, accepts the new LDevID and stops using it prior
LDevID. If it does not chain successfully, the client MUST NOT
update its LDevID, it MUST NOT update its (single) domain trust
anchor, and the client MUST abort the enrollment process and
report the error to the Registrar using enrollment status
telemetry (/es).
6.6.3. Registrar Extensions
A Registrar SHOULD host any discoverable EST-coaps resources on the
same (UDP) server port that the Pledge's DTLS initial connection is
using. This avoids the Pledge having to reconnect using DTLS, in
order to proceed with EST enrollment after the BRSKI bootstrap. [TBD
EDNOTE: a Registrar that does host EST resources on another port
won't be able to onboard Pledges that skip the discovery, so not
interoperable. Should we fix this?]
The Content-Format 50 (application/json) MUST be supported and 60
(application/cbor) MUST be supported by the Registrar for the /vs and
/es resources.
Content-Format TBD3 MUST be supported by the Registrar for the /rv
resource.
When a Registrar receives a "CA certificates request" (/crts) request
with a CoAP Accept Option with value TBD287 ("application/pkix-cert")
it SHOULD return only the single CA certificate that is the
envisioned or actual authority for the current, authenticated Pledge
making the request.
If the Pledge included in its request an Accept Option for only the
TBD287 ("application/pkix-cert") Content Format, but the domain has
been configured to operate with multiple CA trust anchors only, then
Richardson, et al. Expires 28 April 2022 [Page 17]
Internet-Draft Constrained BRSKI October 2021
the Registrar returns a 4.06 Not Acceptable error to signal that the
Pledge needs to use the Content Format 281 ("application/pkcs7-mime;
smime-type=certs-only") to retrieve all the certificates.
If the current authenticated client is an EST-coaps client that was
already enrolled in the domain, and the Registrar is configured to
assign this client to a new domain CA trust anchor during the next
EST re-enrollment procedure, then the Registrar MUST respond with the
new domain CA certificate in case the client performs the "CA
Certificates request" (/crts) with an Accept Option for TBD287 only.
This signals the client that a new domain is assigned to it. The
client follows the procedure as defined in Section 6.6.2.
6.7. DTLS handshake fragmentation Considerations
DTLS includes a mechanism to fragment the handshake messages. This
is described in Section 4.4 of [I-D.ietf-tls-dtls13]. The protocol
described in this document will often be used with a Join Proxy
described in [I-D.ietf-anima-constrained-join-proxy]. The Join Proxy
will need some overhead, while the maximum packet sized guaranteed on
802.15.4 networks is 1280 bytes. It is RECOMMENDED that a PMTU of
1024 bytes be assumed for the DTLS handshake. It is unlikely that
any Packet Too Big indications [RFC4443] will be relayed by the Join
Proxy.
During the operation of the constrained BRSKI-EST protocol, the CoAP
Blockwise transfer mechanism will be used when message sizes exceed
the PMTU. A Pledge/EST-client on a constrained network MUST use the
(D)TLS maximum fragment length extension ("max_fragment_length")
defined in Section 4 of [RFC6066] with the maximum fragment length
set to a value of either 2^9 or 2^10.
7. BRSKI-MASA Protocol
This section describes extensions to and clarifications of the BRSKI-
MASA protocol between Registrar and MASA.
7.1. Protocol and Formats
Section 5.4 of [RFC8995] describes a connection between the Registrar
and the MASA as being a normal TLS connection using HTTPS. This
document does not change that. The Registrar MAY use the new format
"application/voucher-cose+cbor" in its voucher request to MASA, or
the existing BRSKI format "application/voucher-cms+json" defined by