Constrained Bootstrapping Remote Secure Key Infrastructure (cBRSKI)

Constrained Bootstrapping Remote Secure Key Infrastructure (cBRSKI) Sandelman Software Works

mcr+ietf@sandelman.ca

vanderstok consultancy

stokcons@kpnmail.nl

Cisco Systems

pkampana@cisco.com

IoTconsultancy.nl

esko.dijk@iotconsultancy.nl

Internet anima Working Group Internet-Draft This document defines the Constrained Bootstrapping Remote Secure Key Infrastructure (cBRSKI) protocol, which provides a solution for secure zero-touch onboarding of resource-constrained (IoT) devices into the network of a domain owner. This protocol is designed for constrained networks, which may have limited data throughput or may experience frequent packet loss. cBRSKI is a variant of the BRSKI protocol, which uses an artifact signed by the device manufacturer called the "voucher" which enables a new device and the owner's network to mutually authenticate. While the BRSKI voucher data is encoded in JSON, cBRSKI uses a compact CBOR-encoded voucher. The BRSKI voucher data definition is extended with new data types that allow for smaller voucher sizes. The Enrollment over Secure Transport (EST) protocol, used in BRSKI, is replaced with EST-over-CoAPS; and HTTPS used in BRSKI is replaced with DTLS-secured CoAP (CoAPS). This document Updates RFC 8995 and RFC 9148. About This Document Status information for this document may be found at . Discussion of this document takes place on the anima Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction Secure enrollment of new nodes into constrained networks with constrained nodes presents unique challenges. As explained in , such networks may have limited data throughput or may experience frequent packet loss. In addition, its nodes may be constrained by energy availability, memory space, and code size. The Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol described in provides a solution for secure zero-touch (automated) onboarding of new (unconfigured) devices. In it, these new devices are called "pledges", equipped with a factory-installed Initial Device Identifier (IDevID) (see ). Using the IDevID the pledges are securely enrolled into a network. The BRSKI solution described in was designed to be modular, and this document describes a version scaled to the constraints of IoT deployments. This document uses the constrained voucher and voucher request artifacts defined in for a constrained version of the BRSKI protocol: cBRSKI. The cBRSKI protocol uses the CoAP-based version of EST (EST-coaps from ) rather than the EST over HTTPS . cBRSKI is itself scalable to multiple resource levels through the definition of optional functions. illustrates this. In BRSKI, the voucher data is by default serialized to JSON with a signature in CMS . This document uses the CBOR voucher data serialization, as defined by , and applies a new COSE signature format as defined in . This COSE-signed CBOR-encoded voucher is transported using both secured CoAP and HTTPS. The CoAP connection (between Pledge and Registrar) is to be protected by DTLS (CoAPS). The HTTP connection (between Registrar and MASA) is to be protected using TLS (HTTPS). to define the default cBRSKI protocol, by means of additions to and modifications of regular BRSKI. considers some variations of the protocol, specific to particular deployments or IoT networking technologies. Next in , some considerations for the design and implementation of cBRSKI components are provided. introduces a variant of cBRSKI for the most-constrained Pledges, using Raw Public Keys (RPK). This variant achieves smaller sizes of data objects and avoids doing certain costly PKIX verification operations on the Pledge. provides more details on how a Pledge may discover the various onboarding/enrollment options that a Registrar provides. Implementing these methods is optional for a Pledge.

Terminology The following terms are defined in , and are used identically as in that document: artifact, domain, Join Registrar/Coordinator (JRC), malicious Registrar, Manufacturer Authorized Signing Authority (MASA), Pledge, Registrar, Onboarding, Owner, Voucher Data and Voucher. The protocol described in this document is referred to as cBRSKI, the constrained version of BRSKI which is described in . The following terms from are used identically as in that document: Domain CA, enrollment, IDevID, Join Proxy, LDevID, manufacturer, nonced, nonceless, PKIX. The following terms from are used identically as in that document: Explicit Trust Anchor (TA), Explicit TA database, Third-party TA. The following terms from are used identically as in that document: Confirmable (CON), Acknowledgement (ACK), Endpoint, ETag, Client, Server, Piggybacked Response, resource, Resource Discovery, Content-Format. The term Pledge Voucher Request, or acronym PVR, is introduced to refer to the voucher request between the Pledge and the Registrar. The term Registrar Voucher Request, or acronym RVR, is introduced to refer to the voucher request between the Registrar and the MASA. This document uses the term "PKIX Certificate" or "certificate" to refer to the X.509v3 profile described in . The term "base resource" is defined as a CoAP resource that can be used as a base to append an additional path segment to, where this segment is a short resource name ('short-name') as defined in and . In code examples, the string "<CODE BEGINS>" denotes the start of a code example and "<CODE ENDS>" the end of the code example. "lf added" means that extra linefeed characters were added to an example to make lines fit in this document. The ellipsis ("...") in a CBOR diagnostic notation byte string denotes a further sequence of bytes that is not shown for brevity. This notation is defined in .

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Overview of Protocol defines a voucher that can assert proximity, authenticates the Registrar, and can offer varying levels of anti-replay protection. The proximity proof provided by a voucher is an assertion that the Pledge and the Registrar are believed to be close together, from a network topology point of view. Similar to BRSKI , proximity is proven by making a DTLS connection between a Pledge and a Registrar. The Pledge initiates this connection using a link-local source address. The secure DTLS connection is then used by the Pledge to send a Pledge Voucher Request (PVR). The Registrar then includes the PVR into its own Registrar Voucher Request (RVR), which is sent to an agent (MASA) of the Pledge's manufacturer. The MASA verifies the PVR and RVR and issues a signed voucher. The voucher provides an authorization statement from the manufacturer indicating that the Registrar is the intended owner of the Pledge. The voucher refers to the Registrar through pinning of the Registrar's identity. After verification of the voucher, the Pledge enrolls into the Registrar's domain by obtaining a certificate using the EST-coaps protocol, suitable for constrained devices. Once the Pledge has obtained its domain identity (LDevID) in this manner, it can use this identity to obtain network access credentials, which are used to join the local IP network. The method to obtain such credentials depends on the particular network technology used and is outside the scope of this document. The two main parts of the BRSKI protocol are named separately in this document: BRSKI-EST () for the protocol between Pledge and Registrar, and BRSKI-MASA () for the protocol between the Registrar and the MASA. Time-based vouchers are supported, but given that constrained devices are unlikely to have accurate time, their use will be uncommon. Most Pledges using constrained vouchers will be online during enrollment and will use live nonces to provide anti-replay protection rather than expiry times. defines the CBOR voucher data encoding for the constrained voucher and the constrained voucher request, which are used by cBRSKI. The constrained voucher request MUST be signed by the Pledge. COSE is used for signing as defined in . It signs using the private key of its IDevID. The constrained voucher MUST be signed by the MASA. Also in this case, COSE is used for signing. For the constrained voucher request (PVR) the default method for the Pledge to identify the Registrar is using the Registrar's full PKIX certificate. But when operating PKIX-less as described in , the Registrar's Raw Public Key (RPK) is used for this. For the constrained voucher the default method to indicate ("pin") a trusted domain identity is the domain's PKIX CA certificate, but when operating PKIX-less instead the RPK of the Registrar is pinned. For certificates, cBRSKI currently uses the X.509 format, like BRSKI. The protocol and data formats are defined such that future extension to other certificate formats is enabled. For example, CBOR-encoded and COSE-signed C509 certificates () may provide data size savings as well as code sharing benefits with CBOR/COSE libraries, when applied to cBRSKI. The BRSKI architecture mandates that the MASA be aware of the capabilities of the Pledge. This is not a drawback as a Pledge is constructed by a manufacturer which also arranges for the MASA to be aware of the inventory of devices. The MASA therefore knows if the Pledge supports PKIX operations, or if it is limited to RPK operations only. Based upon this, the MASA can select which attributes to use in the voucher for certain operations, like the pinning of the Registrar or domain identity.

Updates to RFC 8995 and RFC 9148 This section details the ways in which this document updates other RFCs. This document Updates because it:

clarifies how pinning in vouchers is done (),
clarifies the use of TLS Server Name Indicator (SNI) (, ),
clarifies when new trust anchors should be retrieved by a Pledge (),
clarifies what kinds of Extended Key Usage attributes are appropriate for each certificate (, ),
extends BRSKI with the use of CoAP,
makes some BRSKI messages optional to send if the results can be inferred from other validations (),
extends the BRSKI-EST/BRSKI-MASA protocols (, , ) to carry the new "application/voucher+cose" format.

This document Updates because it:

defines stricter DTLS requirements ()),
details how an EST-coaps client handles certificate renewal and re-enrollment (),
details how an EST-coaps server processes a "CA certificates" request for content-format 287 ("application/pkix-cert") ().
adds enrollment status telemetry to the certificate renewal procedure (),
adds support for the media type "application/multipart-core" for the CA certificates (/crts) resource (),
defines a resource type (rt) attribute value "ace.est" for the EST-coaps base resource ().

BRSKI-EST Protocol This section describes the extensions to both BRSKI and EST-coaps operations between Pledge and Registrar.

DTLS Connection A DTLS connection is established between the Pledge and the Registrar, similar to the TLS connection described in . This may occur via a Join Proxy as described in . Regardless of the Join Proxy presence or particular mechanism used, the DTLS connection should operate identically. The cBRSKI and EST-coaps requests and responses for onboarding are carried over this DTLS connection.

DTLS Version DTLS version 1.3 SHOULD be used in any implementation of this specification. An exception case where DTLS 1.2 MAY be used is in a Pledge that uses a software platform where a DTLS 1.3 client is not available (yet). This may occur for example if a legacy device gets software-upgraded to support cBRSKI. For this reason, a Registrar MUST by default support both DTLS 1.3 and DTLS 1.2 client connections. However, for security reasons the Registrar MAY be administratively configured to support only a particular DTLS version or higher. An EST-coaps server (if present as a separate entity from above Registrar) that implements this specification also MUST support both DTLS 1.3 and DTLS 1.2 client connections by default. However, for security reasons the EST-coaps server MAY be administratively configured to support only a particular DTLS version or higher.

TLS Client Certificates: IDevID authentication As described in , the Pledge makes a connection to the Registrar using a TLS Client Certificate for authentication. This is the Pledge's IDevID certificate. Subsequently the Pledge will send a Pledge Voucher Request (PVR). Further elements of Pledge authentication may be present in the PVR, as detailed in .

DTLS Handshake Fragmentation Considerations DTLS includes a mechanism to fragment handshake messages. This is described in . cBRSKI will often be used with a Join Proxy, described in , which relays each DTLS message to the Registrar. A stateless Join Proxy will need some additional space to wrap each DTLS message inside a Join Proxy UDP message, while the wrapped result needs to fit in the maximum IPv6 MTU guaranteed on 6LoWPAN networks, which is 1280 bytes. For this reason it is RECOMMENDED that a PMTU of 1024 bytes be assumed for the DTLS handshake and appropriate DTLS fragmentation is used. It is unlikely that any ICMPv6 Packet Too Big indications () will be relayed by the Join Proxy back to the Pledge. During the operation of the EST-coaps protocol, the CoAP Block-wise transfer mechanism will be automatically used when message sizes exceed the PMTU. A Pledge/EST-client on a constrained network MUST use the (D)TLS maximum fragment length extension ("max_fragment_length") defined in with the maximum fragment length set to a value of either 2^9 or 2^10, when operating as a DTLS 1.2 client. A Pledge/EST-client operating as DTLS 1.3 client, MUST use the (D)TLS record size limit extensions ("record_size_limit") defined in , with RecordSizeLimit set to a value between 512 and 1024 (inclusive).

Registrar and the Server Name Indicator (SNI) The SNI issue described below affects as well, and is reported in errata: https://www.rfc-editor.org/errata/eid6648 As the Registrar is discovered by IP address, and typically connected via a Join Proxy, the hostname of the Registrar is not known to the Pledge. Therefore, it cannot do DNS-ID validation () on the Registrar's certificate. Instead, it must do validation using the voucher. Without knowing the hostname, the Pledge cannot put any reasonable value into the Server Name Indicator (SNI) extension. Therefore the Pledge SHOULD omit the SNI extension as per . In some cases, particularly while testing BRSKI, a Pledge may be given the hostname of a particular Registrar to connect to directly. Such a bypass of the discovery process may result in the Pledge taking a different code branch to establish a DTLS connection, and may result in the SNI being inserted by a library. For this reason, the Registrar MUST ignore any SNI it receives from a Pledge. A primary motivation for making the SNI ubiquitous in the public web is because it allows for multi-tenant hosting of HTTPS sites on a single (scarce) IPv4 address. This consideration does not apply to the server function in the Registrar because:

it uses DTLS and CoAP, not HTTPS;
it typically uses IPv6, often Unique Local Address, which are plentiful;
the server port number is typically discovered, so multiple tenants can be accommodated via unique UDP port numbers.

Registrar Server Certificate Requirements As per , the Registrar certificate MUST have the Extended Key Usage (EKU) id-kp-cmcRA. This certificate is also used as a TLS Server Certificate, so it MUST also have the EKU id-kp-serverAuth. See for an example of a Registrar certificate with these EKUs set. See for Registrar client certificate requirements.

cBRSKI Join Proxy specifies the details for a stateful or stateless constrained Join Proxy which is equivalent to the BRSKI Proxy defined in . See also for more details on discovery of a Join Proxy by a Pledge, and discovery of a Registrar by a Join Proxy.

Request URIs, Resource Discovery and Content-Formats cBRSKI operates using CoAP over DTLS, with request URIs using the coaps scheme. The Pledge operates in CoAP client role. To keep the protocol messages small the EST-coaps and cBRSKI request URIs are shorter than the respective EST and BRSKI URIs. During the cBRSKI onboarding on an IPv6 network these request URIs have the following form: ]:/.well-known/brski/ coaps://[]:/.well-known/est/ ]]> where <link-local-ipv6> is the discovered link-local IPv6 address of a Join Proxy, and <port> is the discovered port of the Join Proxy that is used to offer the cBRSKI proxy functionality. <short-name> is the short resource name for the cBRSKI and EST-coaps resources. For EST-coaps, defines the CoAP <short-name> resource names. For cBRSKI, this document defines the short resource names based on the long HTTP resource names. See for a summary of these resource names. details how the Pledge discovers a Join Proxy link-local address and port in different deployment scenarios. The request URI formats defined here enable the Pledge to perform onboarding/enrollment without requiring discovery of the available onboarding options, voucher formats, BRSKI/EST resources, enrollment protocols, and so on. This is helpful for the majority of constrained Pledges that would support only a single set of these options. However, for Pledges that do support multiple options, will define discovery methods so that a Pledge can select the optimal set of options for the current onboarding operation. Alternatively, a Pledge could also send CoAP discovery queries () to the Registrar to discover detailed options for onboarding and/or enrollment functions. Supporting these queries is OPTIONAL for both the Pledge and the Registrar. To clarify which options in particular can be discovered, provides an informative overview of what can be discovered and how to discover it. Because a Pledge only has indirect access to the Registrar via a single port on the Join Proxy, the Registrar MUST host all cBRSKI/EST-coaps resources on the same (UDP) server IP address and port. This is the address and port where a Join Proxy would relay DTLS records from the Pledge to. Although the request URI templates include IP address, scheme and port, in practice the CoAP request message sent over the secure DTLS connection only encodes the URI path explicitly. For example, a Pledge that skips resource discovery operations just sends the initial CoAP voucher request as follows: Note that only content-format 836 ("application/voucher+cose") is defined in this document for the payload sent to the voucher request resource (/rv). Content-format 836 MUST be supported by the Registrar for the /rv resource and it MAY support additional formats. The Pledge MAY also indicate in the request the desired format of the (voucher) response, using the Accept Option. An example of using this option in the request is as follows: If the Accept Option is omitted in the request, the response format follows from the request payload format (which is 836). Note that this specification allows for application/voucher+cose format requests and vouchers to be transported over HTTPS, as well as for application/voucher-cms+json and other formats yet to be defined over CoAP. The burden for this flexibility is placed upon the Registrar. A Pledge on constrained hardware is expected to support a single format only. The Pledge and MASA need to support one or more formats (at least format 836) for the voucher and for the voucher request. The MASA needs to support all formats that the Pledge supports.

Status Telemetry Returns defines two telemetry returns from the Pledge which are sent to the Registrar. These are the BRSKI Status Telemetry and the Enrollment Status Telemetry . These are two CoAP POST requests made the by Pledge at two key steps in the process. defines the content of these POST operations in CDDL, which are serialized as JSON. This document extends this with an additional CBOR format, derived using the CDDL rules in . The new CBOR telemetry format has CoAP content-format 60 ("application/cbor") and MUST be supported by the Registrar for both the /vs and /es resources. The existing JSON format has CoAP content-format 50 ("application/json") and MAY also be supported by the Registrar. A Pledge MUST use the new CBOR format to send telemetry messages.

CoAP Resources Table This document inherits EST-coaps functions: specifically, the mandatory Simple (Re-)Enrollment (/sen and /sren) and Certification Authority certificates request (/crts). Support for CSR Attributes Request (/att) and server-side key generation (/skg, /skc) remains optional for the EST-coaps server. summarizes the resources used in cBRSKI. It includes both the short-name cBRSKI resources and the EST-coaps resources. BRSKI/EST resource name mapping to cBRSKI/EST-coaps short resource name

BRSKI + EST name	cBRSKI + EST-coaps <short-name>	Well-known URI namespace	Required for Registrar?
/enrollstatus	/es	brski	MUST
/requestvoucher	/rv	brski	MUST
/voucher_status	/vs	brski	MUST
/cacerts	/crts	est	MUST
/csrattrs	/att	est	MAY
/simpleenroll	/sen	est	MUST
/simplereenroll	/sren	est	MUST
/serverkeygen	/skg	est	MAY
/serverkeygen	/skc	est	MAY

CoAP Responses defines a number of HTTP response codes that the Registrar is to return when certain conditions occur. The 401, 403, 404, 406 and 415 response codes map directly to CoAP codes 4.01, 4.03, 4.04, 4.06 and 4.15 respectively. The 202 Retry process which may occur in the voucher request, is to be handled in the same way as the process for Delayed Responses.

Extensions to EST-coaps This section defines extensions to EST-coaps for Pledges (during initial onboarding), EST-coaps clients (after initial onboarding) and Registrars (that implement an EST-coaps server). Note that a device that is already onboarded is not called "Pledge" in this section: it now acts in the role of an EST-coaps client.

Pledge Enrollment Procedure This section defines optimizations for the EST-coaps protocol as used by a Pledge. These aim to reduce payload sizes and the number of messages (round-trips) required for the initial EST enrollment. A Pledge SHOULD NOT perform the optional EST-coaps "CSR attributes request" (/att). Instead, the Pledge selects the attributes to include in the CSR as specified below. One or more Subject Distinguished Name fields MUST be included in the CSR. If the Pledge has no specific information on what attributes/fields are desired in the CSR, which is the common case, it MUST use the Subject Distinguished Name fields from its IDevID unmodified. Note that a Pledge MAY receive such specific information via the voucher data (encoded in a vendor-specific way, or as defined by a future specification) or via some other, out-of-band means. A Pledge uses the following optimized EST-coaps procedure:

If the voucher, that validates the current Registrar, contains a single pinned domain CA certificate, the Pledge provisionally considers this certificate as the EST trust anchor, as if it were the result of a "CA certificates request" (/crts) to the Registrar.
Using this CA certificate as trust anchor it proceeds with EST simple enrollment (/sen) to obtain a provisionally trusted LDevID certificate.
If the Pledge determines that the pinned domain CA is (1) a root CA certificate and (2) signer of the LDevID certificate, the Pledge accepts the pinned domain CA certificate as the legitimate trust anchor root CA for the Registrar's domain. It also accepts the LDevID certificate as its new LDevID identity. And steps 4 and 5 are skipped.
Otherwise, if the step 3 condition was not met, the Pledge MUST perform a "CA certificates request" (/crts) to the EST server to obtain the full set of EST CA trust anchors. It then MUST attempt to chain the LDevID certificate to one of the CAs in the set.
If the Pledge cannot obtain the set of CA certificates, or it is unable to create the chain as defined in step 4, the Pledge MUST abort the enrollment process and report the error using the enrollment status telemetry (/es).

Renewal of CA certificates An EST-coaps client that has an idea of the current time (internally, or via Network Time Protocol) SHOULD consider the validity time of the trust anchor CA(s), and MAY begin requesting new trust anchor certificates(s) using the /crts request when the CA has 50% of it's validity time (notAfter - notBefore) left. A client without access to the current time cannot decide if trust anchor CA(s) have expired, and SHOULD poll periodically for a new trust anchor certificate(s) using the /crts request at an interval of approximately 1 month. An EST-coaps server SHOULD include the CoAP ETag Option ()in every response to a /crts request, to enable clients to perform low-overhead validation whether their trust anchor CA is still valid. The EST-coaps client SHOULD store the ETag resulting from a /crts response in memory and SHOULD use this value in an ETag Option in its next GET /crts request.

Change of Domain Trust Anchor(s) The domain trust anchor(s) may change over time. Such a change may happen due to relocation of the client device to a new domain, a new subdomain, or due to a key update of a trust anchor as described in . From the client's viewpoint, a trust anchor change happens during EST-coaps re-enrollment: since a change of domain CA requires all devices operating under the old domain CA to acquire a new LDevID certificate issued by the new domain CA. A client's re-enrollment may be triggered by various events, such as an instruction to re-enroll sent by a domain entity, or an imminent expiry of its LDevID certificate, or other. How the re-enrollment is explicitly triggered on the client by a domain entity, such as a commissioner or a Registrar, is out of scope of this specification. The mechanism described in and for root CA key update requires four certificates: OldWithOld, OldWithNew, NewWithOld, and NewWithNew. Of these four, the OldWithOld certificate is already stored in the client's Explicit TA database. The other certificates will be provided to the client in a /crts response, during the EST-coaps re-enrollment procedure.

Re-enrollment Procedure For re-enrollment, the EST-coaps client MUST support the following EST-coaps procedure. During this procedure the EST-coaps server MAY re-enroll the client into a new domain or into a new sub-CA within a larger domain.

The client connects with DTLS to the EST-coaps server, and authenticates with its present domain certificate (LDevID) as usual. The EST-coaps server authenticates itself with its domain RA certificate that is currently trusted by the client, i.e. it chains to a trust anchor CA that the client has stored in its Explicit TA database. This is the OldWithOld trust anchor. The client checks that the server is a Registration Authority (RA) of the domain as required by before proceeding.
The client performs the simple re-enrollment request (/sren) and upon success it obtains a new LDevID certificate.
The client verifies the new LDevID certificate against its Explicit TA database. If the new LDevID chains successfully to a TA, this means trust anchors did not significantly change and the client MAY skip retrieving the current CA certificates using the "CA certificates request" (/crts). If it does not chain successfully, it means trust anchor(s) were changed significantly and the client MUST retrieve the new domain trust anchors using the "CA certificates request" (/crts).
If the client retrieved new trust anchor(s) in step 3, then it MUST verify that the new LDevID certificate it obtained in step 2 chains with the new trust anchor(s). If it chains successfully, the client stores the new trust anchor(s) in its Explicit TA database, accepts the new LDevID certificate and stops using its prior LDevID certificate. If it does not chain successfully, the client MUST NOT update its LDevID certificate, and it MUST NOT update its Explicit TA database, and the client MUST abort the enrollment process and MUST attempt to report the error to the EST-coaps server using enrollment status telemetry (/es).

Note that even though the EST-coaps client may skip the /crts request in step 3 at this time, it SHOULD still support renewal of the trust anchors as detailed in . Note that an EST-coaps server that is also a Registrar will already support the enrollment status telemetry resource (/es) in step 4, while an EST-coaps server that purely implements , and not the present specification, will not support this resource.

Multipart Content-Format for CA certificates (/crts) Resource In EST-coaps the PKCS#7 container format is used for CA certificates distribution. Because the PKCS#7 format is only used as a certificate container and no additional security is applied on the container, it becomes attractive to replace this format by something simpler, on a constrained Pledge: so that additional PKCS#7 code is avoided. Therefore, this document defines a container format using the "application/multipart-core" media type (CoAP content-format 62). This is beneficial since a Pledge necessarily already supports CBOR parsing, so there is little code overhead to support this CBOR-based container format. A Registrar or EST-coaps server MUST support content-format 62 for the /crts resource. The multipart collection MUST contain the individual CA certificates, each encoded as an "application/pkix-cert" (287) representation. Future documents may define other certificate formats: the multipart collection can handle any future types. The order of CA certificates MUST be in the CA hierarchy order starting from the issuer of the client's LDevID first, up to the highest-level domain CA, then optionally followed by any further CA certificates that are not part of this hierarchy. These further CA certificates may be Third-party TAs as defined in . The highest-level domain CA may or may not be a root CA certificate. As an example, for the two-level CA domain PKI of the multipart container will contain two representations: , ] ]]> Encoded as an "application/multipart-core" CBOR array this is (shown in CBOR diagnostic notation): The total number of CA certificates SHOULD be 1, 2 or 3 and not higher to prevent constrained Pledges from running out of memory for the trust anchor storage (Explicit TA database). However if a domain operator can guarantee that any Pledges enrolled in its network can support larger sets of CA certificates, the total number MAY be configured as higher than 3. To facilitate a reliable transfer of large payloads over constrained networks, the server MUST support CoAP Block-wise transfer for the /crts response. The server MUST also support the Size2 Option to provide the total resource length in bytes, when requested by a client. Implementation notes: a client that receives the first block of payload data from the server, can already inspect the total number of CA certificates by decoding the first byte of the payload. In CBOR encoding, the respective first bytes 0x81-0x97 represent an array with length 1-23, respectively. Furthermore, the length in bytes of the first CA certificate can be already determined by decoding the first bytes of the second element, because the CBOR encoding for binary string includes the length of this string. A client that requires an estimate of the total resource size (to be returned as part of the first Block2 response from the server) can use a Size2 Option with value 0 in its request. Knowing the overall progress of the data transfer may be helpful in certain cases, e.g. when a Pledge provides visual progress information on the onboarding progress.

Registrar Extensions Before a Registrar forwards a COSE-signed voucher from MASA to the Pledge, it MUST remove any "x5bag" or "x5chain" unprotected COSE header attributes (which are defined in ). The contents of these unprotected attributes are solely for validation/logging use by the Registrar. Removing these attributes reduces the voucher size on the constrained network path to the Pledge. The content-format 60 ("application/cbor") MUST be supported by the Registrar for the /vs and /es resources. Content-format 836 ("application/voucher+cose") MUST be supported by the Registrar for the /rv resource for CoAP POST requests, both as request payload and as response payload. Content-format 287 ("application/pkix-cert") MUST be supported by the Registrar as a response payload for the /sen and /sren resources. When a Registrar receives a "CA certificates request" (/crts) request with a CoAP Accept Option with value 287 ("application/pkix-cert") it MUST return only the single CA certificate that is the envisioned or actual CA authority for the current, authenticated Pledge making the request. An exception to this rule is when the domain has been configured to operate with multiple CA trust anchors exclusively: then the Registrar returns a 4.06 Not Acceptable error to signal to the client that it needs to request another content-format that supports retrieval of multiple CA certificates.

BRSKI-MASA Protocol This section describes extensions to and clarifications of the BRSKI-MASA protocol between Registrar and MASA.

Protocol and Formats describes a connection between the Registrar and the MASA as being a normal TLS connection using HTTPS. This document does not change that. The MASA only needs to support formats for which it has constructed Pledges that use that format. The Registrar MUST use the same format for the RVR as the Pledge used for its PVR. Specifically, the Registrar MUST use the media type "application/voucher+cose" for its voucher request to MASA, when the Pledge used content-format 836 in the payload of its request to the Registrar. The Registrar indicates the voucher format (by media type) it wants to receive from MASA using the HTTP Accept header. This format MUST be the same as the format of the PVR, so that the Pledge can parse the resulting voucher. At the moment of writing the creation of coaps based MASAs is deemed unrealistic and unnecessary. The use of CoAP for the BRSKI-MASA connection is out of scope but can be the subject of another document. Some consideration was made to specify CoAP support for consistency, but:

the Registrar is not expected to be so constrained that it cannot support HTTPS client connections.
the technology and experience to build Internet-scale HTTPS responders (which the MASA is) is common, while the experience doing the same for CoAP is much less common.
a Registrar is likely to provide onboarding services to both constrained and non-constrained devices. Such a Registrar would need to speak HTTPS anyway.
a manufacturer is likely to offer both constrained and non-constrained devices, so there may in practice be no situation in which the MASA could be CoAP-only. Additionally, as the MASA is intended to be a function that can easily be outsourced to a third-party service provider, reducing the complexity would also seem to reduce the cost of that function.
security-related considerations: see .

Registrar Voucher Request If the PVR contains a proximity assertion, the Registrar MUST propagate this assertion into the RVR by including the "assertion" field with the value "proximity". This conforms to the example in of carrying the assertion forward.

MASA and the Server Name Indicator (SNI) A TLS/HTTPS connection is established between the Registrar and MASA. explains this process, and there are no externally visible changes made by this document. A MASA that supports the unconstrained voucher formats should be able to support constrained voucher formats equally well. There is no requirement that a single MASA be used for both constrained and unconstrained voucher requests: the choice of MASA is determined by the id-mod-MASAURLExtn2016 extension contained in the IDevID, so it can be determined by the manufacturer. The Registrar MUST do DNS-ID checks () on the contents of the certificate provided by the MASA during the TLS handshake. In contrast to the Pledge/Registrar situation, the Registrar always knows the name of the MASA, and MUST always include an Server Name Indicator. The SNI is optional in TLS 1.2, but common. The SNI is considered mandatory with TLS 1.3. The presence of the SNI extension is required by the MASA, in order for the MASA's server to host multiple tenants (for different customers).

Registrar Client Certificate Requirements The Registrar SHOULD use a TLS Client Certificate to authenticate to the MASA per . If the certificate that the Registrar uses is marked as a id-kp-cmcRA certificate, via Extended Key Usage, then it MUST also have the id-kp-clientAuth EKU attribute set. In summary, for typical Registrar use, where a single Registrar certificate is used for both client and server roles, the certificate MUST have an EKU set with at least all of id-kp-cmcRA, id-kp-serverAuth, and id-kp-clientAuth.

Pinning in Voucher Artifacts The voucher is a statement by the MASA for use by the Pledge that provides the identity of the Pledge's owner. This section describes how the owner's identity is determined and how it is specified within the voucher.

Registrar Identity Selection and Encoding describes BRSKI policies for selection of the owner identity. It indicates some of the flexibility enabled for the Registrar, and recommends the Registrar to include only certificates in the voucher request (CMS) signing structure that participate in the certificate chain that is to be pinned. The MASA is expected to evaluate the certificates included in an RVR, forming them into a chain with the Registrar's (signing) identity on one end. Then, it pins a certificate selected from this chain according to its pinning policy (). For instance, for a domain with a two-level certification authority (see ), where the RVR has been signed by "domain Registrar", the RVR includes the chain formed by the domain Registrar EE certificate, the domain Sub-CA certificate, and the domain CA trust anchor certificate. The arrows in the figure indicate the issuing of a certificate, i.e. author of (1) issued (2) and author of (2) issued (3).

Two-Level CA PKI When the Registrar is using a COSE-signed RVR, the COSE_Sign1 object contains a protected and an unprotected header. The Registrar MUST place all the certificates needed by MASA to validate the signature chain for its RVR in an "x5bag" attribute in either the protected or the unprotected header as defined in .

MASA Pinning Policy The MASA, having assembled and verified the certificate chain that signed the RVR then needs to select a certificate to pin. (For the case that only the Registrar's End-Entity certificate is included, only this certificate can be selected and this section does not apply.) The BRSKI policy for pinning by the MASA as described in leaves much flexibility to the manufacturer. The present document adds the following rules to the MASA pinning policy to reduce the network load on the constrained network side:

for a voucher containing a nonce, it SHOULD pin the most specific (lowest-level) CA certificate in the chain.
for a nonceless voucher, it SHOULD pin the least-specific (highest-level) CA certificate in the chain that is allowed under the MASA's policy for this specific domain.

The rationale for 1. is that in case of a voucher with nonce, the voucher is valid only in scope of the present DTLS connection between Pledge and Registrar anyway, so there is no benefit to pin a higher-level CA. By pinning the most specific CA the constrained Pledge can validate its DTLS connection using less crypto operations. The rationale for pinning a CA instead of the Registrar's End-Entity certificate directly is based on the following benefit on constrained networks: the pinned certificate in the voucher can in common cases be re-used as a Domain CA trust anchor during the EST enrollment and during the operational phase that follows after EST enrollment, as explained in . The rationale for 2. follows from the flexible BRSKI trust model for, and purpose of, nonceless vouchers (Sections 5.5.* and 7.4.1 of ). Referring to the example of of a domain with a two-level certification authority, the most specific CA ("Sub-CA") is the identity that is pinned by MASA in a nonced voucher. In case of a nonceless voucher, depending on the trust level, the MASA pins the "Registrar" certificate (low trust in customer), or the "Sub-CA" certificate (in case of medium trust, implying that any Registrar of that sub-domain is acceptable), or even the "domain CA" certificate (in case of high trust in the customer, and possibly a pre-agreed need of the customer to obtain flexible long-lived vouchers).

Pinning of Raw Public Keys (RPK) Specifically for the most-constrained use cases, the pinning of the raw public key (RPK) of the Registrar is also supported in the constrained voucher, instead of a PKIX certificate. This is used by the RPK variant of cBRSKI described in , but it can also be used in the default cBRSKI flow as a means to reduce voucher size. For both cases, if an RPK is pinned, it MUST be the RPK of the Registrar, which equals the public key of the Registrar's EE certificate. When the Pledge is known by MASA to support the RPK variant only, the voucher produced by the MASA pins the RPK of the Registrar in either the "pinned-domain-pubk" or "pinned-domain-pubk-sha256" field of the voucher data. This is described in more detail in and . When the Pledge is known by MASA to support PKIX operations, the "pinned-domain-cert" field present in a voucher normally pins a domain certificate. That can be either the End-Entity certificate of the Registrar, or the certificate of a domain CA, as specified in . However, if the Pledge is known by MASA to also support RPK pinning and the MASA policy intends to pin the Registrar in the voucher (and not a CA), then MASA SHOULD pin the RPK (RPK3 in ) of the Registrar instead of the Registrar's End-Entity certificate to save space in the voucher.

Raw Public Key (RPK) pinning examples

Considerations for use of IDevID-Issuer and define the idevid-issuer attribute for voucher and voucher-request (respectively), but they summarily explain when to use it. The use of idevid-issuer is provided so that the serial-number to which the issued voucher pertains can be relative to the entity that issued the devices' IDevID. In most cases there is a one to one relationship between the trust anchor that signs vouchers (and is trusted by the pledge), and the Certification Authority that signs the IDevID. In that case, the serial-number in the voucher data must refer to the same device as the serial-number that is in the IDevID certificate. However, there are situations where the one to one relationship may be broken. This occurs whenever a manufacturer has a common MASA, but different products (on different assembly lines) are produced with identical serial numbers. A system of serial numbers which is just a simple counter is a good example of this. A system of serial numbers where there is some prefix relating the product type does not fit into this, even if the lower digits are a counter. It is not possible for the Pledge or the Registrar to know which situation applies. The question to be answered is whether or not to include the idevid-issuer in the PVR and the RVR. A second question arises as to what the format of the idevid-issuer contents are. Analysis of the situation shows that the pledge never needs to include the idevid-issuer in it's PVR, because the pledge's IDevID certificate is available to the Registrar, and the Authority Key Identifier is contained within that IDevID certificate. The pledge therefore has no need to repeat this. For the RVR, the Registrar has to examine the pledge's IDevID certificate to discover the serial number to use in the Registrar's Voucher Request (RVR). This is clear in . That section also clarifies that the idevid-issuer is to be included in the RVR. Concerning the Authority Key Identifier, specifies that the entire object i.e. the extnValue OCTET STRING is to be included: comprising the AuthorityKeyIdentifier, SEQUENCE, Choice as well as the OCTET STRING that is the keyIdentifier.

Artifacts The YANG () module and CBOR serialization for the constrained voucher as used by cBRSKI are described in . That document also assigns SID values to YANG elements in accordance with . The present section provides some examples of these artifacts and defines a new signature format for these, using COSE. Compared to the first voucher request definition done in , the constrained voucher request adds the fields proximity-registrar-pubk and proximity-registrar-pubk-sha256. One of these is optionally used to replace the proximity-registrar-cert field, for a smaller voucher request data size - useful for the most constrained cases. The constrained voucher adds the fields pinned-domain-pubk and pinned-domain-pubk-sha256 to pin an RPK. One of these is optionally used instead of the pinned-domain-cert field, for a smaller voucher data size.

Example Artifacts

Example Pledge Voucher Request (PVR) Artifact Below, example voucher data from a constrained voucher request (PVR) from a Pledge to a Registrar is shown in CBOR diagnostic notation. Long CBOR byte strings have been shortened for readability, using the ellipsis ("...") to indicate elided bytes. This notation is defined in . The enum value of the assertion field is 2 for the "proximity" assertion as defined in . The Pledge has included the item proximity-registrar-pubk which carries the public key of the Registrar, instead of including the full Registrar certificate in a proximity-registrar-cert item. This is done to reduce the size of the PVR. Also note that the Pledge did not include the created-on field since it lacks an internal real-time clock and has no knowledge of the current time at the moment of performing the onboarding.

Example Registrar Voucher Request (RVR) Artifact Next, example voucher data from a constrained voucher request (RVR) from a Registrar to a MASA is shown in CBOR diagnostic notation. The Registrar has created this request triggered by the reception of the Pledge voucher request (PVR) of the previous example. Again, long CBOR byte strings have been shortened for readability. Note that the Registrar uses here the string data type for all key names, instead of the more compact SID integer keys. This is fine for any use cases where the network between Registrar and MASA is an unconstrained network where data size is not critical. The constrained voucher request format supports both the string and SID key types, for PVR as well as RVR.

Example Voucher Artifacts Below, an example of constrained voucher data is shown in CBOR diagnostic notation. It was created by a MASA in response to receiving the Registrar Voucher Request (RVR) shown in . The enum value of the assertion field is set to "proximity" (2), to acknowledge to both the Pledge and the Registrar that the proximity of the Pledge to the Registrar is considered proven. While the above example voucher data includes the nonce from the PVR, the next example is for a nonce-less voucher. Instead of a nonce, it includes an expires-on field with the date and time on which the voucher expires. Because the MASA did not verify the proximity of the Pledge and Registrar in this case, the assertion enum field contains a weaker assertion of "verified" (0). This indicates that the MASA verified the domain's ownership of the Pledge via some other means. The voucher is valid for one week. To verify the voucher's validity, the Pledge would either need an internal real-time clock or some external means of obtaining the current time, such as Network Time Protocol (NTP) or a radio time signal receiver.

Signing Voucher and Voucher Request Artifacts with COSE The COSE_Sign1 structure is discussed in . The CBOR object that carries the body, the signature, and the information about the body and signature is called the COSE_Sign1 structure. It is used when only one signature is used on the body. Support for ECDSA with SHA2-256 using curve secp256r1 (aka prime256k1) is RECOMMENDED. Most current low power hardware has support for acceleration of this algorithm. Future hardware designs could omit this in favour of a newer algorithms. This is the ES256 (-7) keytype from Table 1 of . Support for curve secp256k1 is OPTIONAL. Support for EdDSA using Curve 25519 is RECOMMENDED in new designs if hardware support is available. This is keytype EDDSA (-8) from Table 2 of . A "crv" parameter is necessary to specify the Curve, which from Table 18. The 'kty' field MUST be present, and it MUST be 'OKP'. (Table 17) A transition towards EdDSA is occurring in the industry. Some hardware can accelerate only some algorithms with specific curves, other hardware can accelerate any curve, and still other kinds of hardware provide a tool kit for acceleration of any elliptic curve algorithm. In general, the Pledge is expected to support only a single algorithm, while the Registrar, usually not constrained, is expected to support a wide variety of algorithms: both legacy ones and up-and-coming ones via regular software updates. An example of the supported COSE_Sign1 object structure containing a Pledge Voucher Request (PVR) is shown below. The specifies the integers/encoding for the "alg" field. The "alg" field restricts the key usage for verification of this COSE object to a particular cryptographic algorithm.

Signing of Registrar Voucher Request (RVR) A Registrar MUST include a COSE "x5bag" structure in the RVR as explained in . Below, an example Registrar Voucher Request (RVR) is shown that includes the "x5bag" unprotected header parameter (32). The bag contains two certificates in this case. A "kid" (key ID) field is OPTIONAL in the unprotected COSE header parameters map of a COSE object. If present, it identifies the public key of the key pair that was used to sign the COSE message. The value of the key identifier "kid" parameter may be in any format agreed between signer and verifier. Usually a hash of the public key is used to identify the public key; but the choice of key identifier method is vendor-specific. By default, a Registrar does not include a "kid" parameter in the RVR since the signing key is already identified by the signing certificates chain included in the COSE "x5bag" structure. A Registrar nevertheless MAY use a "kid" parameter in its RVR to identify its signing key/identity. The method of generating such "kid" value is vendor-specific and SHOULD be configurable in the Registrar to support commonly used methods. In order to support future business cases and supply chain integrations, a Registrar using the "kid" field MUST be configurable, on a per-manufacturer basis, to select a particular method for generating the "kid" value such that it is compatible with the method that the manufacturer expects. Note that the "kid" field always has a CBOR byte string (bstr) format. In a further example of a signed RVR is shown.

Signing of Pledge Voucher Request (PVR) Like in the RVR, a "kid" (key ID) field is also OPTIONAL in the PVR. It can be used to identify the signing key/identity to the MASA. A Pledge by default SHOULD NOT use a "kid" parameter in its PVR, because its signing key is already identified by the Pledge's unique serial number that is included in the PVR and (by the Registrar) in the RVR. This achieves the smallest possible PVR data size while still enabling the MASA to fully verify the PVR. Still, when required the Pledge MAY use a "kid" parameter in its PVR to help the MASA identify the right public key to verify against. This can occur for example if a Pledge has multiple IDevID identities. The "kid" parameter in this case may be an integer byte identifying one out of N identities present, or it may be a hash of the public key, or anything else the Pledge vendor decides. A Registrar normally SHOULD ignore a "kid" parameter used in a received PVR, as this information is intended for the MASA. In other words, there is no need for the Registrar to verify the contents of this field, but it may include it in an audit log. The example below shows a PVR with the "kid" parameter present as an unprotected header parameter. The Pledge SHOULD NOT use the "x5bag" or "x5chain" COSE header parameters in the PVR. A Registrar that processes a PVR with such a structure MUST ignore it, and MUST use only the TLS Client Certificate extension for authentication of the Pledge. A situation where the Pledge MAY use the "x5bag" or "x5chain" structure is for communication of certificate chains to the MASA. This would arise in some vendor- specific situations involving outsourcing of MASA functionality, or rekeying of the IDevID certification authority. In a further example of a signed PVR is shown.

Signing of Voucher by MASA The MASA SHOULD NOT use a "kid" parameter in the voucher response, because the MASA's signing key is already known to the Pledge. Still, where needed the MASA MAY use a "kid" parameter in the voucher response to help the Pledge identify the right MASA public key to verify against. This can occur for example if a Pledge has multiple IDevID identities. The MASA SHOULD NOT include an "x5bag" or "x5chain" attribute in the protected header of the voucher response, because normally a Pledge already stores the required public key for validation of the signed voucher. The exception case is if the MASA knows that the Pledge doesn't pre-store the MASA's public key used for signing, and thus the MASA needs to provide a certificate or certificate chain that will enable linking the signing identity to a pre-stored Trust Anchor (CA) in the Pledge. This approach is not recommended, because including certificates in the protected "x5bag" or "x5chain" COSE header attributes will significantly increase the size of the voucher which impacts cBRSKI operation on constrained networks. For example, if the MASA signing key is based upon a PKI (see Section 2.3), and the Pledge only pre-stores a manufacturer (root) CA identity in its Trust Store which is not the identity that signs the voucher, then a certificate chain needs to be included with the voucher in order for the Pledge to validate the MASA signing CA's signature by validating the chain up to the CA in its Trust Store. In BRSKI CMS signed vouchers , the CMS structure has a place for such a certificate chain. In the COSE-signed vouchers described in this document, the "x5bag" attribute placed in the COSE protected header parameters is used to contain the needed certificates for the Pledge to form the chain. To signal the complete chain of the MASA's signing identity to the Registrar, the MASA MUST include the complete chain of signing certificates in an "x5bag" attribute in the unprotected header of the voucher. This allows the Registrar to optionally validate the voucher before forwarding it to the Pledge, or to validate it for logging purposes. There is no voucher size impact of including this certificate chain in an unprotected "x5bag" COSE header attribute for constrained networks, because the Registrar will remove this unprotected attribute prior to forwarding the voucher response to the Pledge, as defined in . Note that cBRSKI currently does not support signing the voucher with an RPK for which there is no corresponding certificate at all. If the MASA wants to sign a voucher with an RPK that is not part of any PKIX hierarchy, it creates a single self-signed "placeholder" root CA certificate that uses the designated RPK as the public key. This "placeholder" certificate is then included as the sole certificate in an unprotected "x5bag" header attribute, as defined in the previous paragraph. Below, an example is shown of a COSE-signed voucher as created by MASA. This example shows the common case where a protected "x5bag" (32) attribute is not used, while an unprotected "x5bag" (32) attribute is used to communicate the MASA's signature certificate chain to the Registrar. The bag contains two certificates in this example. One of these is the identity of the signer of the COSE_Sign1 object, whose signature is stored as the last CBOR array element in the below example. In a further example of a signed voucher is shown.

Optional Validation of Voucher by Registrar For a Registrar, validation of the voucher and/or the signature of the voucher is optional, per . However, if a Registrar does perform the validation of the signature chain, communicated in the "x5bag" unprotected COSE header attribute (see )), it MUST validate that one of the below cases hold:

The signature chain is a single self-signed root CA certificate with a correct signature; and the public key in this certificate is also the public key that signed the voucher. This represents the case where a voucher has been effectively signed with an RPK.
The signature chain consists of one or more certificates that can be chained to a known (preconfigured) trust root in the Registrar.

The above validation elements are needed only for cases where (nonceless) vouchers are communicated over potentially unsecure channels to the Registrar. Since the "x5bag" header parameter is not protected by the voucher's COSE signature, it could have been modified in transit.

Extensions to Discovery It is assumed that a Join Proxy () seamlessly provides a relayed DTLS connection between the Pledge and the Registrar. To use a Join Proxy, a Pledge needs to discover it. For Pledge discovery of a Join Proxy, this section extends Section 4.1 of for the cBRSKI case. In general, the Pledge may be one or more hops away from the Registrar, where one hop means the Registrar is a direct link-local neighbor of the Pledge. The case of one hop away can be considered as a degenerate case, because a Join Proxy is not really needed then. The degenerate case would be unusual in constrained wireless network deployments, because a Registrar would typically not have a wireless network interface of the type used by constrained devices. Rather, it would have a high-speed network interface. Nevertheless, the situation where the Registrar is one hop away from the Pledge could occur in various cases like wired IoT networks or in wireless constrained networks where the Pledge is in radio range of a 6LoWPAN Border Router (6LBR) and the 6LBR happens to host a Registrar. In order to support the degenerate case, the Registrar SHOULD announce itself as if it were a Join Proxy -- though it would actually announce its real (stateful) Registrar CoAPS endpoint. No actual Join Proxy functionality is then required on the Registrar. That way, a Pledge only needs to discover a Join Proxy, regardless of whether it is one or more than one hop away from a relevant Registrar. It first discovers the link-local address and the UDP join-port of a Join Proxy. The Pledge then follows the cBRSKI procedure of initiating a DTLS connection using the link-local address and join-port of the Join Proxy. Once enrolled, a Pledge itself may function as a Join Proxy. The decision whether or not to provide this functionality depends upon many factors and is out of scope for this document. Such a decision might depend upon the amount of energy available to the device, the network bandwidth available, as well as CPU and memory availability. The process by which a Pledge discovers the Join Proxy, and how a Join Proxy discovers the location of the Registrar, are the subject of the remainder of this section. Further details on both these topics are provided in .

Discovery Operations by a Pledge The Pledge must discover the address/port and optionally the protocol with which to communicate. The present document only defines coaps (CoAP over DTLS) as the default protocol for cBRSKI, therefore protocol discovery is out of scope. For the discovery method, this section only defines unsecured CoAP discovery per as the default method. This uses CoRE Link Format payloads. briefly mentions other methods that apply to specific deployment types or technologies. Details about these deployment-specific methods, or yet other methods, new payload formats, or more elaborate CoAP-based methods, may be defined in future documents such as . The more elaborate methods for example may include discovering only Join Proxies that support a particular desired onboarding protocol, voucher format, or cBRSKI variant. Note that identifying the format of the voucher request and the voucher is currently not a required part of the Pledge's discovery operation. It is assumed that all Registrars support all relevant voucher(-request) formats, while the Pledge only supports a single format. A Pledge that makes a voucher request to a Registrar that does not support that format will receive a CoAP 4.06 Not Acceptable status code and the onboarding attempt will fail. Using CoAP discovery, a Pledge can discover a Join Proxy by sending a link-local multicast discovery message to the All CoAP Nodes address FF02::FD. Zero, one, or multiple Join Proxies may respond. The handling of multiple responses and absence of responses cases follow the guidelines of . The discovery message is a CoAP GET request on the URI path "/.well-known/core" using a URI query "rt=brski.jp". This resource type (rt) is defined in .

Examples Below, a typical example is provided showing the Pledge's CoAP request and the Join Proxy's CoAP response. The Join Proxy responds with a link-local source address, which is the same address as indicated in the URI-reference element () in the discovery response payload. The Join Proxy has a dedicated port 8485 open for DTLS connections of Pledges. ;rt=brski.jp ]]> The next example shows a Join Proxy that uses the default CoAPS port 5684 for DTLS connections of Pledges. In this case, the Join Proxy host is not using port 5684 for any other purposes, so it has the port available exclusively for accepting DTLS connections of Pledges. ;rt=brski.jp ]]> In the following example, two Join Proxies respond to the multicast query. The Join Proxies each use a slightly different CoRE Link Format 'rt' value encoding. While the first encoding is more compact, both encodings are allowed per . The Pledge may now select one of the two Join Proxies for initiating its DTLS connection. ;rt=brski.jp RES: 2.05 Content ;rt="brski.jp" ]]>

Discovery Operations by a Join Proxy A Join Proxy needs to discover a Registrar, either at the moment it needs to relay data (of a Pledge) towards the Registrar, or prior to that moment. For example, it may start Registrar discovery as soon as it is requested to be enabled in a Join Proxy role. It may periodically redo this discovery, or periodically or on-demand check that the Registrar is still available in the network at the discovered IP address. Further details on CoAP discovery of the Registrar by a Join Proxy are provided in .

Deployment-specific Discovery Considerations This section details how discovery of a Join Proxy is done by the Pledge in specific deployment scenarios. Future work such as may define more details on discovery operations in the specific deployments listed here.

6TiSCH Deployments In 6TiSCH networks, the Constrained Join Proxy (CoJP) mechanism is used as described in . Such networks are expected to use for key management. This is the subject of future work. The IEEE 802.15.4 Enhanced Beacon has been extended in to allow for discovery of a 6TiSCH-compliant Join Proxy.

IP networks using GRASP In IP networks that support GRASP , a Pledge can discover a Join Proxy by listening for GRASP messages. GRASP supports mesh networks, and can also be used over unencrypted Wi-Fi. Details of GRASP discovery of constrained Join Proxies are out of scope of this document and may be defined in future work.

IP networks using mDNS defines a mechanism for the Pledge to discover a Join Proxy by sending mDNS queries. This mechanism can be used on any IP network which does not have another recommended mechanism. It can be used over unencrypted Wi-Fi. This mechanism does support link-local Join Proxy discovery in mesh networks. However, it does not support Registrar discovery by Join Proxies in mesh networks, because the Registrar is typically not reachable by link-local communication in that case. For this, another mechanism is needed, which is out of scope of this document and may be defined in future work. A Pledge uses an mDNS PTR query for the name "_brski-proxy._udp.local." to discover link-local constrained Join Proxies. The label "_udp" here indicates a query for cBRSKI constrained Join Proxies, as opposed to "_tcp" defined in which is for discovering BRSKI Proxies.

Thread Networks using Mesh Link Establishment (MLE) Thread is a wireless mesh network protocol based on 6LoWPAN and other IETF protocols. In Thread, a new device discovers potential Thread networks and Thread nodes to join by using the Mesh Link Establishment (MLE) protocol. MLE uses the UDP port number 19788. The new device sends discovery requests on different IEEE 802.15.4 radio channels, to which Thread nodes (if any present) respond with a discovery response containing information about their respective network. The MLE discovery response message contains UDP port information to signal the new device which UDP port to use for its DTLS connection to the Join Proxy function. The link-local IPv6 source address of the MLE response message indicates the address of the Join Proxy. Once a suitable Thread node is selected as its Join Proxy, the new device initiates a DTLS transport-layer secured connection to the network's commissioning application, over a link-local single radio hop to the selected Join Proxy. This link is not yet secured at the radio/MAC link layer: link-layer security will be set up once the new device is approved by the commissioning application to join the Thread network, and it gets provisioned with network access credentials. A Thread node that is capable to act as a Join Proxy will only enable this role if the network-wide configuration data indicates that new device commissioning is allowed.

Design and Implementation Considerations

Voucher Format and Encoding The design considerations for vouchers from apply. Specifically for CBOR encoding of voucher data, one key difference with JSON encoding is that the names of the leaves in the YANG definition do not affect the size of the resulting CBOR, as the SID () translation process assigns integers to the names. To obtain the lowest code size and RAM use on the Pledge, it is recommended that a Pledge is designed to only process/generate these SID integers and not the lengthy strings. The MASA in that case is required to generate the voucher data for that Pledge using only SID integers. Yet, this MASA implementation MUST still support both SID integers and strings, to be able to process the field names in the RVR.

CoAP Usage A successful POST request to the Registrar's telemetry resources (/vs, /es) returns a 2.04 Changed response with empty payload. A CoAP client sending a request should be aware that the server, even in case of an empty payload, may use either a piggybacked CoAP response (for example ACK with code 2.04) but may also respond with a separate CoAP response. This is first an ACK message with code 0.0 that acknowledges the reception of the request. It is followed by a CON message with a code 2.04 response in a separate CoAP message. See for details.

Use of cBRSKI with HTTPS This specification contains two major extensions to : a constrained voucher format (COSE), and a constrained transfer protocol (CoAP). On constrained networks with constrained devices, it make senses to use both together. However, this document does not mandate that this be the only way. A given constrained device design and software may be re-used for multiple device models, such as a model having only an IEEE 802.15.4 radio, or a model having only an IEEE 802.11 (Wi-Fi) radio, or a model having both these radios. A manufacturer of such device models may wish to have code only for the use of the constrained voucher format (COSE), and use it on all supported radios including the IEEE 802.11 radio. For this radio, the software stack to support HTTP/TLS may be already integrated into the radio module hence it is attractive for the manufacturer to reuse this. This type of approach is supported by this document. In the case that HTTPS is used, the regular long resource names are used, together with the new "application/voucher+cose" media type described in this document. For status telemetry requests, the format and requirements defined in remain unchanged. Other combinations are possible, but they are not enumerated here. New work such as provides new formats that may be usable over a number of different transports. In general, sending larger payloads over constrained networks makes less sense, while sending smaller payloads over unconstrained networks is perfectly acceptable. The Pledge will in most cases support a single voucher format, which it uses without negotiation i.e. without discovery of formats supported. The Registrar, being unconstrained, is expected to support all voucher formats. There will be cases where a Registrar does not support a new format that a new Pledge uses, and this is an unfortunate situation that will result in lack of interoperation. The responsibility for supporting new formats is on the Registrar.

Raw Public Key Variant

Introduction and Scope This section introduces a cBRSKI variant to further reduce the data volume and complexity of the cBRSKI onboarding. The use of a raw public key (RPK) in the pinning process can significantly reduce the number of bytes sent over the wire and the number of round trips, and reduce the code footprint in a Pledge. But it comes with a few significant operational limitations. One simplification that comes with RPK use is that a Pledge can avoid doing PKIX operations, such as certificate chain validation.

DTLS Connection and Registrar Trust Anchor When the Pledge first connects to the Registrar, the connection to the Registrar is provisional, as explained in . The Registrar normally provides its public key in a TLSServerCertificate, and the Pledge uses that to validate that integrity of the DTLS connection, but it does not validate the identity of the provided certificate. As the TLSServerCertificate object is never verified directly by the Pledge, sending it can be considered superfluous. So instead of using a (TLSServer)Certificate of type X509 (see ), a RawPublicKey object (as defined by ) is used. A Registrar operating in a mixed environment can determine whether to send a PKIX certificate chain or a Raw Public Key to the Pledge: this is signaled by the Pledge. In the case the Pledge needs an RPK, it includes the server_certificate_type of RawPublicKey. This is shown in . The Pledge MUST send a client_certificate_type of X509 (not an RPK), so that the Registrar can properly identify the Pledge and distill the MASA URI information from its IDevID certificate.

The Pledge Voucher Request The Pledge puts the Registrar's public key into the proximity-registrar-pubk field of the Pledge Voucher Request (PVR). (The proximity-registrar-pubk-sha256 can alternatively be used for efficiency, if the 32-bytes of a SHA256 hash turns out to be smaller than a typical ECDSA key.) As the format of this pubk field is identical to the TLS RawPublicKey data object, no manipulation at all is needed to insert this field into the PVR. This approach reduces the size of the PVR significantly, compared to including the full certificate.

The Voucher Response A returned voucher will have a pinned-domain-pubk field with the identical key as was found in the proximity-registrar-pubk field above, as well as being identical to the Registrar's RPK in the currently active DTLS connection. (Or alternatively the MASA may include the pinned-domain-pubk-sha256 field if it knows the Pledge supports this field.) Validation of this key by the Pledge is what takes the DTLS connection out of the provisional state; see for more details. The received voucher needs to be validated by the Pledge. The Pledge needs to have a public key to validate the signature from the MASA on the voucher. The MASA's public key counterpart of the (private) MASA signing key MUST be already installed in the Pledge at manufacturing time. Otherwise, the Pledge cannot validate the voucher's signature.

The Enrollment Phase A Pledge that does not support PKIX operations cannot use EST to enroll; it has to use another method for enrollment without certificates and the Registrar has to support this method also. For example, an enrollment process that records an RPK owned by the Pledge as a legitimate entity that is part of the domain. It is possible that the Pledge will not enroll after obtaining a valid voucher, but instead will do only a network join operation (see for example ). How the Pledge discovers this method and details of such enrollment methods are out of scope of this document.

Security Considerations

Duplicate Serial Numbers In the absense of correct use of idevid-issuer by the Registrar as detailed in , it would be possible for a malicious Registrar to use an unauthorized voucher for a device. This would apply only to the case where a Manufacturer Authorized Signing Authority (MASA) is trusted by different products from the same manufacturer, and the manufacturer has duplicated serial numbers as a result of a merger, acquisition or mis-management. For example, imagine the same manufacturer makes light bulbs as well as gas centrifuges, and said manufacturer does not uniquely allocate product serial numbers. This attack only works for nonceless vouchers. The attacker has obtained a light bulb which happens to have the same serial-number as an operational gas centrifuge which it wishes to obtain access to. The attacker performs a normal BRSKI onboarding for the light bulb, but then uses the resulting voucher to onboard the gas centrifuge. The attack requires that the gas centrifuge be returned to a state where it is willing to perform a new onboarding operation. This attack is prevented by the mechanism of having the Registrar include the idevid-issuer in the RVR, and the MASA including it in the resulting voucher. The idevid-issuer is not included by default: a MASA needs to be aware if there are parts of the organization which duplicates serial numbers, and if so, include it.

IDevID Security in the Pledge The security of this protocol depends upon the Pledge identifying itself to the Registrar using its manufacturer installed certificate: the IDevID certificate. Associated with this certificate is the IDevID private key, known only to the Pledge. Disclosure of this private key to an attacker would permit the attacker to impersonate the Pledge towards the Registrar, probably gaining access credentials to that Registrar's network. If the IDevID private key disclosure is known to the manufacturer, there is little recourse other than recall of the relevant part numbers. The process for communicating this recall would be within the BRSKI-MASA protocol. Neither this specification nor provides for consultation of a Certification Revocation List (CRL) or Open Certificate Status Protocol (OCSP) by a Registrar when evaluating an IDevID certificate. However, the BRSKI-MASA protocol submits the IDevID from the Registrar to the manufacturer's MASA and a manufacturer would have an opportunity to decline to issue a voucher for a device which they believe has become compromised. It may be difficult for a manufacturer to determine when an IDevID private key has been disclosed. Two situations present themselves: in the first situation a compromised private key might be reused in a counterfeit device, which is sold to another customer. This would present itself as an onboarding of the same device in two different networks. The manufacturer may become suspicious seeing two voucher requests for the same device from different Registrars. Such activity could be indistinguishable from a device which has been resold from one operator to another, or re-deployed by an operator from one location to another. In the second situation, an attacker having compromised the IDevID private key of a device might then install malware into the same device and attempt to return it to service. The device, now blank, would go through a second onboarding process with the original Registrar. Such a Registrar could notice that the device has been "factory reset" and alert the operator to this situation. One remedy against the presence of malware is through the use of Remote Attestation such as described in . Future work will need to specify a background-check Attestation flow as part of the voucher-request/voucher-response process. Attestation may still require access to a private key (e.g. IDevID private key) in order to sign Evidence, so a primary goal should be to keep any private key safe within the Pledge. In larger, more expensive, systems there is budget (power, space, and bill of materials) to include more specific defenses for a private key. For instance, this includes putting the IDevID private key in a Trusted Platform Module (TPM), or use of Trusted Execution Environments (TEE) for access to the key. On smaller IoT devices, the cost and power budget for an extra part is often prohibitive. It is becoming more and more common for CPUs to have an internal set of one-time fuses that can be programmed (often they are "burnt" by a laser) at the factory. This section of memory is only accessible in some privileged CPU state. The use of this kind of CPU is appropriate as it provides significant resistance against key disclosure even when the device can be disassembled by an attacker. In a number of industry verticals, there is increasing concern about counterfeit parts. These may be look-alike parts created in a different factory, or parts which are created in the same factory during an illegal night-shift, but which are not subject to the appropriate level of quality control. The use of a manufacturer-signed IDevID certificate provides for discovery of the pedigree of each part, and this often justifies the cost of the security measures associated with storing the private key.

Security of the BRSKI-MASA Protocol explains why no CoAPS version of the BRSKI-MASA protocol is specified. The connection from the Registrar to the MASA continues to be HTTPS as in . This choice enables the BRSKI-MASA protocol, which operates over the open Internet, to be secured using standard solutions that are commonly used for HTTPS over the Internet. The use of UDP protocols across the Internet is sometimes fraught with security challenges. Denial-of-service attacks against UDP based protocols are trivial as there is no three-way handshake as done for TCP. The three-way handshake of TCP guarantees that the node sending the connection request is reachable using the origin IP address. While DTLS contains an option to do a stateless challenge -- a process actually stronger than that done by TCP -- it is not yet common for this mechanism to be available in hardware at multigigabit speeds. Also, in many enterprise networks outgoing UDP connections can be treated as suspicious, which could effectively block CoAP connections for some firewall configurations. Reducing the complexity of MASA (i.e. less protocols supported) also reduces its potential attack surface, which is relevant since the MASA is 24/7 exposed on the Internet and accepting (untrusted) incoming connections.

Registrar Certificate May Be Self-signed The provisional (D)TLS connection formed by the Pledge with the Registrar does not authenticate the Registrar's identity. This Registrar's identity is validated by the voucher that is issued by the MASA, signed with a trust anchor that was built-in to the Pledge. The Registrar may therefore use any certificate, including a self-signed one. The only restrictions on the certificate is that it MUST have EKU bits set as detailed in and .

Use of RPK Alternatives to proximity-registrar-cert In two compact alternative fields for proximity-registrar-cert are defined that include an RPK: proximity-registrar-pubk and proximity-registrar-pubk-sha256. The Pledge can use these fields in its PVR to identify the Registrar based on its public key only. Since the full certificate of the proximate Registrar is not included, use of these fields by a Pledge implies that a Registrar could insert another certificate with the same public key identity into the RVR. For example, an older or a newer version of its certificate. The MASA will not be able to detect such act by the Registrar. But since any 'other' certificate the Registrar could insert in this way still encodes its identity the additional risk of using the RPK alternatives is negligible. When a Registrar sees a PVR that uses one of proximity-registrar-pubk or proximity-registrar-pubk-sha256 fields, this implies the Registrar must include the certificate identified by these fields into its RVR. Otherwise, the MASA is unable to verify proximity. This requirement is already implied by the "MUST" requirement in .

IANA Considerations

Resource Type Link Target Attribute Values Registry Additions to the "Resource Type (rt=) Link Target Attribute Values" IANA registry, within the "CoRE Parameters" registry group are specified below. Reference: [This RFC] Resource Type (rt) link target attribute values for cBRSKI and EST-coaps

Value	Description
brski	Base resource of all Bootstrapping Remote Secure Key Infrastructure (cBRSKI) resources
brski.rv	cBRSKI request voucher resource
brski.vs	cBRSKI voucher status telemetry resource
brski.es	cBRSKI enrollment status telemetry resource
ace.est	Base resource of all Enrollment over Secure Transport CoAPS (EST-coaps) resources

Note that the resource type "brski" identifies a base resource in a resource hierarchy on a CoAP server, where its sub-resources each have one of the resource types "brski." as defined by this specification. Similarly, the resource type "ace.est" identifies a base resource in a resource hierarchy, where its sub-resources each have one of the resource types "ace.est." as defined by .

Media Types Registry This section registers the media type "application/voucher+cose" in the "Media Types" IANA registry. This media type is used to indicate that the content is a CBOR voucher or voucher request signed with a COSE_Sign1 structure as defined in this document.

application/voucher+cose

CoAP Content-Formats Registry IANA has allocated ID 836 from the "CoAP Content-Formats" registry as shown below.

Update to BRSKI Well-known URIs Registry This section updates the "BRSKI Well-Known URIs" IANA registry of the Bootstrapping Remote Secure Key Infrastructures (BRSKI) Parameters Registry group, by adding a new column "Short URI". The contents of this field MUST be specified for any newly registered URI as follows: Short URI: A short name for the "URI" resource that can be used by a client in a CoAP request to a BRSKI Registrar. In case the "URI" resource is only used between Registrar and MASA, the value "N/A" is registered denoting that a short name is not applicable. The contents of the registry including the new column are as follows: Update of the BRSKI Well-Known URIs Registry

URI	Short URI	Description	Reference
requestvoucher	rv	Request voucher: Pledge to Registrar, and Registrar to MASA	, [This RFC]
voucher_status	vs	Voucher status telemetry: Pledge to Registrar	, [This RFC]
requestauditlog	N/A	Request audit log: Registrar to MASA
enrollstatus	es	Enrollment status telemetry: Pledge to Registrar	, [This RFC]

Structured Syntax Suffixes Registry This section registers the "+cose" suffix in the "Structured Syntax Suffixes" IANA Registry based on the procedure.

Acknowledgements We are very grateful to for explaining COSE/CMS choices and for correcting early versions of the COSE_Sign1 objects. did extensive work on _pyang_ to extend it to support the SID allocation process, and this document was among its first users. , , , , and provided review feedback. The BRSKI design team has met on many Tuesdays and Thursdays for document review. The team includes the authors and: , , , , and . , and provided review feedback on the registration of the +cose structured syntax suffix.

Changelog -27: Clarify x5bag for storing signing chain and Registrar removes unprotected x5bag/x5chain (#324, #323, #230). Clarify RPK use with "placeholder" certificate. Merged the very similar BRSKI-MASA security considerations sections (#312). Require CBOR format for Pledge's/EST-client's telemetry (#309, #317). Removed figure captions from code examples for consistency (#315). Add base resource type (rt) for "ace.est" and related terminology (#314). Update IEEE 802.1AR reference to 2018 version (#313). Editorial updates. -26: Updated I-D/RFC references to newer versions. Corrected "sub-registry" term to official "registry", in IANA section. Explicitly imported terminology from . Corrected "router" term in Thread/MLE section, with clarifications, and reference fix. Moved references between "Informative" and "Normative" based on what's required to implement all the optional features. Removal of some lingering legacy text. Editorial improvements, bugfixes and typo corrections. -25: Moved all software/library support info into Appendix A and added "open source" section; Removed use of formal Extends/Amends Update-tags (#303, #304); Moved Section 14 to Appendix E (#302); Editorial improvements. -24: Rephrased well-known URL requirement in 14.1 (#292, #293); Added paragraph on future certificate formats like C509 (#281, #294); Add formal specification for CoAP discovery of Join Proxy by Pledge, instead of only showing examples (#296, #300); Enable mDNS discovery of Join Proxy by Pledge (also in mesh networks) and list service name to use (#297, #299); Add requirement to support content-format 287 in /sen and /sren response (#295, #298). -23:
Removed Update tag for RFC 8366 (#285, #288); Introduced cBRSKI acronym (#284, #286); Added Update tag for RFC 9148 (#283, #289); Keep CoAP discovery as only mechanism and refer to future discovery work (#279, #282, #290); Introduce formal CBOR diagnostics ellipsis elision syntax (#281, #287); Support for multi-tier CAs by introducing multipart-core /crts format (#275, #291); Terminology updated for consistency with RFC 8366-bis (#274, #280); Rename voucher media type to application/voucher+cose and register +cose SSS (#264, #277); Editorial changes including section restructuring. -22:
Streamlined text to focus mostly on the default flow, with optional functions moved to their own sections (#269, #273); For DTLS 1.3 client, use the record_size_limit extensions RFC 8449 (#270); Editorial updates; Reference rfc6125bis updated to RFC 9525. -11 to -21:
(For change details see GitHub issues https://github.com/anima-wg/constrained-voucher/issues , related Pull Requests and commits.) -10:
Design considerations extended; Examples made consistent. -08:
Examples for cose_sign1 are completed and improved. -06:
New SID values assigned; regenerated examples. -04:
voucher and request-voucher MUST be signed; examples for signed request are added in appendix; IANA SID registration is updated; SID values in examples are aligned; signed cms examples aligned with new SIDs. -03:
Examples are inverted. -02:
Example of requestvoucher with unsigned appllication/cbor is added; attributes of voucher "refined" to optional; CBOR serialization of vouchers improved; Discovery port numbers are specified. -01:
application/json is optional, application/cbor is compulsory; Cms and cose mediatypes are introduced. -00:
Initial version.

References Normative References Unique Local IPv6 Unicast Addresses This document defines an IPv6 unicast address format that is globally unique and is intended for local communications, usually inside of a site. These addresses are not expected to be routable on the global Internet. [STANDARDS-TRACK] Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP) This document describes the Internet X.509 Public Key Infrastructure (PKI) Certificate Management Protocol (CMP). Protocol messages are defined for X.509v3 certificate creation and management. CMP provides on-line interactions between PKI components, including an exchange between a Certification Authority (CA) and a client system. [STANDARDS-TRACK] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] Transport Layer Security (TLS) Extensions: Extension Definitions This document provides specifications for existing TLS extensions. It is a companion document for RFC 5246, "The Transport Layer Security (TLS) Protocol Version 1.2". The extensions specified are server_name, max_fragment_length, client_certificate_url, trusted_ca_keys, truncated_hmac, and status_request. [STANDARDS-TRACK] Datagram Transport Layer Security Version 1.2 This document specifies version 1.2 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document updates DTLS 1.0 to work with TLS version 1.2. [STANDARDS-TRACK] Constrained RESTful Environments (CoRE) Link Format This specification defines Web Linking using a link format for use by constrained web servers to describe hosted resources, their attributes, and other relationships between links. Based on the HTTP Link Header field defined in RFC 5988, the Constrained RESTful Environments (CoRE) Link Format is carried as a payload and is assigned an Internet media type. "RESTful" refers to the Representational State Transfer (REST) architecture. A well-known URI is defined as a default entry point for requesting the links hosted by a server. [STANDARDS-TRACK] Multicast DNS As networked devices become smaller, more portable, and more ubiquitous, the ability to operate with less configured infrastructure is increasingly important. In particular, the ability to look up DNS resource record data types (including, but not limited to, host names) in the absence of a conventional managed DNS server is useful. Multicast DNS (mDNS) provides the ability to perform DNS-like operations on the local link in the absence of any conventional Unicast DNS server. In addition, Multicast DNS designates a portion of the DNS namespace to be free for local use, without the need to pay any annual fee, and without the need to set up delegations or otherwise configure a conventional DNS server to answer for those names. The primary benefits of Multicast DNS names are that (i) they require little or no administration or configuration to set them up, (ii) they work when no infrastructure is present, and (iii) they work during infrastructure failures. Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) This document specifies a new certificate type and two TLS extensions for exchanging raw public keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The new certificate type allows raw public keys to be used for authentication. The Constrained Application Protocol (CoAP) The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments. Block-Wise Transfers in the Constrained Application Protocol (CoAP) The Constrained Application Protocol (CoAP) is a RESTful transfer protocol for constrained nodes and networks. Basic CoAP messages work well for small payloads from sensors and actuators; however, applications will need to transfer larger payloads occasionally -- for instance, for firmware updates. In contrast to HTTP, where TCP does the grunt work of segmenting and resequencing, CoAP is based on datagram transports such as UDP or Datagram Transport Layer Security (DTLS). These transports only offer fragmentation, which is even more problematic in constrained nodes and networks, limiting the maximum size of resource representations that can practically be transferred. Instead of relying on IP fragmentation, this specification extends basic CoAP with a pair of "Block" options for transferring multiple blocks of information from a resource representation in multiple request-response pairs. In many important cases, the Block options enable a server to be truly stateless: the server can handle each block transfer separately, with no need for a connection setup or other server-side memory of previous block transfers. Essentially, the Block options provide a minimal way to transfer larger representations in a block-wise fashion. A CoAP implementation that does not support these options generally is limited in the size of the representations that can be exchanged, so there is an expectation that the Block options will be widely used in CoAP implementations. Therefore, this specification updates RFC 7252. A Voucher Artifact for Bootstrapping Protocols Watsen Networks Sandelman Software Cisco Systems Futurewei Technologies Inc. Huawei This document defines a strategy to securely assign a Pledge to an owner using an artifact signed, directly or indirectly, by the Pledge's manufacturer. This artifact is known as a "voucher". This document defines an artifact format as a YANG-defined JSON or CBOR document that has been signed using a variety of cryptographic systems. The voucher artifact is normally generated by the Pledge's manufacturer (i.e., the Manufacturer Authorized Signing Authority (MASA)). This document updates RFC8366, includes a number of desired extensions into the YANG. The voucher request defined in RFC8995 is also now included in this document, as well as other YANG extensions needed for variants of BRSKI/RFC8995. The Transport Layer Security (TLS) Protocol Version 1.3 This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. Record Size Limit Extension for TLS An extension to Transport Layer Security (TLS) is defined that allows endpoints to negotiate the maximum size of protected records that each will send the other. This replaces the maximum fragment length extension defined in RFC 6066. Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON. Multipart Content-Format for the Constrained Application Protocol (CoAP) This memo defines application/multipart-core, an application-independent media type that can be used to combine representations of zero or more different media types (each with a Constrained Application Protocol (CoAP) Content-Format identifier) into a single representation, with minimal framing overhead. Concise Binary Object Representation (CBOR) The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. Bootstrapping Remote Secure Key Infrastructure (BRSKI) This document specifies automated bootstrapping of an Autonomic Control Plane. To do this, a Secure Key Infrastructure is bootstrapped. This is done using manufacturer-installed X.509 certificates, in combination with a manufacturer's authorizing service, both online and offline. We call this process the Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol. Bootstrapping a new device can occur when using a routable address and a cloud service, only link-local connectivity, or limited/disconnected networks. Support for deployment models with less stringent security requirements is included. Bootstrapping is complete when the cryptographic identity of the new key infrastructure is successfully deployed to the device. The established secure connection can be used to deploy a locally issued certificate to the device as well. Constrained Join Protocol (CoJP) for 6TiSCH This document describes the minimal framework required for a new device, called a "pledge", to securely join a 6TiSCH (IPv6 over the Time-Slotted Channel Hopping mode of IEEE 802.15.4) network. The framework requires that the pledge and the JRC (Join Registrar/Coordinator, a central entity), share a symmetric key. How this key is provisioned is out of scope of this document. Through a single CoAP (Constrained Application Protocol) request-response exchange secured by OSCORE (Object Security for Constrained RESTful Environments), the pledge requests admission into the network, and the JRC configures it with link-layer keying material and other parameters. The JRC may at any time update the parameters through another request-response exchange secured by OSCORE. This specification defines the Constrained Join Protocol and its CBOR (Concise Binary Object Representation) data structures, and it describes how to configure the rest of the 6TiSCH communication stack for this join process to occur in a secure manner. Additional security mechanisms may be added on top of this minimal framework. Encapsulation of 6TiSCH Join and Enrollment Information Elements In the Time-Slotted Channel Hopping (TSCH) mode of IEEE Std 802.15.4, opportunities for broadcasts are limited to specific times and specific channels. Routers in a TSCH network transmit Enhanced Beacon (EB) frames to announce the presence of the network. This document provides a mechanism by which additional information critical for new nodes (pledges) and long-sleeping nodes may be carried within the EB in order to conserve use of broadcast opportunities. CBOR Object Signing and Encryption (COSE): Structures and Process Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document, along with RFC 9053, obsoletes RFC 8152. The Datagram Transport Layer Security (DTLS) Protocol Version 1.3 This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document obsoletes RFC 6347. EST-coaps: Enrollment over Secure Transport with the Secure Constrained Application Protocol Enrollment over Secure Transport (EST) is used as a certificate provisioning protocol over HTTPS. Low-resource devices often use the lightweight Constrained Application Protocol (CoAP) for message exchanges. This document defines how to transport EST payloads over secure CoAP (EST-coaps), which allows constrained devices to use existing EST functionality for provisioning certificates. CBOR Object Signing and Encryption (COSE): Header Parameters for Carrying and Referencing X.509 Certificates The CBOR Object Signing and Encryption (COSE) message structure uses references to keys in general. For some algorithms, additional properties are defined that carry parameters relating to keys as needed. The COSE Key structure is used for transporting keys outside of COSE messages. This document extends the way that keys can be identified and transported by providing attributes that refer to or contain X.509 certificates. Service Identity in TLS Many application technologies enable secure communication between two entities by means of Transport Layer Security (TLS) with Internet Public Key Infrastructure using X.509 (PKIX) certificates. This document specifies procedures for representing and verifying the identity of application services in such interactions. This document obsoletes RFC 6125. IEEE 802.1AR Secure Device Identity IEEE Standards Association Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification This document describes the format of a set of control messages used in ICMPv6 (Internet Control Message Protocol). ICMPv6 is the Internet Control Message Protocol for Internet Protocol version 6 (IPv6). [STANDARDS-TRACK] Cryptographic Message Syntax (CMS) This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK] Compression Format for IPv6 Datagrams over IEEE 802.15.4-Based Networks This document updates RFC 4944, "Transmission of IPv6 Packets over IEEE 802.15.4 Networks". This document specifies an IPv6 header compression format for IPv6 packet delivery in Low Power Wireless Personal Area Networks (6LoWPANs). The compression format relies on shared context to allow compression of arbitrary prefixes. How the information is maintained in that shared context is out of scope. This document specifies compression of multicast addresses and a framework for compressing next headers. UDP header compression is specified within this framework. [STANDARDS-TRACK] Media Type Specifications and Registration Procedures This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice. Enrollment over Secure Transport This document profiles certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport. This profile, called Enrollment over Secure Transport (EST), describes a simple, yet functional, certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire client certificates and associated Certification Authority (CA) certificates. It also supports client-generated public/private key pairs as well as key pairs generated by the CA. Terminology for Constrained-Node Networks The Internet Protocol Suite is increasingly used on small devices with severe constraints on power, memory, and processing resources, creating constrained-node networks. This document provides a number of basic terms that have been useful in the standardization work for constrained-node networks. The YANG 1.1 Data Modeling Language YANG is a data modeling language used to model configuration data, state data, Remote Procedure Calls, and notifications for network management protocols. This document describes the syntax and semantics of version 1.1 of the YANG language. YANG version 1.1 is a maintenance release of the YANG language, addressing ambiguities and defects in the original specification. There are a small number of backward incompatibilities from YANG version 1. This document also specifies the YANG mappings to the Network Configuration Protocol (NETCONF). A Voucher Artifact for Bootstrapping Protocols This document defines a strategy to securely assign a pledge to an owner using an artifact signed, directly or indirectly, by the pledge's manufacturer. This artifact is known as a "voucher". This document defines an artifact format as a YANG-defined JSON document that has been signed using a Cryptographic Message Syntax (CMS) structure. Other YANG-derived formats are possible. The voucher artifact is normally generated by the pledge's manufacturer (i.e., the Manufacturer Authorized Signing Authority (MASA)). This document only defines the voucher artifact, leaving it to other documents to describe specialized protocols for accessing it. GeneRic Autonomic Signaling Protocol (GRASP) This document specifies the GeneRic Autonomic Signaling Protocol (GRASP), which enables autonomic nodes and Autonomic Service Agents to dynamically discover peers, to synchronize state with each other, and to negotiate parameter settings with each other. GRASP depends on an external security environment that is described elsewhere. The technical objectives and parameters for specific application scenarios are to be described in separate documents. Appendices briefly discuss requirements for the protocol and existing protocols with comparable features. CBOR Object Signing and Encryption (COSE): Initial Algorithms Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052). This document, along with RFC 9052, obsoletes RFC 8152. Remote ATtestation procedureS (RATS) Architecture In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols. Ephemeral Diffie-Hellman Over COSE (EDHOC) This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios, and a main use case is to establish an Object Security for Constrained RESTful Environments (OSCORE) security context. By reusing CBOR Object Signing and Encryption (COSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding, and Constrained Application Protocol (CoAP) for transport, the additional code size can be kept very low. YANG Schema Item iDentifier (YANG SID) YANG Schema Item iDentifiers (YANG SIDs) are globally unique 63-bit unsigned integers used to identify YANG items. SIDs provide a more compact method for identifying those YANG items that can be used efficiently, notably in constrained environments (RFC 7228). This document defines the semantics, registration processes, and assignment processes for YANG SIDs for IETF-managed YANG modules. To enable the implementation of these processes, this document also defines a file format used to persist and publish assigned YANG SIDs. Mesh Link Establishment Silicon Labs This document defines the mesh link establishment (MLE) protocol for establishing and configuring secure radio links in IEEE 802.15.4 radio mesh networks. MLE extends IEEE 802.15.4 for use in multihop mesh networks by adding three capabilities: 1) dynamically configuring and securing radio connections between neighboring devices, 2) enabling network-wide changes to shared radio parameters, and 3) allowing the determination of radio link quality prior to configuration. MLE operates below the routing layer, insulating it from the details of configuring, securing, and maintaining individual radio links within a larger mesh network. Operational Considerations for Voucher infrastructure for BRSKI MASA Sandelman Software Works Huawei Technologies This document describes a number of operational modes that a BRSKI Manufacturer Authorized Signing Authority (MASA) may take on. Each mode is defined, and then each mode is given a relevance within an over applicability of what kind of organization the MASA is deployed into. This document does not change any protocol mechanisms. Join Proxy for Bootstrapping of Constrained Network Elements Sandelman Software Works vanderstok consultancy Cisco Systems IoTconsultancy.nl This document extends the constrained Bootstrapping Remote Secure Key Infrastructures (cBRSKI) onboarding protocol by adding a new network function, the constrained Join Proxy. This function can be implemented by a constrained node [RFC7228]. The goal of the Join Proxy is to help new constrained nodes ("Pledges") securely onboard into a new IP network using the cBRSKI protocol. It acts as a circuit proxy for User Datagram Protocol (UDP) packets that carry the onboarding messages. The solution is extendible to support other UDP-based onboarding protocols as well. The Join Proxy functionality is designed for use in constrained networks [RFC7228], including IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN) [RFC4944] based mesh networks in which the onboarding authority server ("Registrar") may be multiple IP hops away from a Pledge. Despite this distance, the Pledge only needs to use link-local UDP communication to complete cBRSKI onboarding. Two modes of Join Proxy operation are defined, stateless and stateful, to allow implementers to make different trade-offs regarding resource usage, implementation complexity and security. JWS signed Voucher Artifacts for Bootstrapping Protocols Siemens AG Sandelman Software Works This document introduces a variant of the RFC8366 voucher artifact in which CMS is replaced by the JSON Object Signing and Encryption (JOSE) mechanism described in RFC7515. This supports deployments in which JOSE is preferred over CMS. In addition to specifying the format, the "application/voucher-jws+json" media type is registered and examples are provided. CBOR Extended Diagnostic Notation (EDN) Universität Bremen TZI This document formalizes and consolidates the definition of the Extended Diagnostic Notation (EDN) of the Concise Binary Object Representation (CBOR), addressing implementer experience. Replacing EDN's previous informal descriptions, it updates RFC 8949, obsoleting its Section 8, and RFC 8610, obsoleting its Appendix G. It also specifies and uses registry-based extension points, using one to support text representations of epoch-based dates/times and of IP addresses and prefixes. // (This cref will be removed by the RFC editor:) The present // revision (–16) addresses the first half of the WGLC comments, // except for the issues around the specific way how to best achieve // pluggable ABNF grammars for application-extensions. It is // intended for use as a reference document for the mid-WGLC CBOR WG // interim meeting on 2025-01-08. BRSKI discovery and variations Futurewei USA IoTconsultancy.nl This document specifies how BRSKI entities, such as registrars, proxies, pledges or others that are acting as responders, can be discovered and selected by BRSKI entities acting as initiators, especially in the face of variations in the protocols that can introduce non-interoperability when not equally supported by both responder and initiator. CBOR Encoded X.509 Certificates (C509 Certificates) Ericsson AB Ericsson AB RISE AB RISE AB Nexus Group This document specifies a CBOR encoding of X.509 certificates. The resulting certificates are called C509 Certificates. The CBOR encoding supports a large subset of RFC 5280 and all certificates compatible with the RFC 7925, IEEE 802.1AR (DevID), CNSA, RPKI, GSMA eUICC, and CA/Browser Forum Baseline Requirements profiles. When used to re-encode DER encoded X.509 certificates, the CBOR encoding can in many cases reduce the size of RFC 7925 profiled certificates with over 50% while also significantly reducing memory and code size compared to ASN.1. The CBOR encoded structure can alternatively be signed directly ("natively signed"), which does not require re- encoding for the signature to be verified. The TLSA selectors registry defined in RFC 6698 is extended to include CBOR certificates. The document also specifies C509 Certificate Signing Requests, C509 COSE headers, a C509 TLS certificate type, and a C509 file format. CBOR Object Signing and Encryption (COSE) registry group Thread Group website

Software and Library Support for cBRSKI This appendix lists software and security libraries that may be useful for implementing cBRSKI functionality.

Open Source cBRSKI Implementations There are a few ongoing open source projects to support cBRSKI development and testing. These include:

OpenThread Registrar (OT Registrar) - a cBRSKI Registrar, test MASA server, and test Pledge written in Java.
Link: https://github.com/EskoDijk/ot-registrar
OpenThread CCM (pre-alpha) - a cBRSKI Pledge and Join Proxy for OpenThread-based IoT nodes, written in C/C++.
Link: https://github.com/EskoDijk/openthread/pull/7
OpenThread Network Simulator v2 (OTNS2) - a CLI + GUI simulator for OpenThread IoT nodes in 6LoWPAN mesh networks, able to accurately simulate cBRSKI Pledges onboarding (pre-alpha functionality) to a Thread mesh network via an OT Registrar.
Link: https://github.com/EskoDijk/ot-ns/pull/165
Fountain - a BRSKI/6TiSCH Registrar with support for COSE-signed vouchers, written in Ruby.
Link: https://github.com/AnimaGUS-minerva/fountain

Security Library Support For the implementation of BRSKI/cBRSKI, the use of a software library to manipulate PKIX certificates, establish secure (D)TLS connections, and use crypto algorithms is often beneficial. Two C-based examples are OpenSSL and mbedtls. Others more targeted to specific platforms or languages exist. It is important to realize that the library interfaces differ significantly between libraries. Libraries do not support all known crypto algorithms. Before deciding on a library, it is important to look at their supported crypto algorithms and the roadmap for future support. Apart from availability, the library footprint, and the required execution cycles should be investigated beforehand. The handling of certificates usually includes the checking of a certificate chain. In some libraries, chains are constructed and verified on the basis of a set of certificates, the trust anchor (usually a self signed root CA), and the target certificate. In other libraries, the chain must be constructed beforehand and obey ordering criteria. Verification always includes the checking of the signatures. Less frequent is the checking the validity of the dates or checking the existence of a revoked certificate in the chain against a set of revoked certificates. Checking the chain on the consistency of the certificate extensions which specify the use of the certificate usually needs to be programmed explicitly. A library can be used to construct a (D)TLS connection. It is useful to realize that differences between (D)TLS implementations will occur due to the differences in the certificate checks supported by the library. On top of that, checks between client and server certificates enforced by (D)TLS are not always helpful for a BRSKI implementation. For example, the certificates of Pledge and Registrar are usually not related when the BRSKI protocol is started. It must be verified that checks on the relation between client and server certificates do not hamper a succeful DTLS connection establishment.

OpensSSL Example Code From OpenSSL's apps/verify.c : X509 *x = NULL; int i = 0, ret = 0; X509_STORE_CTX *csc; STACK_OF(X509) *chain = NULL; int num_untrusted; x = load_cert(file, "certificate file"); if (x == NULL) goto end; csc = X509_STORE_CTX_new(); if (csc == NULL) { BIO_printf(bio_err, "error %s: X.509 store context" "allocation failed\n", (file == NULL) ? "stdin" : file); goto end; } X509_STORE_set_flags(ctx, vflags); if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) { X509_STORE_CTX_free(csc); BIO_printf(bio_err, "error %s: X.509 store context" "initialization failed\n", (file == NULL) ? "stdin" : file); goto end; } if (tchain != NULL) X509_STORE_CTX_set0_trusted_stack(csc, tchain); if (crls != NULL) X509_STORE_CTX_set0_crls(csc, crls); i = X509_verify_cert(csc); X509_STORE_CTX_free(csc);

]]>


        
          mbedTLS Example Code
          
mbedtls_x509_crt cert;
mbedtls_x509_crt caCert;
uint32_t         certVerifyResultFlags;
// ...
int result = mbedtls_x509_crt_verify(&cert, &caCert, NULL, NULL,
                             &certVerifyResultFlags, NULL, NULL);


]]>


      
        Generating Certificates with OpenSSL
        This informative appendix shows example Bash shell scripts to generate test PKIX certificates for the Pledge IDevID, the Registrar and the MASA.
The shell scripts cannot be run stand-alone because they depend on input files which are not all included in this appendix. Nevertheless,
these scripts may provide guidance on how OpenSSL can be configured for generating cBRSKI certificates.
        The scripts were tested with OpenSSL 3.0.2. Older versions may not work -- OpenSSL 1.1.1 for example does not support all extensions used.
        
#!/bin/bash
# File: create-cert-Pledge.sh
# Create new cert for: Pledge IDevID

# days certificate is valid - try to get close to the 802.1AR 
# specified 9999-12-31 end date.
SECONDS1=`date +%s` # time now
SECONDS2=`date --date="9999-12-31 23:59:59Z" +%s` # target end time
let VALIDITY="(${SECONDS2}-${SECONDS1})/(24*3600)"
echo "Using validity param -days ${VALIDITY}"

NAME=pledge

# create csr for device
# conform to 802.1AR guidelines, using only CN + serialNumber when 
# manufacturer is already present as CA.
# CN is not even mandatory, but just good practice.
openssl req -new -key keys/privkey_pledge.pem -out $NAME.csr -subj \
             "/CN=Stok IoT sensor Y-42/serialNumber=JADA123456789"

# sign csr - it uses faketime only to get endtime to 23:59:59Z
faketime '23:59:59Z' \
openssl x509 -set_serial 32429 -CAform PEM -CA output/masa_ca.pem \
  -CAkey keys/privkey_masa_ca.pem -extfile x509v3.ext -extensions \
  pledge_ext -req -in $NAME.csr -out output/$NAME.pem \
  -days $VALIDITY -sha256

# Note: alternative method using 'ca' command. Currently 
# doesn't work without 'country' subject field.
# openssl ca -rand_serial -enddate 99991231235959Z -certform PEM \
#  -cert output/masa_ca.pem -keyfile keys/privkey_masa_ca.pem \
#  -extfile x509v3.ext -extensions pledge_ext -in $NAME.csr \ 
#  -out $NAME.pem -outdir output

# delete temp files
rm -f $NAME.csr

# convert to .der format
openssl x509 -in output/$NAME.pem -inform PEM -out output/$NAME.der \
             -outform DER


]]>
        
# File: x509v3.ext
# This file contains all X509v3 extension definitions for OpenSSL
# certificate generation. Each certificate has its own _ext 
# section below.

[ req ]
prompt = no

[ masa_ca_ext ]
subjectAltName=email:info@masa.stok.nl
keyUsage = critical,digitalSignature, keyCertSign, cRLSign
basicConstraints = critical,CA:TRUE,pathlen:3
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

[ pledge_ext ]
keyUsage = critical,digitalSignature, nonRepudiation, \
           keyEncipherment, dataEncipherment
# basicConstraints for a non-CA cert MAY be marked either 
# non-critical or critical.
basicConstraints = CA:FALSE
# Don't include subjectKeyIdentifier (SKI) - see 802.1AR-2018
subjectKeyIdentifier = none
authorityKeyIdentifier=keyid
# Include the MASA URI
1.3.6.1.5.5.7.1.32 = ASN1:IA5STRING:masa.stok.nl

[ domain_ca_ext ]
subjectAltName=email:help@custom-er.example.com
keyUsage = critical, keyCertSign, digitalSignature, cRLSign
basicConstraints=critical,CA:TRUE
# RFC 5280 4.2.1.1 : AKI MAY be omitted, and MUST be non-critical; 
# SKI MUST be non-critical
subjectKeyIdentifier=hash

[ registrar_ext ]
keyUsage = critical, digitalSignature, nonRepudiation, \
           keyEncipherment, dataEncipherment
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
# Set Registrar 'RA' flag along with TLS client/server usage
#  see draft-ietf-anima-constrained-voucher#section-7.3
#  see tools.ietf.org/html/rfc6402#section-2.10
#  see www.openssl.org/docs/man1.1.1/man5/x509v3_config.html
extendedKeyUsage = critical,1.3.6.1.5.5.7.3.28, serverAuth, \
                   clientAuth


]]>
        
#!/bin/bash
# File: create-cert-Registrar.sh
# Create new cert for: Registrar in a company domain

# days certificate is valid
VALIDITY=1095

# cert filename
NAME=registrar

# create csr
openssl req -new -key keys/privkey_registrar.pem -out $NAME.csr \
 -subj "/CN=Custom-ER Registrar/OU=Office dept/O=Custom-ER, Inc./\
L=Ottowa/ST=ON/C=CA"

# sign csr
openssl x509 -set_serial 0xC3F62149B2E30E3E -CAform PEM -CA \
 output/domain_ca.pem -extfile x509v3.ext -extensions registrar_ext \
 -req -in $NAME.csr -CAkey keys/privkey_domain_ca.pem \
 -out output/$NAME.pem -days $VALIDITY -sha256

# delete temp files
rm -f $NAME.csr

# convert to .der format
openssl x509 -in output/$NAME.pem -inform PEM -out output/$NAME.der \
             -outform DER


]]>
        
#!/bin/bash
# File: create-cert-MASA.sh
# Create new cert for: MASA CA, self-signed CA certificate

# days certificate is valid
VALIDITY=3650

NAME=masa_ca

# create csr
openssl req -new -key keys/privkey_masa_ca.pem -out $NAME.csr \
            -subj "/CN=masa.stok.nl/O=vanderstok/L=Helmond/C=NL"

# sign csr
mkdir output >& /dev/null
openssl x509 -set_serial 0xE39CDA17E1386A0A  -extfile x509v3.ext \
 -extensions masa_ca_ext -req -in $NAME.csr \
 -signkey keys/privkey_masa_ca.pem -out output/$NAME.pem \
 -days $VALIDITY -sha256

# delete temp files
rm -f $NAME.csr

# convert to .der format
openssl x509 -in output/$NAME.pem -inform PEM -out output/$NAME.der \
             -outform DER


]]>


    
      cBRSKI Message Examples
      This appendix extends the EST-coaps message examples from Appendix A of  with cBRSKI messages.
The CoAP headers are only fully worked out for the first example, enrollstatus.
      
        enrollstatus
        A coaps enrollstatus message from Pledge to Registrar can be as follows:
        
]]>
        The corresponding CoAP header fields for this request are shown below.
        
        The Uri-Host and Uri-Port Options are omitted because they coincide with the transport protocol (UDP) destination address and port respectively.
        The above binary CBOR enrollstatus payload looks as follows in CBOR diagnostic notation, for the case of enrollment success:
        
        Alternatively the payload could look as follows in case of enrollment failure, using the reason field to describe the failure:
        
        "
  }
]]>
        To indicate successful reception of the enrollmentstatus telemetry report, a response from the Registrar may then be:
        
        Which in case of a piggybacked response has the following CoAP header fields:
        
      
      
        voucher_status
        A coaps voucher_status message from Pledge to Registrar can be as follows:
        
        The request payload above is binary CBOR but represented here in hexadecimal for readability. Below is the equivalent CBOR diagnostic format.
        
        A success response without payload will then be sent by the Registrar back to the Pledge to indicate reception of the telemetry report:
        
      
    
    
      COSE-signed Voucher (Request) Examples
      This appendix provides examples of COSE-signed voucher requests and vouchers. First, the used test keys and PKIX certificates are described, followed by examples of
a constrained PVR, RVR and voucher.
      
        Pledge, Registrar and MASA Keys
        This section documents the public and private keys used for all examples in this appendix. These keys are not used in any
production system, and must only be used for testing purposes.
        
          Pledge IDevID Private Key
          
          
        
        
          Registrar Private Key
          
          
        
        
          MASA Private Key
          
          
        
      
      
        Pledge, Registrar, Domain CA and MASA Certificates
        All keys and PKIX certificates used for the examples have been generated with OpenSSL - see  for more details on certificate generation.
Below the certificates are listed that accompany the keys shown above. Each certificate description is followed by the hexadecimal representation of the X.509 ASN.1 DER encoded certificate.
This representation can be for example decoded using an online ASN.1 decoder.
        
          Pledge IDevID Certificate
          
          Below is the hexadecimal representation of the binary X.509 DER-encoded certificate:
          
        
        
          Registrar Certificate
          
          Below is the hexadecimal representation of the binary X.509 DER-encoded certificate:
          
        
        
          Domain CA Certificate
          The Domain CA certificate is the CA of the owner's domain. It has signed the Registrar (RA) certificate.
          
          Below is the hexadecimal representation of the binary X.509 DER-encoded certificate:
          
        
        
          MASA Certificate
          The MASA CA certificate is the CA that signed the Pledge's IDevID certificate.
          
          Below is the hexadecimal representation of the binary X.509 DER-encoded certificate:
          
        
      
      
        COSE-signed Pledge Voucher Request (PVR)
        In this example, the voucher request (PVR) has been signed by the Pledge using the IDevID private key of ,
and has been sent to the link-local constrained Join Proxy (JP) over CoAPS to JP's join port. The join port happens to
use the default CoAPS UDP port 5684.
        
]]>
        When the Join Proxy receives the DTLS handshake messages from the Pledge, it will relay these messages to the Registrar.
The payload signed_voucher_request is shown as hexadecimal dump (with lf added) below:
        
        The representation of signed_pvr in CBOR diagnostic format (with lf added) is:
        
        The COSE payload is the PVR voucher data, encoded as a CBOR byte string. The diagnostic representation of it is shown below:
        
        The Pledge uses the "proximity" (key '1', SID 2502, enum value 2) assertion together with an included
proximity-registrar-pubk field (key '12', SID 2513) to inform MASA about its proximity to the specific Registrar.
      
      
        COSE-signed Registrar Voucher Request (RVR)
        In this example the Registrar's voucher request has been signed by the JRC (Registrar) using the private key from
.  Contained within this voucher request is the voucher request PVR that was made by the Pledge to JRC.
Note that the RVR uses the HTTPS protocol (not CoAP) and corresponding long URI path names as defined in .
The Content-Type and Accept headers indicate the constrained voucher format that is defined in the present document.
Because the Pledge used this format in the PVR, the JRC must also use this format in the RVR.
        
]]>
        The payload signed_rvr is shown as hexadecimal dump (with lf added):
        
        The representation of signed_rvr in CBOR diagnostic format (with lf added) is:
        
      
      
        COSE-signed Voucher from MASA
        The resulting voucher is created by the MASA and returned to the Registrar:
        
]]>
        The Registrar then returns the voucher to the Pledge:
        
]]>
        It is signed by the MASA's private key (see ) and can be
verified by the Pledge using the MASA's public key that it stores.
        Below is the binary signed_voucher, encoded in hexadecimal (with lf added):
        
        The representation of signed_voucher in CBOR diagnostic format (with lf added) is:
        
        In the above, the third element in the array is the voucher data encoded as a CBOR byte string.
When decoded, it can be represented by the following CBOR diagnostic notation:
        
        The largest element in the voucher is identified by key 8, which decodes to SID 2459 (pinned-domain-cert).
It contains the complete PKIX (DER-encoded X.509v3) certificate of the Registrar's domain CA. This certificate is
shown in .
      
    
    
      Pledge Device Class Profiles
      cBRSKI allows implementers to select between various functional options for the Pledge,
yielding different code size footprints and different requirements on Pledge hardware.
Thus for each product type an optimal trade-off between functionality, development/maintenance cost and hardware cost can be made.
      This appendix illustrates different selection outcomes by means of defining different example "profiles" of constrained Pledges. In the following
subsections, these profiles are defined and a comparison is provided.
      
        Minimal Pledge
        The Minimal Pledge profile (Min) aims to reduce code size and hardware cost to a minimum. This comes with some severe functional restrictions, in particular:
        
          
            No support for EST re-enrollment: whenever this would be needed, a factory reset followed by a new onboarding process is required.
          
          
            No support for change of Registrar: for this case, a factory reset followed by a new onboarding process is required.
          
        
        This profile would be appropriate for single-use devices which must be replaced rather than re-deployed.
That might  include medical devices, but also sensors used during construction, such as concrete temperature  sensors.
      
      
        Typical Pledge
        The Typical Pledge profile (Typ) aims to support a typical cBRSKI feature set including EST re-enrollment support and Registrar changes.
      
      
        Full-featured Pledge
        The Full-featured Pledge profile (Full) illustrates a Pledge category that supports multiple onboarding methods, hardware real-time clock, BRSKI/EST resource discovery, and
CSR Attributes request/response. It also supports most of the optional features defined in this specification.
      
      
        Comparison Chart of Pledge Classes
        The below table specifies the functions implemented in the three example Pledge classes Min (), Typ () and Full ().
        
          
            
              Functions Implemented
              Min
              Typ
              Full
            
          
          
            
              
                General
               
               
               
            
            
              Support cBRSKI onboarding
              Y
              Y
              Y
            
            
              Support other onboarding method(s)
              -
              -
              Y
            
            
              Real-time clock and cert time checks
              -
              -
              Y
            
            
              
                cBRSKI
               
               
               
            
            
              CoAP discovery for rt=brski*
              -
              -
              Y
            
            
              Support pinned Registrar public key (RPK)
              Y
              -
              Y
            
            
              Support pinned Registrar certificate
              -
              Y
              Y
            
            
              Support pinned Domain CA
              -
              Y
              Y
            
            
              
                EST-coaps
               
               
               
            
            
              Explicit TA database size (#certs)
              0
              3
              8
            
            
              CoAP discovery for rt=ace.est*
              -
              -
              Y
            
            
              GET /att and response parsing
              -
              -
              Y
            
            
              GET /crts format 62 (multiple CA certs)
              -
              Y
              Y
            
            
              GET /crts format 281 (multiple CA certs)
              -
              -
              Y
            
            
              ETag handling support for GET /crts
              -
              Y
              Y
            
            
              Re-enrollment supported
              - (*)
              Y
              Y
            
            
              
                 optimized procedure
              Y
              Y
              -
            
            
              Pro-active re-enrollment at own initiative
              -
              -
              Y
            
            
              Periodic trust anchor retrieval GET /crts
              - (*)
              Y
              Y
            
            
              Supports change of Registrar identity
              - (*)
              Y
              Y
            
          
        
        Notes: (*) means only possible via a factory-reset followed by a new cBRSKI onboarding procedure.
      
    
    
      Pledge Discovery of Onboarding and Enrollment Options
      The discovery functionality described in this section is informative only:
it derives from the normative CoRE documents ,  and from .
In typical cases, for a constrained Pledge that only supports a single onboarding and enrollment method, this functionality is not needed.
      Note that the full-featured Pledge class defined in  does support CoAP discovery functionality.
      
        Pledge Discovery Query for All cBRSKI Resources
        A Pledge that wishes to discover the available cBRSKI onboarding options/formats can do a discovery
operation using CoAP discovery per  and . It first sends a CoAP discovery query to the Registrar over the secured DTLS connection.
The Registrar then responds with a CoRE Link Format payload containing the requested resources, if any.
        For example, if the Registrar supports a cBRSKI base resource "/b" in addition to the longer "/.well-known/brski" base
resource, and supports only the voucher format "application/voucher+cose" (836), and status reporting in both
CBOR (60) and JSON (50) formats, a CoAP resource discovery request and response may look as follows:
        ;rt=brski,
  ;rt=brski.rv;ct=836,
  ;rt=brski.vs;ct="50 60",
  ;rt=brski.es;ct="50 60"
]]>
        In this case, the Registrar returns only the shorter URI paths matching the query filter, which are located under the
"/b" base resource. The "/.well-known/brski" based URI paths are not returned, as these are assumed to be well-known
(i.e. mandatory to support for a Registrar that offers this functionality under "/b".)
        The Registrar is however under no obligation to provide the shorter URLs under "/b", and may respond to this query with
only the "/.well-known/brski/<short-name>" resources for the short names as defined in
, if these resources are not hosted anywhere else. This case is shown in the below interaction:
        ;rt=brski,
  ;rt=brski.rv;ct=836,
  ;rt=brski.vs;ct="50 60",
  ;rt=brski.es;ct="50 60"
]]>
        When responding to a discovery request for cBRSKI resources, the Registrar may return the full resource paths for all
 <short-name> resources and the content-formats supported by these resources (using ct attributes) as shown in the above examples.
This is useful when multiple content-formats are supported for a particular resource on the Registrar and the discovering Pledge also supports multiple.
        Registrars that have implemented any cBRSKI or EST-coaps URI paths outside of "/.well-known" must process a request on
the corresponding "/.well-known/brski/<short-name>" or "/.well-known/est/<short-name>" URI paths identically.
In particular, a Pledge may use the longer (well-known) and shorter URI paths in any combination.
        A Registrar may also be implemented without support for the (optional) CoAP discovery.
In that case, it may for example return a 4.04 Not Found as shown in the example below, in case the Registrar does not
host the resource "/.well-known/core" at all.
In such case, the Pledge cannot discover any onboarding/enrollment options and so it has to rely on the default cBRSKI
options and has to use the "/.well-known/..." resources.
        
      
      
        Pledge Discovery Query for the cBRSKI Base Resource
        In case the client queries for only rt=brski type resources, the Registrar responds with only the base path for the cBRSKI
resources (rt=brski, resource /b in earlier examples) and no others.
(So, the query is "rt=brski", without the wildcard character.)
This is shown in the below example.
The Pledge in this case requests only the cBRSKI base resource of type rt=brski to check if cBRSKI is supported by the
Registrar and if a shorter-length cBRSKI base resource path is supported or not.
In this case, the Pledge is not interested to check what voucher request formats, or status telemetry formats --
other than the mandatory default formats -- are supported.
The compact response below then shows that the Registrar indeed supports a cBRSKI resource at /b:
        ;rt=brski
]]>
        The Pledge can now start using any of the cBRSKI resources /b/<short-name> in a next CoAP request to the Registrar.
In above example, again the well-known resource present under /.well-known/brski is not returned because this is
assumed to be well-known to the Pledge and mandatory to support for a Registrar that offers this functionality under "/b".
        As a follow-up example, the Pledge can now start the onboarding by sending its PVR:
        
      
      
        Usage of ct Attribute
        The return of multiple content-formats in the "ct" attribute by the Registrar allows the Pledge to choose the most appropriate one for a particular operation, and allows extension with new voucher formats.
Note that only content-format 836 ("application/voucher+cose") is defined in this document for the voucher request resource (/rv), both as request payload and as response payload.
If the "ct" attribute is not indicated for the /rv resource in the CoRE link format description, this implies that at least format 836 is supported and maybe more.
        Note that this specification allows for application/voucher+cose payloads to be transmitted over HTTPS, as well as for
application/voucher-cms+json and other formats yet to be defined over CoAP.
The burden for this flexibility is placed upon the Registrar.
A Pledge on constrained hardware is expected to support a single format only.
        The Pledge needs to support one or more formats for the PVR and resulting voucher.
The MASA needs to support all formats that the associated Pledges use.
        In the below example, a Pledge queries specifically for the brski.rv resource type to learn what voucher formats are supported:
        ;rt=brski.rv;ct="836 65123 65124"
]]>
        The Registrar returns 3 supported voucher formats: 836, 65123, and 65124.
The first is the mandatory "application/voucher+cose". The other two are numbers from the Experimental Use number range
of the CoAP Content-Formats sub-registry, which are used as mere examples. The Pledge can now make a selection between the supported formats.
        Note that if the Registrar only supports the default content-formats for each cBRSKI resource as specified by this document,
it may omit the ct attributes in the discovery query response.
For example as in the following interaction:
        ;rt=brski,
  ;rt=brski.rv,
  ;rt=brski.vs,
  ;rt=brski.es
]]>
      
      
        EST-coaps Resource Discovery
        The Pledge can also use CoAP discovery to identify enrollment options, for example enrollment using EST-coaps or other methods.
The below example shows a Pledge that wants to identify EST-coaps enrollment options by sending a discovery query.
This is done either before or after the voucher has been validated.
        ;rt=ace.est.crts;ct="62 281 287",
  ;rt=ace.est.sen;ct="281 287",
  ;rt=ace.est.sren;ct="281 287",
  ;rt=ace.est.att,
  ;rt=ace.est.skg,
  ;rt=ace.est.skc
]]>
        The response from the Registrar indicates that EST-coaps enrollment (/sen) and re-enrollment (/sren) is supported,
with a choice of two content-formats for the response payload:
either a PKCS#7 container with a single LDevID certificate ("application/pkcs7-mime;smime-type=certs-only", content-format 281)
which is the BRSKI  encoding, or just a single LDevID certificate ("application/pkix-cert", content-format 287)
which is the default cBRSKI encoding.
        For the EST "cacerts" resource (/crts) there are three content-formats supported:
an application/multipart-core container (62) per , a PKCS#7 container with all CA certificates (287),
or a single (most relevant) CA certificate (281).
        The Pledge can now send a CoAP request to one of the discovered resources, with the Accept Option to indicate
which return payload content-format the Pledge wants to receive.

Functions Implemented	Min	Typ	Full
General
Support cBRSKI onboarding	Y	Y	Y
Support other onboarding method(s)	-	-	Y
Real-time clock and cert time checks	-	-	Y
cBRSKI
CoAP discovery for rt=brski*	-	-	Y
Support pinned Registrar public key (RPK)	Y	-	Y
Support pinned Registrar certificate	-	Y	Y
Support pinned Domain CA	-	Y	Y
EST-coaps
Explicit TA database size (#certs)	0	3	8
CoAP discovery for rt=ace.est*	-	-	Y
GET /att and response parsing	-	-	Y
GET /crts format 62 (multiple CA certs)	-	Y	Y
GET /crts format 281 (multiple CA certs)	-	-	Y
ETag handling support for GET /crts	-	Y	Y
Re-enrollment supported	- (*)	Y	Y
optimized procedure	Y	Y	-
Pro-active re-enrollment at own initiative	-	-	Y
Periodic trust anchor retrieval GET /crts	- (*)	Y	Y
Supports change of Registrar identity	- (*)	Y	Y