]> JWS signed Voucher Artifacts for Bootstrapping Protocols Siemens AG
thomas-werner@siemens.com
Sandelman Software Works
mcr+ietf@sandelman.ca
Internet anima Working Group Internet-Draft defines a digital artifact called voucher as a YANG-defined JSON document that is signed using a Cryptographic Message Syntax (CMS) structure. This document introduces a variant of the voucher artifact in which CMS is replaced by the JSON Object Signing and Encryption (JOSE) mechanism described in to support deployments in which JOSE is preferred over CMS. In addition to explaining how the format is created, the "application/voucher-jws+json" media type is registered and examples are provided.
Introduction "A Voucher Artifact for Bootstrapping Protocols" defines a YANG-based data structure used in "Bootstrapping Remote Secure Key Infrastructure" and "Secure Zero Touch Provisioning" to transfer ownership of a device from a manufacturer to a new owner (site domain). That document provides a serialization of the voucher to JSON with a signature according to the Cryptographic Message Syntax (CMS) . The resulting voucher artifact has the media type "application/voucher-cms+json". provides a serialization of the voucher to CBOR with the signature format of COSE and the media type "application/voucher-cose+cbor". This document provides a serialization of the voucher to JSON with the signature in form of JSON Web Signature (JWS) and the media type "application/voucher-jws+json". The encoding specified in this document is used by and may be more handy for use cases requiring signed JSON objects. This document does not extend the YANG definition of . With the availability of different encoded vouchers, it is up to an industry specific application statement to indicate/decide which voucher signature format is to be used. There is no provision across the different voucher signature formats that a receiver could safely recognize which format it uses unless additional context is provided. For example, provides this context via the media type for the voucher artifact. This document utilizes the optional "typ" (Type) Header Parameter of JWS to provide information about the signed object. This document should be considered an update to in the category of "See Also" as per . TODO: double check with RFC8366bis
Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Voucher Artifact with JSON Web Signature defines the following serializations for JWS:
  1. "JWS Compact Serialization" in
  2. "JWS JSON Serialization" in - "General JWS JSON Serialization Syntax" in
    - "Flattened JWS JSON Serialization Syntax" in
This document makes use of the "General JWS JSON Serialization Syntax" to support multiple signatures, as already supported by for CMS-signed vouchers. The voucher data structure consists of a nested map, the outer map of which is: This outer map is considered the JWS Payload as described in . A "JWS JSON Serialization Overview" is given in and more details on the JWS serializations in .
Voucher Representation in General JWS JSON Serialization Syntax The following figure gives an overview of the Voucher representation in "General JWS JSON Serialization Syntax":
Voucher Representation in General JWS JSON Serialization Syntax
JWS Payload of Voucher in General JWS JSON Serialization The following figure depicts the decoded JWS Payload in JSON syntax:
Decoded JWS Payload in JSON Syntax
JWS Protected Header of Voucher in General JWS JSON Serialization The standard header parameters "typ" and "alg" as described in are utilized in the protected header. The "alg" header MUST contain the algorithm type used to create the signature, e.g., "ES256". The "typ" header SHOULD contain the value "TODO: voucher-jws+json", if present. If X.509 (PKIX) certificates are used, then the "x5c" parameter defined in SHOULD be used to contain the certificate and chain. Vouchers will often need all certificates in the chain, including what would be considered the trust anchor certificate, because intermediate devices (such as the Registrar) may need to audit the artifact, or end systems may need to pin a trust anchor for future operations. Note, a trust anchor SHOULD be provided differently to be trusted. This is consistent with . The following figure gives the decoded JWS Protected Header in JSON syntax:
JWS Protected Header in JSON Syntax
Privacy Considerations The Voucher Request reveals the IDevID of the component (Pledge) that is in the process of bootstrapping. This request occurs via HTTP-over-TLS, however, for the Pledge-to-Registrar TLS connection, the Pledge is provisinally accepting the Registrar server certificate. Hence it is subject to disclosure by a Dolev-Yao attacker (a "malicious messenger"), as explained in . The use of a JWS header brings no new privacy considerations.
Security Considerations The issues of how vouchers are used in a system is addressed in . This document does not change any of those issues, it just changes the signature technology used for voucher request and response artifacts. deals with voucher use in Secure Zero Touch Provisioning, for which this document also makes no changes to security.
IANA Considerations
Media-Type Registry This section registers the "application/voucher-jws+json" in the "Media Types" registry.
application/voucher-jws+json
Acknowledgments We would like to thank the various reviewers for their input, in particular Steffen Fries, Ingo Wenda, ...TODO Support in PoC implementations Hong Rui Li and He Peng Jia, ...TODO [RFC Editor: please delete] TODO: ...
Changelog [RFC Editor: please delete]
  • Added adoption call comments from Toerless. Changed from [RFCxxxx] to [THING] style for some key references.
  • Updated references "I-D.ietf-anima-brski-async-enroll" switched to "I-D.ietf-anima-brski-prm"
  • Switch from "JWS Compact Serialization" to "General JWS JSON Serialization", as focus is now on "General JWS JSON Serialization"
  • Include Voucher representation in "General JWS JSON Serialization" syntax
  • Include examples A1, A2, A3 using "General JWS JSON Serialization"
  • Added optional "typ": "voucher-jws+json" header parameter to JWS objects
  • Examples folded according to RFC8792, Single Backslash rule
  • Restructuring and clean-up, preparation for WGLC
  • Included feedback from shepherd review
-- back
Examples These examples are folded according to Single Backslash rule.
Example Pledge Voucher Request - PVR (from Pledge to Registrar) The following is an example request sent from a Pledge to the Registrar, in "General JWS JSON Serialization".
Example Pledge Voucher Request - PVR
Example Parboiled Registrar Voucher Request - RVR (from Registrar to MASA) The term parboiled refers to food which is partially cooked. In , the term refers to a Pledge voucher-request (PVR) which has been received by the Registrar, and then has been processed by the Registrar ("cooked"), and is now being forwarded to the MASA. The following is an example Registrar voucher-request (RVR) sent from the Registrar to the MASA, in "General JWS JSON Serialization". Note that the previous PVR can be seen in the payload as "prior-signed-voucher-request".
Example Parboiled Registrar Voucher Request - RVR
Example Voucher Response (from MASA to Pledge, via Registrar) The following is an example voucher response from MASA to Pledge via Registrar, in "General JWS JSON Serialization".
Example Voucher Response
References Normative References Bootstrapping Remote Secure Key Infrastructure (BRSKI) This document specifies automated bootstrapping of an Autonomic Control Plane. To do this, a Secure Key Infrastructure is bootstrapped. This is done using manufacturer-installed X.509 certificates, in combination with a manufacturer's authorizing service, both online and offline. We call this process the Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol. Bootstrapping a new device can occur when using a routable address and a cloud service, only link-local connectivity, or limited/disconnected networks. Support for deployment models with less stringent security requirements is included. Bootstrapping is complete when the cryptographic identity of the new key infrastructure is successfully deployed to the device. The established secure connection can be used to deploy a locally issued certificate to the device as well. Secure Zero Touch Provisioning (SZTP) This document presents a technique to securely provision a networking device when it is booting in a factory-default state. Variations in the solution enable it to be used on both public and private networks. The provisioning steps are able to update the boot image, commit an initial configuration, and execute arbitrary scripts to address auxiliary needs. The updated device is subsequently able to establish secure connections with other systems. For instance, a device may establish NETCONF (RFC 6241) and/or RESTCONF (RFC 8040) connections with deployment-specific network management systems. A Voucher Artifact for Bootstrapping Protocols This document defines a strategy to securely assign a pledge to an owner using an artifact signed, directly or indirectly, by the pledge's manufacturer. This artifact is known as a "voucher". This document defines an artifact format as a YANG-defined JSON document that has been signed using a Cryptographic Message Syntax (CMS) structure. Other YANG-derived formats are possible. The voucher artifact is normally generated by the pledge's manufacturer (i.e., the Manufacturer Authorized Signing Authority (MASA)). This document only defines the voucher artifact, leaving it to other documents to describe specialized protocols for accessing it. JSON Web Signature (JWS) JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification. The JavaScript Object Notation (JSON) Data Interchange Format JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] Cryptographic Message Syntax (CMS) This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK] Concise Binary Object Representation (CBOR) The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. Handling Long Lines in Content of Internet-Drafts and RFCs This document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content. CBOR Object Signing and Encryption (COSE) and JSON Object Signing and Encryption (JOSE) Registrations for Web Authentication (WebAuthn) Algorithms The W3C Web Authentication (WebAuthn) specification and the FIDO Alliance FIDO2 Client to Authenticator Protocol (CTAP) specification use CBOR Object Signing and Encryption (COSE) algorithm identifiers. This specification registers the following algorithms (which are used by WebAuthn and CTAP implementations) in the IANA "COSE Algorithms" registry: RSASSA-PKCS1-v1_5 using SHA-256, SHA-384, SHA-512, and SHA-1; and Elliptic Curve Digital Signature Algorithm (ECDSA) using the secp256k1 curve and SHA-256. It registers the secp256k1 elliptic curve in the IANA "COSE Elliptic Curves" registry. Also, for use with JSON Object Signing and Encryption (JOSE), it registers the algorithm ECDSA using the secp256k1 curve and SHA-256 in the IANA "JSON Web Signature and Encryption Algorithms" registry and the secp256k1 elliptic curve in the IANA "JSON Web Key Elliptic Curve" registry. can an on-path attacker drop traffic? n.d. Constrained Bootstrapping Remote Secure Key Infrastructure (BRSKI) Sandelman Software Works vanderstok consultancy Cisco Systems IoTconsultancy.nl This document defines the Constrained Bootstrapping Remote Secure Key Infrastructure (Constrained BRSKI) protocol, which provides a solution for secure zero-touch bootstrapping of resource-constrained (IoT) devices into the network of a domain owner. This protocol is designed for constrained networks, which may have limited data throughput or may experience frequent packet loss. Constrained BRSKI is a variant of the BRSKI protocol, which uses an artifact signed by the device manufacturer called the "voucher" which enables a new device and the owner's network to mutually authenticate. While the BRSKI voucher is typically encoded in JSON, Constrained BRSKI defines a compact CBOR-encoded voucher. The BRSKI voucher is extended with new data types that allow for smaller voucher sizes. The Enrollment over Secure Transport (EST) protocol, used in BRSKI, is replaced with EST-over-CoAPS; and HTTPS used in BRSKI is replaced with CoAPS. This document Updates RFC 8366 and RFC 8995. BRSKI with Pledge in Responder Mode (BRSKI-PRM) Siemens AG Siemens AG Cisco Systems Sandelman Software Works This document defines enhancements to bootstrapping a remote secure key infrastructure (BRSKI, RFC8995) to facilitate bootstrapping in domains featuring no or only time limited connectivity between a pledge and the domain registrar. It specifically targets situations in which the interaction model changes from a pledge-initiated-mode, as used in BRSKI, to a pledge-responding-mode as described in this document. To support the pledge-responding mode, BRSKI-PRM introduces a new component, the registrar-agent, which facilitates the communication between pledge and registrar during the bootstrapping phase. To establish the trust relation between pledge and domain registrar, BRSKI-PRM relies on object security rather than transport security. The approach defined here is agnostic with respect to the underlying enrollment protocol which connects the pledge and the domain registrar to the Domain CA. Definition of new tags for relations between RFCs Ericsson Kaloom An RFC can include a tag called "Updates" which can be used to link a new RFC to an existing RFC. On publication of such an RFC, the existing RFC will include an additional metadata tag called "Updated by" which provides a link to the new RFC. However, this tag pair is not well-defined and therefore it is currently used for multiple different purposes, which leads to confusion about the actual meaning of this tag and inconsistency in its use. This document recommends the discontinuation of the use of the updates/updated by tag pair, and instead proposes three new tag pairs that have well-defined meanings and use cases.
Contributors Futurewei Technologies Inc.
tte+ietf@cs.fau.de
esko.dijk@iotconsultancy.nl
Siemens AG
steffen.fries@siemens.com