]> Siemens AG

thomas-werner@siemens.com

Sandelman Software Works

mcr+ietf@sandelman.ca

Internet anima Working Group Internet-Draft I-D.draft-ietf-anima-rfc8366bis defines a digital artifact called voucher as a YANG-defined JSON document that is signed using a Cryptographic Message Syntax (CMS) structure. This document introduces a variant of the voucher artifact in which CMS is replaced by the JSON Object Signing and Encryption (JOSE) mechanism described in RFC7515 to support deployments in which JOSE is preferred over CMS. In addition to explaining how the format is created, the "application/voucher-jws+json" media type is registered and examples are provided.

Introduction "A Voucher Artifact for Bootstrapping Protocols" defines a YANG-based data structure used in "Bootstrapping Remote Secure Key Infrastructure" and "Secure Zero Touch Provisioning" to transfer ownership of a device from a manufacturer to a new owner (customer or operational domain). That document provides a serialization of the voucher data to JSON with cryptographic signing according to the Cryptographic Message Syntax (CMS) . The resulting voucher artifact has the media type "application/voucher-cms+json". This document provides cryptographic signing of the JSON Voucher Data in form of JSON Web Signature (JWS) and the media type "application/voucher-jws+json". The encoding specified in this document is used by and may be more handy for use cases already using Javascript Object Signing and Encryption (JOSE). This document should be considered as enhancement of ,
as it provides a new voucher form with media type "application/voucher-jws+json" and the related serialization. It does not extend the YANG definition of . Another example of an enhancement of is . It provides the serialization of voucher data to CBOR , with the signature in form of COSE and the media type "application/voucher-cose+cbor". With the availability of different encoded vouchers, it is up to an industry specific application statement to indicate/decide which voucher signature format is to be used. There is no provision across the different voucher signature formats that a receiver could safely recognize which format it uses unless additional context is provided. For example, provides this context via the media type for the voucher artifact. This document utilizes the optional "typ" (Type) Header Parameter of JWS to provide information about the signed object.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document uses the following terms:

JSON Voucher Data:

An unsigned JSON representation of the voucher data.

JWS Voucher:

A JWS structure signing the JSON Voucher Data.

Voucher:

A short form for voucher artifact and refers to the signed statement from Manufacturer Authorized Signing Authority (MASA) service that indicates to a Pledge the cryptographic identity of the domain it should trust, per .

Voucher Data:

The raw (serialized) representation of "ietf-voucher" YANG module without any enclosing signature, per .

MASA (Manufacturer Authorized Signing Authority): The entity that, for the purpose of this document, issues and signs the vouchers for a manufacturer's pledges. In some onboarding protocols, the MASA may have an Internet presence and be integral to the onboarding process, whereas in other protocols the MASA may be an offline service that has no active role in the onboarding process, per . Pledge: The prospective component attempting to find and securely join a domain. When shipped or in factory reset mode, it only trusts authorized representatives of the manufacturer, per . Registrar: A representative of the domain that is configured, perhaps autonomically, to decide whether a new device is allowed to join the domain, per . This document uses the following encoding notations:

BASE64URL(OCTETS):

Denotes the base64url encoding of OCTETS, per .

UTF8(STRING):

Denotes the octets of the UTF-8 representation of STRING, per .

Voucher Artifact with JSON Web Signature defines the following serializations for JWS:

1. "JWS Compact Serialization" in
2. "JWS JSON Serialization" in
   • "General JWS JSON Serialization Syntax" in
   • "Flattened JWS JSON Serialization Syntax" in

A "JWS JSON Serialization Overview" is given in and more details on the JWS serializations in . This document makes use of "General JWS JSON Serialization Syntax" of to support multiple signatures, as already supported by for CMS-signed vouchers. Note, "JWS Compact Serialization" is limited to one signature.

Voucher Representation in General JWS JSON Serialization Syntax JWS voucher artifacts MUST use the "General JWS JSON Serialization Syntax" defined in . The following figure summarizes the serialization of JWS voucher artifacts:

Voucher Representation in General JWS JSON Serialization Syntax (JWS Voucher)

The JSON Voucher Data MUST be UTF-8 encoded to become the octet-based JWS Payload defined in . The JWS Payload is further base64url-encoded to become the string value of the "payload" member as described in . The octets of the UTF-8 representation of the JWS Protected Header are base64url-encoded to become the string value of the "protected" member. The generated JWS Signature is base64url-encoded to become the string value of the "signature" member.

JSON Voucher Data The JSON Voucher Data is an unsigned JSON document that conforms with the data model described by the ietf-voucher YANG module defined in and is encoded using the rules defined in . The following figure provides an example of JSON Voucher Data:

JSON Voucher Data Example

JWS Protected Header The JWS Protected Header defined in uses the standard header parameters "alg", "typ", and "x5c". The "alg" parameter MUST contain the algorithm type used to create the signature, e.g., "ES256" as defined in . If present, the "typ" parameter SHOULD contain the value "voucher-jws+json" as defined in . If X.509 (PKIX) certificates are used, the "x5c" parameter SHOULD contain the base64-encoded (not base64url-encoded) X.509 v3 (DER) certificate and chain as defined in . Implementation Note: base64-encoded values opposed to base64url-encoded values may contain slashes ('/'). JSON optionally allows escaping these with backslashes ('\'). Hence, depending on the JSON parser/serializer implementation used, they may or may not be included. JWS Voucher parsers must be prepared accordingly to extract certificates correctly. To validate voucher signatures all certificates of the certificate chain are required up to the trust anchor. Note, to establish trust the trust anchor SHOULD be provided out-of-band upfront. This is consistent with . The following figure gives an example of a JWS Protected Header:

JWS Protected Header Example

JWS Signature The JWS Signature is generated over the JWS Protected Header and the JWS Payload (= UTF-8 encoded JSON Voucher Data) as described in .

Privacy Considerations The Pledge Voucher Request (PVR) reveals the IDevID of the component (Pledge) that is in the process of bootstrapping. A PVR is transported via HTTP-over-TLS. However, for the Pledge-to-Registrar TLS connection a Pledge provisionally accepts the Registrar server certificate during the TLS server authentication. Hence it is subject to disclosure by a Dolev-Yao attacker (a "malicious messenger") , as explained in . The use of a JWS header brings no new privacy considerations.

Security Considerations The issues of how vouchers are used in a system is addressed in . This document does not change any of those issues, it just changes the signature technology used for voucher request and response artifacts. deals with voucher use in Secure Zero Touch Provisioning, for which this document also makes no changes to security.

IANA Considerations

Media-Type Registry This section registers the "application/voucher-jws+json" in the "Media Types" registry.

application/voucher-jws+json

Acknowledgments We would like to thank the various reviewers for their input, in particular Steffen Fries, Ingo Wenda, Esko Dijk and Toerless Eckert. Thanks for the supporting PoC implementations to Hong Rui Li and He Peng Jia.

Examples These examples are folded according to Single Backslash rule.

Example Pledge Voucher Request - PVR (from Pledge to Registrar) The following is an example request sent from a Pledge to the Registrar, in "General JWS JSON Serialization".

Example Pledge Voucher Request - PVR

Example Parboiled Registrar Voucher Request - RVR (from Registrar to MASA) The term parboiled refers to food which is partially cooked. In , the term refers to a Pledge-Voucher-Request (PVR) which has been received by the Registrar, and then has been processed by the Registrar ("cooked"), and is now being forwarded to the MASA. The following is an example Registrar voucher-request (RVR) sent from the Registrar to the MASA, in "General JWS JSON Serialization". Note that the previous PVR can be seen in the payload as "prior-signed-voucher-request".

Example Parboiled Registrar Voucher Request - RVR

Example Voucher Response (from MASA to Pledge, via Registrar) The following is an example voucher response from MASA to Pledge via Registrar, in "General JWS JSON Serialization".

Example Voucher Response

References Normative References This document specifies automated bootstrapping of an Autonomic Control Plane. To do this, a Secure Key Infrastructure is bootstrapped. This is done using manufacturer-installed X.509 certificates, in combination with a manufacturer's authorizing service, both online and offline. We call this process the Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol. Bootstrapping a new device can occur when using a routable address and a cloud service, only link-local connectivity, or limited/disconnected networks. Support for deployment models with less stringent security requirements is included. Bootstrapping is complete when the cryptographic identity of the new key infrastructure is successfully deployed to the device. The established secure connection can be used to deploy a locally issued certificate to the device as well. Watsen Networks Sandelman Software Cisco Systems Futurewei Technologies Inc. Huawei This document defines a strategy to securely assign a pledge to an owner using an artifact signed, directly or indirectly, by the pledge's manufacturer. This artifact is known as a "voucher". This document defines an artifact format as a YANG-defined JSON or CBOR document that has been signed using a variety of cryptographic systems. The voucher artifact is normally generated by the pledge's manufacturer (i.e., the Manufacturer Authorized Signing Authority (MASA)). This document updates RFC8366, merging a number of extensions into the YANG. The RFC8995 voucher request is also merged into this document. This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification. JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This document presents a technique to securely provision a networking device when it is booting in a factory-default state. Variations in the solution enable it to be used on both public and private networks. The provisioning steps are able to update the boot image, commit an initial configuration, and execute arbitrary scripts to address auxiliary needs. The updated device is subsequently able to establish secure connections with other systems. For instance, a device may establish NETCONF (RFC 6241) and/or RESTCONF (RFC 8040) connections with deployment-specific network management systems. ISO/IEC 10646-1 defines a large character set called the Universal Character Set (UCS) which encompasses most of the world's writing systems. The originally proposed encodings of the UCS, however, were not compatible with many current applications and protocols, and this has led to the development of UTF-8, the object of this memo. UTF-8 has the characteristic of preserving the full US-ASCII range, providing compatibility with file systems, parsers and other software that rely on US-ASCII values but are transparent to other values. This memo obsoletes and replaces RFC 2279. This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK] YANG is a data modeling language used to model configuration data, state data, Remote Procedure Calls, and notifications for network management protocols. This document describes the syntax and semantics of version 1.1 of the YANG language. YANG version 1.1 is a maintenance release of the YANG language, addressing ambiguities and defects in the original specification. There are a small number of backward incompatibilities from YANG version 1. This document also specifies the YANG mappings to the Network Configuration Protocol (NETCONF). This document defines encoding rules for representing configuration data, state data, parameters of Remote Procedure Call (RPC) operations or actions, and notifications defined using YANG as JavaScript Object Notation (JSON) text. This document defines a strategy to securely assign a pledge to an owner using an artifact signed, directly or indirectly, by the pledge's manufacturer. This artifact is known as a "voucher". This document defines an artifact format as a YANG-defined JSON document that has been signed using a Cryptographic Message Syntax (CMS) structure. Other YANG-derived formats are possible. The voucher artifact is normally generated by the pledge's manufacturer (i.e., the Manufacturer Authorized Signing Authority (MASA)). This document only defines the voucher artifact, leaving it to other documents to describe specialized protocols for accessing it. This document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content. The W3C Web Authentication (WebAuthn) specification and the FIDO Alliance FIDO2 Client to Authenticator Protocol (CTAP) specification use CBOR Object Signing and Encryption (COSE) algorithm identifiers. This specification registers the following algorithms (which are used by WebAuthn and CTAP implementations) in the IANA "COSE Algorithms" registry: RSASSA-PKCS1-v1_5 using SHA-256, SHA-384, SHA-512, and SHA-1; and Elliptic Curve Digital Signature Algorithm (ECDSA) using the secp256k1 curve and SHA-256. It registers the secp256k1 elliptic curve in the IANA "COSE Elliptic Curves" registry. Also, for use with JSON Object Signing and Encryption (JOSE), it registers the algorithm ECDSA using the secp256k1 curve and SHA-256 in the IANA "JSON Web Signature and Encryption Algorithms" registry and the secp256k1 elliptic curve in the IANA "JSON Web Key Elliptic Curve" registry. The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. n.d. Siemens AG Siemens AG Cisco Systems Sandelman Software Works This document defines enhancements to Bootstrapping a Remote Secure Key Infrastructure (BRSKI, RFC8995) to enable bootstrapping in domains featuring no or only limited connectivity between a pledge and the domain registrar. It specifically changes the interaction model from a pledge-initiated mode, as used in BRSKI, to a pledge- responding mode, where the pledge is in server role. For this, BRSKI with Pledge in Responder Mode (BRSKI-PRM) introduces new endpoints for the Domain Registrar and pledge, and a new component, the Registrar-Agent, which facilitates the communication between pledge and registrar during the bootstrapping phase. To establish the trust relation between pledge and registrar, BRSKI-PRM relies on object security rather than transport security. The approach defined here is agnostic to the enrollment protocol that connects the domain registrar to the Key Infrastructure (e.g., domain CA). Sandelman Software Works vanderstok consultancy Cisco Systems IoTconsultancy.nl This document defines the Constrained Bootstrapping Remote Secure Key Infrastructure (cBRSKI) protocol, which provides a solution for secure zero-touch onboarding of resource-constrained (IoT) devices into the network of a domain owner. This protocol is designed for constrained networks, which may have limited data throughput or may experience frequent packet loss. cBRSKI is a variant of the BRSKI protocol, which uses an artifact signed by the device manufacturer called the "voucher" which enables a new device and the owner's network to mutually authenticate. While the BRSKI voucher data is encoded in JSON, cBRSKI uses a compact CBOR-encoded voucher. The BRSKI voucher data definition is extended with new data types that allow for smaller voucher sizes. The Enrollment over Secure Transport (EST) protocol, used in BRSKI, is replaced with EST-over- CoAPS; and HTTPS used in BRSKI is replaced with DTLS-secured CoAP (CoAPS). This document Updates RFC 8995 and RFC 9148.

Contributors Futurewei Technologies Inc.

tte+ietf@cs.fau.de

esko.dijk@iotconsultancy.nl

Siemens AG

steffen.fries@siemens.com