[Anima] Re: Shepherd review draft-ietf-anima-constrained-voucher-30 / Limit scope to onboarding
Esko Dijk <esko.dijk@iotconsultancy.nl> Fri, 03 July 2026 10:57 UTC
Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: anima@mail2.ietf.org
Delivered-To: anima@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 3FD5A10D8AF5A; Fri, 3 Jul 2026 03:57:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1783076225; bh=zFs0u2oJLzmsofmlmvdxWif2zEeoVDW6e3ViuAxRx9M=; h=Date:Subject:To:References:From:In-Reply-To; b=hhc9UrfAI2YupmNBTKh1vdfZbprjxGHX3SZ4jtBfJuX9phXZi59+gTfGEI1fW+MCO lfEYiiGmI7UbOt7IoXonW0Ze5wttce17Ok/4ZL4RnE0lWqeXnM5guBkqejyk2imWQs kAHlWulRC/2gsVDzqoN86ZH4ZcsAdJPcxvMPiHB4=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.599
X-Spam-Level:
X-Spam-Status: No, score=-1.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, HTML_TAG_BALANCE_BODY=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=fail (2048-bit key) reason="fail (body has been altered)" header.d=iotconsultancy.nl
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rifaqyv90-K6; Fri, 3 Jul 2026 03:57:01 -0700 (PDT)
Received: from dane.soverin.net (dane.soverin.net [IPv6:2a10:de80:1:4091:b9e9:2218:0:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id EB4FC10D8AA69; Fri, 3 Jul 2026 03:53:53 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.4.100]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dane.soverin.net (Postfix) with ESMTPS id 4gs9bb2XF9z6F; Fri, 03 Jul 2026 10:53:47 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [10.10.4.100]) by soverin.net (Postfix) with ESMTPSA id 4gs9bZ0ZqTzJc; Fri, 3 Jul 2026 10:53:46 +0000 (UTC)
Authentication-Results: smtp.soverin.net; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=iotconsultancy.nl header.i=@iotconsultancy.nl header.a=rsa-sha256 header.s=soverin1 header.b=aVFxfUpV; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=soverin1; t=1783076026; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=kv9c1CMMSd8IFw+N6G4n0TtzNNYne7eV1GJGDexSaSY=; b=aVFxfUpVJ9llqmYE7sNBrc1noODzKpMqo7BbItM/itbWvqGX15NncSi9f3EUKI32ZXbgom m9TwekrlmqJ4lUqY188jamOiyvSMdQ6a3lEyJWdbe9hGPIFi0miESPFb/oiNhGY05A25zs n5lryCWm1EbCW6QHN+YsjeTtgofcJtN+M9ZDFwFG08Cv1yXZJoARss4dh7lCQqZwvUI2eU rvce74O/UOOSMiiTJiO0pW2Z/tAbyd2MmsODnGr6gyfEhxRb0RWJqZJeX9TiwPxEFi0yHl bd0byo9UtNKA54xXJgO9VbkwhBLIKbr0N8W/bn1DR6TVNSB+TiyznrnLXeuwYQ==
X-CM-Envelope: MS4xfF3Xh6/GxGyyZiObvpRUh8/lDvaHbCZRg6Kj5wUq0QFPhpxOCPVFdQIq4oeWRdEXWmzRcBSdF8lvgXXY9s5P1ESkXNA2jBTEMk+kKjLqTg+Jw8LZ/zeS SZB6FLnAaKO3lLrnt2Y4uSpmUPogz10D61RZssY6InujtwLMqJRu86o9c9KTnSnVSCT6X2VXwSJumHPboYAT0D9ZfS1k/jtjTyUVD0uJzkTc3GPNi548L2xI R87eSOvFQG3vxWMFYR9p9wWL1oOO3gUp6dWLRx4pIkZlgBQfzo/q4Y/oqfUSIsKw
X-Soverin-Id: 019f279c-f690-74ce-a2af-b4df7146b579
Content-Type: multipart/alternative; boundary="------------LnzzXP0PXvOhQ660YkZh0aRB"
Message-ID: <f28ef3d7-b5c7-4477-a47a-aa0346030eff@iotconsultancy.nl>
Date: Fri, 03 Jul 2026 12:53:45 +0200
MIME-Version: 1.0
To: Toerless Eckert <tte@cs.fau.de>, anima@ietf.org, draft-ietf-anima-constrained-voucher@ietf.org
References: <aio0sLYp55oQgEW0@faui48e.informatik.uni-erlangen.de>
Content-Language: en-US
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
Organization: IoTconsultancy.nl
In-Reply-To: <aio0sLYp55oQgEW0@faui48e.informatik.uni-erlangen.de>
X-Spampanel-Class: ham
Message-ID-Hash: ED7U6QWADXPVQ3M5M4Z5VCQB2GW7YZSJ
X-Message-ID-Hash: ED7U6QWADXPVQ3M5M4Z5VCQB2GW7YZSJ
X-MailFrom: esko.dijk@iotconsultancy.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-anima.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Anima] Re: Shepherd review draft-ietf-anima-constrained-voucher-30 / Limit scope to onboarding
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/2ZfLPNaLEYm0_2VEbz95miZMnUU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Owner: <mailto:anima-owner@ietf.org>
List-Post: <mailto:anima@ietf.org>
List-Subscribe: <mailto:anima-join@ietf.org>
List-Unsubscribe: <mailto:anima-leave@ietf.org>
Hi Toerless, (WG,) While processing your review I noticed some of the specification around trust anchor (CA) renewal and LDevID (certificate) renewal was not fully specified yet; and some issues for IoT devices also related to their access to reliable clock time. To avoid scope creep and addition of lots of text the authors propose to focus the cBRSKI draft on the onboarding phase. Certificate and trust anchor renewal is then left to "standard EST procedures", while acknowledging that various improvements to this process would be possible for IoT devices, which could be written up in a new document. Such a new document might be in scope of a WG like ACE, or maybe ANIMA. As an idea: we might still keep an Appendix (informative) with a description of the renewal issues, if we want. best regards Esko On 6/11/26 06:08, Toerless Eckert wrote: > Dear Authors > > As shepherd for this document, i wanted to provide a shepherd review for > the document before hopefully we can pass it on soon to the AD and close > the WGLC successfully. > > Overall, i am very happy with the document. I specifically like that it is > not - as many RTG standards RFC - tersely focussed on not trying to write a > single sentence more than what is needed to just line up all sentences with > RFC2119 language. Instead, there are a lot of explanations coming obviously > from experienced programmer background - who also has enough security expertise > to help developers wanting to implement cBRSKI to do so. And i think specifically > on this topic going above and beyond standard RTG-terseness is very important, > because security is traditionally a badly understood topic in IoT development. > > There is a range hopefully useful and mostly minor or nit level issues which would > be great to get fixed, but overall, there is really only one big structural issue > that may incur some editorial pain, and that is: > > - For every text in this document, is it clear whether it only applies to cBRSKI, > or also to BRSKI ? > > Maybe as one idea how to solve this most easily, and abusing the same syntax from > RFC8993: Simply go through all sections and mark those that also apply to BRSKI > in the title with something like (*) - and then in the intrudoction explain that. > But that still leaves the problem of explaining what actual "Updates" versus just > maybe better explanations are in this document. > > Cheers & thanks a lot for the hard work on this document. This is very comprehensive. > > Toerless > > 1 > 2 > 3 > 4 > 5 anima Working Group M. Richardson > 6 Internet-Draft Sandelman Software Works > 7 Updates: 8995, 9148 (if approved) P. van der Stok > 8 Intended status: Standards Track vanderstok consultancy > 9 Expires: 31 August 2026 P. Kampanakis > 10 Cisco Systems > 11 E. Dijk > 12 IoTconsultancy.nl > 13 27 February 2026 > 14 > 15 > 16 Constrained Bootstrapping Remote Secure Key Infrastructure (cBRSKI) > 17 draft-ietf-anima-constrained-voucher-30 > 18 > 19 Abstract > 20 > 21 This document defines the Constrained Bootstrapping Remote Secure Key > 22 Infrastructure (cBRSKI) protocol, which provides a solution for > 23 secure zero-touch onboarding of resource-constrained (IoT) devices > 24 into the network of a domain owner. This protocol is designed for > 25 constrained networks, which may have limited data throughput or may > 26 experience frequent packet loss. cBRSKI is a variant of the BRSKI > 27 protocol, which uses an artifact signed by the device manufacturer > > minor: > > Suggest to replace "cBRSKI is a variant of the BRSKI protocol" as follows: cBRSKI is re-using the architecture introduced in > RFC8995 (BRSKI) with different protocols. Explanation: "BRSKI protocol" can either mean RFC8995 or "all the possible variations > of protocols we can ever come up with roughly the BRSKI architecture". But it can not > mean both. I think so far we have established it to mean "BRSKI protocol = RFC8995". > Hence we should be very careful in how we use "BRSKI protocol". > > nit: > > "which uses" - unclear if the following refers to cBRSKI or BRSKI (or both). > > Suggest: Full stop before this, and "cBRSKI like BRSKI uses an artifact ...". > > 28 called the "voucher" which enables a new device and the owner's > 29 network to mutually authenticate. While the BRSKI voucher data is > 30 encoded in JSON, cBRSKI uses a compact CBOR-encoded voucher. The > 31 BRSKI voucher data definition is extended with new data types that > 32 allow for smaller voucher sizes. The Enrollment over Secure > 33 Transport (EST) protocol, used in BRSKI, is replaced with EST-over- > 34 CoAPS; and HTTPS used in BRSKI is replaced with DTLS-secured CoAP > 35 (CoAPS). This document Updates RFC 8995 and RFC 9148. > > Nice. > > 36 > 37 About This Document > 38 > 39 This note is to be removed before publishing as an RFC. > 40 > 41 Status information for this document may be found at > 42 https://datatracker.ietf.org/doc/draft-ietf-anima-constrained- > 43 voucher/. > 44 > 45 Discussion of this document takes place on the anima Working Group > 46 mailing list (mailto:anima@ietf.org), which is archived at > 47 https://mailarchive.ietf.org/arch/browse/anima/. Subscribe at > 48 https://www.ietf.org/mailman/listinfo/anima/. > 49 > 50 Source for this draft and an issue tracker can be found at > 51 https://github.com/anima-wg/constrained-voucher. > 52 > 53 > 54 > 55 > 56 Richardson, et al. Expires 31 August 2026 [Page 1] > 57 > 58 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 59 > 60 > 61 Status of This Memo > 62 > 63 This Internet-Draft is submitted in full conformance with the > 64 provisions of BCP 78 and BCP 79. > 65 > 66 Internet-Drafts are working documents of the Internet Engineering > 67 Task Force (IETF). Note that other groups may also distribute > 68 working documents as Internet-Drafts. The list of current Internet- > 69 Drafts is athttps://datatracker.ietf.org/drafts/current/. > 70 > 71 Internet-Drafts are draft documents valid for a maximum of six months > 72 and may be updated, replaced, or obsoleted by other documents at any > 73 time. It is inappropriate to use Internet-Drafts as reference > 74 material or to cite them other than as "work in progress." > 75 > 76 This Internet-Draft will expire on 31 August 2026. > 77 > 78 Copyright Notice > 79 > 80 Copyright (c) 2026 IETF Trust and the persons identified as the > 81 document authors. All rights reserved. > 82 > 83 This document is subject to BCP 78 and the IETF Trust's Legal > 84 Provisions Relating to IETF Documents (https://trustee.ietf.org/ > 85 license-info) in effect on the date of publication of this document. > 86 Please review these documents carefully, as they describe your rights > 87 and restrictions with respect to this document. Code Components > 88 extracted from this document must include Revised BSD License text as > 89 described in Section 4.e of the Trust Legal Provisions and are > 90 provided without warranty as described in the Revised BSD License. > 91 > 92 Table of Contents > 93 > 94 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 > 95 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 > 96 3. Requirements Language . . . . . . . . . . . . . . . . . . . . 7 > 97 4. Overview of Protocol . . . . . . . . . . . . . . . . . . . . 7 > 98 5. Updates to RFC 8995 and RFC 9148 . . . . . . . . . . . . . . 9 > 99 6. BRSKI-EST Protocol . . . . . . . . . . . . . . . . . . . . . 10 > 100 6.1. DTLS Connection . . . . . . . . . . . . . . . . . . . . . 10 > 101 6.1.1. DTLS Version . . . . . . . . . . . . . . . . . . . . 10 > 102 6.1.2. TLS Client Certificates: IDevID authentication . . . 10 > 103 6.1.3. DTLS Handshake Fragmentation Considerations . . . . . 11 > 104 6.1.4. Registrar and the Server Name Indicator (SNI) . . . . 11 > 105 6.1.5. Registrar Server Certificate Requirements . . . . . . 12 > 106 6.2. cBRSKI Join Proxy . . . . . . . . . . . . . . . . . . . . 12 > 107 6.3. Request URIs, Resource Discovery and Content-Formats . . 12 > 108 6.3.1. Status Telemetry Returns . . . . . . . . . . . . . . 14 > 109 > 110 > 111 > 112 Richardson, et al. Expires 31 August 2026 [Page 2] > 113 > 114 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 115 > 116 > 117 6.3.2. CoAP Resources Table . . . . . . . . . . . . . . . . 15 > 118 6.3.3. CoAP Uri-Path Abbreviation . . . . . . . . . . . . . 15 > 119 6.4. CoAP Responses . . . . . . . . . . . . . . . . . . . . . 15 > 120 6.5. Extensions to EST-coaps . . . . . . . . . . . . . . . . . 16 > 121 6.5.1. Pledge Enrollment Procedure . . . . . . . . . . . . . 16 > 122 6.5.2. Renewal of CA certificates . . . . . . . . . . . . . 17 > 123 6.5.3. Change of Domain Trust Anchor(s) . . . . . . . . . . 17 > 124 6.5.4. Re-enrollment Procedure . . . . . . . . . . . . . . . 18 > 125 6.5.5. Multipart Content-Format for CA certificates (/crts) > 126 Resource . . . . . . . . . . . . . . . . . . . . . . 19 > 127 6.6. Registrar Extensions . . . . . . . . . . . . . . . . . . 20 > 128 7. BRSKI-MASA Protocol . . . . . . . . . . . . . . . . . . . . . 21 > 129 7.1. Protocol and Formats . . . . . . . . . . . . . . . . . . 21 > 130 7.2. Registrar Voucher Request . . . . . . . . . . . . . . . . 22 > 131 7.3. MASA and the Server Name Indicator (SNI) . . . . . . . . 22 > 132 7.4. Registrar Client Certificate Requirements . . . . . . . . 23 > 133 8. Pinning in Voucher Artifacts . . . . . . . . . . . . . . . . 23 > 134 8.1. Registrar Identity Selection and Encoding . . . . . . . . 23 > 135 8.2. MASA Pinning Policy . . . . . . . . . . . . . . . . . . . 24 > 136 8.3. Pinning of Raw Public Keys (RPK) . . . . . . . . . . . . 25 > 137 9. Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . 26 > 138 9.1. Example Artifacts . . . . . . . . . . . . . . . . . . . . 27 > 139 9.1.1. Example Pledge Voucher Request (PVR) Artifact . . . . 27 > 140 9.1.2. Example Registrar Voucher Request (RVR) Artifact . . 27 > 141 9.1.3. Example Voucher Artifacts . . . . . . . . . . . . . . 28 > 142 9.2. Signing Voucher and Voucher Request Artifacts with > 143 COSE . . . . . . . . . . . . . . . . . . . . . . . . . . 29 > 144 9.2.1. Signing of Registrar Voucher Request (RVR) . . . . . 30 > 145 9.2.2. Signing of Pledge Voucher Request (PVR) . . . . . . . 31 > 146 9.2.3. Signing of Voucher by MASA . . . . . . . . . . . . . 32 > 147 9.2.4. Optional Validation of Voucher by Registrar . . . . . 34 > 148 9.2.5. Additional Information in the COSE Header . . . . . . 34 > 149 10. Extensions to Discovery . . . . . . . . . . . . . . . . . . . 35 > 150 10.1. Discovery Operations by a Pledge . . . . . . . . . . . . 36 > 151 10.1.1. Examples . . . . . . . . . . . . . . . . . . . . . . 37 > 152 10.2. Discovery Operations by a Join Proxy . . . . . . . . . . 39 > 153 11. Deployment-specific Discovery Considerations . . . . . . . . 39 > 154 11.1. 6TiSCH Deployments . . . . . . . . . . . . . . . . . . . 39 > 155 11.2. IP networks using GRASP . . . . . . . . . . . . . . . . 39 > 156 11.3. IP networks using mDNS . . . . . . . . . . . . . . . . . 40 > 157 11.4. Thread Networks using Mesh Link Establishment (MLE) . . 40 > 158 12. Design and Implementation Considerations . . . . . . . . . . 41 > 159 12.1. Voucher Format and Encoding . . . . . . . . . . . . . . 41 > 160 12.2. CoAP Usage . . . . . . . . . . . . . . . . . . . . . . . 41 > 161 12.3. Use of cBRSKI with HTTPS . . . . . . . . . . . . . . . . 41 > 162 13. Raw Public Key Variant . . . . . . . . . . . . . . . . . . . 42 > 163 13.1. Introduction and Scope . . . . . . . . . . . . . . . . . 42 > 164 13.2. DTLS Connection and Registrar Trust Anchor . . . . . . . 42 > 165 > 166 > 167 > 168 Richardson, et al. Expires 31 August 2026 [Page 3] > 169 > 170 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 171 > 172 > 173 13.3. The Pledge Voucher Request . . . . . . . . . . . . . . . 43 > 174 13.4. The Voucher Response . . . . . . . . . . . . . . . . . . 43 > 175 13.5. The Enrollment Phase . . . . . . . . . . . . . . . . . . 44 > 176 14. Security Considerations . . . . . . . . . . . . . . . . . . . 44 > 177 14.1. Duplicate Serial Numbers . . . . . . . . . . . . . . . . 44 > 178 14.2. IDevID Security in the Pledge . . . . . . . . . . . . . 45 > 179 14.3. Security of the BRSKI-MASA Protocol . . . . . . . . . . 46 > 180 14.4. Registrar Certificate May Be Self-signed . . . . . . . . 47 > 181 14.5. Use of RPK Alternatives to 'proximity-registrar-cert' . 47 > 182 15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 > 183 15.1. Resource Type Link Target Attribute Values Registry . . 48 > 184 15.2. Media Types Registry . . . . . . . . . . . . . . . . . . 48 > 185 15.2.1. application/voucher+cose . . . . . . . . . . . . . . 48 > 186 15.2.2. Interoperability Considerations for application/ > 187 voucher+cose . . . . . . . . . . . . . . . . . . . . 49 > 188 15.3. CoAP Content-Formats Registry . . . . . . . . . . . . . 50 > 189 15.4. Update to BRSKI Well-Known URIs Registry . . . . . . . . 50 > 190 15.5. Structured Syntax Suffixes Registry . . . . . . . . . . 51 > 191 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 52 > 192 16.1. Normative References . . . . . . . . . . . . . . . . . . 52 > 193 16.2. Informative References . . . . . . . . . . . . . . . . . 56 > 194 Appendix A. Software and Library Support for cBRSKI . . . . . . 58 > 195 A.1. Open Source cBRSKI Implementations . . . . . . . . . . . 58 > 196 A.2. Security Library Support . . . . . . . . . . . . . . . . 59 > 197 A.2.1. OpensSSL Example Code . . . . . . . . . . . . . . . . 60 > 198 A.2.2. mbedTLS Example Code . . . . . . . . . . . . . . . . 61 > 199 A.3. Generating Certificates with OpenSSL . . . . . . . . . . 61 > 200 Appendix B. cBRSKI Message Examples . . . . . . . . . . . . . . 65 > 201 B.1. enrollstatus . . . . . . . . . . . . . . . . . . . . . . 65 > 202 B.2. voucher_status . . . . . . . . . . . . . . . . . . . . . 67 > 203 Appendix C. COSE-signed Voucher (Request) Examples . . . . . . . 68 > 204 C.1. Pledge, Registrar and MASA Keys . . . . . . . . . . . . . 68 > 205 C.1.1. Pledge IDevID Private Key . . . . . . . . . . . . . . 68 > 206 C.1.2. Registrar Private Key . . . . . . . . . . . . . . . . 68 > 207 C.1.3. MASA Private Key . . . . . . . . . . . . . . . . . . 69 > 208 C.2. Pledge, Registrar, Domain CA and MASA Certificates . . . 69 > 209 C.2.1. Pledge IDevID Certificate . . . . . . . . . . . . . . 69 > 210 C.2.2. Registrar Certificate . . . . . . . . . . . . . . . . 71 > 211 C.2.3. Domain CA Certificate . . . . . . . . . . . . . . . . 73 > 212 C.2.4. MASA Certificate . . . . . . . . . . . . . . . . . . 75 > 213 C.3. COSE-signed Pledge Voucher Request (PVR) . . . . . . . . 77 > 214 C.4. COSE-signed Registrar Voucher Request (RVR) . . . . . . . 78 > 215 C.5. COSE-signed Voucher from MASA . . . . . . . . . . . . . . 81 > 216 Appendix D. Pledge Device Class Profiles . . . . . . . . . . . . 83 > 217 D.1. Minimal Pledge . . . . . . . . . . . . . . . . . . . . . 83 > 218 D.2. Typical Pledge . . . . . . . . . . . . . . . . . . . . . 83 > 219 D.3. Full-featured Pledge . . . . . . . . . . . . . . . . . . 84 > 220 D.4. Comparison Chart of Pledge Classes . . . . . . . . . . . 84 > 221 > 222 > 223 > 224 Richardson, et al. Expires 31 August 2026 [Page 4] > 225 > 226 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 227 > 228 > 229 Appendix E. Pledge Discovery of Onboarding and Enrollment > 230 Options . . . . . . . . . . . . . . . . . . . . . . . . . 86 > 231 E.1. Pledge Discovery Query for All cBRSKI Resources . . . . . 86 > 232 E.2. Pledge Discovery Query for the cBRSKI Base Resource . . . 88 > 233 E.3. Usage of ct Attribute . . . . . . . . . . . . . . . . . . 88 > 234 E.4. EST-coaps Resource Discovery . . . . . . . . . . . . . . 89 > 235 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 90 > 236 Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 > 237 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 93 > 238 > 239 1. Introduction > 240 > 241 Secure enrollment of new nodes into constrained networks with > 242 constrained nodes presents unique challenges. As explained in > 243 [RFC7228], such networks may have limited data throughput or may > > nit: > > mind to add at least a section to the rfc7228 reference? > > 244 experience frequent packet loss. In addition, its nodes may be > 245 constrained by energy availability, memory space, and code size. > 246 > 247 The Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol > 248 described in [RFC8995] provides a solution for secure zero-touch > 249 (automated) onboarding of new (unconfigured) devices. These new > 250 devices are called "Pledges", equipped with a factory-installed > 251 Initial Device Identifier (IDevID) (see [ieee802-1AR]). Using the > 252 IDevID, a Pledge is securely enrolled into a network. > 253 > 254 The BRSKI solution described in [RFC8995] was designed to be modular, > 255 and this document describes a version scaled to the constraints of > > nit: replace "version" with "version of that solution" > > 256 IoT deployments. This document uses the constrained voucher and > 257 voucher request artifacts defined in [RFC8366bis] for a constrained > 258 version of the BRSKI protocol: cBRSKI. The cBRSKI protocol uses the > > nit: "version of the BRSKI protocol" -> "variation of the BRSKI solution" > > 259 CoAP-based version of EST (EST-coaps from [RFC9148]) rather than the > 260 EST over HTTPS [RFC7030]. cBRSKI is itself scalable to multiple > 261 resource levels through the definition of optional functions. > 262 Appendix D illustrates this. > 263 > 264 In BRSKI, the [RFC8366bis] voucher data is by default serialized to > 265 JSON with a signature in CMS [RFC5652]. cBRSKI uses the CBOR > 266 [RFC8949] voucher data serialization defined by [RFC8366bis], and > 267 applies a new COSE [RFC9052] signature format as defined in > 268 Section 9. > 269 > 270 This COSE-signed CBOR-encoded voucher is transported using both > 271 secured CoAP [RFC7252] and HTTPS. The CoAP connection (between > > nit: append after HTTP: "depending on the communicating entities:" > > 272 Pledge and Registrar) is to be protected by DTLS (CoAPS). The HTTP > 273 connection (between Registrar and MASA) is to be protected using TLS > 274 (HTTPS). > 275 > 276 > 277 > 278 > 279 > 280 Richardson, et al. Expires 31 August 2026 [Page 5] > 281 > 282 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 283 > 284 > 285 Section 4 to Section 10 define the default cBRSKI protocol, by means > 286 of additions to and modifications of regular BRSKI. Section 11 > > minor: > > Implies too much relationship between cBRSKI protocol and BRSKI (protocol) (remember above > concerns about difference BRSKI protocol versus architecture/solution. > > suggested replacement: > > Section 4 to Section 10 specify the default cBRSKI protocol. Readers are expected > to understand RFC8995 as this specification does not repeat the unchanged > principles of operations established through RFC8995. > > followed by new paragraph. > > > 286 Section 11 > 287 considers some variations of the protocol, specific to particular > 288 deployments or IoT networking technologies. Next in Section 12, some > 289 considerations for the design and implementation of cBRSKI components > 290 are provided. > 291 > 292 Section 13 introduces a variant of cBRSKI for the most-constrained > 293 Pledges, using Raw Public Keys (RPK). This variant achieves smaller > 294 sizes of data objects and avoids doing certain costly PKIX > 295 verification operations on the Pledge. > 296 > 297 Appendix E provides more details on how a Pledge may discover the > 298 various onboarding/enrollment options that a Registrar provides. > 299 Implementing these methods is optional for a Pledge. > > minor: > > There should to be a paragraph summarizing how this document updates proper (non cBRSKI) > implementations (aka: proper RFC8995 protocol) given how it has the update flag for RFC8995. > > Likewise there should be a paragraph doing the same for rfc9148. > > 300 > 301 2. Terminology > 302 > 303 The following terms are defined in [RFC8366bis], and are used > 304 identically as in that document: Artifact, Attribute, Domain, Join > 305 Registrar and Coordinator (JRC), Malicious Registrar, Manufacturer > 306 Authorized Signing Authority (MASA), Pledge, Registrar, Onboarding, > 307 Owner, Voucher Data, Voucher Request and Voucher. > 308 > 309 The protocol described in this document is referred to as cBRSKI, the > 310 constrained version of BRSKI [RFC8995]. > > nit: > > s/version/variation/ > > 311 > 312 The following terms from [RFC8995] are used identically as in that > 313 document: Domain CA, enrollment, IDevID, Join Proxy, LDevID, > 314 manufacturer, nonced, nonceless, PKIX. > 315 > 316 The following terms from [RFC7030] are used identically as in that > 317 document: Explicit Trust Anchor (TA), Explicit TA database, Third- > 318 party TA. > 319 > 320 The following terms from [RFC7252] are used identically as in that > 321 document: Confirmable (CON), Acknowledgement (ACK), Endpoint, ETag, > 322 Client, Server, Piggybacked Response, resource, Resource Discovery, > 323 Content-Format. > 324 > 325 The term Pledge Voucher Request, or acronym PVR, is introduced to > > nit: > > "or" -> "and its"... "are introduced" > > reason: text is introducing both, hence i think syntactically "and" is correct. > > 326 refer to the voucher request between the Pledge and the Registrar. > 327 > 328 The term Registrar Voucher Request, or acronym RVR, is introduced to > 329 refer to the voucher request between the Registrar and the MASA. > > nit: likewise > > 330 > 331 The terms "PKIX Certificate" and "certificate" both refer to the > 332 X.509v3 profile described in [RFC5280]. > 333 > 334 > 335 > 336 Richardson, et al. Expires 31 August 2026 [Page 6] > 337 > 338 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 339 > 340 > 341 The term "base resource" is defined as a CoAP resource that can be > 342 used as a base to append an additional path segment to, where this > 343 segment is a short resource name ('short-name') as defined in > 344 Section 6.3 and Table 1. > > sorry: > > Forgot: > > I am by the way skipping "define on first use" checks, but hereby reminding authors > that it's good to check for that. Alas, there still doesn't seem to be a good automated > way for that... *sigh* > > 345 > 346 In code examples, the string "<CODE BEGINS>" denotes the start of a > 347 code example and "<CODE ENDS>" the end of the code example. "lf > 348 added" means that extra linefeed characters were added to an example > 349 to make lines fit in this document. > 350 > 351 The ellipsis ("...") in a CBOR diagnostic notation byte string > 352 denotes a further sequence of bytes that is not shown for brevity. > 353 This notation is defined in [I-D.ietf-cbor-edn-literals]. > > great terminology section! > > 354 > 355 3. Requirements Language > 356 > 357 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > 358 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and > 359 "OPTIONAL" in this document are to be interpreted as described in > 360 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all > 361 capitals, as shown here. > 362 > 363 4. Overview of Protocol > 364 > 365 [RFC8366bis] defines a voucher that can assert proximity, > 366 authenticates the Registrar, and can offer varying levels of anti- > 367 replay protection. The proximity proof provided by a voucher is an > 368 assertion that the Pledge and the Registrar are believed to be close > 369 together, from a network topology point of view. Similar to BRSKI > 370 [RFC8995], proximity is proven by making a DTLS connection between a > 371 Pledge and a Registrar. The Pledge initiates this connection using a > 372 link-local source address. > > nit: > > This text starts with explaining stuff about [RFC8366bis] and then throws in > BRSKI and cBRSKI. Likewise DTLS is thrown in when i think it's not beneficial. > After all, we would still use DTLS even if we had a setup where a pledge discovery > a non-link-local connection. > > Simply replace sentenc "Similar to BRSKI ..." with The proximity assertion is raised when the Pledge is making the > connection to the registrar using link-local addresses. And then > upfront the following paragraph with moving over to cBRSKI: Where > BRSKI [RFC8995] uses TLS connections from Pledge to registrar, cBRSKI > uses DTLS. This secure ... 373 374 The secure DTLS connection is then > used by the Pledge to send a 375 Pledge Voucher Request (PVR). The > Registrar then includes the PVR 376 into its own Registrar Voucher > Request (RVR), which is sent to an 377 agent (MASA) of the Pledge's > manufacturer. The MASA verifies the PVR 378 and RVR and issues a > signed voucher. The voucher provides an 379 authorization statement > from the manufacturer indicating that the 380 Registrar is the > intended owner of the Pledge. The voucher refers to 381 the Registrar > through pinning of the Registrar's identity. nit: I am still uneasy > referring to the voucher pinning without explanation because it > behaves differently than classical web certificate pinning. I'd rather > explain our functionality and not introduce the term pinning here: "The voucher refers.." -> The voucher also includes an identity of the owner, such > as a certificate which the Pledge can then use to authenticate the owner. > > 382 > 383 > 384 > 385 > 386 > 387 > 388 > 389 > 390 > 391 > 392 Richardson, et al. Expires 31 August 2026 [Page 7] > 393 > 394 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 395 > 396 > nit: > > I'd frontent the following paragraph with: > > This MASA communication is necessary because the only trust anchors that a Pledges > software can have are those installed by the manufacturer, simply because the role > as Pledge assumes that nobody but the manufacturer ever had to touch it. Therefore the > voucher can only be signed by such an agent trusted by the manufacturer. > > 397 After verification of the voucher, the Pledge enrolls into the > 398 Registrar's domain by obtaining a certificate using the EST-coaps > > nit: > > would move mentioning of LDevID here: > > "a certtificate called the LDevID" > > 399 [RFC9148] protocol, suitable for constrained devices. Once the > 400 Pledge has obtained its domain identity (LDevID) in this manner, it > 401 can use this identity to obtain network access credentials, which are > 402 used to join the local IP network. The method to obtain such > 403 credentials depends on the particular network technology used and is > 404 outside the scope of this document. > > nit: > > >From "Once the Pledge" on: I would try to explain these benefits but also limitations of > the scope of cBRSKI stronger: While the LDevID can serve as an > identity of the Pledge in the domain of the owner for any type of > communication, the fact that cBRSKI only required link-local > communications up to this point specifically allows pledges to use > cBRSKI to join a domain in which allocation of (non link-local) > addresses needs authentication and/or where (non link-local) > communication is secured in any form. Note that these mechanisms are > outside the scope of this document 405 406 The two main parts of the > BRSKI protocol are named separately in this 407 document: BRSKI-EST > (Section 6) for the protocol between Pledge and 408 Registrar, and > BRSKI-MASA (Section 7) for the protocol between the 409 Registrar and > the MASA. 410 411 Time-based vouchers are supported, but given that > constrained devices 412 are unlikely to have accurate time, their use > will be uncommon. Most 413 Pledges using constrained vouchers will be > online during enrollment 414 and will use live nonces to provide > anti-replay protection rather 415 than expiry times. nit: Start with the "Most" sentence, then add "for offline enrollment, anti-replay > protection can be achieved via time-based voucher..." > > And given how that then leaves the question about offline enrollment for > constrained devices without clocks, maybe add sentence that BRSKI such as > those specified in PRM could close this gap but are currently not specified > for constrained BRSKI. > > 416 > 417 [RFC8366bis] defines the CBOR voucher data encoding for the > > nit: > > "also defines" - as you're circling back to RFC8366 > > 418 constrained voucher and the constrained voucher request, which are > 419 used by cBRSKI. > 420 > 421 The constrained voucher request MUST be signed by the Pledge. COSE > 422 [RFC9052] is used for signing as defined in Section 9.2. It signs > 423 using the private key of its IDevID. The constrained voucher MUST be > 424 signed by the MASA. Also in this case, COSE is used for signing. > > nit: > > Can you check if the normative requirements can go reasonably into later parts > of the document. Its a weird to have them here. Then replace by "must" here. > > 425 > 426 For the constrained voucher request (PVR) the default method for the > 427 Pledge to identify the Registrar is using the Registrar's full PKIX > 428 certificate. But when operating PKIX-less as described in > 429 Section 13, the Registrar's Raw Public Key (RPK) is used for this. > 430 > 431 For the constrained voucher the default method to indicate ("pin") a > 432 trusted domain identity is the domain's PKIX CA certificate, but when > 433 operating PKIX-less instead the RPK of the Registrar is pinned. > 434 > 435 For certificates, cBRSKI currently uses the X.509 format, like BRSKI. > > nit: > > Do you want to add some explanation such as "While X.509 is not the most > constrained friendly encoding, at the time of writing this document, no single > better alternatives has appeared. Therefore... > > 436 The protocol and data formats are defined such that future extension > 437 to other certificate formats is enabled. For example, CBOR-encoded > 438 and COSE-signed C509 certificates ([I-D.ietf-cose-cbor-encoded-cert]) > 439 may provide data size savings as well as code sharing benefits with > 440 CBOR/COSE libraries, when applied to cBRSKI. > 441 > 442 The BRSKI architecture mandates that the MASA be aware of the > 443 capabilities of the Pledge. This is not a drawback as a Pledge is > > nit: > "capabilities of the Pledge to construct the appropriate voucher" > > 444 constructed by a manufacturer which also arranges for the MASA to be > 445 > 446 > 447 > 448 Richardson, et al. Expires 31 August 2026 [Page 8] > 449 > 450 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 451 > 452 > 453 aware of the inventory of devices. The MASA therefore knows if the > 454 Pledge supports PKIX operations, or if it is limited to RPK > 455 operations only. Based upon this, the MASA can select which > 456 attributes to use in the voucher for certain operations, like the > 457 pinning of the Registrar or domain identity. > 458 > 459 5. Updates to RFC 8995 and RFC 9148 > > nit: rename to "Changes to existing RFC" and then subsections "Updates to RFC8995" and > "Updates to RFC9148" > 460 > 461 This section details the ways in which this document updates other > 462 RFCs. > > 463 > 464 This document Updates [RFC8995] because it: > > major: At this point in time, the text and explanations in this section make it > very hard to justify both the "update to rfc8995" as well as "update to rfc9148" > > While i am not sure i 100% understand the rules for "update" or whether they are even so well specified into these details: - A "clarifies" itself does not justify an update. Worst case, that's just an informational > optional addendum, not an update. > > - If you can come up with specific examples of how a well-meaning possible implementation > of either of these RFC could have resulted in something that is not allowed anymore > under this rfc-to-be, then those cases should be explicitly summarized in these > update sections. That's the minimum IMHO to call for "update". > > - More annoyingly to implementers, they are right now on their own because if in any > situation existing text of either of these RFC looks like it's being in contradiction > with this new "clarifying" text, then the implementer may assume that that older > RFC text is to be ignored. BUT: explicit instructions to the same would be much > stronger justifying an "update": > > - Ideally, each text that is meant to "update" an older RFC should explicitly state > exactly which text of the updated RFC it replaces (think removing the old text), and/or > amends "insert the following text at exactly the following location of the original RFC. > > - If it is hard to come up with very simple replace/insert rules for the new text, then > i would suggest to simply copy the respective section(s) from the original RFC into > this RFC and modify it accordingly with the new goals/text. That way, you come up with > a simple "this section replaces section foobar of rfc8995", but you may also make > it potentially a lot easier to read this drafts new text. > > - Are there any current or future possible implementations of RFC8995 and/or RFC9148 > WIHOUT considerations for constrained vouchers that would need to change under the > new text ? Thats the strongest argument for "update" and should be explained as the > first item in either of these update sections. And if there is anything like this, > how does it impact interoperability with implementations of BRSKI only against RFC8995 > (without these changes). Given how few implementations of BRSKI there may be, we can > i think even be quite "adventorous" if those changes are seen as important enhancements. > > So, in summary maybe consider grouping into three types: > > 1. Changes for non-constrained cases. These are core updateso > > 2. Better text that could help to avoid misinterpretations of prior RFC > > 3. Extensions: these are not updates per-se and should be called out as such, > but by calling them out, i think it's fine to keep them in the "update" section here. > > 465 > 466 * clarifies how pinning in vouchers is done (Section 8), > > > 467 > 468 * clarifies the use of TLS Server Name Indicator (SNI) > 469 (Section 6.1.4, Section 7.3), > 470 > 471 * clarifies when new trust anchors should be retrieved by a Pledge > 472 (Section 6.5.1), > 473 > 474 * clarifies what kinds of Extended Key Usage attributes are > 475 appropriate for each certificate (Section 6.1.5, Section 7.4), > 476 > 477 * extends BRSKI with the use of CoAP, > > minor: CoAP is explicitly out of scope for RFC8995, so this extension is not > an update to rfc8995 but an extension. > > 478 > 479 * makes some BRSKI messages optional to send if the results can be > 480 inferred from other validations (Section 6.5), > 481 > 482 * extends the BRSKI-EST/BRSKI-MASA protocols (Section 6, Section 7, > 483 Section 9.2) to carry the new application/voucher+cose format. > 484 > 485 This document Updates [RFC9148] because it: > 486 > 487 * defines stricter DTLS requirements (Section 6.1)), > > nit: quick one sentence example of the most likely previously implemented option (under 9148 > rules) that would need to be different under this docs rule. Would be nice. > > 488 > 489 * details how an EST-coaps client handles certificate renewal and > 490 re-enrollment (Section 6.5), > 491 > 492 * details how an EST-coaps server processes a "CA certificates" > 493 request for content-format 287 (application/pkix-cert) > 494 (Section 6.6). > 495 > 496 * adds enrollment status telemetry to the certificate renewal > 497 procedure (Section 6.5.4), > 498 > 499 * adds support for the media type application/multipart-core for the > 500 CA certificates (/crts) resource (Section 6.5.5), > > 501 > 502 > 503 > 504 Richardson, et al. Expires 31 August 2026 [Page 9] > 505 > 506 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 507 > 508 > 509 * defines a resource type ('rt') attribute value "ace.est" for the > 510 EST-coaps base resource (Section 15.1). > 511 > 512 6. BRSKI-EST Protocol > 513 > 514 This section describes the extensions to both BRSKI [RFC8995] and > 515 EST-coaps [RFC9148] operations between Pledge and Registrar. > 516 > 517 6.1. DTLS Connection > 518 > 519 A DTLS connection is established between the Pledge and the > 520 Registrar, similar to the TLS connection described in Section 5.1 of > 521 [RFC8995]. This may occur via a Join Proxy as described in > 522 Section 6.2. Regardless of the Join Proxy presence or particular > 523 mechanism used, the DTLS connection should operate identically. The > 524 cBRSKI and EST-coaps requests and responses for onboarding are > 525 carried over this DTLS connection. > 526 > 527 6.1.1. DTLS Version > 528 > 529 DTLS version 1.3 [RFC9147] SHOULD be used in any implementation of > 530 this specification. An exception case where DTLS 1.2 [RFC6347] MAY > 531 be used is in a Pledge that uses a software platform where a DTLS 1.3 > 532 client is not available (yet). This may occur for example if a > 533 legacy device gets software-upgraded to support cBRSKI. For this > 534 reason, a Registrar MUST by default support both DTLS 1.3 and DTLS > 535 1.2 client connections. However, for security reasons the Registrar > 536 MAY be administratively configured to support only a particular DTLS > 537 version or higher. > > Nice! Lets hope this goes through. It does make a good case with sufficient > explanation to the SME. Hopefully IESG gets that. > > 538 > 539 An EST-coaps server [RFC9148] (if present as a separate entity from > 540 above Registrar) that implements this specification also MUST support > 541 both DTLS 1.3 and DTLS 1.2 client connections by default. However, > 542 for security reasons the EST-coaps server MAY be administratively > 543 configured to support only a particular DTLS version or higher. > > major: If 6.1.1 says for registrar to MUST support DTLS 1.3, how then do we > justify the support need for DTLS 1.2 - given how we only have connections from > those 1.3 registrars ? > > 544 > 545 6.1.2. TLS Client Certificates: IDevID authentication > 546 > 547 As described in Section 5.1 of [RFC8995], the Pledge makes a > 548 connection to the Registrar using a TLS Client Certificate for > 549 authentication. This is the Pledge's IDevID certificate. > 550 > 551 Subsequently the Pledge will send a Pledge Voucher Request (PVR). > 552 Further elements of Pledge authentication may be present in the PVR, > 553 as detailed in Section 9.2. > 554 > 555 > 556 > 557 > 558 > 559 > 560 Richardson, et al. Expires 31 August 2026 [Page 10] > 561 > 562 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 563 > 564 > 565 6.1.3. DTLS Handshake Fragmentation Considerations > 566 > 567 DTLS includes a mechanism to fragment handshake messages. This is > 568 described in Section 4.4 of [RFC9147]. cBRSKI will often be used with > 569 a Join Proxy, described in Section 6.2, which relays each DTLS > 570 message to the Registrar. A stateless Join Proxy will need some > 571 additional space to wrap each DTLS message inside a Join Proxy UDP > 572 message, while the wrapped result needs to fit in the maximum IPv6 > 573 MTU guaranteed on 6LoWPAN [RFC6282] networks, which is 1280 bytes. > 574 > 575 For this reason it is RECOMMENDED that a PMTU of 1024 bytes be > 576 assumed for the DTLS handshake and appropriate DTLS fragmentation is > 577 used. It is unlikely that any ICMPv6 Packet Too Big indications > 578 ([RFC4443]) will be relayed by the Join Proxy back to the Pledge. > 579 > 580 During the operation of the EST-coaps protocol, the CoAP Block-wise > 581 transfer mechanism [RFC7959] will be automatically used when message > 582 sizes exceed the PMTU. A Pledge/EST-client on a constrained network > 583 MUST use the (D)TLS maximum fragment length extension > 584 ('max_fragment_length') defined in Section 4 of [RFC6066] with the > 585 maximum fragment length set to a value of either 2^9 or 2^10, when > 586 operating as a DTLS 1.2 client. > 587 > 588 A Pledge/EST-client operating as DTLS 1.3 client, MUST use the (D)TLS > 589 record size limit extensions ('record_size_limit') defined in > 590 Section 4 of [RFC8449], with RecordSizeLimit set to a value between > 591 512 and 1024 (inclusive). > 592 > 593 6.1.4. Registrar and the Server Name Indicator (SNI) > 594 > > major: > > I think in our last call discussing this, we figured that this section should > explain that > > a) The core (and maybe only discussed) reason to mention for explicitly NOT using SNI is > to allow for (c) BRSKI implementations on pledge and registrars to always be > able to operate in the presence of (c)BRSKI proxies, even if not initially > considered by an implementation or deployment. And whenever a proxy is used, > then the pledge can not know the right hostname of the registrar that is picked > by the proxy potentially from a list of multiple registrars. > > b) the way (c)BRSKI uses (d)TLS is an application profile of (d)TLS and is hence > overriding the requirement for SNI in so far as that it overrides (d)TLS > requirements to use SNI and replaces them with the requirement to ignore > SNI on the responder if inserted. > > I will refer to this major point is in the followin paragraphs for further suggestions > > 595 The SNI issue described below affects [RFC8995] as well, and is > 596 reported in errata:https://www.rfc-editor.org/errata/eid6648 > 597 (https://www.rfc-editor.org/errata/eid6648) > > major: > > The big open question is whether you want to write this section to indicate it > applies only to cBRSKI or also to BRSKI. If you write it to also claim that it > applies to BRSKI, then this section would become a resolution to the mentioned > RFC8995 errata and this document would become an update to RFC8995. If you do > so, then keep the above paragraph and explain how this paragraph applies to BRSKI > and cBRSKI and add appropriate text to an "update to RFC8995" section pointing > to this section. > > If you want to have less work, then write this text only applies to cBRSKI and > you can remove the paragraph referring to that errata. Less work. > > Authors choice. As a contributor, it would be nice if this document would do > this update to RFC8995 and use this section to resolve that errata. > > 598 > 599 As the Registrar is discovered by IP address, and typically connected > 600 via a Join Proxy, the hostname of the Registrar is not known to the > 601 Pledge. Therefore, it cannot do DNS-ID validation ([RFC9525]) on the > 602 Registrar's certificate. Instead, it must do validation using the > 603 voucher. > 604 > 605 Without knowing the hostname, the Pledge cannot put any reasonable > 606 value into the [RFC6066] Server Name Indicator (SNI) extension. > > minor: > > Would suggest to remove that explanation. Future discovery mechanisms could discover hostnames, > but they would happen in the proxy, and not the pledge. Also, the DNS-ID validation > is i think totally unrelated to the problem at hand. Instead just use the justification/ > explanation of above a). > > 607 Therefore the Pledge SHOULD omit the SNI extension as per Section 9.2 > 608 of [RFC8446]. > > mainor: > > Change text according to the justification of a) and the approach of b). MUST seems > also feasible becauseof approach b). > > > 609 > 610 In some cases, particularly while testing BRSKI, a Pledge may be > 611 given the hostname of a particular Registrar to connect to directly. > 612 Such a bypass of the discovery process may result in the Pledge > 613 > 614 > 615 > 616 Richardson, et al. Expires 31 August 2026 [Page 11] > 617 > 618 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 619 > 620 > 621 taking a different code branch to establish a DTLS connection, and > 622 may result in the SNI being inserted by a library. For this reason, > 623 the Registrar MUST ignore any SNI it receives from a Pledge. > > Fine. > > 624 > 625 A primary motivation for making the SNI ubiquitous in the public web > 626 is because it allows for multi-tenant hosting of HTTPS sites on a > 627 single (scarce) IPv4 address. This consideration does not apply to > 628 the server function in the Registrar because: > 629 > 630 * it uses DTLS and CoAP, not HTTPS; > 631 > 632 * it typically uses IPv6, often [RFC4193] Unique Local Address, > 633 which are plentiful; > 634 > 635 * the server port number is typically discovered, so multiple > 636 tenants can be accommodated via unique UDP port numbers. > > minor: > > That text needs to be rewritten: > > If the choice is to make this about cBRSKI and BRSKI, then the cBRSKI justification > (CoAP) is not relevant anymore. > > I would phrase it as follows: > > By explicitly not using SNI, (c)BRSKI does not allow hosting multiple domain name > services on the same IPv4 address and port number. > > The desire to support > this model is primarily driven by the use case in which humans enter domain names > into applications such as browsers where remembering additional port numbers > is highly undesirable. Given how (c)BRSKI registrars are intended to be automatically > discovered, this benefit of SNI is considered insignificant if not irrelevant. > > [The following of course only when this text is written to also apply to BRSKI] > > Additionally, use of only port 443 for HTTPS may be beneficial in environments where > firewalls are blocking off other ports because of the firewall administrators (misguided) > hope that only more trustworthy services are using port 443. These conditions > may impact the use of Internet (cloud) based (c)BRSKI registrars > (see I-D.ietf-anima-brski-cloud). It is thus RECOMMENDED to use only port 443 > for cloud based BRKI registrars. No cBRSKI variation of such cloud registrar service > has currently been defined. > > 637 > 638 6.1.5. Registrar Server Certificate Requirements > 639 > 640 As per Section 3.6.1 of [RFC7030], the Registrar certificate MUST > 641 have the Extended Key Usage (EKU) id-kp-cmcRA. > > 641 This certificate is > 642 also used as a TLS Server Certificate, so it MUST also have the EKU > 643 id-kp-serverAuth. > > minor: > > Any reference for the id-kp-serverAuth ? Please ad. > > > 644 > 645 See Appendix C.2.2 for an example of a Registrar certificate with > 646 these EKUs set. See Section 7.4 for Registrar client certificate > 647 requirements. > 648 > 649 6.2. cBRSKI Join Proxy > 650 > 651 [I-D.ietf-anima-constrained-join-proxy] specifies the details for a > 652 stateful or stateless constrained Join Proxy which is equivalent to > 653 the BRSKI Proxy defined in [RFC8995], Section 4. See also Section 10 > 654 for more details on discovery of a Join Proxy by a Pledge, and > 655 discovery of a Registrar by a Join Proxy. > 656 > 657 6.3. Request URIs, Resource Discovery and Content-Formats > 658 > 659 cBRSKI operates using CoAP over DTLS, with request URIs using the > 660 coaps scheme. The Pledge operates in CoAP client role. To keep the > 661 protocol messages small the EST-coaps and cBRSKI request URIs are > ^ ", " > > Run a better spell checker that finds stuff like this please. > > 662 shorter than the respective EST and BRSKI URIs. > 663 > 664 During the cBRSKI onboarding on an IPv6 network these request URIs > 665 have the following form: > 666 > 667 coaps://[<link-local-ipv6>]:<port>/.well-known/brski/<short-name> > 668 coaps://[<link-local-ipv6>]:<port>/.well-known/est/<short-name> > 669 > 670 > 671 > 672 Richardson, et al. Expires 31 August 2026 [Page 12] > 673 > 674 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 675 > 676 > 677 where <link-local-ipv6> is the discovered link-local IPv6 address of > 678 a Join Proxy, and <port> is the discovered port of the Join Proxy > 679 that is used to offer the cBRSKI proxy functionality. > > minor: > > Is there any reason to exclude the option to use IPv4 ? I have no strong opinions, > but if cBRSKI is meant to only specify IPv6 (even though it should work fine for > IPv4 IMHO), then it would be very good to explain and justify this early on in the > document. > > In addition, you should in the beginning of the text specify what "IP" means in > this document. There is still a wild mix of RFC where one side uses IP to mean > just IPv4 (as historic RFCs did) and other RFCs mean it to indicate IPv4 and/or IPv6. > I am not aware though of any RFC where IP mean only IPv6. You can do that, but > you need to specify this in the beginning of the RFC. > > 680 > 681 <short-name> is the short resource name for the cBRSKI and EST-coaps > 682 resources. For EST-coaps, Section 5.1 of [RFC9148] defines the CoAP > 683 <short-name> resource names. For cBRSKI, this document defines the > 684 short resource names based on the [RFC8995] long HTTP resource names. > 685 See Table 1 for a summary of these resource names. > 686 > 687 Section 11 details how the Pledge discovers a Join Proxy link-local > 688 address and port in different deployment scenarios. > 689 > 690 The request URI formats defined here enable the Pledge to perform > 691 onboarding/enrollment without requiring discovery of the available > 692 onboarding options, voucher formats, BRSKI/EST resources, enrollment > 693 protocols, and so on. This is helpful for the majority of > 694 constrained Pledges that would support only a single set of these > 695 options. However, for Pledges that do support multiple options, > 696 [I-D.ietf-anima-brski-discovery] will define discovery methods so > 697 that a Pledge can select the optimal set of options for the current > 698 onboarding operation. > > minor: > > I think this is not correctly explained. > > The request URI formats as well as their request and response formats > specified here are the default formats for cBRSKI. Whenever a pledge > is looking for just a 'cBRSKI' Registrar (or Proxy), then it is expected > to support these format. These formats are choosen as the best choice > for the mayority of pledges. > > Variations of cBRSKI with other onboarding options such as other voucher > formats or enrolment protocols other than EST need to be discovered by more > flexible discovery mechanisms and not every Registrar may support them. > See [I-D.ietf-anima-brski-discovery] for discovery options including the > ability to only support other than these default options - when needed. > > 699 > 700 Alternatively, a Pledge could also send CoAP discovery queries > 701 (Section 7 of [RFC7252]) to the Registrar to discover detailed > 702 options for onboarding and/or enrollment functions. Supporting these > 703 queries is OPTIONAL for both the Pledge and the Registrar. To > 704 clarify which options in particular can be discovered, Appendix E > 705 provides an informative overview of what can be discovered and how to > 706 discover it. > > nit: > > Maybe append: When using CoAP discovery queries to the Registrar, it may not > support the desired options and the pledge needs to poll multiple registrars > before finding one that supports them. The mechanisms of > [I-D.ietf-anima-brski-discovery] avoid such issues. > > > 707 > 708 Because a Pledge only has indirect access to the Registrar via a > 709 single port on the Join Proxy, the Registrar MUST host all cBRSKI/ > 710 EST-coaps resources on the same (UDP) server IP address and port. > 711 This is the address and port where a Join Proxy would relay DTLS > 712 records from the Pledge to. > > minor: > > I think the even stronger (and primary) justification is > > Because a Pledge using cBRSKI > only builds a single DTLS secure connection (potentially via a Proxy) to > a Registrar, the Registrar MUST host all cBRSKI and EST-coaps ... > > This requirement also eliminates the need to discover (and potentially proxy) > additional connections for EST-coaps DTLS connections. > > aka: suggest to use that text. > > 713 > 714 Although the request URI templates include IP address, scheme and > 715 port, in practice the CoAP request message sent over the secure DTLS > 716 connection only encodes the URI path explicitly. For example, a > 717 Pledge that skips resource discovery operations just sends the > 718 initial CoAP voucher request as follows: > 719 > 720 REQ: POST /.well-known/brski/rv > 721 Content-Format: 836 (application/voucher+cose) > 722 Payload : (COSE-signed Pledge Voucher Request, PVR) > 723 > > minor: > > Is there ever a case where the IP address field would be signaled in CoAP ? > And when that's done, doesn't the Registrar need to ignore the IP address because > it belongs to the proxy ? If so, it would be good to be explained. Unless > you explicitly want to specify that level of detail only in constrained proxy > spec.. > > 724 > 725 > 726 > 727 > 728 Richardson, et al. Expires 31 August 2026 [Page 13] > 729 > 730 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 731 > 732 > 733 Note that only content-format 836 (application/voucher+cose) is > 734 defined in this document for the payload sent to the voucher request > 735 resource (/rv). Content-format 836 MUST be supported by the > 736 Registrar for the /rv resource and it MAY support additional formats. > 737 The Pledge MAY also indicate in the request the desired format of the > 738 (voucher) response, using the Accept Option. An example of using > 739 this option in the request is as follows: > 740 > 741 REQ: POST /.well-known/brski/rv > 742 Content-Format: 836 (application/voucher+cose) > 743 Accept : 836 (application/voucher+cose) > 744 Payload : (COSE-signed Pledge Voucher Request, PVR) > 745 > 746 If the Accept Option is omitted in the request, the response format > 747 follows from the request payload format (which is 836). > 748 > 749 Note that this specification allows for application/voucher+cose > 750 format requests and vouchers to be transported over HTTPS, as well as > 751 for application/voucher-cms+json and other formats yet to be defined > 752 over CoAP. The burden for this flexibility is placed upon the > 753 Registrar. A Pledge on constrained hardware is expected to support a > 754 single format only. > > minor: > > I don't think this paragraph specifies this correctly. Or sells it well. > > A pledge that only supports a different variation from the > > Note that application/voucher+cose format requests and vouchers can also be transported > over HTTPS, and application/voucher-cms+json and other formats yet to be defined > can be transported over CoAP. Any such variation may be more beneficial for a > specific type of pleges, for example because of the ability to reuse pre-existing > software modules implementing these options, and when this is the case, a pledge > may want to implement only such an option. > > This flexibility of BRSKI makes it possible to optimize it for different type of pledges > - at the expense of Registrars having to support multiple options. The use of any such > variations is outside the scope of this specification. Discovery of Registrars > supporting specific options is covered in [I-D.ietf-anima-brski-discovery]. > > > Aka: > > This text should silently imply that there may be the need for additional specifications > for any such variations - we're never quite sure if there will be a need or not - until > someone actually implements and tests! > > 755 > 756 The Pledge and MASA need to support one or more formats (at least > 757 format 836) for the voucher and for the voucher request. The MASA > 758 needs to support all formats that the Pledge supports. > > minor: > > I think that also needs to be refactored into what this spec normtively requires, > and text over variations, which is just informational. For example: > > Like Pledge and Registrar, the MASA also MUST support format 836. > > Any variations supported by Pledges also need to be supported by their MASA. > > 759 > 760 6.3.1. Status Telemetry Returns > 761 > 762 [RFC8995] defines two telemetry returns from the Pledge which are > 763 sent to the Registrar. These are the BRSKI Status Telemetry > 764 [RFC8995], Section 5.7 and the Enrollment Status Telemetry [RFC8995], > 765 Section 5.9.4. These are two CoAP POST requests made the by Pledge > 766 at two key steps in the process. > 767 > 768 [RFC8995] defines the content of these POST operations in CDDL, which > 769 are serialized as JSON. This document extends this with an > 770 additional CBOR format, derived using the CDDL rules in [RFC8610]. > > minor: > > s/This document extends this with/For use with CoAPS, this document replaces this with/ > > 771 > 772 The new CBOR telemetry format has CoAP content-format 60 > 773 (application/cbor) and MUST be supported by the Registrar for both > 774 the /vs and /es resources. The existing JSON format has CoAP > 775 content-format 50 (application/json) and MAY also be supported by the > 776 Registrar. A Pledge MUST use the new CBOR format to send telemetry > 777 messages. > > minor: > > Do we really need the freedom for content-format 50 ? When would this ever happen ? > What's the benefit ? > > Seems its just a redundant option asking for interop trouble. > > 778 > 779 > 780 > 781 > 782 > 783 > 784 Richardson, et al. Expires 31 August 2026 [Page 14] > 785 > 786 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 787 > 788 > 789 6.3.2. CoAP Resources Table > 790 > 791 cBRSKI inherits EST-coaps [RFC9148] functions: specifically, the > 792 mandatory Simple (Re-)Enrollment (/sen and /sren) and Certification > 793 Authority certificates request (/crts). Support for CSR Attributes > 794 Request (/att) and server-side key generation (/skg, /skc) remains > 795 optional for the EST-coaps server. > 796 > 797 Table 1 summarizes the resources used in cBRSKI. It includes both > 798 the short-name cBRSKI resources and the EST-coaps resources. > 799 > 800 +=================+====================+===============+============+ > 801 | BRSKI + EST | cBRSKI + EST-coaps | Well-known | Required | > 802 | name | <short-name> | URI | for | > 803 | | | namespace | Registrar? | > 804 +=================+====================+===============+============+ > 805 | /enrollstatus | /es | brski | MUST | > 806 +-----------------+--------------------+---------------+------------+ > 807 | /requestvoucher | /rv | brski | MUST | > 808 +-----------------+--------------------+---------------+------------+ > 809 | /voucher_status | /vs | brski | MUST | > 810 +-----------------+--------------------+---------------+------------+ > 811 | /cacerts | /crts | est | MUST | > 812 +-----------------+--------------------+---------------+------------+ > 813 | /csrattrs | /att | est | MAY | > 814 +-----------------+--------------------+---------------+------------+ > 815 | /simpleenroll | /sen | est | MUST | > 816 +-----------------+--------------------+---------------+------------+ > 817 | /simplereenroll | /sren | est | MUST | > 818 +-----------------+--------------------+---------------+------------+ > 819 | /serverkeygen | /skg | est | MAY | > 820 +-----------------+--------------------+---------------+------------+ > 821 | /serverkeygen | /skc | est | MAY | > 822 +-----------------+--------------------+---------------+------------+ > 823 > 824 Table 1: BRSKI/EST resource name mapping to cBRSKI/EST-coaps > 825 short resource name > 826 > 827 6.3.3. CoAP Uri-Path Abbreviation > 828 > 829 To minimize the size of CoAP request packets on constrained networks, > 830 the CoAP Uri-Path-Abbrev Option defined in > 831 [I-D.ietf-core-uri-path-abbrev] MUST be supported by the Registrar. > 832 > 833 6.4. CoAP Responses > 834 > 835 [RFC8995], Section 5 defines a number of HTTP response codes that the > 836 Registrar is to return when certain conditions occur. > 837 > 838 > 839 > 840 Richardson, et al. Expires 31 August 2026 [Page 15] > 841 > 842 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 843 > 844 > 845 The 401, 403, 404, 406 and 415 response codes map directly to CoAP > 846 codes 4.01, 4.03, 4.04, 4.06 and 4.15 respectively. > 847 > 848 The 202 Retry process which may occur in the voucher request, is to > 849 be handled in the same way as the Section 5.7 of [RFC9148] process > 850 for Delayed Responses. > 851 > 852 6.5. Extensions to EST-coaps > 853 > 854 This section defines extensions to EST-coaps for Pledges (during > 855 initial onboarding), EST-coaps clients (after initial onboarding) and > 856 Registrars (that implement an EST-coaps server). Note that a device > 857 that is already onboarded is not called "Pledge" in this section: it > 858 now acts in the role of an EST-coaps client. > 859 > 860 6.5.1. Pledge Enrollment Procedure > 861 > 862 This section defines optimizations for the EST-coaps protocol as used > 863 by a Pledge. These aim to reduce payload sizes and the number of > ^^^^^^ > > nit: in 6.5 you just said you wanted to call it EST-coaps client... > > maybe go back to 6.5 and loosen up the text by saying that this section _also_ > uses the term EST-coaps client for the Pledge. > > 864 messages (round-trips) required for the initial EST enrollment. > 865 > 866 A Pledge SHOULD NOT perform the optional EST-coaps "CSR attributes > 867 request" (/att). Instead, the Pledge selects the attributes to > > minor: > > Add an explanation, even if just forward pointer to why not perform CSR attributes. > > 868 include in the CSR as specified below. > 869 > 870 One or more Subject Distinguished Name fields MUST be included in the > 871 CSR. If the Pledge has no specific information on what attributes/ > 872 fields are desired in the CSR, which is the common case, it MUST use > 873 the Subject Distinguished Name fields from its IDevID unmodified. > 874 Note that a Pledge MAY receive such specific information via the > 875 voucher data (encoded in a vendor-specific way, or as defined by a > 876 future specification) or via some other, out-of-band means. > 877 > 878 A Pledge uses the following optimized EST-coaps procedure: > 879 > 880 1. If the voucher, that validates the current Registrar, contains a > 881 single pinned domain CA certificate, the Pledge provisionally > 882 considers this certificate as the EST trust anchor, as if it were > 883 the result of a "CA certificates request" (/crts) to the > 884 Registrar. > 885 > 886 2. Using this CA certificate as trust anchor it proceeds with EST > 887 simple enrollment (/sen) to obtain a provisionally trusted LDevID > 888 certificate. > 889 > 890 3. If the Pledge determines that the pinned domain CA is (1) a root > 891 CA certificate and (2) signer of the LDevID certificate, the > 892 Pledge accepts the pinned domain CA certificate as the legitimate > 893 > 894 > 895 > 896 Richardson, et al. Expires 31 August 2026 [Page 16] > 897 > 898 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 899 > 900 > 901 trust anchor root CA for the Registrar's domain. It also accepts > 902 the LDevID certificate as its new LDevID identity. And steps 4 > 903 and 5 are skipped. > 904 > 905 4. Otherwise, if the step 3 condition was not met, the Pledge MUST > 906 perform a "CA certificates request" (/crts) to the EST server to > 907 obtain the full set of EST CA trust anchors. It then MUST > 908 attempt to chain the LDevID certificate to one of the CAs in the > 909 set. > 910 > 911 5. If the Pledge cannot obtain the set of CA certificates, or it is > 912 unable to create the chain as defined in step 4, the Pledge MUST > 913 abort the enrollment process and report the error using the > 914 enrollment status telemetry (/es). > 915 > 916 6.5.2. Renewal of CA certificates > 917 > 918 An EST-coaps client that has an idea of the current time (internally, > 919 or via Network Time Protocol) SHOULD consider the validity time of > > minor: > > via network clock synchronization such as (but not limited to) NTP > > NTP is a well-known RFC-editor abbreviation, so no need to expand or provide reference > > 920 the trust anchor CA(s), and MAY begin requesting new trust anchor > 921 certificates(s) using the /crts request when the CA has 50% of it's > 922 validity time (notAfter - notBefore) left. A client without access > 923 to the current time cannot decide if trust anchor CA(s) have expired, > 924 and SHOULD poll periodically for a new trust anchor certificate(s) > 925 using the /crts request at an interval of approximately 1 month. An > > minor: > > If the pledge has no idea of clock, not even when operating then it also does > not have an idea of what 1 month is.... Unless change that to something like > "1 month of some pledge measured operating time including but not limited to uptime". > > nit: > > maybe new pararaph before the following > > mayor: > > The problem of clockless pledges does not only apply to the renewal of the CA > certificates, but also to its own LDevID. So it would be useful to > structure this text so that this clocking stuff is not just inside the section 6.5.2 > > > 926 EST-coaps server SHOULD include the CoAP ETag Option ([RFC7252], > 927 Section 5.10.6)in every response to a /crts request, to enable > 928 clients to perform low-overhead validation whether their trust anchor > 929 CA is still valid. The EST-coaps client SHOULD store the ETag > 930 resulting from a /crts response in memory and SHOULD use this value > 931 in an ETag Option in its next GET /crts request. > 932 > 933 6.5.3. Change of Domain Trust Anchor(s) > 934 > 935 The domain trust anchor(s) may change over time. Such a change may > 936 happen due to relocation of the client device to a new domain, a new > 937 subdomain, or due to a key update of a trust anchor as described in > 938 [RFC4210], Section 4.4. > 939 > 940 From the client's viewpoint, a trust anchor change happens during > 941 EST-coaps re-enrollment: since a change of domain CA requires all > 942 devices operating under the old domain CA to acquire a new LDevID > 943 certificate issued by the new domain CA. A client's re-enrollment > 944 may be triggered by various events, such as an instruction to re- > 945 enroll sent by a domain entity, or an imminent expiry of its LDevID > 946 certificate, or other. How the re-enrollment is explicitly triggered > 947 on the client by a domain entity, such as a commissioner or a > 948 Registrar, is out of scope of this specification. > > minor: > > It would be nice to keep two things apart and describe them also that way. > > a) This spec should be completely sufficient for the pledge to do the right > thing to get its LDevID and trust anchors updated before they expire or > whenever som other error makes it obvious to the pledge to get them updated. > No "outside of scope" problems here! > > b) Any additional options for change in trust anchors or LDevID - which may > depend on out-of-scope additional components such as special triggers. > > 949 > 950 > 951 > 952 Richardson, et al. Expires 31 August 2026 [Page 17] > 953 > 954 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 955 > 956 > 957 The mechanism described in [RFC7030], Section 4.1.3 and [RFC4210], > 958 Section 4.4 for root CA key update requires four certificates: > 959 OldWithOld, OldWithNew, NewWithOld, and NewWithNew. Of these four, > 960 the OldWithOld certificate is already stored in the client's Explicit > 961 TA database. The other certificates will be provided to the client > 962 in a /crts response, during the EST-coaps re-enrollment procedure. > 963 > 964 6.5.4. Re-enrollment Procedure > > minor: > > If i am not mistaken, we only talk about Re-enrollment when the client identifies > itself with something else, but not the existing LDevID. Otherwise we are talking > about Certificate renewal/rekeying. Rekeying is the same as renewal, except that > the client also creates a new key-pair for the new certificate. Whether or not > that is necessary/desirable is i think within these fully automated cBRSKI procedure > solely responsiblity of the pledge implementation. > > But in any case, call this section something like LDevID Renewal/Rekeying - and > when you discuss procedure for when the existing LDevID does not work for > Renewal/Rekeying, then call it Re-Enrollment. > > And i think all of this would logically look better if it comes before the > more complex (and less often happening) CA cert change section (reorder). > > 965 > 966 For re-enrollment, the EST-coaps client MUST support the following > 967 EST-coaps procedure. During this procedure the EST-coaps server MAY > 968 re-enroll the client into a new domain or into a new sub-CA within a > 969 larger domain. > 970 > 971 1. The client connects with DTLS to the EST-coaps server, and > 972 authenticates with its present domain certificate (LDevID) as > 973 usual. The EST-coaps server authenticates itself with its domain > 974 RA certificate that is currently trusted by the client, i.e. it > 975 chains to a trust anchor CA that the client has stored in its > 976 Explicit TA database. This is the OldWithOld trust anchor. The > 977 client checks that the server is a Registration Authority (RA) of > 978 the domain as required by Section 3.6.1 of [RFC7030] before > 979 proceeding. > 980 > 981 2. The client performs the simple re-enrollment request (/sren) and > 982 upon success it obtains a new LDevID certificate. > 983 > 984 3. The client verifies the new LDevID certificate against its > 985 Explicit TA database. If the new LDevID chains successfully to a > 986 TA, this means trust anchors did not significantly change and the > 987 client MAY skip retrieving the current CA certificates using the > 988 "CA certificates request" (/crts). If it does not chain > 989 successfully, it means trust anchor(s) were changed significantly > 990 and the client MUST retrieve the new domain trust anchors using > 991 the "CA certificates request" (/crts). > 992 > 993 4. If the client retrieved new trust anchor(s) in step 3, then it > 994 MUST verify that the new LDevID certificate it obtained in step 2 > 995 chains with the new trust anchor(s). If it chains successfully, > 996 the client stores the new trust anchor(s) in its Explicit TA > 997 database, accepts the new LDevID certificate and stops using its > 998 prior LDevID certificate. If it does not chain successfully, the > 999 client MUST NOT update its LDevID certificate, and it MUST NOT > 1000 update its Explicit TA database, and the client MUST abort the > 1001 enrollment process and MUST attempt to report the error to the > 1002 EST-coaps server using enrollment status telemetry (/es). > 1003 > 1004 > 1005 > 1006 > 1007 > 1008 Richardson, et al. Expires 31 August 2026 [Page 18] > 1009 > 1010 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1011 > 1012 > 1013 Note that even though the EST-coaps client may skip the /crts request > 1014 in step 3 at this time, it SHOULD still support renewal of the trust > 1015 anchors as detailed in Section 6.5.2. > 1016 > 1017 Note that an EST-coaps server that is also a Registrar will already > 1018 support the enrollment status telemetry resource (/es) in step 4, > 1019 while an EST-coaps server that purely implements [RFC9148], and not > 1020 the present specification, will not support this resource. > > minor: > > I may have missed it, but before this paragraph you did not talk about a > pure EST-coaps server that is not also a registrar - but only used renewal or > re-enrollment. Or how to discover them. In RFC8994 i explicitly wanted to support > that option so i even specified discovery options for that. > > Not sure what you find important enough to specify here, but it should be clear. > For example, that the procedures mandated to be supported by Pledges only > include renewal/re-enrolment (LdevID and CA certificates) from Registrars - to > avoid additional discovery mechanism needs. And also put that type of discussion > further towards the beginning of this whole "Cert lifecycle requirements". > > 1021 > 1022 6.5.5. Multipart Content-Format for CA certificates (/crts) Resource > 1023 > 1024 In EST-coaps [RFC9148] the PKCS#7 container format is used for CA > 1025 certificates distribution. Because the PKCS#7 format is only used as > 1026 a certificate container and no additional security is applied on the > 1027 container, it becomes attractive to replace this format by something > 1028 simpler, on a constrained Pledge: so that additional PKCS#7 code is > 1029 avoided. Therefore, this document defines a container format using > 1030 the [RFC8710] application/multipart-core media type (CoAP content- > 1031 format 62). This is beneficial since a Pledge necessarily already > 1032 supports CBOR parsing, so there is little code overhead to support > 1033 this CBOR-based container format. > 1034 > 1035 A Registrar or EST-coaps server MUST support content-format 62 for > 1036 the /crts resource. The multipart collection MUST contain the > 1037 individual CA certificates, each encoded as an application/pkix-cert > 1038 (287) representation. Future documents may define other certificate > 1039 formats: the multipart collection can handle any future types. The > 1040 order of CA certificates MUST be in the CA hierarchy order starting > 1041 from the issuer of the client's LDevID first, up to the highest-level > 1042 domain CA, then optionally followed by any further CA certificates > 1043 that are not part of this hierarchy. These further CA certificates > 1044 may be Third-party TAs as defined in [RFC7030]. The highest-level > 1045 domain CA may or may not be a root CA certificate. > 1046 > 1047 As an example, for the two-level CA domain PKI of Figure 1 the > 1048 multipart container will contain two representations: > 1049 > 1050 [ <domain sub-CA cert (2)> , <domain CA cert (1)> ] > 1051 > 1052 Encoded as an application/multipart-core CBOR array this is (shown in > 1053 CBOR diagnostic notation): > 1054 > 1055 [ 287, h'3082' ... 'd713', 287, h'3082' ... 'a034' ] > 1056 > 1057 The total number of CA certificates SHOULD be 1, 2 or 3 and not > 1058 higher to prevent constrained Pledges from running out of memory for > 1059 the trust anchor storage (Explicit TA database). However if a domain > 1060 operator can guarantee that any Pledges enrolled in its network can > 1061 > 1062 > 1063 > 1064 Richardson, et al. Expires 31 August 2026 [Page 19] > 1065 > 1066 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1067 > 1068 > 1069 support larger sets of CA certificates, the total number MAY be > 1070 configured as higher than 3. To facilitate a reliable transfer of > 1071 large payloads over constrained networks, the server MUST support > 1072 CoAP Block-wise transfer for the /crts response. The server MUST > 1073 also support the Size2 Option [RFC7959] to provide the total resource > 1074 length in bytes, when requested by a client. > 1075 > 1076 Implementation notes: a client that receives the first block of > 1077 payload data from the server, can already inspect the total number of > 1078 CA certificates by decoding the first byte of the payload. In CBOR > 1079 encoding, the respective first bytes 0x81-0x97 represent an array > 1080 with length 1-23, respectively. Furthermore, the length in bytes of > 1081 the first CA certificate can be already determined by decoding the > 1082 first bytes of the second element, because the CBOR encoding for > 1083 binary string includes the length of this string. A client that > 1084 requires an estimate of the total resource size (to be returned as > 1085 part of the first Block2 response from the server) can use a Size2 > 1086 Option with value 0 in its request. Knowing the overall progress of > 1087 the data transfer may be helpful in certain cases, e.g. when a Pledge > 1088 provides visual progress information on the onboarding progress. > 1089 > 1090 6.6. Registrar Extensions > 1091 > 1092 Before a Registrar forwards a COSE-signed voucher from MASA to the > 1093 Pledge, it MUST remove any 'x5bag' or 'x5chain' unprotected COSE > 1094 header attributes (which are defined in [RFC9360]). The contents of > 1095 these unprotected attributes are solely for validation/logging use by > 1096 the Registrar. Removing these attributes reduces the voucher size on > 1097 the constrained network path to the Pledge. > 1098 > 1099 The content-format 60 (application/cbor) MUST be supported by the > 1100 Registrar for the /vs and /es resources. > 1101 > 1102 Content-format 836 (application/voucher+cose) MUST be supported by > 1103 the Registrar for the /rv resource for CoAP POST requests, both as > 1104 request payload and as response payload. > 1105 > 1106 Content-format 287 (application/pkix-cert) MUST be supported by the > 1107 Registrar as a response payload for the /sen and /sren resources. > 1108 > 1109 > 1110 > 1111 > 1112 > 1113 > 1114 > 1115 > 1116 > 1117 > 1118 > 1119 > 1120 Richardson, et al. Expires 31 August 2026 [Page 20] > 1121 > 1122 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1123 > 1124 > 1125 When a Registrar receives a "CA certificates request" (/crts) request > 1126 with a CoAP Accept Option with value 287 (application/pkix-cert) it > 1127 MUST return only the single CA certificate that is the envisioned or > 1128 actual CA authority for the current, authenticated Pledge making the > 1129 request. An exception to this rule is when the domain has been > 1130 configured to operate with multiple CA trust anchors exclusively: > 1131 then the Registrar returns a 4.06 Not Acceptable error to signal to > 1132 the client that it needs to request another content-format that > 1133 supports retrieval of multiple CA certificates. > 1134 > 1135 7. BRSKI-MASA Protocol > 1136 > 1137 This section describes extensions to and clarifications of the BRSKI- > 1138 MASA protocol between Registrar and MASA. > 1139 > 1140 7.1. Protocol and Formats > 1141 > 1142 Section 5.4 of [RFC8995] describes a connection between the Registrar > 1143 and the MASA as being a normal TLS connection using HTTPS. This > 1144 document does not change that. > 1145 > 1146 The MASA only needs to support formats for which it has constructed > > nit: > how about "supports Pledges" instead of "has constructed Pledges". > Nobody knows if a Masa really is the same company as a manufacturer... > > 1147 Pledges that use that format. > 1148 > 1149 The Registrar MUST use the same format for the RVR as the Pledge used > 1150 for its PVR. Specifically, the Registrar MUST use the media type > 1151 application/voucher+cose for its voucher request to MASA, when the > 1152 Pledge used content-format 836 in the payload of its request to the > 1153 Registrar. > 1154 > 1155 The Registrar indicates the voucher format (by media type) it wants > 1156 to receive from MASA using the HTTP Accept header. This format MUST > 1157 be the same as the format of the PVR, so that the Pledge can parse > 1158 the resulting voucher. > 1159 > 1160 At the moment of writing the creation of CoAPS based MASAs is deemed > 1161 unrealistic and unnecessary. The use of CoAP for the BRSKI-MASA > 1162 connection is out of scope but can be the subject of another > 1163 document. Some consideration was made to specify CoAP support for > 1164 consistency, but: > 1165 > 1166 * the Registrar is not expected to be so constrained that it cannot > > nit: is expected not to be so constrained > > 1167 support HTTPS client connections. > 1168 > 1169 * the technology and experience to build Internet-scale HTTPS > 1170 responders (which the MASA is) is common, while the experience > 1171 doing the same for CoAP is much less common. > > nit: CoAPS > 1172 > 1173 > 1174 > 1175 > 1176 Richardson, et al. Expires 31 August 2026 [Page 21] > 1177 > 1178 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1179 > 1180 > 1181 * a Registrar is likely to provide onboarding services to both > 1182 constrained and non-constrained devices. Such a Registrar would > 1183 need to speak HTTPS anyway. > 1184 > 1185 * a manufacturer is likely to offer both constrained and non- > 1186 constrained devices, so there may in practice be no situation in > 1187 which the MASA could be CoAP-only. Additionally, as the MASA is > 1188 intended to be a function that can easily be outsourced to a > 1189 third-party service provider, reducing the complexity would also > 1190 seem to reduce the cost of that function. > 1191 > 1192 * security-related considerations: see Section 14.3. > > All fine! > > 1193 > 1194 7.2. Registrar Voucher Request > 1195 > 1196 If the PVR contains a proximity assertion, the Registrar MUST > 1197 propagate this assertion into the RVR by including the 'assertion' > 1198 attribute with the value "proximity". This conforms to the example > 1199 in Section 3.3 of [RFC8995] of carrying the assertion forward. > 1200 > 1201 7.3. MASA and the Server Name Indicator (SNI) > 1202 > 1203 A TLS/HTTPS connection is established between the Registrar and MASA. > 1204 > 1205 Section 5.4 of [RFC8995] explains this process, and there are no > 1206 externally visible changes made by this document. A MASA that > 1207 supports the unconstrained voucher formats should be able to support > 1208 constrained voucher formats equally well. > 1209 > 1210 There is no requirement that a single MASA be used for both > 1211 constrained and unconstrained voucher requests: the choice of MASA is > 1212 determined by the id-mod-MASAURLExtn2016 extension contained in the > 1213 IDevID, so it can be determined by the manufacturer. > 1214 > 1215 The Registrar MUST do DNS-ID checks ([RFC9525]) on the contents of > 1216 the certificate provided by the MASA during the TLS handshake. > > minor: > > How about adding: > > To support MASA across non Internet networks where DNS-ID is not a desirable > or available dependency, Registrar MAY also support other forms of authenticating the > MASA certificate provided during TLS handshake. > > 1217 > 1218 In contrast to the Pledge/Registrar situation, the Registrar always > 1219 knows the name of the MASA, and MUST always include an [RFC6066] > 1220 Server Name Indicator. The SNI is optional in TLS 1.2, but common. > 1221 The SNI is considered mandatory with TLS 1.3. > 1222 > 1223 The presence of the SNI extension is required by the MASA, in order > 1224 for the MASA's server to host multiple tenants (for different > 1225 customers). > > minor: would remove "for different customers" because it could be different > services (same customer). But would add > > "and to recognize possible DNS errors (such as misconfigurations)". > > E.g.: when Registrar get DNS error, connects to an IP address that doesn't even > belong to the DNS-ID it wanted to connect to, then only SNI allows server to > recognize that problem. And useful to remember that because when someone doesn't > need multi-tenancy, they may think SNI is useless. It's not. > > 1226 > 1227 > 1228 > 1229 > 1230 > 1231 > 1232 Richardson, et al. Expires 31 August 2026 [Page 22] > 1233 > 1234 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1235 > 1236 > 1237 7.4. Registrar Client Certificate Requirements > 1238 > 1239 The Registrar SHOULD use a TLS Client Certificate to authenticate to > 1240 the MASA per Section 5.4.1 of [RFC8995]. If the certificate that the > 1241 Registrar uses is marked as a id-kp-cmcRA certificate, via Extended > 1242 Key Usage, then it MUST also have the id-kp-clientAuth EKU attribute > 1243 set. > 1244 > 1245 In summary, for typical Registrar use, where a single Registrar > 1246 certificate is used for both client and server roles, the certificate > 1247 MUST have an EKU set with at least all of id-kp-cmcRA, id-kp- > 1248 serverAuth, and id-kp-clientAuth. > 1249 > 1250 8. Pinning in Voucher Artifacts > 1251 > 1252 The voucher is a statement by the MASA for use by the Pledge that > 1253 provides the identity of the Pledge's owner. This section describes > 1254 how the owner's identity is determined and how it is specified within > 1255 the voucher. > > Nit: That is a nice statement but does not mention at all how it relates to pinning. > Suggest text that does. For example: > > Vouchers allow to carry one certificate of the owner in the so-called > 'pinned-domain-certificate' field. Pledges can use this certificate as the trust > anchor for the owner, eliminating the need for further PKI communications in > many cases. This section describes that mechanism. > > minor Q: Normal 'pinning' does actually pin the public key, not the certificate. Do > we describe this in RFC8995 or here ? I think not. Should we ? > > 1256 > 1257 8.1. Registrar Identity Selection and Encoding > 1258 > 1259 Section 5.5 of [RFC8995] describes BRSKI policies for selection of > 1260 the owner identity. It indicates some of the flexibility enabled for > 1261 the Registrar, and recommends the Registrar to include only > 1262 certificates in the voucher request (CMS) signing structure that > > nit: > > next paragraph uses term RVR, here you use "voucher request". Pick one for > consistency. > > 1263 participate in the certificate chain that is to be pinned. > 1264 > 1265 The MASA is expected to evaluate the certificates included in an RVR, > 1266 forming them into a chain with the Registrar's (signing) identity on > 1267 one end. Then, it pins a certificate selected from this chain > 1268 according to its pinning policy (Section 8.2). > 1269 > 1270 For instance, for a domain with a two-level certification authority > 1271 (see Figure 1), where the RVR has been signed by "domain Registrar", > 1272 the RVR includes the chain formed by the domain Registrar EE > 1273 certificate, the domain Sub-CA certificate, and the domain CA trust > 1274 anchor certificate. The arrows in the figure indicate the issuing of > 1275 a certificate, i.e. author of (1) issued (2) and author of (2) issued > 1276 (3). > > nit: introduce the paragraph with something like "the following example will > be used as a reference for explanations and speciications in the following > sections" - that's helpful to make readers understand why this is here. > 1277 > 1278 > 1279 > 1280 > 1281 > 1282 > 1283 > 1284 > 1285 > 1286 > 1287 > 1288 Richardson, et al. Expires 31 August 2026 [Page 23] > 1289 > 1290 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1291 > 1292 > 1293 .------------------. > 1294 | domain CA (1) | > 1295 | trust anchor | > 1296 '------------------' > 1297 | > 1298 v > 1299 .------------. > 1300 | domain (2) | > 1301 | Sub-CA | > 1302 '------------' > 1303 | > 1304 v > 1305 .----------------. > 1306 | domain | > 1307 | Registrar (3) | > 1308 | EE certificate | > 1309 '----------------' > 1310 > 1311 Figure 1: Two-Level CA PKI > 1312 > 1313 When the Registrar is using a COSE-signed RVR, the COSE_Sign1 object > 1314 contains a protected and an unprotected header. The Registrar MUST > 1315 place all the certificates needed by MASA to validate the signature > 1316 chain for its RVR in an 'x5bag' attribute in either the protected or > 1317 the unprotected header as defined in Section 2 of [RFC9360]. > > nit: even just as a single paragraph now this is not BRSKI+cBRSKI > explanation but new functionality. Break up 8.1, make this paragraph > separate section , e.g.: Registrar Certificate(s) COSE Encoding" or the like > > 1318 > 1319 8.2. MASA Pinning Policy > 1320 > 1321 The MASA, having assembled and verified the certificate chain that > 1322 signed the RVR then needs to select a certificate to pin. (For the > 1323 case that only the Registrar's End-Entity certificate is included, > 1324 only this certificate can be selected and this section does not > 1325 apply.) The BRSKI policy for pinning by the MASA as described in > 1326 Section 5.5.2 of [RFC8995] leaves much flexibility to the > 1327 manufacturer. > 1328 > 1329 The present document adds the following rules to the MASA pinning > 1330 policy to reduce the network load on the constrained network side: > > nit: how is network load reduced ? Minimum voucher size ? something else ? > Add an explanation for the claim. > > 1331 > 1332 1. for a voucher containing a nonce, it SHOULD pin the most specific > 1333 (lowest-level) CA certificate in the chain. > 1334 > 1335 2. for a nonceless voucher, it SHOULD pin the least-specific > 1336 (highest-level) CA certificate in the chain that is allowed under > 1337 the MASA's policy for this specific domain. > 1338 > 1339 > 1340 > 1341 > 1342 > 1343 > 1344 Richardson, et al. Expires 31 August 2026 [Page 24] > 1345 > 1346 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1347 > 1348 > 1349 The rationale for 1. is that in case of a voucher with nonce, the > 1350 voucher is valid only in scope of the present DTLS connection between > 1351 Pledge and Registrar anyway, so there is no benefit to pin a higher- > 1352 level CA. By pinning the most specific CA the constrained Pledge can > 1353 validate its DTLS connection using less crypto operations. The > 1354 rationale for pinning a CA instead of the Registrar's End-Entity > 1355 certificate directly is based on the following benefit on constrained > 1356 networks: the pinned certificate in the voucher can in common cases > 1357 be re-used as a Domain CA trust anchor during the EST enrollment and > 1358 during the operational phase that follows after EST enrollment, as > 1359 explained in Section 6.5.1. > 1360 > 1361 The rationale for 2. follows from the flexible BRSKI trust model for, > 1362 and purpose of, nonceless vouchers (Sections 5.5.* and 7.4.1 of > 1363 [RFC8995]). > 1364 > 1365 Referring to the example of Figure 1 of a domain with a two-level > 1366 certification authority, the most specific CA ("Sub-CA") is the > 1367 identity that is pinned by MASA in a nonced voucher. > 1368 > 1369 In case of a nonceless voucher, depending on the trust level, the > 1370 MASA pins the "Registrar" certificate (low trust in customer), or the > 1371 "Sub-CA" certificate (in case of medium trust, implying that any > 1372 Registrar of that sub-domain is acceptable), or even the "domain CA" > 1373 certificate (in case of high trust in the customer, and possibly a > 1374 pre-agreed need of the customer to obtain flexible long-lived > 1375 vouchers). > 1376 > 1377 8.3. Pinning of Raw Public Keys (RPK) > 1378 > 1379 Specifically for the most-constrained use cases, the pinning of the > 1380 raw public key (RPK) of the Registrar is also supported in the > 1381 constrained voucher, instead of a PKIX certificate. This is used by > 1382 the RPK variant of cBRSKI described in Section 13, but it can also be > 1383 used in the default cBRSKI flow as a means to reduce voucher size. > 1384 > 1385 For both cases, if an RPK is pinned, it MUST be the RPK of the > 1386 Registrar, which equals the public key of the Registrar's EE > 1387 certificate. > 1388 > 1389 When the Pledge is known by MASA to support the RPK variant only, the > 1390 voucher produced by the MASA pins the RPK of the Registrar in either > 1391 the 'pinned-domain-pubk' or 'pinned-domain-pubk-sha256' attribute of > 1392 the voucher data. This is described in more detail in [RFC8366bis] > 1393 and Section 13. > 1394 > 1395 > 1396 > 1397 > 1398 > 1399 > 1400 Richardson, et al. Expires 31 August 2026 [Page 25] > 1401 > 1402 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1403 > 1404 > 1405 When the Pledge is known by MASA to support PKIX operations, the > 1406 'pinned-domain-cert' attribute present in a voucher normally pins a > 1407 domain certificate. That can be either the End-Entity certificate of > 1408 the Registrar, or the certificate of a domain CA, as specified in > 1409 Section 8.2. However, if the Pledge is known by MASA to also support > 1410 RPK pinning and the MASA policy intends to pin the Registrar in the > 1411 voucher (and not a CA), then MASA SHOULD pin the RPK (RPK3 in > 1412 Figure 2) of the Registrar instead of the Registrar's End-Entity > 1413 certificate to save space in the voucher. > 1414 > 1415 .-------------. > 1416 .------------. | private | > 1417 | pub-CA (1) | | root-CA (1) | > 1418 '------------' '-------------' > 1419 | | > 1420 v .-------------. v > 1421 .------------. | private | .------------. > 1422 | sub-CA (2) | | root-CA (1) | | sub-CA (2) | > 1423 '------------' '-------------' '------------' > 1424 | | | > 1425 v v v > 1426 .--------------. .--------------. .--------------. > 1427 | Registrar(3) | | Registrar(3) | | Registrar(3) | > 1428 | RPK3 | | RPK3 | | RPK3 | > 1429 '--------------' '--------------' '--------------' > 1430 > 1431 Figure 2: Raw Public Key (RPK) pinning examples > 1432 > 1433 9. Artifacts > 1434 > 1435 The YANG ([RFC7950]) module and CBOR serialization for the > 1436 constrained voucher as used by cBRSKI are described in [RFC8366bis]. > 1437 That document also assigns SID values to YANG elements in accordance > > nit: values (as required for CBOR encoding) > > Yes, maybe everybody should know this already... maybe not... > > 1438 with [RFC9254] and [RFC9595]. The present section provides some > 1439 examples of these artifacts and defines a new signature format for > 1440 these, using COSE. > 1441 > 1442 Compared to the first voucher request definition done in [RFC8995], > 1443 the constrained voucher request adds the attributes 'proximity- > 1444 registrar-pubk' and 'proximity-registrar-pubk-sha256'. One of these > 1445 is optionally used to replace the 'proximity-registrar-cert' > 1446 attribute, for a smaller voucher request data size - useful for the > 1447 most constrained cases. > 1448 > 1449 The constrained voucher adds the attributes 'pinned-domain-pubk' and > 1450 'pinned-domain-pubk-sha256' to pin an RPK. One of these is > 1451 optionally used instead of the 'pinned-domain-cert' attribute, for a > 1452 smaller voucher data size. > 1453 > 1454 > 1455 > 1456 Richardson, et al. Expires 31 August 2026 [Page 26] > 1457 > 1458 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1459 > 1460 > 1461 9.1. Example Artifacts > 1462 > 1463 9.1.1. Example Pledge Voucher Request (PVR) Artifact > 1464 > 1465 Below, example voucher data from a constrained voucher request (PVR) > 1466 from a Pledge to a Registrar is shown in CBOR diagnostic notation. > 1467 Long CBOR byte strings have been shortened for readability, using the > 1468 ellipsis ("...") to indicate elided bytes. This notation is defined > 1469 in [I-D.ietf-cbor-edn-literals]. The enum value of the assertion > 1470 attribute is 2 for the 'proximity' assertion as defined in > 1471 Section 8.3 of [RFC8366bis]. > 1472 > 1473 { > 1474 2501: { / SID=2501,ietf-voucher-request:voucher|voucher / > 1475 1: 2, / SID=2502, assertion 2 = "proximity"/ > 1476 7: h'831D5198A6CA2C7F', / SID=2508, nonce / > 1477 12: h'30593013' ... '9A54', / SID=2513, proximity-registrar-pubk / > 1478 13: "JADA123456789" / SID=2514, serial-number / > 1479 } > 1480 } > > nit: might be helpful to add a small paragraph explaining how this is delta-encoded, > that the receiver knows it is delta encoded from the context of being an encoded > YANG, and that hence 1,7,12,13 map to e.g.: 2501+1, 2501+7, ... > > 1481 > 1482 The Pledge has included the attribute 'proximity-registrar-pubk' > 1483 which carries the public key of the Registrar, instead of including > 1484 the full Registrar certificate in a 'proximity-registrar-cert' > 1485 attribute. This is done to reduce the size of the PVR. Also note > 1486 that the Pledge did not include the 'created-on' attribute since it > 1487 lacks an internal real-time clock and has no knowledge of the current > 1488 time at the moment of performing the onboarding. > 1489 > 1490 9.1.2. Example Registrar Voucher Request (RVR) Artifact > 1491 > 1492 Next, example voucher data from a constrained voucher request (RVR) > 1493 from a Registrar to a MASA is shown in CBOR diagnostic notation. The > 1494 Registrar has created this request triggered by the reception of the > 1495 Pledge voucher request (PVR) of the previous example. Again, long > 1496 CBOR byte strings have been shortened for readability. > 1497 > 1498 { > 1499 "ietf-voucher-request:voucher": { > 1500 "assertion": 2, > 1501 "created-on": "2022-12-05T19:19:19.536Z", > 1502 "nonce": h'831D5198A6CA2C7F', > 1503 "idevid-issuer": h'04183016' ... '1736C3E0', > 1504 "serial-number": "JADA123456789", > 1505 "prior-signed-voucher-request": h'A11909' ... '373839' > 1506 } > 1507 } > 1508 > 1509 > 1510 > 1511 > 1512 Richardson, et al. Expires 31 August 2026 [Page 27] > 1513 > 1514 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1515 > 1516 > 1517 Note that the Registrar uses here the string data type for all key > 1518 names, instead of the more compact SID integer keys. This is fine > 1519 for any use cases where the network between Registrar and MASA is an > 1520 unconstrained network where data size is not critical. The > 1521 constrained voucher request format supports both the string and SID > 1522 key types, for PVR as well as RVR. > > minor: should there be some requirement that registrar/MASA MUSTsupport both, > but Pledges only need to support one, and replies to the pledge should use > the same encoding style as was received in request from the pledge ? > > 1523 > 1524 9.1.3. Example Voucher Artifacts > 1525 > 1526 Below, an example of constrained voucher data is shown in CBOR > 1527 diagnostic notation. It was created by a MASA in response to > 1528 receiving the Registrar Voucher Request (RVR) shown in Section 9.1.2. > 1529 The enum value of the 'assertion' attribute is set to "proximity" > 1530 (2), to acknowledge to both the Pledge and the Registrar that the > 1531 proximity of the Pledge to the Registrar is considered proven. > 1532 > 1533 { > 1534 2451: { / SID = 2451,ietf-voucher:voucher|voucher / > 1535 1: 2, / SID = 2452, assertion "proximity" / > 1536 2: "2022-12-05T19:19:23Z", / SID = 2453, created-on / > 1537 3: false, / SID = 2454, domain-cert-revocation-checks / > 1538 7: h'831D5198A6CA2C7F', / SID = 2508, nonce / > 1539 8: h'308201' ... '8CFF', / SID = 2459, pinned-domain-cert / > 1540 11: "JADA123456789" / SID = 2462, serial-number / > 1541 } > 1542 } > 1543 > 1544 While the above example voucher data includes the nonce from the PVR, > 1545 the next example is for a nonce-less voucher. Instead of a nonce, it > 1546 includes an 'expires-on' attribute with the date and time on which > 1547 the voucher expires. Because the MASA did not verify the proximity > 1548 of the Pledge and Registrar in this case, the 'assertion' attribute > 1549 contains a weaker assertion of "verified" (0). This indicates that > 1550 the MASA verified the domain's ownership of the Pledge via some other > 1551 means. > 1552 > 1553 { > 1554 2451: { / SID = 2451,ietf-voucher:voucher|voucher / > 1555 1: 0, / SID = 2452, assertion "verified" / > 1556 2: "2022-12-06T10:15:32Z", / SID = 2453, created-on / > 1557 3: false, / SID = 2454, domain-cert-revocation-checks / > 1558 4: "2022-12-13T10:15:32Z", / SID = 2455, expires-on / > 1559 8: h'308201F8' ... 'FF', / SID = 2459, pinned-domain-cert / > 1560 11: "JADA123456789" / SID = 2462, serial-number / > 1561 } > 1562 } > 1563 > 1564 > 1565 > 1566 > 1567 > 1568 Richardson, et al. Expires 31 August 2026 [Page 28] > 1569 > 1570 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1571 > 1572 > 1573 The voucher is valid for one week. To verify the voucher's validity, > 1574 the Pledge would either need an internal real-time clock or some > 1575 external means of obtaining the current time, such as Network Time > 1576 Protocol (NTP) or a radio time signal receiver. > 1577 > 1578 9.2. Signing Voucher and Voucher Request Artifacts with COSE > 1579 > 1580 The COSE_Sign1 structure is discussed in Section 4.2 of [RFC9052]. > 1581 The CBOR object that carries the body, the signature, and the > 1582 information about the body and signature is called the COSE_Sign1 > 1583 structure. It is used when only one signature is used on the body. > 1584 > 1585 Support for ECDSA with SHA2-256 using curve secp256r1 (aka > 1586 prime256k1) is RECOMMENDED. Most current low power hardware has > 1587 support for acceleration of this algorithm. Future hardware designs > 1588 could omit this in favour of a newer algorithms. This is the ES256 > 1589 (-7) keytype from Table 1 of [RFC9053]. Support for curve secp256k1 > 1590 is OPTIONAL. > 1591 > 1592 Support for EdDSA using Curve 25519 is RECOMMENDED in new designs if > 1593 hardware support is available. This is keytype EDDSA (-8) from > 1594 Table 2 of [RFC9053]. A 'crv' parameter is necessary to specify the > 1595 Curve, for example value Ed25519 (6) from Table 18 of [RFC9053]. The > 1596 'kty' field MUST be present, and it MUST be "OKP" (Table 17 of > 1597 [RFC9053]). > 1598 > 1599 A transition towards EdDSA is occurring in the industry. Some > 1600 hardware can accelerate only some algorithms with specific curves, > 1601 other hardware can accelerate any curve, and still other kinds of > 1602 hardware provide a tool kit for acceleration of any elliptic curve > 1603 algorithm. > 1604 > 1605 In general, the Pledge is expected to support only a single > 1606 algorithm, while the Registrar, usually not constrained, is expected > 1607 to support a wide variety of algorithms: both legacy ones and up-and- > 1608 coming ones via regular software updates. > 1609 > 1610 An example of the supported COSE_Sign1 object structure containing a > 1611 Pledge Voucher Request (PVR) is shown below. > 1612 > 1613 > 1614 > 1615 > 1616 > 1617 > 1618 > 1619 > 1620 > 1621 > 1622 > 1623 > 1624 Richardson, et al. Expires 31 August 2026 [Page 29] > 1625 > 1626 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1627 > 1628 > 1629 18( / tag for COSE_Sign1 / > 1630 [ > 1631 h'A10126', / protected COSE header encoding: {1: -7} / > 1632 / which means { "alg": ES256 } / > 1633 {}, / unprotected COSE header parameters / > 1634 h'A119' ... '3839', / PVR payload wrapped in CBOR byte string / > 1635 h'4567' ... '1234' / PVR binary Sign1 signature / > 1636 ] > 1637 ) > 1638 > 1639 The [COSE-registry] specifies the integers/encoding for the 'alg' > 1640 field. The 'alg' field restricts the key usage for verification of > 1641 this COSE object to a particular cryptographic algorithm. > 1642 > 1643 9.2.1. Signing of Registrar Voucher Request (RVR) > 1644 > 1645 A Registrar MUST include a COSE 'x5bag' structure in the RVR as > 1646 explained in Section 8.1. Below, an example Registrar Voucher > 1647 Request (RVR) is shown that includes the 'x5bag' unprotected header > 1648 parameter (32). The bag contains two certificates in this case. > 1649 > 1650 18( / tag for COSE_Sign1 / > 1651 [ > 1652 h'A10126', / protected COSE header encoding: {1: -7} / > 1653 / which means { "alg": ES256 } / > 1654 { / unprotected COSE header/ > 1655 32: [h'308202' ... '20AE', h'308201' ... '8CFF'] / x5bag / > 1656 }, > 1657 h'A178' ... '7FED', / RVR payload wrapped in CBOR byte string / > 1658 h'E1B7' ... '2925' / RVR binary Sign1 signature / > 1659 ] > 1660 ) > 1661 > 1662 Besides storing the Registrar's own RVR-signing certificate chain > 1663 (per Section 8.1), the Registrar MUST include in the same 'x5bag' > 1664 structure all the certificates that the Pledge used to identify > 1665 itself in the Pledge/Registrar DTLS handshake, including the End- > 1666 Entity (IDevID) certificate and all CAs up to the root CA. This > 1667 serves two purposes: > 1668 > 1669 1. A MASA that does not store the IDevIDs for all Pledges and their > 1670 related sub-CAs is still able to reconstruct the certificate > 1671 chain for a given Pledge and validate the Pledge's signature on > 1672 the PVR based purely on the root CA of the Pledge's manufacturer > 1673 that the MASA is storing. > 1674 > 1675 > 1676 > 1677 > 1678 > 1679 > 1680 Richardson, et al. Expires 31 August 2026 [Page 30] > 1681 > 1682 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1683 > 1684 > 1685 2. Diagnostic/debugging purposes: since the PVR's COSE signature > 1686 does not store any certificates related to the signer, but only > 1687 the signature itself, it can be useful for the MASA to log or > 1688 inspect the Pledge's certificate chain in case the onboarding > 1689 attempt fails. Having the complete signing certificate chain at > 1690 hand facilitates finding the root cause of the problem and helps > 1691 in the communication with the customer. > 1692 > 1693 A 'kid' (key ID) field is OPTIONAL in the unprotected COSE header > 1694 parameters map of a COSE object. If present, it identifies the > 1695 public key of the key pair that was used to sign the COSE message. > 1696 The value of the key identifier 'kid' parameter may be in any format > 1697 agreed between signer and verifier. Usually a hash of the public key > 1698 is used to identify the public key; but the choice of key identifier > 1699 method is vendor-specific. > 1700 > 1701 By default, a Registrar does not include a 'kid' parameter in the RVR > 1702 since the signing key is already identified by the signing > 1703 certificates chain included in the COSE 'x5bag' structure. A > 1704 Registrar nevertheless MAY use a 'kid' parameter in its RVR to > 1705 identify its signing key/identity. > 1706 > 1707 The method of generating such 'kid' value is vendor-specific and > 1708 SHOULD be configurable in the Registrar to support commonly used > 1709 methods. In order to support future business cases and supply chain > 1710 integrations, a Registrar using the 'kid' field MUST be configurable, > 1711 on a per-manufacturer basis, to select a particular method for > 1712 generating the 'kid' value such that it is compatible with the method > 1713 that the manufacturer expects. Note that the 'kid' field always has > 1714 a CBOR byte string (bstr) format. > 1715 > 1716 In Appendix C.4 a further example of a signed RVR is shown. > 1717 > 1718 9.2.2. Signing of Pledge Voucher Request (PVR) > 1719 > 1720 Like in the RVR, a 'kid' (key ID) field is also OPTIONAL in the PVR. > 1721 It can be used to identify the signing key/identity to the MASA. > 1722 > 1723 A Pledge by default SHOULD NOT use a 'kid' parameter in its PVR, > 1724 because its signing key is already identified by the Pledge's unique > 1725 serial number that is included in the PVR and (by the Registrar) in > 1726 the RVR. This achieves the smallest possible PVR data size while > 1727 still enabling the MASA to fully verify the PVR. Still, when > 1728 required the Pledge MAY use a 'kid' parameter in its PVR to help the > 1729 MASA identify the right public key to verify against. This can occur > 1730 for example if a Pledge has multiple IDevID identities. The 'kid' > 1731 parameter in this case may be an integer byte identifying one out of > 1732 N identities present, or it may be a hash of the public key, or > 1733 > 1734 > 1735 > 1736 Richardson, et al. Expires 31 August 2026 [Page 31] > 1737 > 1738 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1739 > 1740 > 1741 anything else the Pledge vendor decides. A Registrar normally SHOULD > 1742 ignore a 'kid' parameter used in a received PVR, as this information > 1743 is intended for the MASA. In other words, there is no need for the > 1744 Registrar to verify the contents of this field, but it may include it > 1745 in an audit log. > 1746 > 1747 The example below shows a PVR with 'kid' present as an unprotected > 1748 header parameter. > 1749 > 1750 18( / tag for COSE_Sign1 / > 1751 [ > 1752 h'A10126', / protected COSE header encoding: {1: -7} / > 1753 / which means { "alg": ES256 } / > 1754 { > 1755 4: h'59AB3E' / COSE "kid" header parameter / > 1756 }, > 1757 h'A119' ... '3839', / PVR payload wrapped in CBOR byte string / > 1758 h'5678' ... '7890' / PVR binary Sign1 signature / > 1759 ] > 1760 ) > 1761 > 1762 The Pledge SHOULD NOT use the 'x5bag' or 'x5chain' COSE header > 1763 parameters in the PVR. A Registrar that processes a PVR with such a > 1764 structure MUST ignore it, and MUST use only the TLS Client > 1765 Certificate extension for authentication of the Pledge. > 1766 > 1767 A situation where the Pledge MAY use the 'x5bag' or 'x5chain' > 1768 structure is for communication of certificate chains to the MASA. > 1769 This would arise in some vendor- specific situations involving > 1770 outsourcing of MASA functionality, or rekeying of the IDevID > 1771 certification authority. > 1772 > 1773 In Appendix C.3 a further example of a signed PVR is shown. > 1774 > 1775 9.2.3. Signing of Voucher by MASA > 1776 > 1777 The MASA SHOULD NOT use a 'kid' parameter in the voucher response, > 1778 because the MASA's signing key is already known to the Pledge. > 1779 Still, where needed the MASA MAY use a 'kid' parameter in the voucher > 1780 response to help the Pledge identify the right MASA public key to > 1781 verify against. This can occur for example if a Pledge has multiple > 1782 IDevID identities. > 1783 > 1784 The MASA SHOULD NOT include an 'x5bag' or 'x5chain' attribute in the > 1785 protected header of the voucher response, because normally a Pledge > 1786 already stores the required public key for validation of the signed > 1787 voucher. The exception case is if the MASA knows that the Pledge > 1788 doesn't pre-store the MASA's public key used for signing, and thus > 1789 > 1790 > 1791 > 1792 Richardson, et al. Expires 31 August 2026 [Page 32] > 1793 > 1794 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1795 > 1796 > 1797 the MASA needs to provide a certificate or certificate chain that > 1798 will enable linking the signing identity to a pre-stored Trust Anchor > 1799 (CA) in the Pledge. This approach is not recommended, because > 1800 including certificates in the protected 'x5bag' or 'x5chain' COSE > 1801 header parameters will significantly increase the size of the voucher > 1802 which impacts cBRSKI operation on constrained networks. > 1803 > 1804 For example, if the MASA signing key is based upon a PKI (see > 1805 [I-D.richardson-anima-masa-considerations] Section 2.3), and the > 1806 Pledge only pre-stores a manufacturer (root) CA identity in its Trust > 1807 Store which is not the identity that signs the voucher, then a > 1808 certificate chain needs to be included with the voucher in order for > 1809 the Pledge to validate the MASA signing CA's signature by validating > 1810 the chain up to the CA in its Trust Store. In BRSKI CMS signed > 1811 vouchers [RFC8995], the CMS structure has a place for such a > 1812 certificate chain. In cBRSKI COSE-signed vouchers, the 'x5bag' > 1813 attribute [RFC9360] placed in the COSE protected header parameters is > 1814 used to contain the needed certificates for the Pledge to form the > 1815 chain. > 1816 > 1817 To signal the complete chain of the MASA's signing identity to the > 1818 Registrar, the MASA MUST include the complete chain of signing > 1819 certificates in an 'x5bag' attribute in the unprotected header of the > 1820 voucher. This allows the Registrar to optionally validate the > 1821 voucher before forwarding it to the Pledge, or to validate it for > 1822 logging purposes. There is no voucher size impact of including this > 1823 certificate chain in an unprotected 'x5bag' COSE header parameter for > 1824 constrained networks, because the Registrar will remove this > 1825 unprotected attribute prior to forwarding the voucher response to the > 1826 Pledge, as defined in Section 6.6. > 1827 > 1828 Note that cBRSKI currently does not support signing the voucher with > 1829 an RPK for which there is no corresponding certificate at all. If > 1830 the MASA wants to sign a voucher with an RPK that is not part of any > 1831 PKIX hierarchy, it creates a single self-signed "placeholder" root CA > 1832 certificate that uses the designated RPK as the public key. This > 1833 "placeholder" certificate is then included as the sole certificate in > 1834 an unprotected 'x5bag' header parameter, as defined in the previous > 1835 paragraph. > 1836 > 1837 Below, an example is shown of a COSE-signed voucher as created by > 1838 MASA. This example shows the common case where a protected 'x5bag' > 1839 (32) attribute is not used, while an unprotected 'x5bag' (32) > 1840 attribute is used to communicate the MASA's signature certificate > 1841 chain to the Registrar. The bag contains two certificates in this > 1842 example. One of these is the identity of the signer of the > 1843 COSE_Sign1 object, whose signature is stored as the last CBOR array > 1844 element in the below example. > 1845 > 1846 > 1847 > 1848 Richardson, et al. Expires 31 August 2026 [Page 33] > 1849 > 1850 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1851 > 1852 > 1853 18( / tag for COSE_Sign1 / > 1854 [ > 1855 h'A10126', / protected COSE header encoding: {1: -7} / > 1856 / which means { "alg": ES256 } / > 1857 { / unprotected COSE header parameters / > 1858 32: [h'308202' ... '20AE', h'308201' ... '8CFF'] / x5bag / > 1859 }, > 1860 h'A119' ... '3839', / voucher payload wrapped in CBOR byte str / > 1861 h'2A2C' ... '7FBF' / voucher binary Sign1 signature by MASA / > 1862 ] > 1863 ) > 1864 > 1865 In Appendix C.5 a further example of a signed voucher is shown. > 1866 > 1867 9.2.4. Optional Validation of Voucher by Registrar > 1868 > 1869 For a Registrar, validation of the voucher and/or the signature of > 1870 the voucher is optional, per Section 5.6 of [RFC8995]. However, if a > 1871 Registrar does perform the validation of the signature chain, > 1872 communicated in the 'x5bag' unprotected COSE header parameter (see > 1873 Section 9.2.3)), it MUST validate that one of the below cases hold: > 1874 > 1875 1. The signature chain is a single self-signed root CA certificate > 1876 with a correct signature; and the public key in this certificate > 1877 is also the public key that signed the voucher. This represents > 1878 the case where a voucher has been effectively signed with an RPK. > 1879 > 1880 2. The signature chain consists of one or more certificates that can > 1881 be chained to a known (preconfigured) trust root in the > 1882 Registrar. > 1883 > 1884 The above validation elements are needed only for cases where > 1885 (nonceless) vouchers are communicated over potentially unsecure > 1886 channels to the Registrar. Since the 'x5bag' header parameter is not > 1887 protected by the voucher's COSE signature, it could have been > 1888 modified in transit. > 1889 > 1890 9.2.5. Additional Information in the COSE Header > 1891 > 1892 The COSE header of the signed voucher can contain COSE header > 1893 parameters with additional information, to be used by the Pledge. > 1894 This information is additional to, and separate from, the voucher > 1895 data defined by [RFC8366bis]. > 1896 > 1897 An example of how this additional information can be used is adding a > 1898 CBOR Web Token (CWT, [RFC8392]) claim in the COSE header as defined > 1899 by [RFC9597], to encode the COSE signing time as an integer value in > 1900 an 'iat' (Issued At) CWT claim. This information in an integer > 1901 > 1902 > 1903 > 1904 Richardson, et al. Expires 31 August 2026 [Page 34] > 1905 > 1906 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1907 > 1908 > 1909 format may be useful for a Pledge that does not have date/time > 1910 parsing functions, so it is unable to parse the date/time string > 1911 value contained in the voucher. Many other types of CWT claims can > 1912 be included in a voucher in the same way, as needed for particular > 1913 use cases. > 1914 > 1915 Such additional information can also be included in a COSE header of > 1916 a voucher request by a Pledge, to be used by the MASA. > 1917 > 1918 10. Extensions to Discovery > 1919 > 1920 It is assumed that a Join Proxy (Section 6.2) seamlessly provides a > 1921 relayed DTLS connection between the Pledge and the Registrar. To use > 1922 a Join Proxy, a Pledge needs to discover it. For Pledge discovery of > 1923 a Join Proxy, this section extends Section 4.1 of [RFC8995] for the > 1924 cBRSKI case. > 1925 > 1926 In general, the Pledge may be one or more hops away from the > 1927 Registrar, where one hop means the Registrar is a direct link-local > 1928 neighbor of the Pledge. The case of one hop away can be considered > 1929 as a degenerate case, because a Join Proxy is not really needed then. > 1930 > 1931 The degenerate case would be unusual in constrained wireless network > 1932 deployments, because a Registrar would typically not have a wireless > 1933 network interface of the type used by constrained devices. Rather, > 1934 it would have a high-speed network interface. Nevertheless, the > 1935 situation where the Registrar is one hop away from the Pledge could > 1936 occur in various cases like wired IoT networks or in wireless > 1937 constrained networks where the Pledge is in radio range of a 6LoWPAN > 1938 Border Router (6LBR) ([RFC6775])and the 6LBR happens to host a > 1939 Registrar. > 1940 > 1941 In order to support the degenerate case, the Registrar SHOULD > 1942 announce itself as if it were a Join Proxy -- though it would > 1943 actually announce its real (stateful) Registrar CoAPS endpoint. No > 1944 actual Join Proxy functionality is then required on the Registrar. > 1945 > 1946 That way, a Pledge only needs to discover a Join Proxy, regardless of > 1947 whether it is one or more than one hop away from a relevant > 1948 Registrar. It first discovers the link-local address and the UDP > 1949 join-port of a Join Proxy. The Pledge then follows the cBRSKI > 1950 procedure of initiating a DTLS connection using the link-local > 1951 address and join-port of the Join Proxy. > 1952 > 1953 > 1954 > 1955 > 1956 > 1957 > 1958 > 1959 > 1960 Richardson, et al. Expires 31 August 2026 [Page 35] > 1961 > 1962 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 1963 > 1964 > 1965 Once enrolled, a Pledge itself may function as a Join Proxy. The > 1966 decision whether or not to provide this functionality depends upon > 1967 many factors and is out of scope for this document. Such a decision > 1968 might depend upon the amount of energy available to the device, the > 1969 network bandwidth available, as well as CPU and memory availability. > 1970 > 1971 The process by which a Pledge discovers the Join Proxy, and how a > 1972 Join Proxy discovers the location of the Registrar, are the subject > 1973 of the remainder of this section. Further details on both these > 1974 topics are provided in [I-D.ietf-anima-constrained-join-proxy]. > 1975 > 1976 10.1. Discovery Operations by a Pledge > 1977 > 1978 The Pledge must discover the address/port and optionally the protocol > 1979 with which to communicate. The present document only defines coaps > 1980 (CoAP over DTLS) as the default protocol for cBRSKI, therefore > 1981 protocol discovery is out of scope. > 1982 > 1983 For the discovery method, this section only defines unsecured CoAP > 1984 discovery per Section 7 of [RFC7252] as the default method. This > 1985 uses CoRE Link Format [RFC6690] payloads. > 1986 > 1987 Section 11 briefly mentions other methods that apply to specific > 1988 deployment types or technologies. Details about these deployment- > 1989 specific methods, or yet other methods, new payload formats, or more > 1990 elaborate CoAP-based methods, may be defined in future documents such > 1991 as [I-D.ietf-anima-brski-discovery]. The more elaborate methods for > 1992 example may include discovering only Join Proxies that support a > 1993 particular desired onboarding protocol, voucher format, or cBRSKI > 1994 variant. > 1995 > 1996 Note that identifying the format of the voucher request and the > 1997 voucher is currently not a required part of the Pledge's discovery > 1998 operation. It is assumed that all Registrars support all relevant > 1999 voucher(-request) formats, while the Pledge only supports a single > 2000 format. A Pledge that makes a voucher request to a Registrar that > 2001 does not support that format will receive a CoAP 4.06 Not Acceptable > 2002 status code and the onboarding attempt will fail. > 2003 > 2004 Using CoAP discovery, a Pledge can discover a Join Proxy by sending a > 2005 link-local multicast discovery message to the All CoAP Nodes address > 2006 FF02::FD. Zero, one, or multiple Join Proxies may respond. The > 2007 handling of multiple responses and absence of responses cases follow > 2008 the guidelines of Section 4 of [RFC8995]. The discovery message is a > 2009 CoAP GET request on the URI path /.well-known/core using a URI query > 2010 "rt=brski.jp". This resource type ('rt') is defined in Section 8.1 > 2011 of [I-D.ietf-anima-constrained-join-proxy]. > 2012 > 2013 > 2014 > 2015 > 2016 Richardson, et al. Expires 31 August 2026 [Page 36] > 2017 > 2018 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2019 > 2020 > 2021 Responding Join Proxies return a CoRE Link Format document with one > 2022 or more links. Each link indicates one CoAPS endpoint that offers > 2023 cBRSKI Join Proxy functionality. Formally, each link indicates a > 2024 CoAP root resource (/) tagged with the "brski.jp" type, hosted on a > 2025 CoAPS endpoint. > 2026 > 2027 In case a Pledge selects a particular Join Proxy for cBRSKI > 2028 onboarding, it MUST use the link-local source address of the Join > 2029 Proxy's discovery response as the destination IP address for its > 2030 subsequent onboarding attempt. This implies that the UTF-8 encoded > 2031 link-local address literal that appears in the host subcomponent of > 2032 each returned link is not used for determining the destination IP > 2033 address of the onboarding attempt. > 2034 > 2035 10.1.1. Examples > 2036 > 2037 Below, a typical example is provided showing the Pledge's CoAP > 2038 request and the Join Proxy's CoAP response. The Join Proxy responds > 2039 with a link-local source address, which is the same address as > 2040 indicated in the URI-reference element ([RFC6690]) in the link in the > 2041 discovery response payload. The Join Proxy has a dedicated UDP port > 2042 8485 open for DTLS connections of Pledges: > 2043 > 2044 REQ: GETcoap://[ff02::fd]/.well-known/core?rt=brski.jp > 2045 > 2046 RES: 2.05 Content > 2047 Content-Format: 40 (application/link-format) > 2048 Payload: > 2049 <coaps://[fe80::c78:e3c4:58a0:a4ad]:8485>;rt=brski.jp > 2050 > 2051 Note that the Pledge would use the port number from the link in this > 2052 response, but not the IPv6 literal in the host subcomponent > 2053 ([fe80::c78:e3c4:58a0:a4ad]), as defined by the above discovery > 2054 operation steps. > 2055 > 2056 The next example shows a Join Proxy that uses the default CoAPS port > 2057 5684 for DTLS connections of Pledges. In this case, the Join Proxy > 2058 host is not using port 5684 for any other purposes, so it has the > 2059 port available exclusively for accepting DTLS connections of Pledges. > 2060 > 2061 REQ: GETcoap://[ff02::fd]/.well-known/core?rt=brski.jp > 2062 > 2063 RES: 2.05 Content > 2064 Content-Format: 40 (application/link-format) > 2065 Payload: > 2066 <coaps://[fe80::c78:e3c4:58a0:a4ad]>;rt=brski.jp > 2067 > 2068 > 2069 > 2070 > 2071 > 2072 Richardson, et al. Expires 31 August 2026 [Page 37] > 2073 > 2074 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2075 > 2076 > 2077 In the following example, two Join Proxies respond to the multicast > 2078 query. The Join Proxies each use a slightly different CoRE Link > 2079 Format 'rt' value encoding. While the first encoding is more > 2080 compact, both encodings are allowed per [RFC6690]. The Pledge may > 2081 now select one of the two Join Proxies for initiating its DTLS > 2082 connection. > 2083 > 2084 REQ: GETcoap://[ff02::fd]/.well-known/core?rt=brski* > 2085 > 2086 RES: 2.05 Content > 2087 Content-Format: 40 (application/link-format) > 2088 Payload: > 2089 <coaps://[fe80::c78:e3c4:58a0:a4ad]:8485>;rt=brski.jp > 2090 > 2091 RES: 2.05 Content > 2092 Content-Format: 40 (application/link-format) > 2093 Payload: > 2094 <coaps://[fe80::d359:3813:f382:3b23]:63245>;rt="brski.jp" > 2095 > 2096 In the final example, a single Join Proxy host responds with two > 2097 distinct cBRSKI endpoints. The Pledge may now select one of the two > 2098 CoAP endpoints for initiating its DTLS connection. > 2099 > 2100 REQ: GETcoap://[ff02::fd]/.well-known/core?rt=brski* > 2101 > 2102 RES: 2.05 Content > 2103 Content-Format: 40 (application/link-format) > 2104 Payload: > 2105 <coaps://[fe80::d359:3813:f382:3b23]:61616>;rt=brski.jp > 2106 <coaps://[fe80::d359:3813:f382:3b23]:61617>;rt=brski.jp; > 2107 var="c509 v2" > > minor: maybe use some var that is consistent with brski-discovery unless > there is reason not to ? e.g.: var="est-tls prm-jose cmp" > 2108 > 2109 The first endpoint on port 61616 supports only the cBRSKI protocol as > 2110 defined by this document. The second endpoint, on port 61617, > 2111 supports the same cBRSKI protocol as well as additional variations or > 2112 extensions. In this example, these variations/extensions are encoded > 2113 using string values in a single attribute 'var'. This information > 2114 may be also encoded using other attributes defined by a future > 2115 specification. > 2116 > 2117 A Pledge not aware of these variations can safely ignore these > 2118 values, because the base cBRSKI protocol is supported by both > 2119 endpoints, as indicated by the resource type ('rt'). If however a > 2120 Pledge is aware of these variations, it can select the endpoint with > 2121 the variation it prefers, in case multiple options are discovered. > 2122 The use of attributes with a single base resource type allows future > 2123 extensibility of cBRSKI, and enables the Join Proxies to support > 2124 cBRSKI variants that are unknown to them. > 2125 > 2126 > 2127 > 2128 Richardson, et al. Expires 31 August 2026 [Page 38] > 2129 > 2130 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2131 > 2132 > 2133 10.2. Discovery Operations by a Join Proxy > 2134 > 2135 A Join Proxy needs to discover a Registrar, either at the moment it > 2136 needs to relay data (of a Pledge) towards the Registrar, or prior to > 2137 that moment. For example, it may start Registrar discovery as soon > 2138 as it is requested to be enabled in a Join Proxy role. It may > 2139 periodically redo this discovery, or periodically or on-demand check > 2140 that the Registrar is still available in the network at the > 2141 discovered IP address. > 2142 > 2143 As shown in the final example in Section 10.1.1, a Join Proxy can > 2144 discover multiple Registrars in its network and present these options > 2145 to the Pledge. Each of these Registrars may support specific > 2146 variations/extensions of cBRSKI - which may be defined in future > 2147 documents. It is up to the administrator of the network how many > 2148 Registrars are enabled. > > nit: would be good to explain that registrars supporting different variations > need to be offered by the proxy via different coap endpoints? (port?) so that upon > traffic from a proxy to that endpoint/port the proxy knows which registrar to pass > the messages on to. > > 2149 > 2150 Further details on CoAP discovery of the Registrar by a Join Proxy > 2151 are provided in Section 5.1.1 of > 2152 [I-D.ietf-anima-constrained-join-proxy]. > 2153 > 2154 11. Deployment-specific Discovery Considerations > 2155 > 2156 This section details how discovery of a Join Proxy is done by the > 2157 Pledge in specific deployment scenarios. Future work such as > 2158 [I-D.ietf-anima-brski-discovery] may define more details on discovery > 2159 operations in the specific deployments listed here. > 2160 > 2161 11.1. 6TiSCH Deployments > 2162 > 2163 In 6TiSCH networks, the Constrained Join Protocol (CoJP) is used as > 2164 described in [RFC9031]. Such networks are expected to use EDHOC > 2165 [RFC9528] for key management, which is out of scope of this document. > 2166 The IEEE 802.15.4 Enhanced Beacon has been extended in [RFC9032] to > 2167 allow for discovery of a 6TiSCH-compliant Join Proxy. > 2168 > 2169 11.2. IP networks using GRASP > 2170 > 2171 In IP networks that support GRASP [RFC8990], a Pledge can discover a > 2172 Join Proxy by listening for GRASP messages. GRASP supports mesh > 2173 networks, and can also be used over unencrypted Wi-Fi. > 2174 > 2175 Details of GRASP discovery of constrained Join Proxies are out of > 2176 scope of this document and may be defined in future work. > 2177 > 2178 > 2179 > 2180 > 2181 > 2182 > 2183 > 2184 Richardson, et al. Expires 31 August 2026 [Page 39] > 2185 > 2186 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2187 > 2188 > 2189 11.3. IP networks using mDNS > 2190 > 2191 [RFC8995] defines a mechanism for the Pledge to discover a Join Proxy > 2192 by sending mDNS [RFC6762] queries. This mechanism can be used on any > 2193 IP network which does not have another recommended mechanism. It can > 2194 be used over unencrypted Wi-Fi. This mechanism does support link- > 2195 local Join Proxy discovery in mesh networks. However, it does not > 2196 support Registrar discovery by Join Proxies in mesh networks, because > 2197 the Registrar is typically not reachable by link-local communication > 2198 in that case. For this, another mechanism is needed, which is out of > 2199 scope of this document and may be defined in future work. > 2200 > 2201 A Pledge uses an mDNS PTR query for the name "_brski- > 2202 proxy._udp.local." to discover link-local constrained Join Proxies. > 2203 The label "_udp" here indicates a query for cBRSKI constrained Join > 2204 Proxies, as opposed to "_tcp" defined in [RFC8995] which is for > 2205 discovering BRSKI Proxies. > 2206 > 2207 11.4. Thread Networks using Mesh Link Establishment (MLE) > 2208 > 2209 Thread [Thread] is a wireless mesh network protocol based on 6LoWPAN > 2210 [RFC6282] and other IETF protocols. In Thread, a new device > 2211 discovers potential Thread networks and Thread nodes to join by using > 2212 the Mesh Link Establishment (MLE) > 2213 [I-D.ietf-6lo-mesh-link-establishment] protocol. MLE uses the UDP > 2214 port number 19788. > 2215 > 2216 The new device sends discovery requests on different IEEE 802.15.4 > 2217 radio channels, to which Thread nodes (if any present) respond with a > 2218 discovery response containing information about their respective > 2219 network. The MLE discovery response message contains UDP port > 2220 information to signal the new device which UDP port to use for its > 2221 DTLS connection to the Join Proxy function. The link-local IPv6 > 2222 source address of the MLE response message indicates the address of > 2223 the Join Proxy. > 2224 > 2225 Once a suitable Thread node is selected as its Join Proxy, the new > 2226 device initiates a DTLS transport-layer secured connection to the > 2227 network's commissioning application, over a link-local single radio > 2228 hop to the selected Join Proxy. This link is not yet secured at the > 2229 radio/MAC link layer: link-layer security will be set up once the new > 2230 device is approved by the commissioning application to join the > 2231 Thread network, and it gets provisioned with network access > 2232 credentials. > 2233 > 2234 A Thread node that is capable to act as a Join Proxy will only enable > 2235 this role if the network-wide configuration data indicates that new > 2236 device commissioning is allowed. > 2237 > 2238 > 2239 > 2240 Richardson, et al. Expires 31 August 2026 [Page 40] > 2241 > 2242 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2243 > 2244 > 2245 12. Design and Implementation Considerations > 2246 > 2247 12.1. Voucher Format and Encoding > 2248 > 2249 The design considerations for vouchers from Section 10 of > 2250 [RFC8366bis] apply. Specifically for CBOR encoding of voucher data, > 2251 one key difference with JSON encoding is that the names of the leaves > 2252 in the YANG definition do not affect the size of the resulting CBOR, > 2253 if the SID ([RFC9254], [RFC9595]) translation process is used that > 2254 assigns integers to the names. > 2255 > 2256 To obtain the lowest code size and RAM use on the Pledge, it is > 2257 recommended that a Pledge is designed to only process/generate these > 2258 SID integers and not the lengthy strings. The MASA in that case is > 2259 required to generate the voucher data for that Pledge using only SID > 2260 integers. Yet, this MASA MUST still support both SID integers and > 2261 strings, to be able to process attribute (string) names in the RVR > 2262 which the Registrar may use. > 2263 > 2264 12.2. CoAP Usage > 2265 > 2266 A successful POST request to the Registrar's telemetry resources > 2267 (/vs, /es) returns a 2.04 Changed response with empty payload. > 2268 > 2269 A CoAP client sending a request should be aware that the server, even > 2270 in case of an empty payload, may use either a piggybacked CoAP > 2271 response (for example ACK with code 2.04) but may also respond with a > 2272 separate CoAP response. This is first an ACK message with code 0.0 > 2273 that acknowledges the reception of the request. It is followed by a > 2274 CON message with a code 2.04 response in a separate CoAP message. > 2275 See [RFC7252] for details. > 2276 > 2277 12.3. Use of cBRSKI with HTTPS > 2278 > 2279 This specification contains two major extensions to [RFC8995]: a > 2280 constrained voucher format (COSE), and a constrained transfer > 2281 protocol (CoAP). > 2282 > 2283 On constrained networks with constrained devices, it make senses to > 2284 use both together. However, this document does not mandate that this > 2285 be the only way. > 2286 > 2287 A given constrained device design and software may be re-used for > 2288 multiple device models, such as a model having only an IEEE 802.15.4 > 2289 radio, or a model having only an IEEE 802.11 (Wi-Fi) radio, or a > 2290 model having both these radios. A manufacturer of such device models > 2291 may wish to have code only for the use of the constrained voucher > 2292 format (COSE), and use it on all supported radios including the IEEE > 2293 > 2294 > 2295 > 2296 Richardson, et al. Expires 31 August 2026 [Page 41] > 2297 > 2298 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2299 > 2300 > 2301 802.11 radio. For this radio, the software stack to support HTTP/TLS > 2302 may be already integrated into the radio module hence it is > 2303 attractive for the manufacturer to reuse this. This type of approach > 2304 is supported by this document. In the case that HTTPS is used, the > 2305 regular long [RFC8995] resource names are used, together with the new > 2306 application/voucher+cose media type described in this document. For > 2307 status telemetry requests, the format and requirements defined in > 2308 Section 6.3.1 remain unchanged. > 2309 > 2310 Other combinations are possible, but they are not enumerated here. > 2311 New work such as [I-D.ietf-anima-jws-voucher] provides new formats > 2312 that may be usable over a number of different transports. In > 2313 general, sending larger payloads over constrained networks makes less > 2314 sense, while sending smaller payloads over unconstrained networks is > 2315 perfectly acceptable. > 2316 > 2317 The Pledge will in most cases support a single voucher format, which > 2318 it uses without negotiation i.e. without discovery of formats > 2319 supported. The Registrar, being unconstrained, is expected to > 2320 support all voucher formats. There will be cases where a Registrar > 2321 does not support a new format that a new Pledge uses, and this is an > 2322 unfortunate situation that will result in lack of interoperation. > 2323 > 2324 The responsibility for supporting new formats is on the Registrar. > 2325 > 2326 13. Raw Public Key Variant > 2327 > 2328 13.1. Introduction and Scope > 2329 > 2330 This section introduces a cBRSKI variant to further reduce the data > 2331 volume and complexity of the cBRSKI onboarding. The use of a raw > 2332 public key (RPK) in the pinning process can significantly reduce the > 2333 number of bytes sent over the wire and the number of round trips, and > 2334 reduce the code footprint in a Pledge. But it comes with a few > 2335 significant operational limitations. > 2336 > 2337 One simplification that comes with RPK use is that a Pledge can avoid > 2338 doing PKIX operations, such as certificate chain validation. > 2339 > 2340 13.2. DTLS Connection and Registrar Trust Anchor > 2341 > 2342 When the Pledge first connects to the Registrar, the connection to > 2343 the Registrar is provisional, as explained in Section 5.6.2 of > 2344 [RFC8995]. The Registrar normally provides its public key in a > 2345 TLSServerCertificate, and the Pledge uses that to validate that > 2346 integrity of the DTLS connection, but it does not validate the > 2347 identity of the provided certificate. > 2348 > 2349 > 2350 > 2351 > 2352 Richardson, et al. Expires 31 August 2026 [Page 42] > 2353 > 2354 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2355 > 2356 > 2357 As the TLSServerCertificate object is never verified directly by the > 2358 Pledge, sending it can be considered superfluous. So instead of > 2359 using a (TLSServer)Certificate of type X509 (see Section 4.4.2 of > 2360 [RFC8446]), a RawPublicKey object (as defined by [RFC7250]) is used. > 2361 > 2362 A Registrar operating in a mixed environment can determine whether to > 2363 send a PKIX certificate chain or a Raw Public Key to the Pledge: this > 2364 is signaled by the Pledge. In the case the Pledge needs an RPK, it > 2365 includes the server_certificate_type of RawPublicKey. This is shown > 2366 in Section 5 of [RFC7250]. > 2367 > 2368 The Pledge MUST send a client_certificate_type of X509 (not an RPK), > 2369 so that the Registrar can properly identify the Pledge and distill > 2370 the MASA URI information from its IDevID certificate. > 2371 > 2372 13.3. The Pledge Voucher Request > 2373 > 2374 The Pledge puts the Registrar's public key into the 'proximity- > 2375 registrar-pubk' attribute of the Pledge Voucher Request (PVR). The > 2376 'proximity-registrar-pubk-sha256' can alternatively be used for > 2377 efficiency, if the 32-bytes of a SHA256 hash turns out to be smaller > 2378 than a typical ECDSA key. > 2379 > 2380 As the format of the 'proximity-registrar-pubk' attribute is > 2381 identical to the TLS RawPublicKey data object, no manipulation at all > 2382 is needed to insert this attribute into the PVR. This approach > 2383 reduces the size of the PVR significantly, compared to including the > 2384 full certificate. > 2385 > 2386 13.4. The Voucher Response > 2387 > 2388 A returned voucher will have a 'pinned-domain-pubk' attribute with > 2389 the identical key as was found in the 'proximity-registrar-pubk' > 2390 attribute above, as well as being identical to the Registrar's RPK in > 2391 the currently active DTLS connection. (Or alternatively the MASA may > 2392 include the 'pinned-domain-pubk-sha256' attribute if it knows the > 2393 Pledge supports this attribute.) > 2394 > 2395 Validation of this key by the Pledge is what takes the DTLS > 2396 connection out of the provisional state; see Section 5.6.2 of > 2397 [RFC8995] for more details. > 2398 > 2399 The received voucher needs to be validated by the Pledge. The Pledge > 2400 needs to have a public key to validate the signature from the MASA on > 2401 the voucher. > 2402 > 2403 > 2404 > 2405 > 2406 > 2407 > 2408 Richardson, et al. Expires 31 August 2026 [Page 43] > 2409 > 2410 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2411 > 2412 > 2413 The MASA's public key counterpart of the (private) MASA signing key > 2414 MUST be already installed in the Pledge at manufacturing time. > 2415 Otherwise, the Pledge cannot validate the voucher's signature. > 2416 > 2417 13.5. The Enrollment Phase > 2418 > 2419 A Pledge that does not support PKIX operations cannot use EST to > 2420 enroll; it has to use another method for enrollment without > 2421 certificates and the Registrar has to support this method also. For > 2422 example, an enrollment process that records an RPK owned by the > 2423 Pledge as a legitimate entity that is part of the domain. > 2424 > 2425 It is possible that the Pledge will not enroll after obtaining a > 2426 valid voucher, but instead will do only a network join operation (see > 2427 for example [RFC9031]). How the Pledge discovers this method and > 2428 details of such enrollment methods are out of scope of this document. > 2429 > 2430 14. Security Considerations > 2431 > 2432 14.1. Duplicate Serial Numbers > > minor: > > As fun as this section of duplicate serial numbers is, i would suggest to remove > it unless you can find a much more persuasive plausibility for it to ever happen. > > Right now it sounds like its totally impossble. And starting a security section with > something like that... if you really want to keep it, move it all the way to the end > of the security section. > > There is an argument to be made for the need to have good serial number management, > i guess. > > There was the fun story back in the 80th when i was doing mandatory military > service in Germany and the folks in supply management told me that the armed services > had a simple number space for everything you could order, so if you just made a mistake > of one digit, you might not get a delivery of one block of offiece paper but instead > you could receive a battle ship. > > I always remember this annoyance when i see examples of certs where the serial number > is really just a numeric number. Instead of a structured string consisting of at > least a product type string (PID) followed by an actual unit serial number. But > i still can not find a good reference for this format. Cisco uses it. Huawei seemingly > not. I am happy to have more advertisement of that type of serial number types > in certs. But of course, the issues you get when you do not have this are > IMHO primarily operational issues, not security issues. But most often it is > perfectly fine to do policies on accepting products into a domain based on > pattern matches against cert serial numbers that just match on PID, not unit serial > number field. So if you like to have something like that, maybe thats section > "Operational Considerations". Else we can put it into our operational considerations > draft. > > But no... right now drawing a blank re. actual security attack issues here. > > 2433 > 2434 If a manufacturer sold products with duplicated serial numbers, that > 2435 use the same MASA CA as their root of trust, a customer of one of > 2436 these products can potentially perform an attack where it uses a > 2437 voucher created for product 1 to onboard product 2. This attack only > 2438 works for nonceless vouchers. > 2439 > 2440 Note that such a situation could only arise due to manufacturer mis- > 2441 management or oversight. > 2442 > 2443 For example, imagine the same manufacturer makes light bulbs as well > 2444 as gas centrifuges, and said manufacturer does not uniquely allocate > 2445 product serial numbers. The attacker has obtained a light bulb which > 2446 happens to have the same serial number as an operational gas > 2447 centrifuge which it wishes to obtain access to. The attacker > 2448 performs a normal BRSKI onboarding for the light bulb, but then uses > 2449 the resulting nonceless voucher to onboard the gas centrifuge. The > 2450 attack requires that the gas centrifuge be returned to a state where > 2451 it is willing to perform a new onboarding operation. For example, a > 2452 factory reset. > 2453 > 2454 This attack is normally prevented by the mechanisms of using > 2455 different trust root CAs for different product lines, and/or using > 2456 unique serial numbers within a single MASA CA scope. > 2457 > 2458 > 2459 > 2460 > 2461 > 2462 > 2463 > 2464 Richardson, et al. Expires 31 August 2026 [Page 44] > 2465 > 2466 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2467 > 2468 > 2469 Section 6.2 of [RFC8366bis] discusses cases of duplicated serial > 2470 numbers in products across different CAs and the role of the 'idevid- > 2471 issuer' attribute in the RVR and in the voucher to disambiguate these > 2472 products. > 2473 > 2474 14.2. IDevID Security in the Pledge > 2475 > 2476 The security of this protocol depends upon the Pledge identifying > 2477 itself to the Registrar using its manufacturer installed certificate: > 2478 the IDevID certificate. Associated with this certificate is the > 2479 IDevID private key, known only to the Pledge. Disclosure of this > 2480 private key to an attacker would permit the attacker to impersonate > 2481 the Pledge towards the Registrar, probably gaining access credentials > 2482 to that Registrar's network. > > mayor: > > Quite in the opposite to the prior section, it would be very good to frontent > this section with a section describing the IMHO most fundamental issue, also > well suited to cBRSKI: > > Pledge LDevID as network credentials > > The most significant security issue is in understanding and selecting the right > hardware security for IDevID and LDevID storage and software security in > the pledge that can access IDevID and LDevID. > > When LDevID is only used to authenticate pledges in (end-to-end) application > layer communications, then the required level of security can often the > fairly minimal because impairing an IoT device such as a temperature sensor > can only attack application behavior. Which may be dramatic or not. One may cause > A fire alert and sprinkler damaging a warehouse by impersonating such a sensor, > likely from the convenience of a remote location for example. Even when impairment > itself (earlier) may have required physical access. > > However, an even broader set of attacks may be possible when the LDevID > is also used as a credential to access the network itself, especially if on that > network not all communications is also end-to-end secured separately, and therefore > network access can additionally (to above described application layer impersnation) > also enable much broader attack scenarios against such non-end-to-end secured > communication or observation of other traffic to determine further exploitation options > or DoS attacks. > > In summary: cBRSKI has the opportunity of bringing automated trust infrastructures > via LDevID into many areas where there was no good security now, especially in > many IoT environments, but LDevID alone is not sufficient for better security, it > is just a pre-requisite. End-to-end authentication for all communications is the > most important requirement to minimize broad attacks, and as soon as LDevID are > used for network layer security (without ubiquitous use of end-to-end security too), > it is important to ensure an appropriate layer of hardening of devices is done, > specifically TPM type containment of private keys and secure software loading to > prohibit or minimize impairment by malicious software. > > Something like this if the authors like it ;-)) > > 2483 > 2484 If the IDevID private key disclosure is known to the manufacturer, > 2485 there is little recourse other than recall of the relevant part > 2486 numbers. The process for communicating this recall would be within > 2487 the BRSKI-MASA protocol. Neither this specification nor [RFC8995] > 2488 provides for consultation of a Certification Revocation List (CRL) or > 2489 Open Certificate Status Protocol (OCSP) by a Registrar when > 2490 evaluating an IDevID certificate. However, the BRSKI-MASA protocol > 2491 submits the IDevID from the Registrar to the manufacturer's MASA and > 2492 a manufacturer would have an opportunity to decline to issue a > 2493 voucher for a device which they believe has become compromised. > 2494 > 2495 It may be difficult for a manufacturer to determine when an IDevID > 2496 private key has been disclosed. Two situations present themselves: > 2497 in the first situation a compromised private key might be reused in a > 2498 counterfeit device, which is sold to another customer. This would > 2499 present itself as an onboarding of the same device in two different > 2500 networks. The manufacturer may become suspicious seeing two voucher > 2501 requests for the same device from different Registrars. Such > 2502 activity could be indistinguishable from a device which has been > 2503 resold from one operator to another, or re-deployed by an operator > 2504 from one location to another. > 2505 > 2506 > 2507 > 2508 > 2509 > 2510 > 2511 > 2512 > 2513 > 2514 > 2515 > 2516 > 2517 > 2518 > 2519 > 2520 Richardson, et al. Expires 31 August 2026 [Page 45] > 2521 > 2522 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2523 > 2524 > 2525 In the second situation, an attacker having compromised the IDevID > 2526 private key of a device might then install malware into the same > 2527 device and attempt to return it to service. The device, now blank, > 2528 would go through a second onboarding process with the original > 2529 Registrar. Such a Registrar could notice that the device has been > 2530 "factory reset" and alert the operator to this situation. One remedy > 2531 against the presence of malware is through the use of Remote > 2532 Attestation such as described in [RFC9334]. Future work will need to > 2533 specify a background-check Attestation flow as part of the voucher > 2534 request/response process. Attestation may still require access to a > 2535 private key (e.g. IDevID private key) in order to sign Evidence, so a > 2536 primary goal should be to keep any private key safe within the > 2537 Pledge. > 2538 > 2539 In larger, more expensive, systems there is budget (power, space, and > 2540 bill of materials) to include more specific defenses for a private > 2541 key. For instance, this includes putting the IDevID private key in a > 2542 Trusted Platform Module (TPM), or use of Trusted Execution > 2543 Environments (TEE) for access to the key. On smaller IoT devices, > 2544 the cost and power budget for an extra part is often prohibitive. > 2545 > 2546 It is becoming more and more common for CPUs to have an internal set > 2547 of one-time fuses that can be programmed (often they are "burnt" by a > 2548 laser) at the factory. This section of memory is only accessible in > 2549 some privileged CPU state. The use of this kind of CPU is > 2550 appropriate as it provides significant resistance against key > 2551 disclosure even when the device can be disassembled by an attacker. > 2552 > 2553 In a number of industry verticals, there is increasing concern about > 2554 counterfeit parts. These may be look-alike parts created in a > 2555 different factory, or parts which are created in the same factory > 2556 during an illegal night-shift, but which are not subject to the > 2557 appropriate level of quality control. The use of a manufacturer- > 2558 signed IDevID certificate provides for discovery of the pedigree of > 2559 each part, and this often justifies the cost of the security measures > 2560 associated with storing the private key. > 2561 > 2562 14.3. Security of the BRSKI-MASA Protocol > 2563 > 2564 Section 7.1 explains why no CoAPS version of the BRSKI-MASA protocol > 2565 is specified. The connection from the Registrar to the MASA > 2566 continues to be HTTPS as in [RFC8995]. > 2567 > 2568 This choice enables the BRSKI-MASA protocol, which operates over the > 2569 open Internet, to be secured using standard solutions that are > 2570 commonly used for HTTPS over the Internet. The use of UDP protocols > 2571 across the Internet is sometimes fraught with security challenges. > 2572 Denial-of-service attacks against UDP based protocols are trivial as > 2573 > 2574 > 2575 > 2576 Richardson, et al. Expires 31 August 2026 [Page 46] > 2577 > 2578 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2579 > 2580 > 2581 there is no three-way handshake as done for TCP. The three-way > 2582 handshake of TCP guarantees that the node sending the connection > 2583 request is reachable using the origin IP address. While DTLS > 2584 contains an option to do a stateless challenge -- a process actually > 2585 stronger than that done by TCP -- it is not yet common for this > 2586 mechanism to be available in hardware at multigigabit speeds. > > minor: > > No MASA needs multigigabit speeds, so the missing argument is that > it may be a lot more difficult to get competitive cloud service pricing for running > a MASA service if the MASA requires such uncommon protocols, because cloud services > will preferentially treat application that they know can best be hardware optimized > so as to not exhaust more resources as other services. > > 2587 > 2588 Also, in many enterprise networks outgoing UDP connections can be > 2589 treated as suspicious, which could effectively block CoAP connections > 2590 for some firewall configurations. Reducing the complexity of MASA > 2591 (i.e. less protocols supported) also reduces its potential attack > 2592 surface, which is relevant since the MASA is 24/7 exposed on the > 2593 Internet and accepting (untrusted) incoming connections. > 2594 > 2595 14.4. Registrar Certificate May Be Self-signed > 2596 > 2597 The provisional (D)TLS connection formed by the Pledge with the > 2598 Registrar does not authenticate the Registrar's identity. This > 2599 Registrar's identity is validated by the [RFC8366bis] voucher that is > 2600 issued by the MASA, signed with a trust anchor that was built-in to > 2601 the Pledge. > 2602 > 2603 The Registrar may therefore use any certificate, including a self- > 2604 signed one. The only restrictions on the certificate is that it MUST > 2605 have EKU bits set as detailed in Section 6.1.5 and Section 7.4. > 2606 > 2607 14.5. Use of RPK Alternatives to 'proximity-registrar-cert' > 2608 > 2609 In Section 9 of [RFC8366bis] two compact alternative attributes for > 2610 'proximity-registrar-cert' are defined that include an RPK: > 2611 'proximity-registrar-pubk' and 'proximity-registrar-pubk-sha256'. > 2612 The Pledge can use these attributes in its PVR to identify the > 2613 Registrar based on its public key only. Since the full certificate > 2614 of the proximate Registrar is not included, use of these attributes > 2615 by a Pledge implies that a Registrar could insert another certificate > 2616 with the same public key identity into the RVR. For example, an > 2617 older or a newer version of its certificate. The MASA will not be > 2618 able to detect such act by the Registrar. But since any certificate > 2619 the Registrar could insert in this way still encodes its own identity > 2620 the additional risk of using the RPK alternatives is negligible. > 2621 > 2622 When a Registrar sees a PVR that uses one of 'proximity-registrar- > 2623 pubk' or 'proximity-registrar-pubk-sha256' attributes, this implies > 2624 the Registrar must include the certificate identified by these > 2625 attributes into its RVR. Otherwise, the MASA is unable to verify > 2626 proximity. This requirement is already implied by the "MUST" > 2627 requirement in Section 8.1. > 2628 > 2629 > 2630 > 2631 > 2632 Richardson, et al. Expires 31 August 2026 [Page 47] > 2633 > 2634 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2635 > 2636 > 2637 15. IANA Considerations > 2638 > 2639 15.1. Resource Type Link Target Attribute Values Registry > 2640 > 2641 Additions to the "Resource Type (rt=) Link Target Attribute Values" > 2642 IANA registry, within the "CoRE Parameters" registry group are > 2643 specified below. > 2644 > 2645 Reference: [This RFC] > 2646 > 2647 +==========+==============================================+ > 2648 | Value | Description | > 2649 +==========+==============================================+ > 2650 | brski | Base resource of all Bootstrapping Remote | > 2651 | | Secure Key Infrastructure (cBRSKI) resources | > 2652 +----------+----------------------------------------------+ > 2653 | brski.rv | cBRSKI request voucher resource | > 2654 +----------+----------------------------------------------+ > 2655 | brski.vs | cBRSKI voucher status telemetry resource | > 2656 +----------+----------------------------------------------+ > 2657 | brski.es | cBRSKI enrollment status telemetry resource | > 2658 +----------+----------------------------------------------+ > 2659 | ace.est | Base resource of all Enrollment over Secure | > 2660 | | Transport CoAPS (EST-coaps) resources | > 2661 +----------+----------------------------------------------+ > 2662 > 2663 Table 2: Resource Type (rt) link target attribute > 2664 values for cBRSKI and EST- coaps > 2665 > 2666 Note that the resource type "brski" identifies a base resource in a > 2667 resource hierarchy on a CoAP server, where its sub-resources each > 2668 have one of the resource types "brski.*" as defined by this > 2669 specification. Similarly, the resource type "ace.est" identifies a > 2670 base resource in a resource hierarchy, where its sub-resources each > 2671 have one of the resource types "ace.est.*" as defined by [RFC9148]. > 2672 > 2673 15.2. Media Types Registry > 2674 > 2675 This section registers the media type application/voucher+cose in the > 2676 "Media Types" IANA registry. This media type is used to indicate > 2677 that the content is a CBOR voucher or voucher request signed with a > 2678 COSE_Sign1 structure [RFC9052] as defined in this document. > 2679 > 2680 15.2.1. application/voucher+cose > 2681 > 2682 > 2683 > 2684 > 2685 > 2686 > 2687 > 2688 Richardson, et al. Expires 31 August 2026 [Page 48] > 2689 > 2690 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2691 > 2692 > 2693 Type name: application > 2694 Subtype name: voucher+cose > 2695 Required parameters: N/A > 2696 Optional parameters: N/A > 2697 Encoding considerations: binary (CBOR) > 2698 Security considerations: Section 14 of [This RFC], and Section 12 > 2699 of [RFC 9052] for the COSE_Sign1 structured that is used. > 2700 Interoperability considerations: Section 15.2.2 of [This RFC] > 2701 Published specification: [This RFC] > 2702 Applications that use this media type: cBRSKI/ANIMA, 6TiSCH, and > 2703 other zero-touch onboarding systems > 2704 Fragment identifier considerations: N/A > 2705 Additional information: > 2706 Deprecated alias names for this type: N/A > 2707 Magic number(s): N/A > 2708 File extension(s): .vch > 2709 Macintosh file type code(s): N/A > 2710 Person & email address to contact for further information: IETF > 2711 ANIMA Working Group (anima@ietf.org) or IETF Operations and > 2712 Management Area Working Group (opsawg@ietf.org) > 2713 Intended usage: COMMON > 2714 Restrictions on usage: N/A > 2715 Author: ANIMA WG > 2716 Change controller: IETF > 2717 Provisional registration? (standards tree only): NO > 2718 > 2719 15.2.2. Interoperability Considerations for application/voucher+cose > 2720 > 2721 The media type defined here does not have any parameter to indicate > 2722 whether names are used, or SID integers are used, or both can be > 2723 mixed within a voucher data item. In absence of any specific further > 2724 knowledge about this, a mixed use of SID integers and names MUST be > 2725 assumed, which is equivalent to the application/yang-data+cbor media > 2726 type ([RFC9254]) without the optional 'id' parameter. > 2727 > 2728 Furthermore, > 2729 > 2730 * a Registrar assumes that mixed SIDs/names MAY be present in a > 2731 received PVR or voucher; > 2732 > 2733 * a MASA assumes that mixed SIDs/names MAY be present in a received > 2734 RVR; > 2735 > 2736 * a Pledge assumes, depending on its implementation, that SIDs are > 2737 present only, or names are present only, or mixed SIDs/names are > 2738 present in a received voucher. > 2739 > 2740 > 2741 > 2742 > 2743 > 2744 Richardson, et al. Expires 31 August 2026 [Page 49] > 2745 > 2746 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2747 > 2748 > 2749 Because the MASA and Pledge are under control (either directly or by > 2750 contract) of the same manufacturer, they can be co-developed > 2751 regarding the type of identifiers produced and identifiers consumed > 2752 in order to guarantee interoperability. > 2753 > 2754 15.3. CoAP Content-Formats Registry > 2755 > 2756 IANA has allocated ID 836 from the "CoAP Content-Formats" registry as > 2757 shown below. > 2758 > 2759 +==========================+==========+=====+============+ > 2760 | Media type | Encoding | ID | Reference | > 2761 +==========================+==========+=====+============+ > 2762 | application/voucher+cose | - | 836 | [This RFC] | > 2763 +--------------------------+----------+-----+------------+ > 2764 > 2765 Table 3: Additions to the IANA CoAP Content-Formats > 2766 Registry > 2767 > 2768 15.4. Update to BRSKI Well-Known URIs Registry > 2769 > 2770 This section updates the "BRSKI Well-Known URIs" IANA registry of the > 2771 Bootstrapping Remote Secure Key Infrastructures (BRSKI) Parameters > 2772 Registry group, by adding a new column "Short Path Segment", > 2773 clarifying existing "Description" values, and renaming the column > 2774 "URI" to "Path Segment". > 2775 > 2776 The new "Short Path Segment" entry denotes a shorter alternative to > 2777 Path Segment for the resource that can be used by a client in a CoAP > 2778 request on a well-known BRSKI resource. A value "N/A" can be 2779 registered to denote that there is no short path segment > defined. 2780 2781 The contents of the registry with these changes > applied are as 2782 follows: 2783 2784 2785 2786 2787 2788 2789 2790 > 2791 2792 2793 2794 2795 2796 2797 2798 2799 2800 Richardson, et al. > Expires 31 August 2026 [Page 50] 2801 2802 Internet-Draft > Constrained BRSKI (cBRSKI) February 2026 2803 2804 2805 > +=================+============+=======================+============+ > 2806 | Path Segment | Short | Description | Reference | 2807 | | Path > | | | 2808 | | Segment | | | 2809 > +=================+============+=======================+============+ > 2810 | requestvoucher | rv | Request voucher: | [RFC8995], | 2811 | | > | Pledge to Registrar, | [This RFC] | 2812 | | | and Registrar to MASA > | | 2813 > +-----------------+------------+-----------------------+------------+ > 2814 | voucher_status | vs | Voucher status | [RFC8995], | 2815 | | | > telemetry: Pledge to | [This RFC] | 2816 | | | Registrar | | 2817 > +-----------------+------------+-----------------------+------------+ > 2818 | requestauditlog | N/A | Request audit log: | [RFC8995] | 2819 | > | | Registrar to MASA | | 2820 > +-----------------+------------+-----------------------+------------+ > 2821 | enrollstatus | es | Enrollment status | [RFC8995], | 2822 | | | > telemetry: Pledge to | [This RFC] | 2823 | | | Registrar | | 2824 > +-----------------+------------+-----------------------+------------+ > 2825 2826 Table 4: Update of the IANA BRSKI Well-Known URIs Registry > 2827 2828 15.5. Structured Syntax Suffixes Registry 2829 2830 This > section registers the "+cose" suffix in the "Structured Syntax > 2831 Suffixes" IANA Registry based on the [RFC6838] procedure. > 2832 > 2833 > 2834 > 2835 > 2836 > 2837 > 2838 > 2839 > 2840 > 2841 > 2842 > 2843 > 2844 > 2845 > 2846 > 2847 > 2848 > 2849 > 2850 > 2851 > 2852 > 2853 > 2854 > 2855 > 2856 Richardson, et al. Expires 31 August 2026 [Page 51] > 2857 > 2858 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2859 > 2860 > 2861 Name: CBOR Object Signing and Encryption (COSE) object > 2862 +suffix: +cose > 2863 References: the application/cose media type [RFC9052] > 2864 Encoding considerations: binary (CBOR) > 2865 Interoperability considerations: > 2866 the application/cose media type has an optional parameter > 2867 "cose-type". Any new media type that uses the +cose suffix > 2868 and allows use of this parameter MUST specify this > 2869 explicitly, per Section 4.3 of [RFC6838]. If the parameter > 2870 "cose-type" is allowed, its usage MUST be identical to the > 2871 usage defined for the application/cose media type in > 2872 Section 2 of [RFC9052]. > 2873 A COSE processor handling a media type foo+cose and which > 2874 does not know the specific type "foo" SHOULD use the > 2875 cose-type COSE tag, if present, or cose-type parameter, if > 2876 present, to determine the specific COSE object type during > 2877 processing. If the specific type cannot be determined, > 2878 it MUST assume only the generic COSE object structure and > 2879 it MUST NOT perform security-critical operations using the > 2880 COSE object. > 2881 Fragment identifier considerations: N/A > 2882 Security considerations: see [RFC9052] > 2883 Contact: > 2884 IETF COSE Working Group (cose@ietf.org) or > 2885 IESG (iesg@ietf.org) > 2886 Author/Change controller: > 2887 IETF ANIMA Working Group (anima@ietf.org) > 2888 IESG has change control over this registration. > 2889 > > EOR - End Of Review > > 2890 16. References > 2891 > 2892 16.1. Normative References > 2893 > 2894 [I-D.ietf-anima-constrained-join-proxy] > 2895 Dijk, E., Richardson, M., Van der Stok, P., and P. > 2896 Kampanakis, "Join Proxy for Bootstrapping of Constrained > 2897 Network Elements", Work in Progress, Internet-Draft, > 2898 draft-ietf-anima-constrained-join-proxy-18, 19 October > 2899 2025,<https://datatracker.ietf.org/doc/html/draft-ietf- 2900 > anima-constrained-join-proxy-18>. > 2901 > 2902 [I-D.ietf-core-uri-path-abbrev] > 2903 Amsüss, C. and M. Richardson, "URI-Path abbreviation in > 2904 CoAP", Work in Progress, Internet-Draft, draft-ietf-core- > 2905 uri-path-abbrev-02, 20 October 2025, > 2906 <https://datatracker.ietf.org/doc/html/draft-ietf-core- 2907 > uri-path-abbrev-02>. > 2908 > 2909 > 2910 > 2911 > 2912 Richardson, et al. Expires 31 August 2026 [Page 52] > 2913 > 2914 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2915 > 2916 > 2917 [ieee802-1AR] > 2918 "IEEE 802.1AR Secure Device Identity", IEEE Standards > 2919 Association, 2018, > 2920 <https://standards.ieee.org/ieee/802.1AR/6995/>. > 2921 > 2922 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate > 2923 Requirement Levels", BCP 14, RFC 2119, > 2924 DOI 10.17487/RFC2119, March 1997, > 2925 <https://www.rfc-editor.org/rfc/rfc2119>. > 2926 > 2927 [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast > 2928 Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005, > 2929 <https://www.rfc-editor.org/rfc/rfc4193>. > 2930 > 2931 [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, > 2932 "Internet X.509 Public Key Infrastructure Certificate > 2933 Management Protocol (CMP)", RFC 4210, > 2934 DOI 10.17487/RFC4210, September 2005, > 2935 <https://www.rfc-editor.org/rfc/rfc4210>. > 2936 > 2937 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., > 2938 Housley, R., and W. Polk, "Internet X.509 Public Key > 2939 Infrastructure Certificate and Certificate Revocation List > 2940 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, > 2941 <https://www.rfc-editor.org/rfc/rfc5280>. > 2942 > 2943 [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) > 2944 Extensions: Extension Definitions", RFC 6066, > 2945 DOI 10.17487/RFC6066, January 2011, > 2946 <https://www.rfc-editor.org/rfc/rfc6066>. > 2947 > 2948 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer > 2949 Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, > 2950 January 2012,<https://www.rfc-editor.org/rfc/rfc6347>. > 2951 > 2952 [RFC6690] Shelby, Z., "Constrained RESTful Environments (CoRE) Link > 2953 Format", RFC 6690, DOI 10.17487/RFC6690, August 2012, > 2954 <https://www.rfc-editor.org/rfc/rfc6690>. > 2955 > 2956 [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, > 2957 DOI 10.17487/RFC6762, February 2013, > 2958 <https://www.rfc-editor.org/rfc/rfc6762>. > 2959 > 2960 [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., > 2961 "Enrollment over Secure Transport", RFC 7030, > 2962 DOI 10.17487/RFC7030, October 2013, > 2963 <https://www.rfc-editor.org/rfc/rfc7030>. > 2964 > 2965 > 2966 > 2967 > 2968 Richardson, et al. Expires 31 August 2026 [Page 53] > 2969 > 2970 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 2971 > 2972 > 2973 [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., > 2974 Weiler, S., and T. Kivinen, "Using Raw Public Keys in > 2975 Transport Layer Security (TLS) and Datagram Transport > 2976 Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, > 2977 June 2014,<https://www.rfc-editor.org/rfc/rfc7250>. > 2978 > 2979 [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained > 2980 Application Protocol (CoAP)", RFC 7252, > 2981 DOI 10.17487/RFC7252, June 2014, > 2982 <https://www.rfc-editor.org/rfc/rfc7252>. > 2983 > 2984 [RFC7959] Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in > 2985 the Constrained Application Protocol (CoAP)", RFC 7959, > 2986 DOI 10.17487/RFC7959, August 2016, > 2987 <https://www.rfc-editor.org/rfc/rfc7959>. > 2988 > 2989 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC > 2990 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, > 2991 May 2017,<https://www.rfc-editor.org/rfc/rfc8174>. > 2992 > 2993 [RFC8366bis] > 2994 Watsen, K., Richardson, M., Dijk, E., Eckert, T. T., and > 2995 Q. Ma, "A Voucher Artifact for Bootstrapping Protocols", > 2996 Work in Progress, Internet-Draft, draft-ietf-anima- > 2997 rfc8366bis-27, 26 February 2026, > 2998 <https://datatracker.ietf.org/doc/html/draft-ietf-anima- 2999 > rfc8366bis-27>. > 3000 > 3001 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol > 3002 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, > 3003 <https://www.rfc-editor.org/rfc/rfc8446>. > 3004 > 3005 [RFC8449] Thomson, M., "Record Size Limit Extension for TLS", > 3006 RFC 8449, DOI 10.17487/RFC8449, August 2018, > 3007 <https://www.rfc-editor.org/rfc/rfc8449>. > 3008 > 3009 [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data > 3010 Definition Language (CDDL): A Notational Convention to > 3011 Express Concise Binary Object Representation (CBOR) and > 3012 JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, > 3013 June 2019,<https://www.rfc-editor.org/rfc/rfc8610>. > 3014 > 3015 [RFC8710] Fossati, T., Hartke, K., and C. Bormann, "Multipart > 3016 Content-Format for the Constrained Application Protocol > 3017 (CoAP)", RFC 8710, DOI 10.17487/RFC8710, February 2020, > 3018 <https://www.rfc-editor.org/rfc/rfc8710>. > 3019 > 3020 > 3021 > 3022 > 3023 > 3024 Richardson, et al. Expires 31 August 2026 [Page 54] > 3025 > 3026 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3027 > 3028 > 3029 [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object > 3030 Representation (CBOR)", STD 94, RFC 8949, > 3031 DOI 10.17487/RFC8949, December 2020, > 3032 <https://www.rfc-editor.org/rfc/rfc8949>. > 3033 > 3034 [RFC8995] Pritikin, M., Richardson, M., Eckert, T., Behringer, M., > 3035 and K. Watsen, "Bootstrapping Remote Secure Key > 3036 Infrastructure (BRSKI)", RFC 8995, DOI 10.17487/RFC8995, > 3037 May 2021,<https://www.rfc-editor.org/rfc/rfc8995>. > 3038 > 3039 [RFC9031] Vučinić, M., Ed., Simon, J., Pister, K., and M. > 3040 Richardson, "Constrained Join Protocol (CoJP) for 6TiSCH", > 3041 RFC 9031, DOI 10.17487/RFC9031, May 2021, > 3042 <https://www.rfc-editor.org/rfc/rfc9031>. > 3043 > 3044 [RFC9032] Dujovne, D., Ed. and M. Richardson, "Encapsulation of > 3045 6TiSCH Join and Enrollment Information Elements", > 3046 RFC 9032, DOI 10.17487/RFC9032, May 2021, > 3047 <https://www.rfc-editor.org/rfc/rfc9032>. > 3048 > 3049 [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): > 3050 Structures and Process", STD 96, RFC 9052, > 3051 DOI 10.17487/RFC9052, August 2022, > 3052 <https://www.rfc-editor.org/rfc/rfc9052>. > 3053 > 3054 [RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE): > 3055 Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, > 3056 August 2022,<https://www.rfc-editor.org/rfc/rfc9053>. > 3057 > 3058 [RFC9147] Rescorla, E., Tschofenig, H., and N. Modadugu, "The > 3059 Datagram Transport Layer Security (DTLS) Protocol Version > 3060 1.3", RFC 9147, DOI 10.17487/RFC9147, April 2022, > 3061 <https://www.rfc-editor.org/rfc/rfc9147>. > 3062 > 3063 [RFC9148] van der Stok, P., Kampanakis, P., Richardson, M., and S. > 3064 Raza, "EST-coaps: Enrollment over Secure Transport with > 3065 the Secure Constrained Application Protocol", RFC 9148, > 3066 DOI 10.17487/RFC9148, April 2022, > 3067 <https://www.rfc-editor.org/rfc/rfc9148>. > 3068 > 3069 [RFC9254] Veillette, M., Ed., Petrov, I., Ed., Pelov, A., Bormann, > 3070 C., and M. Richardson, "Encoding of Data Modeled with YANG > 3071 in the Concise Binary Object Representation (CBOR)", > 3072 RFC 9254, DOI 10.17487/RFC9254, July 2022, > 3073 <https://www.rfc-editor.org/rfc/rfc9254>. > 3074 > 3075 > 3076 > 3077 > 3078 > 3079 > 3080 Richardson, et al. Expires 31 August 2026 [Page 55] > 3081 > 3082 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3083 > 3084 > 3085 [RFC9360] Schaad, J., "CBOR Object Signing and Encryption (COSE): > 3086 Header Parameters for Carrying and Referencing X.509 > 3087 Certificates", RFC 9360, DOI 10.17487/RFC9360, February > 3088 2023,<https://www.rfc-editor.org/rfc/rfc9360>. > 3089 > 3090 [RFC9525] Saint-Andre, P. and R. Salz, "Service Identity in TLS", > 3091 RFC 9525, DOI 10.17487/RFC9525, November 2023, > 3092 <https://www.rfc-editor.org/rfc/rfc9525>. > 3093 > 3094 16.2. Informative References > 3095 > 3096 [COSE-registry] > 3097 IANA, "CBOR Object Signing and Encryption (COSE) registry > 3098 group", 11 January 2017, > 3099 <https://www.iana.org/assignments/cose/cose.xhtml>. > 3100 > 3101 [I-D.ietf-6lo-mesh-link-establishment] > 3102 Kelsey, R., "Mesh Link Establishment", Work in Progress, > 3103 Internet-Draft, draft-ietf-6lo-mesh-link-establishment-00, > 3104 1 December 2015,<https://datatracker.ietf.org/doc/html/ 3105 > draft-ietf-6lo-mesh-link-establishment-00>. > 3106 > 3107 [I-D.ietf-anima-brski-discovery] > 3108 Eckert, T. T. and E. Dijk, "BRSKI discovery and > 3109 variations", Work in Progress, Internet-Draft, draft-ietf- > 3110 anima-brski-discovery-09, 20 October 2025, > 3111 <https://datatracker.ietf.org/doc/html/draft-ietf-anima- 3112 > brski-discovery-09>. > 3113 > 3114 [I-D.ietf-anima-jws-voucher] > 3115 Werner, T. and M. Richardson, "JWS signed Voucher > 3116 Artifacts for Bootstrapping Protocols", Work in Progress, > 3117 Internet-Draft, draft-ietf-anima-jws-voucher-16, 15 > 3118 January 2025,<https://datatracker.ietf.org/doc/html/ 3119 > draft-ietf-anima-jws-voucher-16>. > 3120 > 3121 [I-D.ietf-cbor-edn-literals] > 3122 Bormann, C., "CBOR Extended Diagnostic Notation (EDN)", > 3123 Work in Progress, Internet-Draft, draft-ietf-cbor-edn- > 3124 literals-19, 16 October 2025, > 3125 <https://datatracker.ietf.org/doc/html/draft-ietf-cbor- 3126 > edn-literals-19>. > 3127 > 3128 > 3129 > 3130 > 3131 > 3132 > 3133 > 3134 > 3135 > 3136 Richardson, et al. Expires 31 August 2026 [Page 56] > 3137 > 3138 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3139 > 3140 > 3141 [I-D.ietf-cose-cbor-encoded-cert] > 3142 Mattsson, J. P., Selander, G., Raza, S., Höglund, J., and > 3143 M. Furuhed, "CBOR Encoded X.509 Certificates (C509 > 3144 Certificates)", Work in Progress, Internet-Draft, draft- > 3145 ietf-cose-cbor-encoded-cert-16, 25 January 2026, > 3146 <https://datatracker.ietf.org/doc/html/draft-ietf-cose- 3147 > cbor-encoded-cert-16>. > 3148 > 3149 [I-D.richardson-anima-masa-considerations] > 3150 Richardson, M. and W. Pan, "Operational Considerations for > 3151 Voucher infrastructure for BRSKI MASA", Work in Progress, > 3152 Internet-Draft, draft-richardson-anima-masa- > 3153 considerations-09, 22 January 2025, > 3154 <https://datatracker.ietf.org/doc/html/draft-richardson- 3155 > anima-masa-considerations-09>. > 3156 > 3157 [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet > 3158 Control Message Protocol (ICMPv6) for the Internet > 3159 Protocol Version 6 (IPv6) Specification", STD 89, > 3160 RFC 4443, DOI 10.17487/RFC4443, March 2006, > 3161 <https://www.rfc-editor.org/rfc/rfc4443>. > 3162 > 3163 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, > 3164 RFC 5652, DOI 10.17487/RFC5652, September 2009, > 3165 <https://www.rfc-editor.org/rfc/rfc5652>. > 3166 > 3167 [RFC6282] Hui, J., Ed. and P. Thubert, "Compression Format for IPv6 > 3168 Datagrams over IEEE 802.15.4-Based Networks", RFC 6282, > 3169 DOI 10.17487/RFC6282, September 2011, > 3170 <https://www.rfc-editor.org/rfc/rfc6282>. > 3171 > 3172 [RFC6775] Shelby, Z., Ed., Chakrabarti, S., Nordmark, E., and C. > 3173 Bormann, "Neighbor Discovery Optimization for IPv6 over > 3174 Low-Power Wireless Personal Area Networks (6LoWPANs)", > 3175 RFC 6775, DOI 10.17487/RFC6775, November 2012, > 3176 <https://www.rfc-editor.org/rfc/rfc6775>. > 3177 > 3178 [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type > 3179 Specifications and Registration Procedures", BCP 13, > 3180 RFC 6838, DOI 10.17487/RFC6838, January 2013, > 3181 <https://www.rfc-editor.org/rfc/rfc6838>. > 3182 > 3183 [RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for > 3184 Constrained-Node Networks", RFC 7228, > 3185 DOI 10.17487/RFC7228, May 2014, > 3186 <https://www.rfc-editor.org/rfc/rfc7228>. > 3187 > 3188 > 3189 > 3190 > 3191 > 3192 Richardson, et al. Expires 31 August 2026 [Page 57] > 3193 > 3194 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3195 > 3196 > 3197 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", > 3198 RFC 7950, DOI 10.17487/RFC7950, August 2016, > 3199 <https://www.rfc-editor.org/rfc/rfc7950>. > 3200 > 3201 [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, > 3202 "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, > 3203 May 2018,<https://www.rfc-editor.org/rfc/rfc8392>. > 3204 > 3205 [RFC8990] Bormann, C., Carpenter, B., Ed., and B. Liu, Ed., "GeneRic > 3206 Autonomic Signaling Protocol (GRASP)", RFC 8990, > 3207 DOI 10.17487/RFC8990, May 2021, > 3208 <https://www.rfc-editor.org/rfc/rfc8990>. > 3209 > 3210 [RFC9334] Birkholz, H., Thaler, D., Richardson, M., Smith, N., and > 3211 W. Pan, "Remote ATtestation procedureS (RATS) > 3212 Architecture", RFC 9334, DOI 10.17487/RFC9334, January > 3213 2023,<https://www.rfc-editor.org/rfc/rfc9334>. > 3214 > 3215 [RFC9528] Selander, G., Preuß Mattsson, J., and F. Palombini, > 3216 "Ephemeral Diffie-Hellman Over COSE (EDHOC)", RFC 9528, > 3217 DOI 10.17487/RFC9528, March 2024, > 3218 <https://www.rfc-editor.org/rfc/rfc9528>. > 3219 > 3220 [RFC9595] Veillette, M., Ed., Pelov, A., Ed., Petrov, I., Ed., > 3221 Bormann, C., and M. Richardson, "YANG Schema Item > 3222 iDentifier (YANG SID)", RFC 9595, DOI 10.17487/RFC9595, > 3223 July 2024,<https://www.rfc-editor.org/rfc/rfc9595>. > 3224 > 3225 [RFC9597] Looker, T. and M.B. Jones, "CBOR Web Token (CWT) Claims in > 3226 COSE Headers", RFC 9597, DOI 10.17487/RFC9597, June 2024, > 3227 <https://www.rfc-editor.org/rfc/rfc9597>. > 3228 > 3229 [Thread] Thread Group, Inc, "Thread Group website", February 2026, > 3230 <https://www.threadgroup.org/>. > 3231 > 3232 Appendix A. Software and Library Support for cBRSKI > 3233 > 3234 This appendix lists software and security libraries that may be > 3235 useful for implementing cBRSKI functionality. > 3236 > 3237 A.1. Open Source cBRSKI Implementations > 3238 > 3239 There are a few ongoing open source projects to support cBRSKI > 3240 development and testing. These include: > 3241 > 3242 * OpenThread Registrar (OT Registrar) - a cBRSKI Registrar, test > 3243 MASA server, and test Pledge written in Java. Link > 3244 (https://github.com/EskoDijk/ot-registrar) > 3245 > 3246 > 3247 > 3248 Richardson, et al. Expires 31 August 2026 [Page 58] > 3249 > 3250 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3251 > 3252 > 3253 * OpenThread CCM (pre-alpha) - a cBRSKI Pledge and Join Proxy for > 3254 OpenThread-based IoT nodes, written in C/C++. OpenThread nodes > 3255 implement the [Thread] protocol. Link > 3256 (https://github.com/EskoDijk/openthread/pull/7) > 3257 > 3258 * OpenThread Network Simulator v2 (OTNS2) - a CLI + GUI simulator > 3259 for OpenThread IoT nodes in 6LoWPAN [RFC6282] mesh networks, able > 3260 to accurately simulate cBRSKI Pledges onboarding (pre-alpha > 3261 functionality) to a Thread mesh network via an OT Registrar. Link > 3262 (https://github.com/EskoDijk/ot-ns/pull/165) > 3263 > 3264 * Fountain - a BRSKI/6TiSCH Registrar with support for COSE-signed > 3265 vouchers, written in Ruby. Link (https://github.com/AnimaGUS- > 3266 minerva/fountain) > 3267 > 3268 A.2. Security Library Support > 3269 > 3270 For the implementation of BRSKI/cBRSKI, the use of a software library > 3271 to manipulate PKIX certificates, establish secure (D)TLS connections, > 3272 and use crypto algorithms is often beneficial. Two C-based examples > 3273 are OpenSSL and mbedtls. Others more targeted to specific platforms > 3274 or languages exist. It is important to realize that the library > 3275 interfaces differ significantly between libraries. > 3276 > 3277 Libraries do not support all known crypto algorithms. Before > 3278 deciding on a library, it is important to look at their supported > 3279 crypto algorithms and the roadmap for future support. Apart from > 3280 availability, the library footprint, and the required execution > 3281 cycles should be investigated beforehand. > 3282 > 3283 The handling of certificates usually includes the checking of a > 3284 certificate chain. In some libraries, chains are constructed and > 3285 verified on the basis of a set of certificates, the trust anchor > 3286 (usually a self signed root CA), and the target certificate. In > 3287 other libraries, the chain must be constructed beforehand and obey > 3288 ordering criteria. Verification always includes the checking of the > 3289 signatures. Less frequent is the checking the validity of the dates > 3290 or checking the existence of a revoked certificate in the chain > 3291 against a set of revoked certificates. Checking the chain on the > 3292 consistency of the certificate extensions which specify the use of > 3293 the certificate usually needs to be programmed explicitly. > 3294 > 3295 A library can be used to construct a (D)TLS connection. It is useful > 3296 to realize that differences between (D)TLS implementations will occur > 3297 due to the differences in the certificate checks supported by the > 3298 library. On top of that, checks between client and server > 3299 certificates enforced by (D)TLS are not always helpful for a BRSKI > 3300 implementation. For example, the certificates of Pledge and > 3301 > 3302 > 3303 > 3304 Richardson, et al. Expires 31 August 2026 [Page 59] > 3305 > 3306 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3307 > 3308 > 3309 Registrar are usually not related when the BRSKI protocol is started. > 3310 It must be verified that checks on the relation between client and > 3311 server certificates do not hamper a succeful DTLS connection > 3312 establishment. > 3313 > 3314 A.2.1. OpensSSL Example Code > 3315 > 3316 From OpenSSL's apps/verify.c : > 3317 > 3318 <CODE BEGINS> > 3319 X509 *x = NULL; > 3320 int i = 0, ret = 0; > 3321 X509_STORE_CTX *csc; > 3322 STACK_OF(X509) *chain = NULL; > 3323 int num_untrusted; > 3324 > 3325 x = load_cert(file, "certificate file"); > 3326 if (x == NULL) > 3327 goto end; > 3328 > 3329 csc = X509_STORE_CTX_new(); > 3330 if (csc == NULL) { > 3331 BIO_printf(bio_err, "error %s: X.509 store context" > 3332 "allocation failed\n", > 3333 (file == NULL) ? "stdin" : file); > 3334 goto end; > 3335 } > 3336 > 3337 X509_STORE_set_flags(ctx, vflags); > 3338 if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) { > 3339 X509_STORE_CTX_free(csc); > 3340 BIO_printf(bio_err, > 3341 "error %s: X.509 store context" > 3342 "initialization failed\n", > 3343 (file == NULL) ? "stdin" : file); > 3344 goto end; > 3345 } > 3346 if (tchain != NULL) > 3347 X509_STORE_CTX_set0_trusted_stack(csc, tchain); > 3348 if (crls != NULL) > 3349 X509_STORE_CTX_set0_crls(csc, crls); > 3350 > 3351 i = X509_verify_cert(csc); > 3352 X509_STORE_CTX_free(csc); > 3353 > 3354 <CODE ENDS> > 3355 > 3356 > 3357 > 3358 > 3359 > 3360 Richardson, et al. Expires 31 August 2026 [Page 60] > 3361 > 3362 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3363 > 3364 > 3365 A.2.2. mbedTLS Example Code > 3366 > 3367 <CODE BEGINS> > 3368 mbedtls_x509_crt cert; > 3369 mbedtls_x509_crt caCert; > 3370 uint32_t certVerifyResultFlags; > 3371 // ... > 3372 int result = mbedtls_x509_crt_verify(&cert, &caCert, NULL, NULL, > 3373 &certVerifyResultFlags, NULL, NULL); > 3374 > 3375 <CODE ENDS> > 3376 > 3377 A.3. Generating Certificates with OpenSSL > 3378 > 3379 This informative appendix shows example Bash shell scripts to > 3380 generate test PKIX certificates for the Pledge IDevID, the Registrar > 3381 and the MASA. The shell scripts cannot be run stand-alone because > 3382 they depend on input files which are not all included in this > 3383 appendix. Nevertheless, these scripts may provide guidance on how > 3384 OpenSSL can be configured for generating cBRSKI certificates. > 3385 > 3386 The scripts were tested with OpenSSL 3.0.2. Older versions may not > 3387 work -- OpenSSL 1.1.1 for example does not support all extensions > 3388 used. > 3389 > 3390 > 3391 > 3392 > 3393 > 3394 > 3395 > 3396 > 3397 > 3398 > 3399 > 3400 > 3401 > 3402 > 3403 > 3404 > 3405 > 3406 > 3407 > 3408 > 3409 > 3410 > 3411 > 3412 > 3413 > 3414 > 3415 > 3416 Richardson, et al. Expires 31 August 2026 [Page 61] > 3417 > 3418 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3419 > 3420 > 3421 <CODE BEGINS> > 3422 #!/bin/bash > 3423 # File: create-cert-Pledge.sh > 3424 # Create new cert for: Pledge IDevID > 3425 > 3426 # days certificate is valid - try to get close to the 802.1AR > 3427 # specified 9999-12-31 end date. > 3428 SECONDS1=`date +%s` # time now > 3429 SECONDS2=`date --date="9999-12-31 23:59:59Z" +%s` # target end time > 3430 let VALIDITY="(${SECONDS2}-${SECONDS1})/(24*3600)" > 3431 echo "Using validity param -days ${VALIDITY}" > 3432 > 3433 NAME=pledge > 3434 > 3435 # create csr for device > 3436 # conform to 802.1AR guidelines, using only CN + serialNumber when > 3437 # manufacturer is already present as CA. > 3438 # CN is not even mandatory, but just good practice. > 3439 openssl req -new -key keys/privkey_pledge.pem -out $NAME.csr -subj \ > 3440 "/CN=Stok IoT sensor Y-42/serialNumber=JADA123456789" > 3441 > 3442 # sign csr - it uses faketime only to get endtime to 23:59:59Z > 3443 faketime '23:59:59Z' \ > 3444 openssl x509 -set_serial 32429 -CAform PEM -CA output/masa_ca.pem \ > 3445 -CAkey keys/privkey_masa_ca.pem -extfile x509v3.ext -extensions \ > 3446 pledge_ext -req -in $NAME.csr -out output/$NAME.pem \ > 3447 -days $VALIDITY -sha256 > 3448 > 3449 # Note: alternative method using 'ca' command. Currently > 3450 # doesn't work without 'country' subject field. > 3451 # openssl ca -rand_serial -enddate 99991231235959Z -certform PEM \ > 3452 # -cert output/masa_ca.pem -keyfile keys/privkey_masa_ca.pem \ > 3453 # -extfile x509v3.ext -extensions pledge_ext -in $NAME.csr \ > 3454 # -out $NAME.pem -outdir output > 3455 > 3456 # delete temp files > 3457 rm -f $NAME.csr > 3458 > 3459 # convert to .der format > 3460 openssl x509 -in output/$NAME.pem -inform PEM -out output/$NAME.der \ > 3461 -outform DER > 3462 > 3463 <CODE ENDS> > 3464 > 3465 > 3466 > 3467 > 3468 > 3469 > 3470 > 3471 > 3472 Richardson, et al. Expires 31 August 2026 [Page 62] > 3473 > 3474 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3475 > 3476 > 3477 <CODE BEGINS> > 3478 # File: x509v3.ext > 3479 # This file contains all X509v3 extension definitions for OpenSSL > 3480 # certificate generation. Each certificate has its own _ext > 3481 # section below. > 3482 > 3483 [ req ] > 3484 prompt = no > 3485 > 3486 [ masa_ca_ext ] > 3487 subjectAltName=email:info@masa.stok.nl > 3488 keyUsage = critical,digitalSignature, keyCertSign, cRLSign > 3489 basicConstraints = critical,CA:TRUE,pathlen:3 > 3490 subjectKeyIdentifier=hash > 3491 authorityKeyIdentifier=keyid > 3492 > 3493 [ pledge_ext ] > 3494 keyUsage = critical,digitalSignature, nonRepudiation, \ > 3495 keyEncipherment, dataEncipherment > 3496 # basicConstraints for a non-CA cert MAY be marked either > 3497 # non-critical or critical. > 3498 basicConstraints =CA:FALSE > 3499 # Don't include subjectKeyIdentifier (SKI) - see 802.1AR-2018 > 3500 subjectKeyIdentifier = none > 3501 authorityKeyIdentifier=keyid > 3502 # Include the MASA URI > 3503 1.3.6.1.5.5.7.1.32 =ASN1:IA5STRING:masa.stok.nl > 3504 > 3505 [ domain_ca_ext ] > 3506 subjectAltName=email:help@custom-er.example.com > 3507 keyUsage = critical, keyCertSign, digitalSignature, cRLSign > 3508 basicConstraints=critical,CA:TRUE > 3509 # RFC 5280 4.2.1.1 : AKI MAY be omitted, and MUST be non-critical; > 3510 # SKI MUST be non-critical > 3511 subjectKeyIdentifier=hash > 3512 > 3513 [ registrar_ext ] > 3514 keyUsage = critical, digitalSignature, nonRepudiation, \ > 3515 keyEncipherment, dataEncipherment > 3516 basicConstraints=CA:FALSE > 3517 subjectKeyIdentifier=hash > 3518 authorityKeyIdentifier=keyid > 3519 # Set Registrar 'RA' flag along with TLS client/server usage > 3520 # see draft-ietf-anima-constrained-voucher#section-7.3 > 3521 # see tools.ietf.org/html/rfc6402#section-2.10 > 3522 # seewww.openssl.org/docs/man1.1.1/man5/x509v3_config.html > 3523 extendedKeyUsage = critical,1.3.6.1.5.5.7.3.28, serverAuth, \ > 3524 clientAuth > 3525 > 3526 > 3527 > 3528 Richardson, et al. Expires 31 August 2026 [Page 63] > 3529 > 3530 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3531 > 3532 > 3533 <CODE ENDS> > 3534 > 3535 <CODE BEGINS> > 3536 #!/bin/bash > 3537 # File: create-cert-Registrar.sh > 3538 # Create new cert for: Registrar in a company domain > 3539 > 3540 # days certificate is valid > 3541 VALIDITY=1095 > 3542 > 3543 # cert filename > 3544 NAME=registrar > 3545 > 3546 # create csr > 3547 openssl req -new -key keys/privkey_registrar.pem -out $NAME.csr \ > 3548 -subj "/CN=Custom-ER Registrar/OU=Office dept/O=Custom-ER, Inc./\ > 3549 L=Ottowa/ST=ON/C=CA" > 3550 > 3551 # sign csr > 3552 openssl x509 -set_serial 0xC3F62149B2E30E3E -CAform PEM -CA \ > 3553 output/domain_ca.pem -extfile x509v3.ext -extensions registrar_ext \ > 3554 -req -in $NAME.csr -CAkey keys/privkey_domain_ca.pem \ > 3555 -out output/$NAME.pem -days $VALIDITY -sha256 > 3556 > 3557 # delete temp files > 3558 rm -f $NAME.csr > 3559 > 3560 # convert to .der format > 3561 openssl x509 -in output/$NAME.pem -inform PEM -out output/$NAME.der \ > 3562 -outform DER > 3563 > 3564 <CODE ENDS> > 3565 > 3566 > 3567 > 3568 > 3569 > 3570 > 3571 > 3572 > 3573 > 3574 > 3575 > 3576 > 3577 > 3578 > 3579 > 3580 > 3581 > 3582 > 3583 > 3584 Richardson, et al. Expires 31 August 2026 [Page 64] > 3585 > 3586 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3587 > 3588 > 3589 <CODE BEGINS> > 3590 #!/bin/bash > 3591 # File: create-cert-MASA.sh > 3592 # Create new cert for: MASA CA, self-signed CA certificate > 3593 > 3594 # days certificate is valid > 3595 VALIDITY=3650 > 3596 > 3597 NAME=masa_ca > 3598 > 3599 # create csr > 3600 openssl req -new -key keys/privkey_masa_ca.pem -out $NAME.csr \ > 3601 -subj "/CN=masa.stok.nl/O=vanderstok/L=Helmond/C=NL" > 3602 > 3603 # sign csr > 3604 mkdir output >& /dev/null > 3605 openssl x509 -set_serial 0xE39CDA17E1386A0A -extfile x509v3.ext \ > 3606 -extensions masa_ca_ext -req -in $NAME.csr \ > 3607 -signkey keys/privkey_masa_ca.pem -out output/$NAME.pem \ > 3608 -days $VALIDITY -sha256 > 3609 > 3610 # delete temp files > 3611 rm -f $NAME.csr > 3612 > 3613 # convert to .der format > 3614 openssl x509 -in output/$NAME.pem -inform PEM -out output/$NAME.der \ > 3615 -outform DER > 3616 > 3617 <CODE ENDS> > 3618 > 3619 Appendix B. cBRSKI Message Examples > 3620 > 3621 This appendix extends the EST-coaps message examples from Appendix A > 3622 of [RFC9148] with cBRSKI messages. The CoAP headers are only fully > 3623 worked out for the first example, enrollstatus. > 3624 > 3625 B.1. enrollstatus > 3626 > 3627 A coaps enrollstatus message from Pledge to Registrar can be as > 3628 follows: > 3629 > 3630 REQ: POST /b/es > 3631 Content-Format: 60 (application/cbor) > 3632 Payload: <binary CBOR encoding of an enrollstatus map> > 3633 > 3634 The corresponding CoAP header fields for this request are shown > 3635 below. > 3636 > 3637 > 3638 > 3639 > 3640 Richardson, et al. Expires 31 August 2026 [Page 65] > 3641 > 3642 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3643 > 3644 > 3645 Ver = 1 > 3646 T = 0 (CON) > 3647 TKL = 1 > 3648 Code = 0x02 (0.02 is POST method) > 3649 Message ID = 0xab0f > 3650 Token = 0x4d > 3651 Options > 3652 Option (Uri-Path) > 3653 Option Delta = 0xb (option nr = 11) > 3654 Option Length = 0x1 > 3655 Option Value = "b" > 3656 Option (Uri-Path) > 3657 Option Delta = 0x0 (option nr = 11) > 3658 Option Length = 0x2 > 3659 Option Value = "es" > 3660 Option (Content-Format) > 3661 Option Delta = 0x1 (option nr = 12) > 3662 Option Length = 0x1 > 3663 Option Value = 60 (application/cbor) > 3664 Payload Marker = 0xFF > 3665 Payload = A26776657273696F6E0166737461747573F5 (18 bytes binary) > 3666 > 3667 The Uri-Host and Uri-Port Options are omitted because they coincide > 3668 with the transport protocol (UDP) destination address and port > 3669 respectively. > 3670 > 3671 The above binary CBOR enrollstatus payload looks as follows in CBOR > 3672 diagnostic notation, for the case of enrollment success: > 3673 > 3674 { > 3675 "version": 1, > 3676 "status": true > 3677 } > 3678 > 3679 Alternatively the payload could look as follows in case of enrollment > 3680 failure, using the 'reason' map item value to describe the failure: > 3681 > 3682 Payload = A36776657273696F6E0166737461747573F466726561736F6E782A3C > 3683 496E666F726D61746976652068756D616E207265616461626C652065 > 3684 72726F72206D6573736167653E (69 bytes binary) > 3685 > 3686 { > 3687 "version": 1, > 3688 "status": false, > 3689 "reason": "<Informative human readable error message>" > 3690 } > 3691 > 3692 > 3693 > 3694 > 3695 > 3696 Richardson, et al. Expires 31 August 2026 [Page 66] > 3697 > 3698 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3699 > 3700 > 3701 To indicate successful reception of the enrollmentstatus telemetry > 3702 report, a response from the Registrar may then be: > 3703 > 3704 2.04 Changed > 3705 > 3706 Which in case of a piggybacked response has the following CoAP header > 3707 fields: > 3708 > 3709 Ver=1 > 3710 T=2 (ACK) > 3711 TKL=1 > 3712 Code = 0x44 (2.04 Changed) > 3713 Message ID = 0xab0f > 3714 Token = 0x4d > 3715 > 3716 B.2. voucher_status > 3717 > 3718 A coaps voucher_status message from Pledge to Registrar can be as > 3719 follows: > 3720 > 3721 REQ: POST /.well-known/brski/vs > 3722 Content-Format: 60 (application/cbor) > 3723 Payload: > 3724 A46776657273696F6E0166737461747573F466726561736F6E7828496E66 > 3725 6F726D61746976652068756D616E2D7265616461626C65206572726F7220 > 3726 6D6573736167656E726561736F6E2D636F6E74657874A100764164646974 > 3727 696F6E616C20696E666F726D6174696F6E > 3728 > 3729 The request payload above is binary CBOR but represented here in > 3730 hexadecimal for readability. Below is the equivalent CBOR diagnostic > 3731 format. > 3732 > 3733 { > 3734 "version": 1, > 3735 "status": false, > 3736 "reason": "Informative human-readable error message", > 3737 "reason-context": { 0: "Additional information" } > 3738 } > 3739 > 3740 A success response without payload will then be sent by the Registrar > 3741 back to the Pledge to indicate reception of the telemetry report: > 3742 > 3743 RES: 2.04 Changed > 3744 > 3745 > 3746 > 3747 > 3748 > 3749 > 3750 > 3751 > 3752 Richardson, et al. Expires 31 August 2026 [Page 67] > 3753 > 3754 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3755 > 3756 > 3757 Appendix C. COSE-signed Voucher (Request) Examples > 3758 > 3759 This appendix provides examples of COSE-signed voucher requests and > 3760 vouchers. First, the used test keys and PKIX certificates are > 3761 described, followed by examples of a constrained PVR, RVR and > 3762 voucher. > 3763 > 3764 C.1. Pledge, Registrar and MASA Keys > 3765 > 3766 This section documents the public and private keys used for all > 3767 examples in this appendix. These keys are not used in any production > 3768 system, and must only be used for testing purposes. > 3769 > 3770 C.1.1. Pledge IDevID Private Key > 3771 > 3772 -----BEGIN EC PRIVATE KEY----- > 3773 MHcCAQEEIMv+C4dbzeyrEH20qkpFlWIH2FFACGZv9kW7rNWtSlYtoAoGCCqGSM49 > 3774 AwEHoUQDQgAESH6OUiYFRhfIgWl4GG8jHoj8a+8rf6t5s1mZ/4SePlKom39GQ34p > 3775 VYryJ9aHmboLLfz69bzICQFKbkoQ5oaiew== > 3776 -----END EC PRIVATE KEY----- > 3777 > 3778 Private-Key: (256 bit) > 3779 priv: > 3780 cb:fe:0b:87:5b:cd:ec:ab:10:7d:b4:aa:4a:45:95: > 3781 62:07:d8:51:40:08:66:6f:f6:45:bb:ac:d5:ad:4a: > 3782 56:2d > 3783 pub: > 3784 04:48:7e:8e:52:26:05:46:17:c8:81:69:78:18:6f: > 3785 23:1e:88:fc:6b:ef:2b:7f:ab:79:b3:59:99:ff:84: > 3786 9e:3e:52:a8:9b:7f:46:43:7e:29:55:8a:f2:27:d6: > 3787 87:99:ba:0b:2d:fc:fa:f5:bc:c8:09:01:4a:6e:4a: > 3788 10:e6:86:a2:7b > 3789 ASN1 OID: prime256v1 > 3790 NIST CURVE: P-256 > 3791 > 3792 C.1.2. Registrar Private Key > 3793 > 3794 -----BEGIN PRIVATE KEY----- > 3795 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgYJ/MP0dWA9BkYd4W > 3796 s6oRY62hDddaEmrAVm5dtAXE/UGhRANCAAQgMIVb6EaRCz7LFcr4Vy0+tWW9xlSh > 3797 Xvr27euqi54WCMXJEMk6IIaPyFBNNw8bJvqXWfZ5g7t4hj7amsvqUST2 > 3798 -----END PRIVATE KEY----- > 3799 > 3800 > 3801 > 3802 > 3803 > 3804 > 3805 > 3806 > 3807 > 3808 Richardson, et al. Expires 31 August 2026 [Page 68] > 3809 > 3810 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3811 > 3812 > 3813 Private-Key: (256 bit) > 3814 priv: > 3815 60:9f:cc:3f:47:56:03:d0:64:61:de:16:b3:aa:11: > 3816 63:ad:a1:0d:d7:5a:12:6a:c0:56:6e:5d:b4:05:c4: > 3817 fd:41 > 3818 pub: > 3819 04:20:30:85:5b:e8:46:91:0b:3e:cb:15:ca:f8:57: > 3820 2d:3e:b5:65:bd:c6:54:a1:5e:fa:f6:ed:eb:aa:8b: > 3821 9e:16:08:c5:c9:10:c9:3a:20:86:8f:c8:50:4d:37: > 3822 0f:1b:26:fa:97:59:f6:79:83:bb:78:86:3e:da:9a: > 3823 cb:ea:51:24:f6 > 3824 ASN1 OID: prime256v1 > 3825 NIST CURVE: P-256 > 3826 > 3827 C.1.3. MASA Private Key > 3828 > 3829 -----BEGIN PRIVATE KEY----- > 3830 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgrbJ1oU+HIJ2SWYAk > 3831 DkBTL+YNPxQG+gwsMsZB94N8mZ2hRANCAASS9NVlWJdztwNY81yPlH2UODYWhlYA > 3832 ZfsqnEPSFZKnq8mq8gF78ZVbYi6q2FEg8kkORY/rpIU/X7SQsRuD+wMW > 3833 -----END PRIVATE KEY----- > 3834 > 3835 Private-Key: (256 bit) > 3836 priv: > 3837 ad:b2:75:a1:4f:87:20:9d:92:59:80:24:0e:40:53: > 3838 2f:e6:0d:3f:14:06:fa:0c:2c:32:c6:41:f7:83:7c: > 3839 99:9d > 3840 pub: > 3841 04:92:f4:d5:65:58:97:73:b7:03:58:f3:5c:8f:94: > 3842 7d:94:38:36:16:86:56:00:65:fb:2a:9c:43:d2:15: > 3843 92:a7:ab:c9:aa:f2:01:7b:f1:95:5b:62:2e:aa:d8: > 3844 51:20:f2:49:0e:45:8f:eb:a4:85:3f:5f:b4:90:b1: > 3845 1b:83:fb:03:16 > 3846 ASN1 OID: prime256v1 > 3847 NIST CURVE: P-256 > 3848 > 3849 C.2. Pledge, Registrar, Domain CA and MASA Certificates > 3850 > 3851 All keys and PKIX certificates used for the examples have been > 3852 generated with OpenSSL - see Appendix A.3 for more details on > 3853 certificate generation. Below the certificates are listed that > 3854 accompany the keys shown above. Each certificate description is > 3855 followed by the hexadecimal representation of the X.509 ASN.1 DER > 3856 encoded certificate. This representation can be for example decoded > 3857 using an online ASN.1 decoder. > 3858 > 3859 C.2.1. Pledge IDevID Certificate > 3860 > 3861 > 3862 > 3863 > 3864 Richardson, et al. Expires 31 August 2026 [Page 69] > 3865 > 3866 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3867 > 3868 > 3869 Certificate: > 3870 Data: > 3871 Version: 3 (0x2) > 3872 Serial Number: 32429 (0x7ead) > 3873 Signature Algorithm: ecdsa-with-SHA256 > 3874 Issuer: CN = masa.stok.nl, O = vanderstok, L = Helmond, > 3875 C = NL > 3876 Validity > 3877 Not Before: Dec 9 12:50:47 2022 GMT > 3878 Not After : Dec 31 12:50:47 9999 GMT > 3879 Subject: CN = Stok IoT sensor Y-42, serialNumber = JADA123456789 > 3880 Subject Public Key Info: > 3881 Public Key Algorithm: id-ecPublicKey > 3882 Public-Key: (256 bit) > 3883 pub: > 3884 04:48:7e:8e:52:26:05:46:17:c8:81:69:78:18:6f: > 3885 23:1e:88:fc:6b:ef:2b:7f:ab:79:b3:59:99:ff:84: > 3886 9e:3e:52:a8:9b:7f:46:43:7e:29:55:8a:f2:27:d6: > 3887 87:99:ba:0b:2d:fc:fa:f5:bc:c8:09:01:4a:6e:4a: > 3888 10:e6:86:a2:7b > 3889 ASN1 OID: prime256v1 > 3890 NIST CURVE: P-256 > 3891 X509v3 extensions: > 3892 X509v3 Key Usage: critical > 3893 Digital Signature, Non Repudiation, Key Encipherment, > 3894 Data Encipherment > 3895 X509v3 Basic Constraints: > 3896 CA:FALSE > 3897 X509v3 Authority Key Identifier: > 3898 CB:8D:98:CA:74:C5:1B:58:DD:E7:AC:EF:86:9A:94:43:A8:D6:66:A6 > 3899 1.3.6.1.5.5.7.1.32: > 3900 hl=2 l= 12 prim: IA5STRING :masa.stok.nl > 3901 > 3902 Signature Algorithm: ecdsa-with-SHA256 > 3903 Signature Value: > 3904 30:45:02:20:4d:89:90:7e:03:fb:52:56:42:0c:3f:c1:b1:f1: > 3905 47:b5:b3:93:65:45:2e:be:50:db:67:85:8f:23:89:a2:3f:9e: > 3906 02:21:00:95:33:69:d1:c6:db:f0:f1:f6:52:24:59:d3:0a:95: > 3907 4e:b2:f4:96:a1:31:3c:7b:d9:2f:28:b3:29:71:bb:60:df > 3908 > 3909 Below is the hexadecimal representation of the binary X.509 DER- > 3910 encoded certificate: > 3911 > 3912 > 3913 > 3914 > 3915 > 3916 > 3917 > 3918 > 3919 > 3920 Richardson, et al. Expires 31 August 2026 [Page 70] > 3921 > 3922 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3923 > 3924 > 3925 308201CE30820174A00302010202027EAD300A06082A8648CE3D040302304B31 > 3926 15301306035504030C0C6D6173612E73746F6B2E6E6C31133011060355040A0C > 3927 0A76616E64657273746F6B3110300E06035504070C0748656C6D6F6E64310B30 > 3928 09060355040613024E4C3020170D3232313230393132353034375A180F393939 > 3929 39313233313132353034375A3037311D301B06035504030C1453746F6B20496F > 3930 542073656E736F7220592D3432311630140603550405130D4A41444131323334 > 3931 35363738393059301306072A8648CE3D020106082A8648CE3D03010703420004 > 3932 487E8E5226054617C8816978186F231E88FC6BEF2B7FAB79B35999FF849E3E52 > 3933 A89B7F46437E29558AF227D68799BA0B2DFCFAF5BCC809014A6E4A10E686A27B > 3934 A35A3058300E0603551D0F0101FF0404030204F030090603551D130402300030 > 3935 1F0603551D23041830168014CB8D98CA74C51B58DDE7ACEF869A9443A8D666A6 > 3936 301A06082B06010505070120040E160C6D6173612E73746F6B2E6E6C300A0608 > 3937 2A8648CE3D040302034800304502204D89907E03FB5256420C3FC1B1F147B5B3 > 3938 9365452EBE50DB67858F2389A23F9E022100953369D1C6DBF0F1F6522459D30A > 3939 954EB2F496A1313C7BD92F28B32971BB60DF > 3940 > 3941 C.2.2. Registrar Certificate > 3942 > 3943 > 3944 > 3945 > 3946 > 3947 > 3948 > 3949 > 3950 > 3951 > 3952 > 3953 > 3954 > 3955 > 3956 > 3957 > 3958 > 3959 > 3960 > 3961 > 3962 > 3963 > 3964 > 3965 > 3966 > 3967 > 3968 > 3969 > 3970 > 3971 > 3972 > 3973 > 3974 > 3975 > 3976 Richardson, et al. Expires 31 August 2026 [Page 71] > 3977 > 3978 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 3979 > 3980 > 3981 Certificate: > 3982 Data: > 3983 Version: 3 (0x2) > 3984 Serial Number: > 3985 c3:f6:21:49:b2:e3:0e:3e > 3986 Signature Algorithm: ecdsa-with-SHA256 > 3987 Issuer: CN = Custom-ER Global CA, OU = IT, O = "Custom-ER, Inc.", > 3988 L = San Jose, ST = CA, C = US > 3989 Validity > 3990 Not Before: Dec 9 12:50:47 2022 GMT > 3991 Not After : Dec 8 12:50:47 2025 GMT > 3992 Subject: CN = Custom-ER Registrar, OU = Office dept, O = "Custom-ER, > 3993 Inc.", L = Ottowa, ST = ON, C = CA > 3994 Subject Public Key Info: > 3995 Public Key Algorithm: id-ecPublicKey > 3996 Public-Key: (256 bit) > 3997 pub: > 3998 04:20:30:85:5b:e8:46:91:0b:3e:cb:15:ca:f8:57: > 3999 2d:3e:b5:65:bd:c6:54:a1:5e:fa:f6:ed:eb:aa:8b: > 4000 9e:16:08:c5:c9:10:c9:3a:20:86:8f:c8:50:4d:37: > 4001 0f:1b:26:fa:97:59:f6:79:83:bb:78:86:3e:da:9a: > 4002 cb:ea:51:24:f6 > 4003 ASN1 OID: prime256v1 > 4004 NIST CURVE: P-256 > 4005 X509v3 extensions: > 4006 X509v3 Key Usage: critical > 4007 Digital Signature, Non Repudiation, Key Encipherment, > 4008 Data Encipherment > 4009 X509v3 Basic Constraints: > 4010 CA:FALSE > 4011 X509v3 Subject Key Identifier: > 4012 C9:08:0B:38:7D:8D:D8:5B:3A:59:E7:EC:10:0B:86:63:93:A9:CA:4C > 4013 X509v3 Authority Key Identifier: > 4014 92:EA:76:40:40:4A:8F:AB:4F:27:0B:F3:BC:37:9D:86:CD:72:80:F8 > 4015 X509v3 Extended Key Usage: critical > 4016 CMC Registration Authority, TLS Web Server Authentication, > 4017 TLS Web Client Authentication > 4018 Signature Algorithm: ecdsa-with-SHA256 > 4019 Signature Value: > 4020 30:45:02:21:00:d8:4a:7c:69:2f:f9:58:6e:82:22:87:18:f6: > 4021 3b:c3:05:f0:ae:b8:ae:ec:42:78:82:38:79:81:2a:5d:15:61: > 4022 64:02:20:08:f2:3c:13:69:13:b0:2c:e2:63:09:d5:99:4f:eb: > 4023 75:70:af:af:ed:98:cd:f1:12:11:c0:37:f7:18:4d:c1:9d > 4024 > 4025 Below is the hexadecimal representation of the binary X.509 DER- > 4026 encoded certificate: > 4027 > 4028 > 4029 > 4030 > 4031 > 4032 Richardson, et al. Expires 31 August 2026 [Page 72] > 4033 > 4034 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4035 > 4036 > 4037 3082026D30820213A003020102020900C3F62149B2E30E3E300A06082A8648CE > 4038 3D0403023072311C301A06035504030C13437573746F6D2D455220476C6F6261 > 4039 6C204341310B3009060355040B0C02495431183016060355040A0C0F43757374 > 4040 6F6D2D45522C20496E632E3111300F06035504070C0853616E204A6F7365310B > 4041 300906035504080C024341310B3009060355040613025553301E170D32323132 > 4042 30393132353034375A170D3235313230383132353034375A3079311C301A0603 > 4043 5504030C13437573746F6D2D4552205265676973747261723114301206035504 > 4044 0B0C0B4F6666696365206465707431183016060355040A0C0F437573746F6D2D > 4045 45522C20496E632E310F300D06035504070C064F74746F7761310B3009060355 > 4046 04080C024F4E310B30090603550406130243413059301306072A8648CE3D0201 > 4047 06082A8648CE3D030107034200042030855BE846910B3ECB15CAF8572D3EB565 > 4048 BDC654A15EFAF6EDEBAA8B9E1608C5C910C93A20868FC8504D370F1B26FA9759 > 4049 F67983BB78863EDA9ACBEA5124F6A3818A308187300E0603551D0F0101FF0404 > 4050 030204F030090603551D1304023000301D0603551D0E04160414C9080B387D8D > 4051 D85B3A59E7EC100B866393A9CA4C301F0603551D2304183016801492EA764040 > 4052 4A8FAB4F270BF3BC379D86CD7280F8302A0603551D250101FF0420301E06082B > 4053 0601050507031C06082B0601050507030106082B06010505070302300A06082A > 4054 8648CE3D0403020348003045022100D84A7C692FF9586E82228718F63BC305F0 > 4055 AEB8AEEC4278823879812A5D156164022008F23C136913B02CE26309D5994FEB > 4056 7570AFAFED98CDF11211C037F7184DC19D > 4057 > 4058 C.2.3. Domain CA Certificate > 4059 > 4060 The Domain CA certificate is the CA of the owner's domain. It has > 4061 signed the Registrar (RA) certificate. > 4062 > 4063 > 4064 > 4065 > 4066 > 4067 > 4068 > 4069 > 4070 > 4071 > 4072 > 4073 > 4074 > 4075 > 4076 > 4077 > 4078 > 4079 > 4080 > 4081 > 4082 > 4083 > 4084 > 4085 > 4086 > 4087 > 4088 Richardson, et al. Expires 31 August 2026 [Page 73] > 4089 > 4090 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4091 > 4092 > 4093 Certificate: > 4094 Data: > 4095 Version: 3 (0x2) > 4096 Serial Number: 3092288576548618702 (0x2aea0413a42dc1ce) > 4097 Signature Algorithm: ecdsa-with-SHA256 > 4098 Issuer: CN = Custom-ER Global CA, OU = IT, O = "Custom-ER, Inc.", > 4099 L = San Jose, ST = CA, C = US > 4100 Validity > 4101 Not Before: Dec 9 12:50:47 2022 GMT > 4102 Not After : Dec 6 12:50:47 2032 GMT > 4103 Subject: CN = Custom-ER Global CA, OU = IT, O = "Custom-ER, Inc.", > 4104 L = San Jose, ST = CA, C = US > 4105 Subject Public Key Info: > 4106 Public Key Algorithm: id-ecPublicKey > 4107 Public-Key: (256 bit) > 4108 pub: > 4109 04:97:b1:ed:96:91:64:93:09:85:bb:b8:ac:9a:2a: > 4110 f9:45:5c:df:ee:a4:b1:1d:e2:e7:9d:06:8b:fa:80: > 4111 39:26:b4:00:52:51:b3:4f:1c:08:15:a4:cb:e0:3f: > 4112 bd:1b:bc:b6:35:f6:43:1a:22:de:78:65:3b:87:b9: > 4113 95:37:ec:e1:6c > 4114 ASN1 OID: prime256v1 > 4115 NIST CURVE: P-256 > 4116 X509v3 extensions: > 4117 X509v3 Subject Alternative Name: > 4118 email:help@custom-er.example.com > 4119 X509v3 Key Usage: critical > 4120 Digital Signature, Certificate Sign, CRL Sign > 4121 X509v3 Basic Constraints: critical > 4122 CA:TRUE > 4123 X509v3 Subject Key Identifier: > 4124 92:EA:76:40:40:4A:8F:AB:4F:27:0B:F3:BC:37:9D:86:CD:72:80:F8 > 4125 Signature Algorithm: ecdsa-with-SHA256 > 4126 Signature Value: > 4127 30:44:02:20:66:15:df:c3:70:11:f6:73:78:d8:fd:1c:2a:3f: > 4128 bd:d1:3f:51:f6:b6:6f:2d:7c:e2:7a:13:18:21:bb:70:f0:c0: > 4129 02:20:69:86:d8:d2:28:b2:92:6e:23:9e:19:0b:8f:18:25:c9: > 4130 c1:4c:67:95:ff:a0:b3:24:bd:4d:ac:2e:cb:68:d7:13 > 4131 > 4132 Below is the hexadecimal representation of the binary X.509 DER- > 4133 encoded certificate: > 4134 > 4135 > 4136 > 4137 > 4138 > 4139 > 4140 > 4141 > 4142 > 4143 > 4144 Richardson, et al. Expires 31 August 2026 [Page 74] > 4145 > 4146 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4147 > 4148 > 4149 30820242308201E9A00302010202082AEA0413A42DC1CE300A06082A8648CE3D > 4150 0403023072311C301A06035504030C13437573746F6D2D455220476C6F62616C > 4151 204341310B3009060355040B0C02495431183016060355040A0C0F437573746F > 4152 6D2D45522C20496E632E3111300F06035504070C0853616E204A6F7365310B30 > 4153 0906035504080C024341310B3009060355040613025553301E170D3232313230 > 4154 393132353034375A170D3332313230363132353034375A3072311C301A060355 > 4155 04030C13437573746F6D2D455220476C6F62616C204341310B3009060355040B > 4156 0C02495431183016060355040A0C0F437573746F6D2D45522C20496E632E3111 > 4157 300F06035504070C0853616E204A6F7365310B300906035504080C024341310B > 4158 30090603550406130255533059301306072A8648CE3D020106082A8648CE3D03 > 4159 01070342000497B1ED969164930985BBB8AC9A2AF9455CDFEEA4B11DE2E79D06 > 4160 8BFA803926B4005251B34F1C0815A4CBE03FBD1BBCB635F6431A22DE78653B87 > 4161 B99537ECE16CA369306730250603551D11041E301C811A68656C704063757374 > 4162 6F6D2D65722E6578616D706C652E636F6D300E0603551D0F0101FF0404030201 > 4163 86300F0603551D130101FF040530030101FF301D0603551D0E0416041492EA76 > 4164 40404A8FAB4F270BF3BC379D86CD7280F8300A06082A8648CE3D040302034700 > 4165 304402206615DFC37011F67378D8FD1C2A3FBDD13F51F6B66F2D7CE27A131821 > 4166 BB70F0C002206986D8D228B2926E239E190B8F1825C9C14C6795FFA0B324BD4D > 4167 AC2ECB68D713 > 4168 > 4169 C.2.4. MASA Certificate > 4170 > 4171 The MASA CA certificate is the CA that signed the Pledge's IDevID > 4172 certificate. > 4173 > 4174 > 4175 > 4176 > 4177 > 4178 > 4179 > 4180 > 4181 > 4182 > 4183 > 4184 > 4185 > 4186 > 4187 > 4188 > 4189 > 4190 > 4191 > 4192 > 4193 > 4194 > 4195 > 4196 > 4197 > 4198 > 4199 > 4200 Richardson, et al. Expires 31 August 2026 [Page 75] > 4201 > 4202 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4203 > 4204 > 4205 Certificate: > 4206 Data: > 4207 Version: 3 (0x2) > 4208 Serial Number: > 4209 e3:9c:da:17:e1:38:6a:0a > 4210 Signature Algorithm: ecdsa-with-SHA256 > 4211 Issuer: CN = masa.stok.nl, O = vanderstok, L = Helmond, > 4212 C = NL > 4213 Validity > 4214 Not Before: Dec 9 12:50:47 2022 GMT > 4215 Not After : Dec 6 12:50:47 2032 GMT > 4216 Subject: CN = masa.stok.nl, O = vanderstok, L = Helmond, > 4217 C = NL > 4218 Subject Public Key Info: > 4219 Public Key Algorithm: id-ecPublicKey > 4220 Public-Key: (256 bit) > 4221 pub: > 4222 04:92:f4:d5:65:58:97:73:b7:03:58:f3:5c:8f:94: > 4223 7d:94:38:36:16:86:56:00:65:fb:2a:9c:43:d2:15: > 4224 92:a7:ab:c9:aa:f2:01:7b:f1:95:5b:62:2e:aa:d8: > 4225 51:20:f2:49:0e:45:8f:eb:a4:85:3f:5f:b4:90:b1: > 4226 1b:83:fb:03:16 > 4227 ASN1 OID: prime256v1 > 4228 NIST CURVE: P-256 > 4229 X509v3 extensions: > 4230 X509v3 Subject Alternative Name: > 4231 email:info@masa.stok.nl > 4232 X509v3 Key Usage: critical > 4233 Digital Signature, Certificate Sign, CRL Sign > 4234 X509v3 Basic Constraints: critical > 4235 CA:TRUE,pathlen:3 > 4236 X509v3 Subject Key Identifier: > 4237 CB:8D:98:CA:74:C5:1B:58:DD:E7:AC:EF:86:9A:94:43:A8:D6:66:A6 > 4238 Signature Algorithm: ecdsa-with-SHA256 > 4239 Signature Value: > 4240 30:46:02:21:00:94:3f:a5:26:51:68:16:38:5b:78:9a:d8:c3: > 4241 af:8e:49:28:22:60:56:26:43:4a:14:98:3e:e1:e4:81:ad:ca: > 4242 1b:02:21:00:ba:4d:aa:fd:fa:68:42:74:03:2b:a8:41:6b:e2: > 4243 90:0c:9e:7b:b8:c0:9c:f7:0e:3f:b4:36:8a:b3:9c:3e:31:0e > 4244 > 4245 Below is the hexadecimal representation of the binary X.509 DER- > 4246 encoded certificate: > 4247 > 4248 > 4249 > 4250 > 4251 > 4252 > 4253 > 4254 > 4255 > 4256 Richardson, et al. Expires 31 August 2026 [Page 76] > 4257 > 4258 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4259 > 4260 > 4261 308201F130820196A003020102020900E39CDA17E1386A0A300A06082A8648CE > 4262 3D040302304B3115301306035504030C0C6D6173612E73746F6B2E6E6C311330 > 4263 11060355040A0C0A76616E64657273746F6B3110300E06035504070C0748656C > 4264 6D6F6E64310B3009060355040613024E4C301E170D3232313230393132353034 > 4265 375A170D3332313230363132353034375A304B3115301306035504030C0C6D61 > 4266 73612E73746F6B2E6E6C31133011060355040A0C0A76616E64657273746F6B31 > 4267 10300E06035504070C0748656C6D6F6E64310B3009060355040613024E4C3059 > 4268 301306072A8648CE3D020106082A8648CE3D0301070342000492F4D565589773 > 4269 B70358F35C8F947D9438361686560065FB2A9C43D21592A7ABC9AAF2017BF195 > 4270 5B622EAAD85120F2490E458FEBA4853F5FB490B11B83FB0316A3633061301C06 > 4271 03551D11041530138111696E666F406D6173612E73746F6B2E6E6C300E060355 > 4272 1D0F0101FF04040302018630120603551D130101FF040830060101FF02010330 > 4273 1D0603551D0E04160414CB8D98CA74C51B58DDE7ACEF869A9443A8D666A6300A > 4274 06082A8648CE3D0403020349003046022100943FA526516816385B789AD8C3AF > 4275 8E492822605626434A14983EE1E481ADCA1B022100BA4DAAFDFA684274032BA8 > 4276 416BE2900C9E7BB8C09CF70E3FB4368AB39C3E310E > 4277 > 4278 C.3. COSE-signed Pledge Voucher Request (PVR) > 4279 > 4280 In this example, the voucher request (PVR) has been signed by the > 4281 Pledge using the IDevID private key of Appendix C.1.1, and has been > 4282 sent to the link-local constrained Join Proxy (JP) over CoAPS to JP's > 4283 join port. The join port happens to use the default CoAPS UDP port > 4284 5684. > 4285 > 4286 REQ: POST coaps://[JP-link-local-address]/b/rv > 4287 Content-Format: 836 (application/voucher+cose) > 4288 Payload: <signed_pvr> > 4289 > 4290 When the Join Proxy receives the DTLS handshake messages from the > 4291 Pledge, it will relay these messages to the Registrar. The payload > 4292 signed_voucher_request is shown as hexadecimal dump (with lf added) > 4293 below: > 4294 > 4295 D28443A10126A0587EA11909C5A40102074823BFBBC9C2BCF2130C585B305930 > 4296 1306072A8648CE3D020106082A8648CE3D030107034200042030855BE846910B > 4297 3ECB15CAF8572D3EB565BDC654A15EFAF6EDEBAA8B9E1608C5C910C93A20868F > 4298 C8504D370F1B26FA9759F67983BB78863EDA9ACBEA5124F60D6D4A4144413132 > 4299 33343536373839584068987DE8B007F4E9416610BBE2D48E1D7EA1032092B8BF > 4300 CE611421950F45B22F17E214820C07E777ADF86175E25D3205568404C25FCEEC > 4301 1B817C7861A6104B3D > 4302 > 4303 The representation of signed_pvr in CBOR diagnostic format (with lf > 4304 added) is: > 4305 > 4306 > 4307 > 4308 > 4309 > 4310 > 4311 > 4312 Richardson, et al. Expires 31 August 2026 [Page 77] > 4313 > 4314 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4315 > 4316 > 4317 18([h'A10126', {}, h'A11909C5A40102074823BFBBC9C2BCF2130C585B3059301 > 4318 306072A8648CE3D020106082A8648CE3D030107034200042030855BE846910B3ECB1 > 4319 5CAF8572D3EB565BDC654A15EFAF6EDEBAA8B9E1608C5C910C93A20868FC8504D370 > 4320 F1B26FA9759F67983BB78863EDA9ACBEA5124F60D6D4A41444131323334353637383 > 4321 9', h'68987DE8B007F4E9416610BBE2D48E1D7EA1032092B8BFCE611421950F45B2 > 4322 2F17E214820C07E777ADF86175E25D3205568404C25FCEEC1B817C7861A6104B3D'] > 4323 ) > 4324 > 4325 The COSE payload is the PVR voucher data, encoded as a CBOR byte > 4326 string. The diagnostic representation of it is shown below: > 4327 > 4328 {2501: {1: 2, 7: h'23BFBBC9C2BCF213', 12: h'3059301306072A8648CE3D02 > 4329 0106082A8648CE3D030107034200042030855BE846910B3ECB15CAF8572D3EB565BD > 4330 C654A15EFAF6EDEBAA8B9E1608C5C910C93A20868FC8504D370F1B26FA9759F67983 > 4331 BB78863EDA9ACBEA5124F6', 13: "JADA123456789"}} > 4332 > 4333 The Pledge uses the 'proximity' (key '1', SID 2502, enum value 2) > 4334 assertion together with an included 'proximity-registrar-pubk' > 4335 attribute (key '12', SID 2513) to inform MASA about its proximity to > 4336 the specific Registrar. > 4337 > 4338 C.4. COSE-signed Registrar Voucher Request (RVR) > 4339 > 4340 In this example the Registrar's voucher request has been signed by > 4341 the JRC (Registrar) using the private key from Appendix C.1.2. > 4342 Contained within this voucher request is the voucher request PVR that > 4343 was made by the Pledge to JRC. Note that the RVR uses the HTTPS > 4344 protocol (not CoAP) and corresponding long URI path names as defined > 4345 in [RFC8995]. The Content-Type and Accept headers indicate the > 4346 constrained voucher format that is defined in the present document. > 4347 Because the Pledge used this format in the PVR, the JRC must also use > 4348 this format in the RVR. > 4349 > 4350 REQ: POSThttps://masa.stok.nl/.well-known/brski/requestvoucher > 4351 Content-Type: application/voucher+cose > 4352 Accept: application/voucher+cose > 4353 Body: <signed_rvr> > 4354 > 4355 The payload signed_rvr is shown as hexadecimal dump (with lf added): > 4356 > 4357 D28443A10126A11820825902843082028030820225A003020102020900C3F621 > 4358 49B2E30E3E300A06082A8648CE3D0403023072311C301A06035504030C134375 > 4359 73746F6D2D455220476C6F62616C204341310B3009060355040B0C0249543118 > 4360 3016060355040A0C0F437573746F6D2D45522C20496E632E3111300F06035504 > 4361 070C0853616E204A6F7365310B300906035504080C024341310B300906035504 > 4362 0613025553301E170D3232313230363131333735395A170D3235313230353131 > 4363 333735395A30818D3131302F06035504030C28437573746F6D2D455220436F6D > 4364 6D65726369616C204275696C64696E6773205265676973747261723113301106 > 4365 > 4366 > 4367 > 4368 Richardson, et al. Expires 31 August 2026 [Page 78] > 4369 > 4370 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4371 > 4372 > 4373 0355040B0C0A4F6666696365206F707331183016060355040A0C0F437573746F > 4374 6D2D45522C20496E632E310F300D06035504070C064F74746F7761310B300906 > 4375 035504080C024F4E310B30090603550406130243413059301306072A8648CE3D > 4376 020106082A8648CE3D030107034200042030855BE846910B3ECB15CAF8572D3E > 4377 B565BDC654A15EFAF6EDEBAA8B9E1608C5C910C93A20868FC8504D370F1B26FA > 4378 9759F67983BB78863EDA9ACBEA5124F6A3818730818430090603551D13040230 > 4379 00300B0603551D0F0404030204F0301D0603551D0E04160414C9080B387D8DD8 > 4380 5B3A59E7EC100B866393A9CA4C301F0603551D2304183016801492EA7640404A > 4381 8FAB4F270BF3BC379D86CD7280F8302A0603551D250101FF0420301E06082B06 > 4382 01050507031C06082B0601050507030106082B06010505070302300A06082A86 > 4383 48CE3D040302034900304602210091A2033692EB81503D53505FFC8DA326B1EE > 4384 7DEA96F29174F0B3341A07812201022100FF7339288108B712F418530A18025A > 4385 895408CC45E0BB678B46FBAB37DDB4D36B59024730820243308201E9A0030201 > 4386 0202082AEA0413A42DC1CE300A06082A8648CE3D0403023072311C301A060355 > 4387 04030C13437573746F6D2D455220476C6F62616C204341310B3009060355040B > 4388 0C02495431183016060355040A0C0F437573746F6D2D45522C20496E632E3111 > 4389 300F06035504070C0853616E204A6F7365310B300906035504080C024341310B > 4390 3009060355040613025553301E170D3232313230363131333735395A170D3332 > 4391 313230333131333735395A3072311C301A06035504030C13437573746F6D2D45 > 4392 5220476C6F62616C204341310B3009060355040B0C0249543118301606035504 > 4393 0A0C0F437573746F6D2D45522C20496E632E3111300F06035504070C0853616E > 4394 204A6F7365310B300906035504080C024341310B300906035504061302555330 > 4395 59301306072A8648CE3D020106082A8648CE3D0301070342000497B1ED969164 > 4396 930985BBB8AC9A2AF9455CDFEEA4B11DE2E79D068BFA803926B4005251B34F1C > 4397 0815A4CBE03FBD1BBCB635F6431A22DE78653B87B99537ECE16CA3693067300F > 4398 0603551D130101FF040530030101FF30250603551D11041E301C811A68656C70 > 4399 40637573746F6D2D65722E6578616D706C652E636F6D300E0603551D0F0101FF > 4400 040403020186301D0603551D0E0416041492EA7640404A8FAB4F270BF3BC379D > 4401 86CD7280F8300A06082A8648CE3D0403020348003045022100D6D813B390BD3A > 4402 7B4E85424BCB1ED933AD1E981F2817B59083DD6EC1C5E3FADF02202CEE440619 > 4403 2BC767E98D7CFAE044C6807481AD8564A7D569DCA3D1CDF1E5E843590124A119 > 4404 09C5A60102027818323032322D31322D30365432303A30343A31352E3735345A > 4405 05581A041830168014CB8D98CA74C51B58DDE7ACEF869A9443A8D666A6074823 > 4406 BFBBC9C2BCF2130958C9D28443A10126A0587EA11909C5A40102074823BFBBC9 > 4407 C2BCF2130C585B3059301306072A8648CE3D020106082A8648CE3D0301070342 > 4408 00042030855BE846910B3ECB15CAF8572D3EB565BDC654A15EFAF6EDEBAA8B9E > 4409 1608C5C910C93A20868FC8504D370F1B26FA9759F67983BB78863EDA9ACBEA51 > 4410 24F60D6D4A414441313233343536373839584068987DE8B007F4E9416610BBE2 > 4411 D48E1D7EA1032092B8BFCE611421950F45B22F17E214820C07E777ADF86175E2 > 4412 5D3205568404C25FCEEC1B817C7861A6104B3D0D6D4A41444131323334353637 > 4413 38395840B1DD40B10787437588AEAC9036899191C16CCDBECA31C197855CCB6B > 4414 BA142D709FE329CBC3F76297D6063ACB6759EAB98E96EA4C4AA2135AA48A247B > 4415 AC1D6A3F > 4416 > 4417 The representation of signed_rvr in CBOR diagnostic format (with lf > 4418 added) is: > 4419 > 4420 > 4421 > 4422 > 4423 > 4424 Richardson, et al. Expires 31 August 2026 [Page 79] > 4425 > 4426 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4427 > 4428 > 4429 18([h'A10126', {32: [h'3082028030820225A003020102020900C3F62149B2E30 > 4430 E3E300A06082A8648CE3D0403023072311C301A06035504030C13437573746F6D2D4 > 4431 55220476C6F62616C204341310B3009060355040B0C02495431183016060355040A0 > 4432 C0F437573746F6D2D45522C20496E632E3111300F06035504070C0853616E204A6F7 > 4433 365310B300906035504080C024341310B3009060355040613025553301E170D32323 > 4434 13230363131333735395A170D3235313230353131333735395A30818D3131302F060 > 4435 35504030C28437573746F6D2D455220436F6D6D65726369616C204275696C64696E6 > 4436 7732052656769737472617231133011060355040B0C0A4F6666696365206F7073311 > 4437 83016060355040A0C0F437573746F6D2D45522C20496E632E310F300D06035504070 > 4438 C064F74746F7761310B300906035504080C024F4E310B30090603550406130243413 > 4439 059301306072A8648CE3D020106082A8648CE3D030107034200042030855BE846910 > 4440 B3ECB15CAF8572D3EB565BDC654A15EFAF6EDEBAA8B9E1608C5C910C93A20868FC85 > 4441 04D370F1B26FA9759F67983BB78863EDA9ACBEA5124F6A3818730818430090603551 > 4442 D1304023000300B0603551D0F0404030204F0301D0603551D0E04160414C9080B387 > 4443 D8DD85B3A59E7EC100B866393A9CA4C301F0603551D2304183016801492EA7640404 > 4444 A8FAB4F270BF3BC379D86CD7280F8302A0603551D250101FF0420301E06082B06010 > 4445 50507031C06082B0601050507030106082B06010505070302300A06082A8648CE3D0 > 4446 40302034900304602210091A2033692EB81503D53505FFC8DA326B1EE7DEA96F2917 > 4447 4F0B3341A07812201022100FF7339288108B712F418530A18025A895408CC45E0BB6 > 4448 78B46FBAB37DDB4D36B', h'30820243308201E9A00302010202082AEA0413A42DC1 > 4449 CE300A06082A8648CE3D0403023072311C301A06035504030C13437573746F6D2D45 > 4450 5220476C6F62616C204341310B3009060355040B0C02495431183016060355040A0C > 4451 0F437573746F6D2D45522C20496E632E3111300F06035504070C0853616E204A6F73 > 4452 65310B300906035504080C024341310B3009060355040613025553301E170D323231 > 4453 3230363131333735395A170D3332313230333131333735395A3072311C301A060355 > 4454 04030C13437573746F6D2D455220476C6F62616C204341310B3009060355040B0C02 > 4455 495431183016060355040A0C0F437573746F6D2D45522C20496E632E3111300F0603 > 4456 5504070C0853616E204A6F7365310B300906035504080C024341310B300906035504 > 4457 06130255533059301306072A8648CE3D020106082A8648CE3D0301070342000497B1 > 4458 ED969164930985BBB8AC9A2AF9455CDFEEA4B11DE2E79D068BFA803926B4005251B3 > 4459 4F1C0815A4CBE03FBD1BBCB635F6431A22DE78653B87B99537ECE16CA3693067300F > 4460 0603551D130101FF040530030101FF30250603551D11041E301C811A68656C704063 > 4461 7573746F6D2D65722E6578616D706C652E636F6D300E0603551D0F0101FF04040302 > 4462 0186301D0603551D0E0416041492EA7640404A8FAB4F270BF3BC379D86CD7280F830 > 4463 0A06082A8648CE3D0403020348003045022100D6D813B390BD3A7B4E85424BCB1ED9 > 4464 33AD1E981F2817B59083DD6EC1C5E3FADF02202CEE4406192BC767E98D7CFAE044C6 > 4465 807481AD8564A7D569DCA3D1CDF1E5E843']}, h'A11909C5A601020278183230323 > 4466 22D31322D30365432303A30343A31352E3735345A05581A041830168014CB8D98CA7 > 4467 4C51B58DDE7ACEF869A9443A8D666A6074823BFBBC9C2BCF2130958C9D28443A1012 > 4468 6A0587EA11909C5A40102074823BFBBC9C2BCF2130C585B3059301306072A8648CE3 > 4469 D020106082A8648CE3D030107034200042030855BE846910B3ECB15CAF8572D3EB56 > 4470 5BDC654A15EFAF6EDEBAA8B9E1608C5C910C93A20868FC8504D370F1B26FA9759F67 > 4471 983BB78863EDA9ACBEA5124F60D6D4A414441313233343536373839584068987DE8B > 4472 007F4E9416610BBE2D48E1D7EA1032092B8BFCE611421950F45B22F17E214820C07E > 4473 777ADF86175E25D3205568404C25FCEEC1B817C7861A6104B3D0D6D4A41444131323 > 4474 3343536373839', h'B1DD40B10787437588AEAC9036899191C16CCDBECA31C19785 > 4475 5CCB6BBA142D709FE329CBC3F76297D6063ACB6759EAB98E96EA4C4AA2135AA48A24 > 4476 7BAC1D6A3F']) > 4477 > 4478 > 4479 > 4480 Richardson, et al. Expires 31 August 2026 [Page 80] > 4481 > 4482 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4483 > 4484 > 4485 C.5. COSE-signed Voucher from MASA > 4486 > 4487 The resulting voucher is created by the MASA and returned to the > 4488 Registrar: > 4489 > 4490 RES: 200 OK > 4491 Content-Type: application/voucher+cose > 4492 Body: <signed_voucher> > 4493 > 4494 The Registrar then returns the voucher to the Pledge: > 4495 > 4496 RES: 2.04 Changed > 4497 Content-Format: 836 (application/voucher+cose) > 4498 Payload: <signed_voucher> > 4499 > 4500 It is signed by the MASA's private key (see Appendix C.1.3) and can > 4501 be verified by the Pledge using the MASA's public key that it stores. > 4502 > 4503 Below is the binary signed_voucher, encoded in hexadecimal (with lf > 4504 added): > 4505 > 4506 D28443A10126A0590288A1190993A60102027818323032322D31322D30365432 > 4507 303A32333A33302E3730385A03F4074857EED786AD4049070859024730820243 > 4508 308201E9A00302010202082AEA0413A42DC1CE300A06082A8648CE3D04030230 > 4509 72311C301A06035504030C13437573746F6D2D455220476C6F62616C20434131 > 4510 0B3009060355040B0C02495431183016060355040A0C0F437573746F6D2D4552 > 4511 2C20496E632E3111300F06035504070C0853616E204A6F7365310B3009060355 > 4512 04080C024341310B3009060355040613025553301E170D323231323036313133 > 4513 3735395A170D3332313230333131333735395A3072311C301A06035504030C13 > 4514 437573746F6D2D455220476C6F62616C204341310B3009060355040B0C024954 > 4515 31183016060355040A0C0F437573746F6D2D45522C20496E632E3111300F0603 > 4516 5504070C0853616E204A6F7365310B300906035504080C024341310B30090603 > 4517 550406130255533059301306072A8648CE3D020106082A8648CE3D0301070342 > 4518 000497B1ED969164930985BBB8AC9A2AF9455CDFEEA4B11DE2E79D068BFA8039 > 4519 26B4005251B34F1C0815A4CBE03FBD1BBCB635F6431A22DE78653B87B99537EC > 4520 E16CA3693067300F0603551D130101FF040530030101FF30250603551D11041E > 4521 301C811A68656C7040637573746F6D2D65722E6578616D706C652E636F6D300E > 4522 0603551D0F0101FF040403020186301D0603551D0E0416041492EA7640404A8F > 4523 AB4F270BF3BC379D86CD7280F8300A06082A8648CE3D04030203480030450221 > 4524 00D6D813B390BD3A7B4E85424BCB1ED933AD1E981F2817B59083DD6EC1C5E3FA > 4525 DF02202CEE4406192BC767E98D7CFAE044C6807481AD8564A7D569DCA3D1CDF1 > 4526 E5E8430B6D4A4144413132333435363738395840DF31B21A6AD3F5AC7F4C8B02 > 4527 6F551BD28FBCE62330D3E262AC170F6BFEDDBA5F2E8FBAA2CAACFED9E8614EAC > 4528 5BF2450DADC53AC29DFA30E8787A1400B2E7C832 > 4529 > 4530 The representation of signed_voucher in CBOR diagnostic format (with > 4531 lf added) is: > 4532 > 4533 > 4534 > 4535 > 4536 Richardson, et al. Expires 31 August 2026 [Page 81] > 4537 > 4538 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4539 > 4540 > 4541 18([h'A10126', {}, h'A1190993A60102027818323032322D31322D30365432303 > 4542 A32333A33302E3730385A03F4074857EED786AD4049070859024730820243308201E > 4543 9A00302010202082AEA0413A42DC1CE300A06082A8648CE3D0403023072311C301A0 > 4544 6035504030C13437573746F6D2D455220476C6F62616C204341310B3009060355040 > 4545 B0C02495431183016060355040A0C0F437573746F6D2D45522C20496E632E3111300 > 4546 F06035504070C0853616E204A6F7365310B300906035504080C024341310B3009060 > 4547 355040613025553301E170D3232313230363131333735395A170D333231323033313 > 4548 1333735395A3072311C301A06035504030C13437573746F6D2D455220476C6F62616 > 4549 C204341310B3009060355040B0C02495431183016060355040A0C0F437573746F6D2 > 4550 D45522C20496E632E3111300F06035504070C0853616E204A6F7365310B300906035 > 4551 504080C024341310B30090603550406130255533059301306072A8648CE3D0201060 > 4552 82A8648CE3D0301070342000497B1ED969164930985BBB8AC9A2AF9455CDFEEA4B11 > 4553 DE2E79D068BFA803926B4005251B34F1C0815A4CBE03FBD1BBCB635F6431A22DE786 > 4554 53B87B99537ECE16CA3693067300F0603551D130101FF040530030101FF302506035 > 4555 51D11041E301C811A68656C7040637573746F6D2D65722E6578616D706C652E636F6 > 4556 D300E0603551D0F0101FF040403020186301D0603551D0E0416041492EA7640404A8 > 4557 FAB4F270BF3BC379D86CD7280F8300A06082A8648CE3D0403020348003045022100D > 4558 6D813B390BD3A7B4E85424BCB1ED933AD1E981F2817B59083DD6EC1C5E3FADF02202 > 4559 CEE4406192BC767E98D7CFAE044C6807481AD8564A7D569DCA3D1CDF1E5E8430B6D4 > 4560 A414441313233343536373839', h'DF31B21A6AD3F5AC7F4C8B026F551BD28FBCE6 > 4561 2330D3E262AC170F6BFEDDBA5F2E8FBAA2CAACFED9E8614EAC5BF2450DADC53AC29D > 4562 FA30E8787A1400B2E7C832']) > 4563 > 4564 In the above, the third element in the array is the voucher data > 4565 encoded as a CBOR byte string. When decoded, it can be represented > 4566 by the following CBOR diagnostic notation: > 4567 > 4568 {2451: {1: 2, 2: "2022-12-06T20:23:30.708Z", 3: false, 7: h'57EED786 > 4569 AD404907', 8: h'30820243308201E9A00302010202082AEA0413A42DC1CE300A06 > 4570 082A8648CE3D0403023072311C301A06035504030C13437573746F6D2D455220476C > 4571 6F62616C204341310B3009060355040B0C02495431183016060355040A0C0F437573 > 4572 746F6D2D45522C20496E632E3111300F06035504070C0853616E204A6F7365310B30 > 4573 0906035504080C024341310B3009060355040613025553301E170D32323132303631 > 4574 31333735395A170D3332313230333131333735395A3072311C301A06035504030C13 > 4575 437573746F6D2D455220476C6F62616C204341310B3009060355040B0C0249543118 > 4576 3016060355040A0C0F437573746F6D2D45522C20496E632E3111300F06035504070C > 4577 0853616E204A6F7365310B300906035504080C024341310B30090603550406130255 > 4578 533059301306072A8648CE3D020106082A8648CE3D0301070342000497B1ED969164 > 4579 930985BBB8AC9A2AF9455CDFEEA4B11DE2E79D068BFA803926B4005251B34F1C0815 > 4580 A4CBE03FBD1BBCB635F6431A22DE78653B87B99537ECE16CA3693067300F0603551D > 4581 130101FF040530030101FF30250603551D11041E301C811A68656C7040637573746F > 4582 6D2D65722E6578616D706C652E636F6D300E0603551D0F0101FF040403020186301D > 4583 0603551D0E0416041492EA7640404A8FAB4F270BF3BC379D86CD7280F8300A06082A > 4584 8648CE3D0403020348003045022100D6D813B390BD3A7B4E85424BCB1ED933AD1E98 > 4585 1F2817B59083DD6EC1C5E3FADF02202CEE4406192BC767E98D7CFAE044C6807481AD > 4586 8564A7D569DCA3D1CDF1E5E843', 11: "JADA123456789"}} > 4587 > 4588 > 4589 > 4590 > 4591 > 4592 Richardson, et al. Expires 31 August 2026 [Page 82] > 4593 > 4594 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4595 > 4596 > 4597 The largest element in the voucher is identified by key 8, which > 4598 decodes to SID 2459 (pinned-domain-cert) based on the delta encoding > 4599 defined by [RFC9254]. It contains the complete PKIX (DER-encoded > 4600 X.509v3) certificate of the Registrar's domain CA. This certificate > 4601 is shown in Appendix C.2.3. > 4602 > 4603 Appendix D. Pledge Device Class Profiles > 4604 > 4605 cBRSKI allows implementers to select between various functional > 4606 options for the Pledge, yielding different code size footprints and > 4607 different requirements on Pledge hardware. Thus for each product > 4608 type an optimal trade-off between functionality, development/ > 4609 maintenance cost and hardware cost can be made. > 4610 > 4611 This appendix illustrates different selection outcomes by means of > 4612 defining different example "profiles" of constrained Pledges. In the > 4613 following subsections, these profiles are defined and a comparison is > 4614 provided. > 4615 > 4616 D.1. Minimal Pledge > 4617 > 4618 The Minimal Pledge profile (Min) aims to reduce code size and > 4619 hardware cost to a minimum. This comes with some severe functional > 4620 restrictions, in particular: > 4621 > 4622 * No support for EST re-enrollment: whenever this would be needed, a > 4623 factory reset followed by a new onboarding process is required. > 4624 > 4625 * No support for change of Registrar: for this case, a factory reset > 4626 followed by a new onboarding process is required. > 4627 > 4628 This profile would be appropriate for single-use devices which must > 4629 be replaced rather than re-deployed. That might include medical > 4630 devices, but also sensors used during construction, such as concrete > 4631 temperature sensors. > 4632 > 4633 D.2. Typical Pledge > 4634 > 4635 The Typical Pledge profile (Typ) aims to support a typical cBRSKI > 4636 feature set including EST re-enrollment support and Registrar > 4637 changes. > 4638 > 4639 > 4640 > 4641 > 4642 > 4643 > 4644 > 4645 > 4646 > 4647 > 4648 Richardson, et al. Expires 31 August 2026 [Page 83] > 4649 > 4650 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4651 > 4652 > 4653 D.3. Full-featured Pledge > 4654 > 4655 The Full-featured Pledge profile (Full) illustrates a Pledge category > 4656 that supports multiple onboarding methods, hardware real-time clock, > 4657 BRSKI/EST resource discovery, and CSR Attributes request/response. > 4658 It also supports most of the optional features defined in this > 4659 specification. > 4660 > 4661 D.4. Comparison Chart of Pledge Classes > 4662 > 4663 The below table specifies the functions implemented in the three > 4664 example Pledge classes Min (Appendix D.1), Typ (Appendix D.2) and > 4665 Full (Appendix D.3). > 4666 > 4667 > 4668 > 4669 > 4670 > 4671 > 4672 > 4673 > 4674 > 4675 > 4676 > 4677 > 4678 > 4679 > 4680 > 4681 > 4682 > 4683 > 4684 > 4685 > 4686 > 4687 > 4688 > 4689 > 4690 > 4691 > 4692 > 4693 > 4694 > 4695 > 4696 > 4697 > 4698 > 4699 > 4700 > 4701 > 4702 > 4703 > 4704 Richardson, et al. Expires 31 August 2026 [Page 84] > 4705 > 4706 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4707 > 4708 > 4709 +============================================+=======+=====+======+ > 4710 | Functions Implemented | Min | Typ | Full | > 4711 +============================================+=======+=====+======+ > 4712 | *General* | | | | > 4713 +--------------------------------------------+-------+-----+------+ > 4714 | Support cBRSKI onboarding | Y | Y | Y | > 4715 +--------------------------------------------+-------+-----+------+ > 4716 | Support other onboarding method(s) | - | - | Y | > 4717 +--------------------------------------------+-------+-----+------+ > 4718 | Real-time clock and cert time checks | - | - | Y | > 4719 +--------------------------------------------+-------+-----+------+ > 4720 | *cBRSKI* | | | | > 4721 +--------------------------------------------+-------+-----+------+ > 4722 | CoAP discovery for rt=brski* | - | - | Y | > 4723 +--------------------------------------------+-------+-----+------+ > 4724 | Support pinned Registrar public key (RPK) | Y | - | Y | > 4725 +--------------------------------------------+-------+-----+------+ > 4726 | Support pinned Registrar certificate | - | Y | Y | > 4727 +--------------------------------------------+-------+-----+------+ > 4728 | Support pinned Domain CA | - | Y | Y | > 4729 +--------------------------------------------+-------+-----+------+ > 4730 | *EST-coaps* | | | | > 4731 +--------------------------------------------+-------+-----+------+ > 4732 | Explicit TA database size (#certs) | 0 | 3 | 8 | > 4733 +--------------------------------------------+-------+-----+------+ > 4734 | CoAP discovery for rt=ace.est* | - | - | Y | > 4735 +--------------------------------------------+-------+-----+------+ > 4736 | GET /att and response parsing | - | - | Y | > 4737 +--------------------------------------------+-------+-----+------+ > 4738 | GET /crts format 62 (multiple CA certs) | - | Y | Y | > 4739 +--------------------------------------------+-------+-----+------+ > 4740 | GET /crts format 281 (multiple CA certs) | - | - | Y | > 4741 +--------------------------------------------+-------+-----+------+ > 4742 | ETag handling support for GET /crts | - | Y | Y | > 4743 +--------------------------------------------+-------+-----+------+ > 4744 | Re-enrollment supported | - (*) | Y | Y | > 4745 +--------------------------------------------+-------+-----+------+ > 4746 | Section 6.5.1 optimized procedure | Y | Y | - | > 4747 +--------------------------------------------+-------+-----+------+ > 4748 | Pro-active re-enrollment at own initiative | - | - | Y | > 4749 +--------------------------------------------+-------+-----+------+ > 4750 | Periodic trust anchor retrieval GET /crts | - (*) | Y | Y | > 4751 +--------------------------------------------+-------+-----+------+ > 4752 | Supports change of Registrar identity | - (*) | Y | Y | > 4753 +--------------------------------------------+-------+-----+------+ > 4754 > 4755 Table 5: Comparison Chart of Pledge Classes Min, Typ and Full > 4756 > 4757 > 4758 > 4759 > 4760 Richardson, et al. Expires 31 August 2026 [Page 85] > 4761 > 4762 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4763 > 4764 > 4765 Notes: (*) means only possible via a factory-reset followed by a new > 4766 cBRSKI onboarding procedure. > 4767 > 4768 Appendix E. Pledge Discovery of Onboarding and Enrollment Options > 4769 > 4770 The discovery functionality described in this section is informative > 4771 only: it derives from the normative CoRE documents [RFC6690], > 4772 [RFC7252] and from [RFC9148]. In typical cases, for a constrained > 4773 Pledge that only supports a single onboarding and enrollment method, > 4774 this functionality is not needed. > 4775 > 4776 Note that the full-featured Pledge class defined in Appendix D.3 does > 4777 support CoAP discovery functionality. > 4778 > 4779 E.1. Pledge Discovery Query for All cBRSKI Resources > 4780 > 4781 A Pledge that wishes to discover the available cBRSKI onboarding > 4782 options/formats can do a discovery operation using CoAP discovery per > 4783 Section 7 of [RFC7252] and Section 4 of [RFC6690]. It first sends a > 4784 CoAP discovery query to the Registrar over the secured DTLS > 4785 connection. The Registrar then responds with a CoRE Link Format > 4786 payload containing the requested resources, if any. > 4787 > 4788 For example, if the Registrar supports a cBRSKI base resource /b in > 4789 addition to the longer /.well-known/brski base resource, and supports > 4790 only the voucher format application/voucher+cose (836), and status > 4791 reporting in both CBOR (60) and JSON (50) formats, a CoAP resource > 4792 discovery request and response may look as follows: > 4793 > 4794 REQ: GET /.well-known/core?rt=brski* > 4795 > 4796 RES: 2.05 Content > 4797 Content-Format: 40 (application/link-format) > 4798 Payload: > 4799 </b>;rt=brski, > 4800 </b/rv>;rt=brski.rv;ct=836, > 4801 </b/vs>;rt=brski.vs;ct="50 60", > 4802 </b/es>;rt=brski.es;ct="50 60" > 4803 > 4804 In this case, the Registrar returns only the shorter URI paths > 4805 matching the query filter, which are located under the /b base > 4806 resource. The /.well-known/brski based URI paths are not returned, > 4807 as these are assumed to be well-known (i.e. mandatory to support for > 4808 a Registrar that offers this functionality under /b.) > 4809 > 4810 > 4811 > 4812 > 4813 > 4814 > 4815 > 4816 Richardson, et al. Expires 31 August 2026 [Page 86] > 4817 > 4818 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4819 > 4820 > 4821 The Registrar is however under no obligation to provide the shorter > 4822 URLs under /b, and may respond to this query with only the /.well- > 4823 known/brski/\<short-name\> resources for the short names as defined > 4824 in Table 1, if these resources are not hosted anywhere else. This > 4825 case is shown in the below interaction: > 4826 > 4827 REQ: GET /.well-known/core?rt=brski* > 4828 > 4829 RES: 2.05 Content > 4830 Content-Format: 40 (application/link-format) > 4831 Payload: > 4832 </.well-known/brski>;rt=brski, > 4833 </.well-known/brski/rv>;rt=brski.rv;ct=836, > 4834 </.well-known/brski/vs>;rt=brski.vs;ct="50 60", > 4835 </.well-known/brski/es>;rt=brski.es;ct="50 60" > 4836 > 4837 When responding to a discovery request for cBRSKI resources, the > 4838 Registrar may return the full resource paths for all <short-name> > 4839 resources and the content-formats supported by these resources (using > 4840 ct attributes) as shown in the above examples. This is useful when > 4841 multiple content-formats are supported for a particular resource on > 4842 the Registrar and the discovering Pledge also supports multiple. > 4843 > 4844 Registrars that have implemented any cBRSKI or EST-coaps URI paths > 4845 outside of /.well-known must process a request on the corresponding > 4846 /.well-known/brski/\<short-name\> or /.well-known/est/\<short-name\> > 4847 URI paths identically. In particular, a Pledge may use the longer > 4848 (well-known) and shorter URI paths in any combination. > 4849 > 4850 A Registrar may also be implemented without support for the > 4851 (optional) CoAP discovery. In that case, it may for example return a > 4852 4.04 Not Found as shown in the example below, in case the Registrar > 4853 does not host the resource /.well-known/core at all. In such case, > 4854 the Pledge cannot discover any onboarding/enrollment options and so > 4855 it has to rely on the default cBRSKI resources under /.well-known/ > 4856 brski/... and /.well-known/est/.... > 4857 > 4858 REQ: GET /.well-known/core?rt=brski* > 4859 > 4860 RES: 4.04 Not Found > 4861 > 4862 > 4863 > 4864 > 4865 > 4866 > 4867 > 4868 > 4869 > 4870 > 4871 > 4872 Richardson, et al. Expires 31 August 2026 [Page 87] > 4873 > 4874 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4875 > 4876 > 4877 E.2. Pledge Discovery Query for the cBRSKI Base Resource > 4878 > 4879 In case the client queries for only rt=brski type resources, the > 4880 Registrar responds with only the base path for the cBRSKI resources > 4881 (rt=brski, resource /b in earlier examples) and no others. (So, the > 4882 query is "rt=brski", without the wildcard character.) This is shown > 4883 in the below example. The Pledge in this case requests only the > 4884 cBRSKI base resource of type rt=brski to check if cBRSKI is supported > 4885 by the Registrar and if a shorter-length cBRSKI base resource path is > 4886 supported or not. In this case, the Pledge is not interested to > 4887 check what voucher request formats, or status telemetry formats -- > 4888 other than the mandatory default formats -- are supported. The > 4889 compact response below then shows that the Registrar indeed supports > 4890 a cBRSKI resource at /b: > 4891 > 4892 REQ: GET /.well-known/core?rt=brski > 4893 > 4894 RES: 2.05 Content > 4895 Content-Format: 40 (application/link-format) > 4896 Payload: > 4897 </b>;rt=brski > 4898 > 4899 The Pledge can now start using any of the cBRSKI resources > 4900 /b/\<short-name\> in a next CoAP request to the Registrar. In above > 4901 example, again the well-known resource present under /.well-known/ > 4902 brski is not returned because this is assumed to be well-known to the > 4903 Pledge and mandatory to support for a Registrar that offers this > 4904 functionality under /b. > 4905 > 4906 As a follow-up example, the Pledge can now start the onboarding by > 4907 sending its PVR: > 4908 > 4909 REQ: POST /b/rv > 4910 Content-Format: 836 (application/voucher+cose) > 4911 Accept: 836 (application/voucher+cose) > 4912 Payload: <binary COSE-signed PVR> > 4913 > 4914 E.3. Usage of ct Attribute > 4915 > 4916 The return of multiple content-formats in the 'ct' link format > 4917 attribute by the Registrar allows the Pledge to choose the most > 4918 appropriate one for a particular operation, and allows extension with > 4919 new voucher formats. Note that only content-format 836 (application/ > 4920 voucher+cose) is defined in this document for the voucher request > 4921 resource (/rv), both as request payload and as response payload. If > 4922 the 'ct' attribute is not indicated for the /rv resource in the CoRE > 4923 Link Format description, this implies that at least format 836 is > 4924 supported and maybe more. > 4925 > 4926 > 4927 > 4928 Richardson, et al. Expires 31 August 2026 [Page 88] > 4929 > 4930 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4931 > 4932 > 4933 Note that this specification allows for application/voucher+cose > 4934 payloads to be transmitted over HTTPS, as well as for application/ > 4935 voucher-cms+json and other formats yet to be defined over CoAP. The > 4936 burden for this flexibility is placed upon the Registrar. A Pledge > 4937 on constrained hardware is expected to support a single format only. > 4938 > 4939 The Pledge needs to support one or more formats for the PVR and > 4940 resulting voucher. The MASA needs to support all formats that the > 4941 associated Pledges use. > 4942 > 4943 In the below example, a Pledge queries specifically for the brski.rv > 4944 resource type to learn what voucher formats are supported: > 4945 > 4946 REQ: GET /.well-known/core?rt=brski.rv > 4947 > 4948 RES: 2.05 Content > 4949 Content-Format: 40 (application/link-format) > 4950 Payload: > 4951 </b/rv>;rt=brski.rv;ct="836 65123 65124" > 4952 > 4953 The Registrar returns 3 supported voucher formats: 836, 65123, and > 4954 65124. The first is the mandatory application/voucher+cose. The > 4955 other two are numbers from the Experimental Use number range of the > 4956 CoAP Content-Formats sub-registry, which are used as mere examples. > 4957 The Pledge can now make a selection between the supported formats. > 4958 > 4959 Note that if the Registrar only supports the default content-formats > 4960 for each cBRSKI resource as specified by this document, it may omit > 4961 the ct attributes in the discovery query response. For example as in > 4962 the following interaction: > 4963 > 4964 REQ: GET /.well-known/core?rt=brski* > 4965 > 4966 RES: 2.05 Content > 4967 Content-Format: 40 (application/link-format) > 4968 Payload: > 4969 </b>;rt=brski, > 4970 </b/rv>;rt=brski.rv, > 4971 </b/vs>;rt=brski.vs, > 4972 </b/es>;rt=brski.es > 4973 > 4974 E.4. EST-coaps Resource Discovery > 4975 > 4976 The Pledge can also use CoAP discovery to identify enrollment > 4977 options, for example enrollment using EST-coaps or other methods. > 4978 The below example shows a Pledge that wants to identify EST-coaps > 4979 enrollment options by sending a discovery query. This is done either > 4980 before or after the voucher has been validated. > 4981 > 4982 > 4983 > 4984 Richardson, et al. Expires 31 August 2026 [Page 89] > 4985 > 4986 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 4987 > 4988 > 4989 REQ: GET /.well-known/core?rt=ace.est* > 4990 > 4991 RES: 2.05 Content > 4992 Content-Format: 40 (application/link-format) > 4993 Payload: > 4994 </e/crts>;rt=ace.est.crts;ct="62 281 287", > 4995 </e/sen>;rt=ace.est.sen;ct="281 287", > 4996 </e/sren>;rt=ace.est.sren;ct="281 287", > 4997 </e/att>;rt=ace.est.att, > 4998 </e/skg>;rt=ace.est.skg, > 4999 </e/skc>;rt=ace.est.skc > 5000 > 5001 The response from the Registrar indicates that EST-coaps enrollment > 5002 (/sen) and re-enrollment (/sren) is supported, with a choice of two > 5003 content-formats for the response payload: either a PKCS#7 container > 5004 with a single LDevID certificate (application/pkcs7-mime;smime- > 5005 type=certs-only, content-format 281) which is the BRSKI [RFC8995] > 5006 encoding, or just a single LDevID certificate (application/pkix-cert, > 5007 content-format 287) which is the default cBRSKI encoding. > 5008 > 5009 For the EST cacerts resource (/crts) there are three content-formats > 5010 supported: an application/multipart-core container (62) per > 5011 Section 6.5.5, a PKCS#7 container with all CA certificates (287), or > 5012 a single (most relevant) CA certificate (281). > 5013 > 5014 The Pledge can now send a CoAP request to one of the discovered > 5015 resources, with the Accept Option to indicate which return payload > 5016 content-format the Pledge wants to receive. > 5017 > 5018 Acknowledgements > 5019 > 5020 We are very grateful to Jim Schaad for explaining COSE/CMS choices > 5021 and for correcting early versions of the COSE_Sign1 objects. > 5022 > 5023 Michel Veillette did extensive work on _pyang_ to extend it to > 5024 support the SID allocation process, and this document was among its > 5025 first users. > 5026 > 5027 Russ Housley , Daniel Franke , Henk Birkholtz , Kathleen Moriarty , > 5028 Xufeng Liu and Karl Moberg provided review feedback. > 5029 > 5030 The BRSKI design team has met on many Tuesdays and Thursdays for > 5031 document review. The team includes the authors and: Aurelio > 5032 Schellenbaum , David von Oheimb , Steffen Fries , Thomas Werner , > 5033 Bill Atwood and Toerless Eckert . > 5034 > 5035 Darrel Miller , Orie Steele and Manu Sporny provided review feedback > 5036 on the registration of the +cose structured syntax suffix. > 5037 > 5038 > 5039 > 5040 Richardson, et al. Expires 31 August 2026 [Page 90] > 5041 > 5042 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 5043 > 5044 > 5045 Carsten Bormann suggested the use of CBOR Web Token (CWT) claims in > 5046 the voucher's COSE header. > 5047 > 5048 Changelog > 5049 > 5050 -30: Require Pledge's DTLS cert chain to be included in RVR 'x5bag' > 5051 (#343). Add support for CoAP Uri-Path-Abbrev Option (#336). Move > 5052 'idevid-issuer' clarification text to draft-8366bis. Update the > 5053 duplicate serial number attack to focus only on the case where the > 5054 attack could be successful (equal CAs). Update section references > 5055 draft-ietf-anima-8366bis to latest version. Remove reference to the > 5056 to-be-deprecated RFC 8366. Align terms and notation with draft-ietf- > 5057 anima-8366bis. Editorial (wording) updates. > 5058 > 5059 -29: Clarify that each brski.jp link indicates a root resource (/) > 5060 (#335). Clarify that Pledge uses IP link-local address of JP's > 5061 discovery response, instead of the UTF-8 encoded IP address literal > 5062 (#334). Add example of Join Proxy offering multiple Registrars > 5063 (endpoints) (#333). Updated CoAP request/response formatting of > 5064 examples. Updated acknowledgements (#331). Editorial updates. > 5065 > 5066 -28: Cleanup of normative/informative references, setting each to > 5067 right category. Bugfix and clarification in text around EdDSA Curve > 5068 selection. Added section on additional information in COSE header > 5069 with 'iat' CWT timestamp example. Updates to BRSKI Well-Known URIs > 5070 registry, including a rename of the "URI" column (#326). Unify COSE > 5071 header parameters terminology (#330). Text formatting and editorial > 5072 updates. > 5073 > 5074 -27: Clarify x5bag for storing signing chain and Registrar removes > 5075 unprotected x5bag/x5chain (#324, #323, #230). Clarify RPK use with > 5076 "placeholder" certificate. Merged the very similar BRSKI-MASA > 5077 security considerations sections (#312). Require CBOR format for > 5078 Pledge's/EST-client's telemetry (#309, #317). Removed figure > 5079 captions from code examples for consistency (#315). Add base > 5080 resource type (rt) for "ace.est" and related terminology (#314). > 5081 Update IEEE 802.1AR reference to 2018 version (#313). Editorial > 5082 updates. > 5083 > 5084 -26: Updated I-D/RFC references to newer versions. Corrected "sub- > 5085 registry" term to official "registry", in IANA section. Explicitly > 5086 imported terminology from [RFC7252]. Corrected "router" term in > 5087 Thread/MLE section, with clarifications, and [Thread] reference fix. > 5088 Moved references between "Informative" and "Normative" based on > 5089 what's required to implement all the optional features. Removal of > 5090 some lingering legacy text. Editorial improvements, bugfixes and > 5091 typo corrections. > 5092 > 5093 > 5094 > 5095 > 5096 Richardson, et al. Expires 31 August 2026 [Page 91] > 5097 > 5098 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 5099 > 5100 > 5101 -25: Moved all software/library support info into Appendix A and > 5102 added "open source" section; Removed use of formal Extends/Amends > 5103 Update-tags (#303, #304); Moved Section 14 to Appendix E (#302); > 5104 Editorial improvements. > 5105 > 5106 -24: Rephrased well-known URL requirement in 14.1 (#292, #293); Added > 5107 paragraph on future certificate formats like C509 (#281, #294); Add > 5108 formal specification for CoAP discovery of Join Proxy by Pledge, > 5109 instead of only showing examples (#296, #300); Enable mDNS discovery > 5110 of Join Proxy by Pledge (also in mesh networks) and list service name > 5111 to use (#297, #299); Add requirement to support content-format 287 in > 5112 /sen and /sren response (#295, #298). > 5113 > 5114 -23: Removed Update tag for RFC 8366 (#285, #288); Introduced cBRSKI > 5115 acronym (#284, #286); Added Update tag for RFC 9148 (#283, #289); > 5116 Keep CoAP discovery as only mechanism and refer to future discovery > 5117 work (#279, #282, #290); Introduce formal CBOR diagnostics ellipsis > 5118 elision syntax (#281, #287); Support for multi-tier CAs by > 5119 introducing multipart-core /crts format (#275, #291); Terminology > 5120 updated for consistency with RFC 8366-bis (#274, #280); Rename > 5121 voucher media type to application/voucher+cose and register +cose SSS > 5122 (#264, #277); Editorial changes including section restructuring. > 5123 > 5124 -22: Streamlined text to focus mostly on the default flow, with > 5125 optional functions moved to their own sections (#269, #273); For DTLS > 5126 1.3 client, use the record_size_limit extensions RFC 8449 (#270); > 5127 Editorial updates; Reference rfc6125bis updated to RFC 9525. > 5128 > 5129 -11 to -21: (For change details see GitHub issueshttps://github.com/ > 5130 anima-wg/constrained-voucher/issues , related Pull Requests and > 5131 commits.) > 5132 > 5133 -10: Design considerations extended; Examples made consistent. > 5134 > 5135 -08: Examples for cose_sign1 are completed and improved. > 5136 > 5137 -06: New SID values assigned; regenerated examples. > 5138 > 5139 -04: voucher and request-voucher MUST be signed; examples for signed > 5140 request are added in appendix; IANA SID registration is updated; SID > 5141 values in examples are aligned; signed cms examples aligned with new > 5142 SIDs. > 5143 > 5144 -03: Examples are inverted. > 5145 > 5146 > 5147 > 5148 > 5149 > 5150 > 5151 > 5152 Richardson, et al. Expires 31 August 2026 [Page 92] > 5153 > 5154 Internet-Draft Constrained BRSKI (cBRSKI) February 2026 > 5155 > 5156 > 5157 -02: Example of requestvoucher with unsigned application/cbor is > 5158 added; attributes of voucher "refined" to optional; CBOR > 5159 serialization of vouchers improved; Discovery port numbers are > 5160 specified. > 5161 > 5162 -01: application/json is optional, application/cbor is compulsory; > 5163 Cms and cose mediatypes are introduced. > 5164 > 5165 -00: Initial version. > 5166 > 5167 Authors' Addresses > 5168 > 5169 Michael Richardson > 5170 Sandelman Software Works > 5171 Email:mcr+ietf@sandelman.ca > 5172 > 5173 > 5174 Peter van der Stok > 5175 vanderstok consultancy > 5176 Email:stokcons@kpnmail.nl > 5177 > 5178 > 5179 Panos Kampanakis > 5180 Cisco Systems > 5181 Email:pkampana@cisco.com > 5182 > 5183 > 5184 Esko Dijk > 5185 IoTconsultancy.nl > 5186 Email:esko.dijk@iotconsultancy.nl > 5187 > 5188 > 5189 > 5190 > 5191 > 5192 > 5193 > 5194 > 5195 > 5196 > 5197 > 5198 > 5199 > 5200 > 5201 > 5202 > 5203 > 5204 > 5205 > 5206 > 5207 > 5208 Richardson, et al. Expires 31 August 2026 [Page 93] > > _______________________________________________ > Anima mailing list --anima@ietf.org > To unsubscribe send an email toanima-leave@ietf.org -- *IoTconsultancy.nl* | Email/Teams: esko.dijk@iotconsultancy.nl | +31 6 2385 8339