DRIP RegistriesAX Enterprize, LLC4947 Commercial DriveYorkvilleNY13495USAadam.wiethuechter@axenterprize.comAX Enterprize, LLC4947 Commercial DriveYorkvilleNY13495USAstu.card@axenterprize.comHTT ConsultingOak ParkMI48237USArgm@labs.htt-consult.com
Internet
drip Working GroupInternet-DraftTODOIntroductionTODOTerminologyRequired TerminologyThe key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.DefinitionsSee for common DRIP terms.
HDA:
Hierarchial HIT Domain Authority. The 16 bit field identifying the HIT Domain Authority under a RAA.
HID:
Hierarchy ID. The 32 bit field providing the HIT Hierarchy ID.
RAA:
Registered Assigning Authority. The 16 bit field identifying the Hierarchical HIT Assigning Authority.
Claims, Assertions, Attestations & CertificatesThis section introduces the terms "Claims", "Assertions", "Attestations", and "Certificates" as used in DRIP. In DRIP certificate has a different context compared with security certificates and Public Key Infrastructure used in X.509.Claims:
A claim in DRIP is a predicate (e.g., "X is Y", "X has property Y", and most importantly "X owns Y" or "X is owned by Y").
Assertions:
An assertion in DRIP is a set of claims. This definition is borrowed from JWT and CWT .
Attestations:
An attestation in DRIP is a signed assertion. The signer may be the claimant or a related party with stake in the assertion(s). Under DRIP this is normally used when an entity asserts a relationship with another entity, along with other information, and the asserting entity signs the assertion, thereby making it an attestation.
Certificates:
A certificate in DRIP is an attestation, strictly over identity information, signed by a third party. This third party should be one with no stake in the attestation(s) its signing over.
DRIP Attestations & CertificatesAttestation StructureAll Attestations and Certificates under DRIP share the following format:Attestor Identity InformationThis can be any one of the following:
None
Attestor HHIT: 16-bytes
Attestor SelfAttestation: 120-bytes
A specific definition of an Attestation or Certificate defines which of these are used.Two Attestation's remove this field: MutualAttestation and LinkAttestation as their definition clearly states that the signer is the second party with their HHIT or SelfAttestation already embedded in the Attestation Data.Attestation DataThe data being attested to. It can be one of the following forms:
Claims
Assertions
Attestations
This field is variable length with no limit and specific definitions of an Attestation or Certificate indicate the fields, size and ordering.Expiration TimestampTODOSigning TimestampTODOSignatureTODOAttestationsSelf-Attestation (SA-xx)The only attestation to use a claim (the Host Identity) in the Attestation Data with the HHIT acting as the Attestor Identity Information.Attestation (A-xy)(Editors Note: blurb here?)Concise Attestation (CA-xy)In constrained environments and when there is the guarantee of being able to lookup the HHITs to obtain HIs this attestation can be used.Mutual Attestation (MA-xy)An attestation that perform a sign over an existing Attestation where the signer is the second party of the embedded attestation.This Attestation is one of two that does not fill in the Attestor Identity Information () as the data is already present in the Attestation Data () in the form of Y's SelfAttestation.The unique size of this attestation (384-bytes) allows for easy detection and subsequent decoding without issue.Link Attestation (LA-xy)An attestations that perform a sign over an existing ConciseAttestation where the signer is the second party of the embedded attestation.This Attestation is one of two that does not fill in the Attestor Identity Information () as the data is already present in the Attestation Data () in the form of Y's HHIT.The unique size of this attestation (176-bytes) allows for easy detection and subsequent decoding without issue.Broadcast Attestation (BA-xy)Required by DRIP Authentication Formats for Broadcast RID (Editor Note: add link to draft here) to satisfy GEN-1 and GEN-3.CertificatesIn DRIP certificates are signed by a third party that has no stake in the claims/assertions/attestations being attested to.It is analogous to a third party in legal system that signs a document as a "witness" and bears no responsibility in the document.Attestation Certificate (AC-zxy)Concise Certificate (CC-zxy)Link Certificate (LC-zxy)Mutual Certificate (MC-zxy)RegistriesClassesUnder DRIP there 3 classes of registries, with specific variants in each.RootThis is a special registry holding the RAA value of 0 and HDA value of 0. It delegates out RAA values only to registries that wish to act as an RAA.(Editors Note: we contemplate this is ICAO running this server or federation of them)Registered Assigning AuthoritiesTODOHold RAA values of 2+ and HDA value of 0.Most are contemplated to be Civil Aviation Authorities (CAAs) then delegate HDAs to manage their NAS.ICAO Registry of Manufacturer's (IRM)A special registry that hands out HDA values to participating Manufacturer's that hold an ICAO Manufacturer Code used in ANSI CTA2063-A Serial Numbers.It is holds the RAA value of 1 and HDA value of 0.(Editors Note: we contemplate this is ICAO running this server or federation of them)Hierarchial HIT Domain AuthoritiesManufacturer's Registry of Aircraft (MRA)A registry run by a manufacturer of UAS systems that participate in Remote ID. Stores UAS Serial Numbers under a specific ICAO Manufacturer Code (assigned to the manufacturer by ICAO).A DET can be encoded into a Serial Number (Editor Note: link to -uas-rid) and when done so this registry would hold a mapping from the Serial Number to the DET and its artifacts.Hold RAA values of 1 and HDA value of 1+.Remote ID Registries (RIDR)Registry that holds the binding between a UAS Session ID (for DRIP the DET) and the UA Serial Number. The Serial Number MUST have its access protected to allow only authorized parties to obtain. The Serial Number SHOULD be encrypted in a way the authorized party can decrypt.As part of the UTM system they also hold a binding between a UAS ID (Serial Number or Session ID) and an Operational Intent.(Editors Note: these are contemplated to be part of a USS as a function or a standalone SDSP in the UTM system)Hold RAA values of 2+ and HDA value of 1+.Federation(Editors Note: Due to nature of HHIT we could have multiple registries with same RAA/HDA pairings running and being federated together. How do we handle this?)DRIP Fully Qualified Domain NamesUnder DRIP there are a number of FQDN forms used to allow lookups to take place.Serial NumberDET(Editors Note: do we want to convert HDA/RAA to int or leave as hex?)(Editors Note: DNS is case-sensitive in my experience, do we do all upper case?)(Editors Note: do we support condensed ipv6 forms? - instinct is no as dns case-sensitive so it would be considered a different fqdn entirely)Supported DNS RecordsDRIP requires a number of resource records, some specific to certain registries to function.HIP RRAll registries will have their own DET associated with them and their respective DNS server will hold a HIP RR that is pointed to by their DET FQDN.MRA and RIDR servers will also have HIP RRs for their registered parties (aircraft and operators).CERT RRMost attestations can be placed into DNS. An exception to this is the AttestationCertificate made during Session ID registration.NS RRAlong with their associated "glue" record (A/AAAA) supports the traversal in DNS across the tree.
<mfr.remoteid.aero> on Root points to specific DET FQDN of IRM
<icao_mfr_code>.mfr.remoteid.aero on IRM points to specific DET FQDN of MRA
<raa_value>.det.remoteid.aero on Root pointing to DET FQDN of matching RAA
<hda_value>.<raa_value>.det.remoteid.aero on RAA Registry pointing to DET FQDN of matching HDA
AAAA RRDRIP requires the use of IPv6.Registry Operations(Editors Note: General processing instructions here?)As a general rule the following processing performed for any registration operation:
Verify SelfAttestation of registering party
Populate DNS with required/optional records
Populate Database with PII and other info
Generate and return required/optional Attestations
Registering an RAASpecifically handled by the Root Registry ().InputsRequired:
SelfAttestation of RAA
IP Address of RAA
DNS EntriesRequired on Root:NS RR = <raa_value>.det.remoteid.aero NS <raa_det_fqdn>AAAA RR = <raa_det_fqdn> AAAA ...CERT RR = ???Required on RAA:HIP RR = <raa_det_fqdn> HIP ...CERT RR = ???Database EntriesOutputsRegistering an IRMSpecifically handled by the Root Registry ().InputsRequired:
Self-Attestation of IRM
IP Address of IRM
DNS EntriesRequired on Root:NS RR = mfr.remoteid.aero NS <irm_det_fqdn>NS RR = 1.det.remoteid.aero NS <irm_det_fqdn>AAAA RR = <irm_det_fqdn> AAAA ...CERT RR = ???Required on IRM:HIP RR = <irm_det_fqdn> HIP ...CERT RR = ???Database EntriesOutputsRequired:
Attestation: Root on IRM
Registering an HDASpecifically handled by an RAA ().InputsRequired:
Self-Attestation of HDA
IP Address of HDA
DNS EntriesRequired on RAA:NS RR = <hda_value>.<raa_value>.det.remoteid.aero NS <hda_det_fqdn>AAAA RR = <hda_det_fqdn> AAAA ...CERT RR = ???Required on HDA:HIP RR = <hda_det_fqdn> HIP ...Database EntriesOutputsRegistering an MRASpecifically handled by the IRM Registry ().InputsRequired:
ICAO Manufacturer Code
Self-Attestation of MRA
IP Address of MRA
DNS EntriesRequired on IRM:NS RR = <icao_mfr_code>.mfr.remoteid.aero NS <mra_det_fqdn>NS RR = <hda_value>.1.det.remoteid.aero NS <mra_det_fqdn>AAAA RR = <mra_det_fqdn> AAAA ...CERT RR = ???Required on MRA:HIP RR = <mra_det_fqdn> HIP ...CERT RR = ???Database Entries(HDA value, MRA Details)OutputsRequired:
Attestation: IRM on MRA
Registering a Serial NumberSpecifically handled by a MRA ().InputsRequired:
Serial Number
Aircraft Metadata
Optional:
SelfAttestation: Aircraft on Aircraft (if DET encoded)
DNS EntriesRequired on MRA:A/AAAA with Serial Number FQDN ()Optional on MRA:HIP RR of Aircraft with DET FQDN () (<sn_det_fqdn> HIP ...)CERT RRs of SelfAttestation and BroadcastAttestationDatabase Entries(Serial Number, [DET], Metadata, [SelfAttestation])OutputsOptional:
BroadcastAttestation: Mfr on Aircraft
Registering an OperatorSpecifically handled by a RIDR ().InputsRequired:
SelfAttestation: Operator on Operator
Operator PII
Optional: TODODNS EntriesOptional on RIDR:HIP RR of OperatorCERT RRs SelfAttestation of Operator, A-roDatabase EntriesTODOOutputsRequired:
Attestation (A-ro) - using SA-rr and SA-oo
Optional:
ConciseAttestation (CA-ro) - using SA-oo
BroadcastAttestation (BA-ro) - using SA-oo
Registering a Session IDSpecifically handled by a RIDR ().InputsRequired:
Attestation: Registry on Operator
Attestation: Operator on Aircraft
UAS Serial Number
Optional:
ConciseAttestation: Operator on Aircraft
MutualAttestation: Operator on Aircraft
LinkAttestation: Operator on Aircraft
Operational Intent ID (GUFI)
DNS EntriesRequired on RIDR:HIP RR of Aircraft with DET FQDN () (<session_det_fqdn> HIP ...)CERT RRs for SelfAttestation of Aircraft, BroadcastAttestationDatabase Entries(Session ID, Serial Number, GUFI, A-oa, BA-ra, AC-roa)OutputsRequired:
BroadcastAttestation (BA-ra) - generated using the embedded SA-aa from A-oa
AttestationCertificate (AC-roa) - using A-oa
Optional:
MutualCertificate (MC-roa) - using MA-oa
ConciseCertificate (CC-roa) - using CA-oa
LinkCertificate (LC-roa) - using LA-oa
BroadcastAttestation's of parent Registries in chain
ProvisioningUnder DRIP UAS RID a special provisioning procedure is required to properly generate and distribute the certificates and attestations to all parties in the USS/UTM ecosystem using DRIP RID.Keypairs are expected to be generated on the device hardware it will be used on. Due to hardware limitations (see ) and connectivity it is acceptable under DRIP RID to generate keypairs for the Aircraft on Operator devices and later securely inject them into the Aircraft (as defined in ). The methods to securely inject and store keypair information in a "secure element" of the Aircraft is out of scope of this document.Overview of TransactionsIn DRIP, each Operator MUST generate a Host Identity of the Operator (HIo) and derived Hierarchical HIT of the Operator (HHITo). These are registered with a Private Information Registry along with whatever Operator data (inc. PII) is required by the cognizant CAA and the registry. In response, the Operator will obtain an attestation from the Registry, Attestation: Registry on Operator (A-ro), signed with the Host Identity of the Registry private key (HIr(priv)) proving such registration.An Operator may now claim one or more UA.
An Operator MUST generate a Host Identity of the Aircraft (HIa) and derived Hierarchical HIT of the Aircraft (HHITa)
Create an attestation from the Operator on the Aircraft (A-oa) signed with the Host Identity of the Operator private key (HIo(priv)) to associate the UA with its Operator
Register them with a Private Information Registry along with whatever UAS data is required by the cognizant CAA and Registry
Obtain an attestation from the Registry on the Operator and Aircraft ("AC-roa") signed with the HIr(priv) proving such registration
And obtain a broadcast attestation from the Registry on the Aircraft (BA-ra) signed with HIr(priv) proving UA registration in that specific registry while preserving Operator privacy.
The operator then MUST provision the UA with HIa, HIa(priv), HHITa and B-Ara.
UA engaging in Broadcast RID MUST use HIa(priv) to sign Authentication Messages and MUST periodically broadcast BA-ra.
UAS engaging in Network RID MUST use HIa(priv) to sign Authentication Messages.
Observers MUST use HIa from received BA-ra to verify received Broadcast RID Authentication messages.
Observers without Internet connectivity MAY use BA-ra to identify the trust class of the UAS based on known registry vetting.
Observers with Internet connectivity MAY use HHITa to perform lookups in the Public Information Registry and MAY then query the Private Information Registry which MUST enforce AAA policy on Operator PII and other sensitive information
HHIT DelegationUnder the FAA , it is expecting that IDs for UAS are assigned by the UTM and are generally one-time use. The methods for this however are unspecified leaving two options.
1
The entity generates its own HHIT, discovering and using thr RAA and HDA for the target Registry. The method for discovering a Registry's RAA and HDA is out of scope here. This allows for the device to generate an HHIT to send to the Registry to be accepted (thus generating the required Host Identity Claim) or denied.
2
The entity sends to the Registry its HI for it to be hashed and result in the HHIT. The Registry would then either accept (returning the HHIT to the device) or deny this pairing.
In either case the Registry must decide on if the HI/HHIT pairing is valid. This in its simplest form is checking the current Registry for a collision on the HHIT.Upon accepting a HI/HHIT pair the Registry MUST populate the required the DNS serving the HDA with the HIP RR and other relevant RR types (such as TXT and CERT). The Registry MUST also generate the appropriate Attestation for the given operation.If the Registry denied the HI/HHIT pair, because there was a HHIT collision or any other reason, the Registry MUST signal back to the device being provisioned that a new HI needs to be generated.Registry(Editor Note: this should break down the individual registrations between Root/RAA, RAA/HDA and their special variants).DRIP UAS RID defines two levels of hierarchy maintained by the Registration Assigning Authority (RAA) and HHIT Domain Authority (HDA). The authors anticipate that an RAA is owned and operated by a regional CAA (or a delegated party by an CAA in a specific airspace region) with HDAs being contracted out. As such a chain of trust for registries is required to ensure trustworthiness is not compromised. More information on the registries can be found in .Both the RAA and HDA generate their own keypairs and self-signed attestations (SelfAttestation: RAA on RAA and SelfAttestation: HDA on HDA respectively). The HDA sends to the RAA its self-signed attestation to be added into the RAA DNS.The RAA confirms the attestation received is valid and that no HHIT collisions occur before added a HIP RR to its DNS for the new HDA. An Attestation: RAA on HDA (A-rh) is sent as a confirmation that provisioning was successful.The HDA is now a valid "Registry" and uses its keypair and SelfAttestation: HDA on HDA (SA-hh) with all provisioning requests from downstream.ManufacturerDuring the initial configuration and production at the factory the Aircraft MUST be configured to have a serial number. ASTM defines this to be an ANSI/CTA-2063A. Under DRIP a HHIT can be encoded as such to be able to convert back and forth between them. This is out of scope for this document. TODO: link from UAS RID document.Under DRIP the Manufacturer SHOULD be using HHITs and have their own keypair and SA-mm (SelfAttestation: Manufacturer on Manufacturer). (Ed. Note: some words on aircraft keypair and certs here?).SelfAttestation: Aircraft 0 on Aircraft 0 (SA-a0a0) is extracted by the manufacturer and sent to their Certificate Authority (CA) to be verified and added. A resulting attestation (Attestation: Manufacturer on Aircraft 0 [A-ma0]) SHOULD be a DRIP Attestation - however this could be a X.509 certificate binding the serial number to the manufacturer.OperatorThe Operator generates a keypair and HHIT as specified in DRIP UAS RID. A self-signed attestation (Attestation: Operator on Operator [SA-oo]) is generated and sent to the desired Registry (HDA). Other relevant information and possibly personally identifiable information needed may also be required to be sent to the Registry (all over a secure channel - the method of which is out of scope for this document).The Registry cross checks any personally identifiable information as required. Certificate: Operator on Operator is verified (both using the expiration timestamp and signature). The HHIT is searched in the Registries database to confirm that no collision occurs. A new attestation is generated (Attestation: Registry on Operator) and sent securely back to the Operator. Optionally the HHIT/HI pairing can be added to the Registries DNS in to form of a HIP Resource Record (RR). Other RRs, such as CERT and TXT, may also be used to hold public information.With the receipt of Attestation: Registry on Operator (A-ro) the provisioning of an Operator is complete.AircraftStandard ProvisioningUnder standard provisioning the Aircraft has its own connectivity to the Registry, the method which is out of scope for this document.Through mechanisms not specified in this document the Aircraft should have methods to instruct the Aircraft onboard systems to generate a keypair and certificate. This certificate is chained to the factory provisioned certificate (SelfAttestation: Aircraft 0 on Aircraft 0 [SA-a0a0]). This new attestation (Attestation: Aircraft 0 on Aircraft N [A-a0aN]) is securely extracted by the Operator.With A-a0aN the sub-attestation (SelfAttestation: Aircraft N on Aircraft N [SA-aNaN]) is used by the Operator to generate Attestation: Operator on Aircraft N (A-oaN). This along with Attestation: Registry on Operator (A-ro) is sent to the Registry.On the Registry, A-ro is verified and used as confirmation that the Operator is already registered. A-oaN also undergoes a validation check and used to generate a token to return to the Operator to continue provisioning.Upon receipt of this token, the Operator injects it into the Aircraft and its used to form a secure connection to the Registry. The Aircraft then sends Attestation: Manufacturer on Aircraft 0 (A-ma0) and Attestation: Aircraft 0 to Aircraft N (A-a0aN).The Registry uses Attestation: Manufacturer on Aircraft 0 (with an external database if supported) to confirm the validity of the Aircraft. Attestation: Aircraft 0 on Aircraft N is correlated with Attestation: Operator on Aircraft N and Attestation: Manufacturer on Aircraft 0 to see the chain of ownership. The new HHIT tied to Aircraft N is then checked for collisions in the HDA. With the information the Registry generates two items: AttestationCertificate: Registry on Operator on Aircraft N (AC-roaN) and BroadcastAttestation: Registry on Aircraft N (BA-raN). A HIP RR (and other RR types as needed) are generated and inserted into the HDA.AC-roaN is sent via a secure channel back to the Operator to be stored. ABA-raN is sent to the Aircraft to be used in Broadcast RID as specified in (Editors Note: add link to -auth-formats).Operator Assisted ProvisioningThis provisioning scheme is for when the Aircraft is unable to connect to the Registry itself or does not have the hardware required to generate keypairs and certificates.To start the Operator generates on behalf of the Aircraft a new keypair and Attestation: Aircraft N on Aircraft N (SA-aNaN). This keypair and certificate are injected into the Aircraft for it to generate Attestation: Aircraft 0 on Aircraft N (A-a0aN). After injecting the keypair and certificate, the Operator MUST destroy all copies of the keypair.Attestation: Manufacturer on Aircraft 0 (A-ma0) and Attestation: Aircraft 0 on Aircraft N (A-a0aN) is extracted by the Operator and the following data items are sent to the Registry; Attestation: Registry on Operator (A-ro), Attestation: Manufacturer on Aircraft 0 (A-ma0), Attestation: Aircraft 0 on Aircraft N (A-a0aN), Attestation: Operator on Aircraft N (A-oaN).On the Registry validation checks are done on all attestations as per the previous sections. Once complete then the Registry checks for a HHIT collision, adding to the HDA if clear and generates AttestationCertificate: Registry on Operator on Aircraft N (AC-roaN) and BroadcastAttestation: Registry on Aircraft N (BA-raN). Both are sent back to the Operator.The Operator securely inject BA-raN and securely stores AC-roaN of Aircraft N.Initial ProvisioningA special form of provisioning is used when the Aircraft is first sold to an Operator. Instead of generating a new keypair, the built in keypair and certificate done by the Manufacturer is used to provision and register the aircraft to the owner.For this either Standard or Operator Assisted methods can be used.Security ConsiderationsTODOReferencesNormative ReferencesStandard Specification for Remote ID and TrackingKey words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Informative ReferencesJSON Web Token (JWT)JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.CBOR Web Token (CWT)CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.Drone Remote Identification Protocol (DRIP) RequirementsAX EnterprizeAX EnterprizeHTT ConsultingLinköping University This document defines terminology and requirements for Drone Remote
Identification Protocol (DRIP) Working Group solutions to support
Unmanned Aircraft System Remote Identification and tracking (UAS RID)
for security, safety, and other purposes (e.g., initiation of
identity based network sessions supporting UAS applications). DRIP
will facilitate use of existing Internet resources to support RID and
to enable enhanced related services, and will enable online and
offline verification that RID information is trustworthy.
UAS Remote IDHTT ConsultingAX EnterprizeAX EnterprizeLinköping University This document describes the use of Hierarchical Host Identity Tags
(HHITs) as a self-asserting and thereby trustable Identifier for use
as the UAS Remote ID. HHITs include explicit hierarchy to provide
Registrar discovery for 3rd-party ID attestation.
Hierarchical HIT RegistriesHTT ConsultingAX EnterprizeAX Enterprize This document describes using the registration protocol and
registries to support hierarchical HITs (HHITs). New and existing
HIP parameters are used to communicate Registry Policies and data
about the HHIT device and the Registries. Further Registries are
expected to provide RVS services for registered HHIT devices.
Notice of Proposed Rule Making on Remote Identification of Unmanned Aircraft Systems