anima Working Group                                         M. Richardson
Internet-Draft                                    Sandelman Software Works
Updates: RFC8366 (if approved)                                  T. Werner
Intended status: Standards Track                                  Siemens
Expires: 26 January 2022                                     25 July 2021


        JWS signed Voucher Artifacts for Bootstrapping Protocols
                    draft-ietf-anima-jws-voucher-00

Abstract

   RFC8366 defines a digital artifact called voucher as a YANG-defined
   JSON document that has been signed using a Cryptographic Message
   Syntax (CMS) structure.  This memo introduces a variant of the
   voucher structure in which CMS is replaced by the JSON Object Signing
   and Encryption (JOSE) mechanism described in RFC7515 to better
   support use-cases in which JOSE is preferred over CMS.

   In addition to explaining how the format is created, MIME types are
   registered and examples are provided.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 26 January 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  JSON Web Signatures
     3.1.  Unprotected Header
     3.2.  Protected Header
   4.  Privacy Considerations
   5.  Security Considerations
   6.  IANA Considerations
     6.1.  Media-Type Registry
       6.1.1.  application/voucher-jws+json
   7.  Changelog
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Examples
     A.1.  Example Voucher Request (from Pledge to Registrar)
     A.2.  Example Parboiled Voucher Request (from Registrar to MASA)
     A.3.  Example Voucher Result (from MASA to Pledge, via Registrar)
   Authors' Addresses

1.  Introduction

   "A Voucher Artifact for Bootstrapping Protocols" [RFC8366] describes
   a voucher artifact used in "Bootstrapping Remote Secure Key
   Infrastructure" [BRSKI] and "Secure Zero Touch Provisioning" [SZTP]
   to transfer ownership of a device from a manufacturer to an owner.
   That document defines the base YANG module, and also the initial
   serialization to JSON [RFC8259], with a signature provided by CMS
   [RFC5652].

   Other work, [I-D.ietf-anima-constrained-voucher], provides a mapping
   of the YANG to CBOR [RFC8949] with a signature format of COSE
   [RFC8812].

   This document provides an equivalent mapping to JSON format with the
   signature in JOSE format [RFC7515].  The encoding specified in this
   document is required for [I-D.ietf-anima-brski-async-enroll] and may
   be required and/or preferred in other use-cases, for example when
   JOSE is already used in other parts of the use-case, but CMS is not.

   This document does not extend the YANG definition of [RFC8366] at
   all, but accepts that other efforts such as
   [I-D.richardson-anima-voucher-delegation],
   [I-D.friel-anima-brski-cloud], and
   [I-D.ietf-anima-brski-async-enroll] do.  This document supports
   signing any of the extended schemas defined in those documents and
   any new documents that may appear after this one.

   With the availability of differently encoded vouchers, it is up to an
   industry-specific application statement to decide which voucher
   format is to be used.  There is no provision across the different
   voucher formats by which a receiver could safely recognize which
   format is in use unless additional context is provided.  For example,
   [BRSKI] provides this context via the MIME-Type of the voucher
   payload.

   This document should be considered an Update to [RFC8366] in the
   category of "See Also" as per [I-D.kuehlewind-update-tag].

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  JSON Web Signatures

   [RFC7515] defines two serializations: the JWS Compact Serialization
   and the JWS JSON Serialization.  The two serializations are mostly
   equivalent, and the JWS Compact Serialization (JWT) format has better
   library support in web frameworks, so this document restricts itself
   to that choice.

   The [RFC8366] JSON structure consists of a nested map, the outer part
   of which is:

      { "ietf-voucher:voucher" : { some inner items }}

   This is the JWS Payload as described in [RFC7515] section 3.

   The JWS Compact Serialization is explained in [RFC7515] section 3.1
   and section 7.1, and works out to:

      BASE64URL(UTF8(JWS Protected Header)) || '.' ||
      BASE64URL(JWS Payload) || '.' ||
      BASE64URL(JWS Signature)

   Note that this results in a long base64 content (with two
   interspersed dots).  When using HTTPS, the voucher is transmitted in
   base64 format, even though HTTP can accommodate binary content.  This
   is done to be most convenient for available JWT libraries, and for
   humans who are debugging.

   There are a number of header attributes.  They are:

3.1.  Unprotected Header

   There is no unprotected header in the Compact Serialization format.

3.2.  Protected Header

   The standard "typ" and "alg" values described in [RFC7515] are
   expected in the protected header.

   It remains to be determined (XXX) what values, if any, should go
   into the "typ" header, since in the [BRSKI] use cases additional
   HTTP MIME-type headers already indicate the content type.

   The "alg" header should contain the algorithm type, such as "ES256".

   If PKIX [RFC5280] format certificates are used, then the [RFC7515]
   section 4.1.6 "x5c" certificate chain SHOULD be used to contain the
   certificate and chain.
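   The following Go code is an added example, not part of this draft:
   SignVoucher produces the compact serialization above with the ES256
   "alg" and "x5c" protected header of this section over an [RFC8366]
   voucher map, and VerifyVoucher checks a received artifact against
   the leaf certificate in x5c[0], refusing any other "alg" and any
   payload whose single outer key is not the expected YANG container.
   The function names, the throwaway self-signed test certificate and
   the modeling of inner items as strings are assumptions of this
   example; validating the chain up to a trust anchor is left to the
   caller.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// b64 is BASE64URL without padding, as RFC 7515 section 2 requires.
var b64 = base64.RawURLEncoding

// header is the protected header this draft expects: "alg" plus an "x5c" chain.
type header struct {
	Alg string   `json:"alg"`
	X5c []string `json:"x5c"`
}

// SignVoucher builds BASE64URL(header) || '.' || BASE64URL(payload) ||
// '.' || BASE64URL(sig) with ES256; chain holds DER certs, leaf first.
func SignVoucher(payload []byte, key *ecdsa.PrivateKey, chain [][]byte) (string, error) {
	hdr := header{Alg: "ES256"}
	for _, der := range chain { // x5c uses standard (not URL) base64 of DER
		hdr.X5c = append(hdr.X5c, base64.StdEncoding.EncodeToString(der))
	}
	hj, _ := json.Marshal(hdr)
	signingInput := b64.EncodeToString(hj) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // ES256 signature is raw R||S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyVoucher pins alg to ES256, checks the signature with the leaf
// certificate in x5c[0] and returns the inner items of the expected outer
// YANG key. Validating x5c up to a trust anchor is left to the caller.
func VerifyVoucher(compact, outerKey string) (map[string]string, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 3 {
		return nil, errors.New("compact JWS needs exactly three parts")
	}
	hj, err := b64.DecodeString(parts[0])
	var hdr header // never trust "alg" blindly: require what the draft says
	if err != nil || json.Unmarshal(hj, &hdr) != nil || hdr.Alg != "ES256" || len(hdr.X5c) == 0 {
		return nil, errors.New("protected header must carry alg=ES256 and an x5c chain")
	}
	der, err := base64.StdEncoding.DecodeString(hdr.X5c[0])
	cert, perr := x509.ParseCertificate(der)
	sig, serr := b64.DecodeString(parts[2])
	if err != nil || perr != nil || serr != nil || len(sig) != 64 {
		return nil, errors.New("x5c[0] must be a DER cert and the signature a raw 64-byte R||S")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("bad signature")
	}
	pj, err := b64.DecodeString(parts[1])
	var outer map[string]map[string]string // inner items modeled as strings here
	if err != nil || json.Unmarshal(pj, &outer) != nil || len(outer) != 1 || outer[outerKey] == nil {
		return nil, errors.New("payload is not a single " + outerKey + " map")
	}
	return outer[outerKey], nil
}

// NewTestSigner returns a throwaway P-256 key and self-signed DER cert
// standing in for a MASA signing certificate (constructed test material).
func NewTestSigner() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}
```

   Exercise the functions from a Go test in the same package: sign a
   constructed "ietf-voucher:voucher" payload with NewTestSigner's key
   and certificate, then verify it and confirm that a modified payload
   or a different "alg" is rejected.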
   Vouchers will often need all certificates in the chain, including
   what would be considered the trust anchor certificate, because
   intermediate devices (such as the Registrar) may need to audit the
   artifact, or end systems may need to pin a trust anchor for future
   operations.  This is consistent with [BRSKI] section 5.5.2.

4.  Privacy Considerations

   The Voucher Request reveals the IDevID of the system that is on-
   boarding.

   This request occurs over HTTPS; however, the Pledge to Registrar
   transaction is over a provisional TLS session, and it is subject to
   disclosure by a Dolev-Yao attacker (a "malicious messenger")
   [onpath].  This is explained in [BRSKI] section 10.2.

   The use of a JWS header brings no new privacy considerations.

5.  Security Considerations

   The issues of how [RFC8366] vouchers are used in a [BRSKI] system are
   addressed in section 11 of that document.  This document does not
   change any of those issues; it only changes the signature technology
   used for vouchers and voucher requests.

   [SZTP] section 9 deals with voucher use in Secure Zero Touch
   Provisioning, and this document also makes no changes to its
   security.

6.  IANA Considerations

6.1.  Media-Type Registry

   This section registers the 'application/voucher-jws+json' media type
   in the "Media Types" registry.

6.1.1.  application/voucher-jws+json

   Type name: application
   Subtype name: voucher-jwt+json
   Required parameters: none
   Optional parameters: none
   Encoding considerations: JWS+JSON vouchers are JOSE objects
     signed with one signer.
   Security considerations: See the Security Considerations section.
   Interoperability considerations: The format is designed to be
     broadly interoperable.
   Published specification: THIS RFC.
   Applications that use this media type: ANIMA, 6tisch, and other
     zero-touch imprinting systems
   Additional information:
     Magic number(s): None
     File extension(s): .vjj
     Macintosh file type code(s): none
   Person & email address to contact for further information: IETF
     ANIMA WG
   Intended usage: LIMITED
   Restrictions on usage: NONE
   Author: ANIMA WG
   Change controller: IETF
   Provisional registration? (standards tree only): NO

7.  Changelog

   *  Added adoption call comments from Toerless.  Changed from
      [RFCxxxx] to [THING] style for some key references.

8.  References

8.1.  Normative References

   [BRSKI]    Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
              and K. Watsen, "Bootstrapping Remote Secure Key
              Infrastructure (BRSKI)", RFC 8995, DOI 10.17487/RFC8995,
              May 2021.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515,
              May 2015.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017.

   [RFC8366]  Watsen, K., Richardson, M., Pritikin, M., and T. Eckert,
              "A Voucher Artifact for Bootstrapping Protocols",
              RFC 8366, DOI 10.17487/RFC8366, May 2018.

   [SZTP]     Watsen, K., Farrer, I., and M. Abrahamsson, "Secure Zero
              Touch Provisioning (SZTP)", RFC 8572,
              DOI 10.17487/RFC8572, April 2019.

8.2.  Informative References

   [I-D.friel-anima-brski-cloud]
              Friel, O., Shekh-Yusef, R., and M. Richardson, "BRSKI
              Cloud Registrar", Work in Progress, Internet-Draft,
              draft-friel-anima-brski-cloud-04, 6 April 2021.

   [I-D.ietf-anima-brski-async-enroll]
              Fries, S., Brockhaus, H., Lear, E., and T. Werner,
              "Support of asynchronous Enrollment in BRSKI (BRSKI-AE)",
              Work in Progress, Internet-Draft,
              draft-ietf-anima-brski-async-enroll-03, 24 June 2021.

   [I-D.ietf-anima-constrained-voucher]
              Richardson, M., Stok, P. V. D., Kampanakis, P., and E.
              Dijk, "Constrained Voucher Artifacts for Bootstrapping
              Protocols", Work in Progress, Internet-Draft,
              draft-ietf-anima-constrained-voucher-12, 11 July 2021.

   [I-D.kuehlewind-update-tag]
              Kuehlewind, M. and S. Krishnan, "Definition of new tags
              for relations between RFCs", Work in Progress, Internet-
              Draft, draft-kuehlewind-update-tag-04, 12 July 2021.

   [I-D.richardson-anima-voucher-delegation]
              Richardson, M. and W. Pan, "Delegated Authority for
              Bootstrap Voucher Artifacts", Work in Progress, Internet-
              Draft, draft-richardson-anima-voucher-delegation-03,
              22 March 2021.

   [onpath]   "can an on-path attacker drop traffic?", n.d.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009.

   [RFC8792]  Watsen, K., Auerswald, E., Farrel, A., and Q. Wu,
              "Handling Long Lines in Content of Internet-Drafts and
              RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020.

   [RFC8812]  Jones, M., "CBOR Object Signing and Encryption (COSE) and
              JSON Object Signing and Encryption (JOSE) Registrations
              for Web Authentication (WebAuthn) Algorithms", RFC 8812,
              DOI 10.17487/RFC8812, August 2020.
   [RFC8949]  Bormann, C. and P. Hoffman, "Concise Binary Object
              Representation (CBOR)", STD 94, RFC 8949,
              DOI 10.17487/RFC8949, December 2020.

Appendix A.  Examples

   These examples are folded according to the [RFC8792] Single
   Backslash rule.

A.1.  Example Voucher Request (from Pledge to Registrar)

   The following is an example request sent from a Pledge to the
   Registrar.  This example is from the Siemens reference Registrar
   system.

   It contains the following three parts:

   Header:

   file "voucher_request_01-header.b64"
   {
     "alg": "ES256",
     "x5c": [
       "MIIB2jCCAYCgAwIBAgIGAWegdcSLMAoGCCqGSM49BAMCMD0xCzAJBg\
   VBAYTAkFRMRUwEwYDVQQKDAxKaW5nSmluZ0NvcnAxFzAVBgNVBAMMDkppbm\
   KaW5nVGVzdENBMCAXDTE4MTIxMjAzMjg1MVoYDzk5OTkxMjMxMjM1OTU5Wj\
   SMQswCQYDVQQGEwJBUTEVMBMGA1UECgwMSmluZ0ppbmdDb3JwMRMwEQYDVQ\
   FEwowMTIzNDU2Nzg5MRcwFQYDVQQDDA5KaW5nSmluZ0RldmljZTBZMBMGBy\
   GSM49AgEGCCqGSM49AwEHA0IABMVGG8Z5pjf5jXnyrUrXyZ1kPgqBe3NXu1\
   TADe+r/v6JzIHl355IgcHC3axpibqJM/bWRaEyjqcCJj4jJkowCujVTBTMC\
   GCSsGAQQBgu5SAgQfDB1tYXNhLXRlc3Quc2llbWVucy1idC5uZXQ6OTQ0Mz\
   TBgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCB4AwCgYIKoZIzj\
   EAwIDSAAwRQIgWtPzIIXY2ixRXJtExKEhhZda4X+EplZomEI2zA0dsjoCIQ\
   3JpQmRXMGn/p4Bu9izii92eclTx4/O4rlm7MyLqkhdA=="
     ]
   }

   Payload:

   file "voucher_request_01-payload.b64"
   {
     "ietf-voucher-request:voucher": {
       "created-on": "2020-10-22T02:37:39.000Z",
       "nonce": "eDs++/FuDHGUnRxN3E14CQ==",
       "serial-number": "0123456789"
     }
   }

   Signature:

   file "voucher_request_01-signature.b64"
   Vj9pyo43KDEq0e5tokwHpNhVM0uUkLCatwNQxfsCKH8GRQ2iTT2fqD39k40\
   -7S-vheDHHuBHFSWb502EPwkdA

A.2.  Example Parboiled Voucher Request (from Registrar to MASA)

   The term parboiled refers to food which is partially cooked.  In
   [BRSKI], the term refers to a voucher-request which has been received
   by the Registrar, and then has been processed by the Registrar
   ("cooked"), and is now being forwarded to the MASA.

   The following is an example request sent from the Registrar to the
   MASA.  This example is from the Siemens reference Registrar system.
   Note that the previous voucher request can be seen in the payload as
   "prior-signed-voucher-request".
   It contains the following three parts:

   Header:

   file "parboiled_voucher_request_01-header.b64"
   {
     "alg": "ES256",
     "x5c": [
       "MIIBozCCAUqgAwIBAgIGAW0eLuIFMAoGCCqGSM49BAMCMDUxEzARBg\
   VBAoMCk15QnVzaW5lc3MxDTALBgNVBAcMBFNpdGUxDzANBgNVBAMMBlRlc3\
   DQTAeFw0xOTA5MTEwMjM3MzJaFw0yOTA5MTEwMjM3MzJaMFQxEzARBgNVBA\
   MCk15QnVzaW5lc3MxDTALBgNVBAcMBFNpdGUxLjAsBgNVBAMMJVJlZ2lzdH\
   hciBWb3VjaGVyIFJlcXVlc3QgU2lnbmluZyBLZXkwWTATBgcqhkjOPQIBBg\
   qhkjOPQMBBwNCAAT6xVvAvqTz1ZUiuNWhXpQskaPy7AHHQLwXiJ0iELt6uN\
   anAN0QnWMYO/0CDEjIkBQobw8YKqjtxJHVSGTj9KOoycwJTATBgNVHSUEDD\
   KBggrBgEFBQcDHDAOBgNVHQ8BAf8EBAMCB4AwCgYIKoZIzj0EAwIDRwAwRA\
   gYr2LfqoaCKDF4RAcMmJi+NCZqdSiuVugISA7OhKRq3YCIDxnPMMnpXAMTr\
   JuPWyceER11PxHOn+0CpSHi2qgpWX",
       "MIIBpDCCAUmgAwIBAgIGAW0eLuH+MAoGCCqGSM49BAMCMDUxEzARBg\
   VBAoMCk15QnVzaW5lc3MxDTALBgNVBAcMBFNpdGUxDzANBgNVBAMMBlRlc3\
   DQTAeFw0xOTA5MTEwMjM3MzJaFw0yOTA5MTEwMjM3MzJaMDUxEzARBgNVBA\
   MCk15QnVzaW5lc3MxDTALBgNVBAcMBFNpdGUxDzANBgNVBAMMBlRlc3RDQT\
   ZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOkvkTHu8QlT3FHJ1UaI7+WsHO\
   0US3SALtG5wuKQDjiex06/ScY5PJibvgHTB+F/QTjgelHGy1YKpwcNMcsSy\
   jRTBDMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgIEMB0GA1\
   dDgQWBBToZIMzQdsD/j/+gX/7cBJucH/XmjAKBggqhkjOPQQDAgNJADBGAi\
   AtxQ3+ILGBPItSh4b9WXhXNuhqSP6H+b/LC/fVYDjQ6oCIQDG2uRCHlVq3y\
   B58TXMUbzH8+OlhWUvOlRD3VEqDdcQw=="
     ]
   }

   Payload:

   file "parboiled_voucher_request_01-payload.b64"
   {
     "ietf-voucher-request:voucher": {
       "serial-number": "0123456789",
       "nonce": "eDs++/FuDHGUnRxN3E14CQ==",
       "prior-signed-voucher-request": "eyJhbGciOiAiRVMyNTYiLC\
   ieDVjIjogWyJNSUlCMmpDQ0FZQ2dBd0lCQWdJR0FXZWdkY1NMTUFvR0NDcU\
   TTTQ5QkFNQ01EMHhDekFKQmdOVkJBWVRBa0ZSTVJVd0V3WURWUVFLREF4S2\
   XNW5TbWx1WjBOdmNuQXhGekFWQmdOVkJBTU1Ea3BwYm1kS2FXNW5WR1Z6ZE\
   OQk1DQVhEVEU0TVRJeE1qQXpNamcxTVZvWUR6azVPVGt4TWpNeE1qTTFPVF\
   1V2pCU01Rc3dDUVlEVlFRR0V3SkJVVEVWTUJNR0ExVUVDZ3dNU21sdVowcH\
   ibWREYjNKd01STXdFUVlEVlFRRkV3b3dNVEl6TkRVMk56ZzVNUmN3RlFZRF\
   RUUREQTVLYVc1blNtbHVaMFJsZG1salpUQlpNQk1HQnlxR1NNNDlBZ0VHQ0\
   xR1NNNDlBd0VIQTBJQUJNVkdHOFo1cGpmNWpYbnlyVXJYeVoxa1BncUJlM0\
   YdTFkVEFEZStyL3Y2SnpJSGwzNTVJZ2NIQzNheHBpYnFKTS9iV1JhRXlqcW\
   DSmo0akprb3dDdWpWVEJUTUN3R0NTc0dBUVFCZ3U1U0FnUWZEQjF0WVhOaE\
   YUmxjM1F1YzJsbGJXVnVjeTFpZEM1dVpYUTZPVFEwTXpBVEJnTlZIU1VFRE\
   BS0JnZ3JCZ0VGQlFjREFqQU9CZ05WSFE4QkFmOEVCQU1DQjRBd0NnWUlLb1\
   JemowRUF3SURTQUF3UlFJZ1d0UHpJSVhZMml4UlhKdEV4S0VoaFpkYTRYK0\
   wbFpvbUVJMnpBMGRzam9DSVFDM0pwUW1SWE1Hbi9wNEJ1OWl6aWk5MmVjbF\
   4NC9PNHJsbTdNeUxxa2hkQT09Il19.eyJpZXRmLXZvdWNoZXItcmVxdWVzd\
   p2b3VjaGVyIjogeyJjcmVhdGVkLW9uIjogIjIwMjAtMTAtMjJUMDI6Mzc6M\
   kuMDAwWiIsICJub25jZSI6ICJlRHMrKy9GdURIR1VuUnhOM0UxNENRPT0iL\
   Aic2VyaWFsLW51bWJlciI6ICIwMTIzNDU2Nzg5In19.Vj9pyo43KDEq0e5t\
   kwHpNhVM0uUkLCatwNQxfsCKH8GRQ2iTT2fqD39k40M-7S-vheDHHuBHFSW\
   502EPwkdA",
       "created-on": "2020-10-22T02:37:39.235Z"
     }
   }

   Signature:

   file "parboiled_voucher_request_01-signature.b64"
   S3BRYIKHbsqwQEZsBgJ1COIVAxO2NPEc5oo_BnXK_JkQfStTIeHFCALdv5M\
   YdTu9myJO1muaSFEIu_NFMSFjA

A.3.  Example Voucher Result (from MASA to Pledge, via Registrar)

   The following is an example voucher sent from the Registrar to the
   MASA.  This example is from the Siemens reference MASA system.
   It contains the following three parts:

   Header:

   file "voucher_01-header.b64"
   {
     "alg": "ES256",
     "x5c": [
       "MIIBkzCCATigAwIBAgIGAWFBjCkYMAoGCCqGSM49BAMCMD0xCzAJBg\
   VBAYTAkFRMRUwEwYDVQQKDAxKaW5nSmluZ0NvcnAxFzAVBgNVBAMMDkppbm\
   KaW5nVGVzdENBMB4XDTE4MDEyOTEwNTI0MFoXDTI4MDEyOTEwNTI0MFowTz\
   LMAkGA1UEBhMCQVExFTATBgNVBAoMDEppbmdKaW5nQ29ycDEpMCcGA1UEAw\
   gSmluZ0ppbmdDb3JwIFZvdWNoZXIgU2lnbmluZyBLZXkwWTATBgcqhkjOPQ\
   BBggqhkjOPQMBBwNCAASC6beLAmeq1Vw6iQrRs8R0ZW+4b1GWydmWs2GAMF\
   wbitf2nIXH3OqHKVu8s2RviBGNivOKGBHHtBdiFEZZvb7oxIwEDAOBgNVHQ\
   BAf8EBAMCB4AwCgYIKoZIzj0EAwIDSQAwRgIhAI4PYbxtssHP2VHx/tzUoQ\
   SsydL30DQINEtcN9mCTXPAiEAvIb3o+FO3BTncLFsaJZRAkd7zOusn//ZKO\
   EKbsVDiU="
     ]
   }

   Payload:

   file "voucher_01-payload.b64"
   {
     "ietf-voucher:voucher": {
       "assertion": "logged",
       "serial-number": "0123456789",
       "nonce": "eDs++/FuDHGUnRxN3E14CQ==",
       "created-on": "2020-10-22T02:37:39.921Z",
       "pinned-domain-cert": "MIIBpDCCAUmgAwIBAgIGAW0eLuH+MAoG\
   CqGSM49BAMCMDUxEzARBgNVBAoMCk15QnVzaW5lc3MxDTALBgNVBAcMBFNp\
   GUxDzANBgNVBAMMBlRlc3RDQTAeFw0xOTA5MTEwMjM3MzJaFw0yOTA5MTEw\
   jM3MzJaMDUxEzARBgNVBAoMCk15QnVzaW5lc3MxDTALBgNVBAcMBFNpdGUx\
   zANBgNVBAMMBlRlc3RDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOkv\
   THu8QlT3FHJ1UaI7+WsHOb0US3SALtG5wuKQDjiex06/ScY5PJibvgHTB+F\
   QTjgelHGy1YKpwcNMcsSyajRTBDMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYD\
   R0PAQH/BAQDAgIEMB0GA1UdDgQWBBToZIMzQdsD/j/+gX/7cBJucH/XmjAK\
   ggqhkjOPQQDAgNJADBGAiEAtxQ3+ILGBPItSh4b9WXhXNuhqSP6H+b/LC/f\
   YDjQ6oCIQDG2uRCHlVq3yhB58TXMUbzH8+OlhWUvOlRD3VEqDdcQw=="
     }
   }

   Signature:

   file "voucher_01-signature.b64"
   u1iO_VB6xIhE8QuhKDGgCxkzsnR20IoL0p6qYKpYBDtgkRT2ykDO_QFjk7W\
   P5ATW-CQnWlJ3ILSeiwMf9nI0g

Authors' Addresses

   Michael Richardson
   Sandelman Software Works

   Email: mcr+ietf@sandelman.ca


   Thomas Werner
   Siemens

   Email: thomas-werner@siemens.com