anima Working Group                                         M. Richardson
Internet-Draft                                   Sandelman Software Works
Intended status: Standards Track                                T. Werner
Expires: 25 June 2021                                             Siemens
                                                         22 December 2020


          JOSE signed Voucher Artifacts for Bootstrapping Protocols
                  draft-richardson-anima-jose-voucher-00

Abstract

   This document describes a serialization of the RFC8366 voucher format
   to a JSON format that is then signed using the JSON Object Signing and
   Encryption mechanism described in RFC7515.

   In addition to explaining how the format is created, MIME types are
   registered and examples are provided.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 25 June 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  JSON Web Signatures
     3.1.  Unprotected Header
     3.2.  Protected Header
   4.  Privacy Considerations
   5.  Security Considerations
   6.  IANA Considerations
     6.1.  Media-Type Registry
       6.1.1.  application/voucher-jose+json
   7.  Acknowledgements
   8.  Changelog
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Examples
     A.1.  Example Voucher Request (from Pledge to Registrar)
     A.2.  Example Parboiled Voucher Request (from Registrar to MASA)
     A.3.  Example Voucher Result (from MASA to Pledge, via Registrar)
   Authors' Addresses

1.  Introduction

   [RFC8366] describes a voucher artifact used in [BRSKI] and [RFC8572]
   to transfer ownership of a device from a manufacturer to an owner.
   That document defines the base YANG module, and also the initial
   serialization to JSON [RFC8259], with a signature provided by
   [RFC5652].

   Other work, [I-D.ietf-anima-constrained-voucher], provides a mapping
   of the YANG to CBOR [RFC8949] with a signature format of COSE
   [RFC8812].

   This document provides an equivalent mapping to JSON format, with the
   signature in JOSE format [RFC7515].
   This document does not extend the YANG definition of [RFC8366] at
   all, but accepts that other efforts such as
   [I-D.richardson-anima-voucher-delegation],
   [I-D.friel-anima-brski-cloud], and
   [I-D.ietf-anima-brski-async-enroll] do.  This document supports
   signing any of the extended schemas defined in those documents and
   any new documents that may appear after this one.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  JSON Web Signatures

   [RFC7515] defines two serializations: the JWS Compact Serialization
   and the JWS JSON Serialization.  This document restricts itself to
   the JWS Compact Serialization (JWT) format.

   The [RFC8366] JSON structure consists of a nested map, the outer part
   of which is:

   { "ietf-voucher:voucher" : { ..some items }}

   This is considered the JWS Payload as described in [RFC7515] section
   3.

   The JWS Compact Serialization is explained in [RFC7515] section 3.1
   and section 7.1, and works out to:

   BASE64URL(UTF8(JWS Protected Header)) || '.' ||
   BASE64URL(JWS Payload) || '.' ||
   BASE64URL(JWS Signature)

   Note that this results in a long base64 content (with two
   interspersed dots).  The content is transmitted within the HTTPS
   session in this base64 format, even though HTTP can accommodate
   binary content.  This is done to be most convenient for available
   JWT libraries, and for humans who are debugging.

   There are a number of attributes.  They are:

3.1.  Unprotected Header

   There is no unprotected header in the Compact Serialization format.

3.2.  Protected Header

   The standard "typ" and "alg" values described in [RFC7515] are
   expected in the protected header.
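   The following Go program is an added illustration of the compact
   serialization above and of the "alg"/"x5c" protected-header usage
   this section goes on to describe.  It is example code written for
   this edit, not code from the draft or from the Siemens or Sandelman
   reference implementations.  It signs a constructed voucher request
   (payload values and the self-signed test certificate are
   constructed; the function names SignVoucherJWS, VerifyVoucherJWS and
   NewSelfSignedSigner are this example's own) as an ES256 JWS with the
   signer's certificate in "x5c", then verifies it using only what the
   artifact carries.  The verifier stops at "the signature is valid
   under x5c[0]" and returns the parsed chain, because whether that
   chain reaches the trust anchor a Pledge has pinned, or satisfies a
   Registrar's audit, is a policy decision above the JWS layer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64url = base64.RawURLEncoding // unpadded base64url, as the Compact Serialization requires

// SignVoucherJWS builds BASE64URL(header) '.' BASE64URL(payload) '.' BASE64URL(signature) with
// "alg":"ES256" and the chain as "x5c". x5c entries are standard base64 of DER, not base64url.
func SignVoucherJWS(key *ecdsa.PrivateKey, chain [][]byte, payload []byte) (string, error) {
	x5c := make([]string, len(chain))
	for i, der := range chain {
		x5c[i] = base64.StdEncoding.EncodeToString(der)
	}
	hdr, _ := json.Marshal(map[string]interface{}{"alg": "ES256", "x5c": x5c}) // cannot fail for strings
	signingInput := b64url.EncodeToString(hdr) + "." + b64url.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // ES256 is R || S, each left-padded to 32 octets (RFC 7518 section 3.4)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url.EncodeToString(sig), nil
}

// VerifyVoucherJWS checks the three-part structure, requires ES256, parses x5c and verifies the
// signature under x5c[0]. Whether the returned chain reaches a trusted anchor is the caller's job.
func VerifyVoucherJWS(jws string) ([]byte, []*x509.Certificate, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, nil, fmt.Errorf("compact JWS must have 3 parts, got %d", len(parts))
	}
	var hdr struct{ Alg string; X5c []string } // encoding/json matches "alg"/"x5c" case-insensitively
	if hdrBytes, err := b64url.DecodeString(parts[0]); err != nil {
		return nil, nil, err
	} else if err = json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, nil, err
	}
	if hdr.Alg != "ES256" || len(hdr.X5c) == 0 {
		return nil, nil, fmt.Errorf("need alg ES256 and a non-empty x5c, got alg %q", hdr.Alg)
	}
	chain := make([]*x509.Certificate, len(hdr.X5c))
	for i, c := range hdr.X5c {
		der, err := base64.StdEncoding.DecodeString(c)
		if err == nil {
			chain[i], err = x509.ParseCertificate(der)
		}
		if err != nil {
			return nil, nil, fmt.Errorf("x5c[%d]: %w", i, err)
		}
	}
	pub, ok := chain[0].PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve.Params().Name != "P-256" {
		return nil, nil, fmt.Errorf("ES256 requires a P-256 key in x5c[0]")
	}
	sig, err := b64url.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, nil, fmt.Errorf("ES256 signature must decode to 64 octets")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, nil, fmt.Errorf("signature does not verify under x5c[0]")
	}
	payload, err := b64url.DecodeString(parts[1])
	return payload, chain, err
}

// NewSelfSignedSigner returns a throwaway P-256 key and self-signed certificate (constructed test material).
func NewSelfSignedSigner(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

func main() {
	key, der, _ := NewSelfSignedSigner("example-pledge") // key generation with rand.Reader does not fail in practice
	// Constructed payload in the shape of the Appendix A.1 voucher request.
	jws, _ := SignVoucherJWS(key, [][]byte{der}, []byte(`{"ietf-voucher-request:voucher": {"created-on": "2020-10-22T02:37:39.000Z", "nonce": "eDs++/FuDHGUnRxN3E14CQ==", "serial-number": "0123456789"}}`))
	payload, chain, err := VerifyVoucherJWS(jws)
	fmt.Println(jws, "\n->", string(payload), len(chain), err)
}
```

   Two details in the code are the ones that most often break
   interoperability between JWS libraries: the "x5c" entries are
   standard base64 of the DER certificate (RFC 7515 section 4.1.6)
   while the three outer segments are unpadded base64url, and the ES256
   signature is the raw 64-octet R || S concatenation rather than a DER
   ECDSA-Sig-Value.  Altering one byte of the payload, or replacing the
   x5c chain with a different signer's certificate, makes
   VerifyVoucherJWS fail.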
   It is unclear what values, if any, should go into the "typ" header,
   as in the [BRSKI] use cases there are additional HTTP MIME type
   headers to indicate content types.

   The "alg" header should contain the algorithm type, such as "ES256".

   If PKIX [RFC5280] format certificates are used then the [RFC7515]
   section 4.1.6 "x5c" certificate chain SHOULD be used to contain the
   certificate and chain.  Vouchers will often need all certificates in
   the chain, including what would be considered the trust anchor
   certificate, because intermediate devices (such as the Registrar) may
   need to audit the artifact, or end systems may need to pin a trust
   anchor for future operations.

4.  Privacy Considerations

   The Voucher Request reveals the IDevID of the system that is
   onboarding.

   This request occurs over HTTPS; however, the Pledge to Registrar
   transaction is over a provisional TLS session, and it is subject to
   disclosure by a Dolev-Yao attacker (a "malicious messenger")
   [onpath].  This is explained in [BRSKI] section 10.2.

5.  Security Considerations

   The issues of how [RFC8366] vouchers are used in a [BRSKI] system are
   addressed in

6.  IANA Considerations

6.1.  Media-Type Registry

   This section registers the 'application/voucher-jwt+json' media type
   in the "Media Types" registry.

6.1.1.  application/voucher-jose+json

   Type name: application
   Subtype name: voucher-jwt+json
   Required parameters: none
   Optional parameters: none
   Encoding considerations: JWT+JSON vouchers are JOSE objects
      signed with one signer.
   Security considerations: See Security Considerations, Section
   Interoperability considerations: The format is designed to be
      broadly interoperable.
   Published specification: THIS RFC.
   Applications that use this media type: ANIMA, 6tisch, and other
      zero-touch imprinting systems
   Additional information:
      Magic number(s): None
      File extension(s): .vjj
      Macintosh file type code(s): none
   Person & email address to contact for further information: IETF
      ANIMA WG
   Intended usage: LIMITED
   Restrictions on usage: NONE
   Author: ANIMA WG
   Change controller: IETF
   Provisional registration? (standards tree only): NO

7.  Acknowledgements

   Your name here.

8.  Changelog

9.  References

9.1.  Normative References

   [BRSKI]    Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
              and K. Watsen, "Bootstrapping Remote Secure Key
              Infrastructures (BRSKI)", Work in Progress, Internet-
              Draft, draft-ietf-anima-bootstrapping-keyinfra-45, 11
              November 2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017.

   [RFC8366]  Watsen, K., Richardson, M., Pritikin, M., and T. Eckert,
              "A Voucher Artifact for Bootstrapping Protocols",
              RFC 8366, DOI 10.17487/RFC8366, May 2018.

   [RFC8812]  Jones, M., "CBOR Object Signing and Encryption (COSE) and
              JSON Object Signing and Encryption (JOSE) Registrations
              for Web Authentication (WebAuthn) Algorithms", RFC 8812,
              DOI 10.17487/RFC8812, August 2020.

9.2.  Informative References

   [I-D.friel-anima-brski-cloud]
              Friel, O., Shekh-Yusef, R., and M. Richardson, "BRSKI
              Cloud Registrar", Work in Progress, Internet-Draft, draft-
              friel-anima-brski-cloud-03, 24 September 2020.

   [I-D.ietf-anima-brski-async-enroll]
              Fries, S., Brockhaus, H., and E. Lear, "Support of
              asynchronous Enrollment in BRSKI (BRSKI-AE)", Work in
              Progress, Internet-Draft, draft-ietf-anima-brski-async-
              enroll-00, 10 July 2020.

   [I-D.ietf-anima-constrained-voucher]
              Richardson, M., Stok, P., and P. Kampanakis, "Constrained
              Voucher Artifacts for Bootstrapping Protocols", Work in
              Progress, Internet-Draft, draft-ietf-anima-constrained-
              voucher-09, 2 November 2020.

   [I-D.richardson-anima-voucher-delegation]
              Richardson, M. and J. Yang, "Delegated Authority for
              Bootstrap Voucher Artifacts", Work in Progress, Internet-
              Draft, draft-richardson-anima-voucher-delegation-02, 18
              September 2020.

   [onpath]   "can an on-path attacker drop traffic?", n.d.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009.

   [RFC8572]  Watsen, K., Farrer, I., and M. Abrahamsson, "Secure Zero
              Touch Provisioning (SZTP)", RFC 8572,
              DOI 10.17487/RFC8572, April 2019.

   [RFC8792]  Watsen, K., Auerswald, E., Farrel, A., and Q. Wu,
              "Handling Long Lines in Content of Internet-Drafts and
              RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020.

   [RFC8949]  Bormann, C. and P. Hoffman, "Concise Binary Object
              Representation (CBOR)", STD 94, RFC 8949,
              DOI 10.17487/RFC8949, December 2020.

Appendix A.  Examples

   These examples are folded according to the [RFC8792] Single
   Backslash rule.

A.1.  Example Voucher Request (from Pledge to Registrar)

   The following is an example request sent from a Pledge to the
   Registrar.  This example is from the Siemens reference Registrar
   system.

   file "voucher_request_01.b64"
   eyJhbGciOiAiRVMyNTYiLCAieDVjIjogWyJNSUlCMmpDQ0FZQ2dBd0lCQWd\
   R0FXZWdkY1NMTUFvR0NDcUdTTTQ5QkFNQ01EMHhDekFKQmdOVkJBWVRBa0Z\
   TVJVd0V3WURWUVFLREF4S2FXNW5TbWx1WjBOdmNuQXhGekFWQmdOVkJBTU1\
   a3BwYm1kS2FXNW5WR1Z6ZEVOQk1DQVhEVEU0TVRJeE1qQXpNamcxTVZvWUR\
   azVPVGt4TWpNeE1qTTFPVFU1V2pCU01Rc3dDUVlEVlFRR0V3SkJVVEVWTUJ\
   R0ExVUVDZ3dNU21sdVowcHBibWREYjNKd01STXdFUVlEVlFRRkV3b3dNVEl\
   TkRVMk56ZzVNUmN3RlFZRFZRUUREQTVLYVc1blNtbHVaMFJsZG1salpUQlp\
   Qk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJNVkdHOFo1cGpmNWp\
   bnlyVXJYeVoxa1BncUJlM05YdTFkVEFEZStyL3Y2SnpJSGwzNTVJZ2NIQzN\
   eHBpYnFKTS9iV1JhRXlqcWNDSmo0akprb3dDdWpWVEJUTUN3R0NTc0dBUVF\
   Z3U1U0FnUWZEQjF0WVhOaExYUmxjM1F1YzJsbGJXVnVjeTFpZEM1dVpYUTZ\
   VFEwTXpBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFqQU9CZ05WSFE4QkF\
   OEVCQU1DQjRBd0NnWUlLb1pJemowRUF3SURTQUF3UlFJZ1d0UHpJSVhZMml\
   UlhKdEV4S0VoaFpkYTRYK0VwbFpvbUVJMnpBMGRzam9DSVFDM0pwUW1SWE1\
   bi9wNEJ1OWl6aWk5MmVjbFR4NC9PNHJsbTdNeUxxa2hkQT09Il19.eyJpZX\
   mLXZvdWNoZXItcmVxdWVzdDp2b3VjaGVyIjogeyJjcmVhdGVkLW9uIjogIj\
   wMjAtMTAtMjJUMDI6Mzc6MzkuMDAwWiIsICJub25jZSI6ICJlRHMrKy9GdU\
   IR1VuUnhOM0UxNENRPT0iLCAic2VyaWFsLW51bWJlciI6ICIwMTIzNDU2Nz\
   5In19.Vj9pyo43KDEq0e5tokwHpNhVM0uUkLCatwNQxfsCKH8GRQ2iTT2fq\
   39k40M-7S-vheDHHuBHFSWb502EPwkdA

   It contains the following three parts:

   Header:

   file "voucher_request_01-header.b64"
   {
       "alg": "ES256",
       "x5c": [
           "MIIB2jCCAYCgAwIBAgIGAWegdcSLMAoGCCqGSM49BAMCMD0xCzAJBg\
   VBAYTAkFRMRUwEwYDVQQKDAxKaW5nSmluZ0NvcnAxFzAVBgNVBAMMDkppbm\
   KaW5nVGVzdENBMCAXDTE4MTIxMjAzMjg1MVoYDzk5OTkxMjMxMjM1OTU5Wj\
   SMQswCQYDVQQGEwJBUTEVMBMGA1UECgwMSmluZ0ppbmdDb3JwMRMwEQYDVQ\
   FEwowMTIzNDU2Nzg5MRcwFQYDVQQDDA5KaW5nSmluZ0RldmljZTBZMBMGBy\
   GSM49AgEGCCqGSM49AwEHA0IABMVGG8Z5pjf5jXnyrUrXyZ1kPgqBe3NXu1\
   TADe+r/v6JzIHl355IgcHC3axpibqJM/bWRaEyjqcCJj4jJkowCujVTBTMC\
   GCSsGAQQBgu5SAgQfDB1tYXNhLXRlc3Quc2llbWVucy1idC5uZXQ6OTQ0Mz\
   TBgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCB4AwCgYIKoZIzj\
   EAwIDSAAwRQIgWtPzIIXY2ixRXJtExKEhhZda4X+EplZomEI2zA0dsjoCIQ\
   3JpQmRXMGn/p4Bu9izii92eclTx4/O4rlm7MyLqkhdA=="
       ]
   }

   Payload:

   file "voucher_request_01-payload.b64"
   {
       "ietf-voucher-request:voucher": {
           "created-on": "2020-10-22T02:37:39.000Z",
           "nonce": "eDs++/FuDHGUnRxN3E14CQ==",
           "serial-number": "0123456789"
       }
   }

   Signature:

   file "voucher_request_01-signature.b64"
   Vj9pyo43KDEq0e5tokwHpNhVM0uUkLCatwNQxfsCKH8GRQ2iTT2fqD39k40\
   -7S-vheDHHuBHFSWb502EPwkdA

A.2.  Example Parboiled Voucher Request (from Registrar to MASA)

   The following is an example request sent from the Registrar to the
   MASA.  This example is from the Siemens reference Registrar system.
   Note that the previous voucher request can be seen in the payload as
   "prior-signed-voucher-request".

   file "parboiled_voucher_request_01.b64"
   eyJhbGciOiJFUzI1NiIsIng1YyI6WyJNSUlCb3pDQ0FVcWdBd0lCQWdJR0F\
   MGVMdUlGTUFvR0NDcUdTTTQ5QkFNQ01EVXhFekFSQmdOVkJBb01DazE1UW5\
   emFXNWxjM014RFRBTEJnTlZCQWNNQkZOcGRHVXhEekFOQmdOVkJBTU1CbFJ\
   YzNSRFFUQWVGdzB4T1RBNU1URXdNak0zTXpKYUZ3MHlPVEE1TVRFd01qTTN\
   ekphTUZReEV6QVJCZ05WQkFvTUNrMTVRblZ6YVc1bGMzTXhEVEFMQmdOVkJ\
   Y01CRk5wZEdVeExqQXNCZ05WQkFNTUpWSmxaMmx6ZEhKaGNpQldiM1ZqYUd\
   eUlGSmxjWFZsYzNRZ1UybG5ibWx1WnlCTFpYa3dXVEFUQmdjcWhrak9QUUl\
   QmdncWhrak9QUU1CQndOQ0FBVDZ4VnZBdnFUejFaVWl1TldoWHBRc2thUHk\
   QUhIUUx3WGlKMGlFTHQ2dU5QYW5BTjBRbldNWU8vMENERWpJa0JRb2J3OFl\
   cWp0eEpIVlNHVGo5S09veWN3SlRBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlF\
   REhEQU9CZ05WSFE4QkFmOEVCQU1DQjRBd0NnWUlLb1pJemowRUF3SURSd0F\
   UkFJZ1lyMkxmcW9hQ0tERjRSQWNNbUppK05DWnFkU2l1VnVnSVNBN09oS1J\
   M1lDSUR4blBNTW5wWEFNVHJQSnVQV3ljZUVSMTFQeEhPbiswQ3BTSGkycWd\
   V1giLCJNSUlCcERDQ0FVbWdBd0lCQWdJR0FXMGVMdUgrTUFvR0NDcUdTTTQ\
   QkFNQ01EVXhFekFSQmdOVkJBb01DazE1UW5WemFXNWxjM014RFRBTEJnTlZ\
   QWNNQkZOcGRHVXhEekFOQmdOVkJBTU1CbFJsYzNSRFFUQWVGdzB4T1RBNU1\
   RXdNak0zTXpKYUZ3MHlPVEE1TVRFd01qTTNNekphTURVeEV6QVJCZ05WQkF\
   TUNrMTVRblZ6YVc1bGMzTXhEVEFMQmdOVkJBY01CRk5wZEdVeER6QU5CZ05\
   QkFNTUJsUmxjM1JEUVRCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUh\
   MElBQk9rdmtUSHU4UWxUM0ZISjFVYUk3K1dzSE9iMFVTM1NBTHRHNXd1S1F\
   amlleDA2L1NjWTVQSmlidmdIVEIrRi9RVGpnZWxIR3kxWUtwd2NOTWNzU3l\
   alJUQkRNQklHQTFVZEV3RUIvd1FJTUFZQkFmOENBUUV3RGdZRFZSMFBBUUg\
   QkFRREFnSUVNQjBHQTFVZERnUVdCQlRvWklNelFkc0Qvai8rZ1gvN2NCSnV\
   SC9YbWpBS0JnZ3Foa2pPUFFRREFnTkpBREJHQWlFQXR4UTMrSUxHQlBJdFN\
   NGI5V1hoWE51aHFTUDZIK2IvTEMvZlZZRGpRNm9DSVFERzJ1UkNIbFZxM3l\
   QjU4VFhNVWJ6SDgrT2xoV1V2T2xSRDNWRXFEZGNRdz09Il19.eyJpZXRmLX\
   vdWNoZXItcmVxdWVzdDp2b3VjaGVyIjp7InNlcmlhbC1udW1iZXIiOiIwMT\
   zNDU2Nzg5Iiwibm9uY2UiOiJlRHMrKy9GdURIR1VuUnhOM0UxNENRPT0iLC\
   wcmlvci1zaWduZWQtdm91Y2hlci1yZXF1ZXN0IjoiZXlKaGJHY2lPaUFpUl\
   NeU5UWWlMQ0FpZURWaklqb2dXeUpOU1VsQ01tcERRMEZaUTJkQmQwbENRV2\
   KUjBGWFpXZGtZMU5NVFVGdlIwTkRjVWRUVFRRNVFrRk5RMDFFTUhoRGVrRk\
   RbWRPVmtKQldWUkJhMFpTVFZKVmQwVjNXVVJXVVZGTFJFRjRTMkZYTlc1VG\
   XeDFXakJPZG1OdVFYaEdla0ZXUW1kT1ZrSkJUVTFFYTNCd1ltMWtTMkZYTl\
   1V1IxWjZaRVZPUWsxRFFWaEVWRVUwVFZSSmVFMXFRWHBOYW1jeFRWWnZXVV\
   2YXpWUFZHdDRUV3BOZUUxcVRURlBWRlUxVjJwQ1UwMVJjM2REVVZsRVZsRl\
   SMFYzU2tKVlZFVldUVUpOUjBFeFZVVkRaM2ROVTIxc2RWb3djSEJpYldSRV\
   qTktkMDFTVFhkRlVWbEVWbEZSUmtWM2IzZE5WRWw2VGtSVk1rNTZaelZOVW\
   OM1JsRlpSRlpSVVVSRVFUVkxZVmMxYmxOdGJIVmFNRkpzWkcxc2FscFVRbH\
   OUWsxSFFubHhSMU5OTkRsQlowVkhRME54UjFOTk5EbEJkMFZJUVRCSlFVSk\
   Wa2RIT0ZvMWNHcG1OV3BZYm5seVZYSlllVm94YTFCbmNVSmxNMDVZZFRGa1\
   FRkVaU3R5TDNZMlNucEpTR3d6TlRWSloyTklRek5oZUhCcFluRktUUzlpVj\
   KaFJYbHFjV05EU21vMGFrcHJiM2REZFdwV1ZFSlVUVU4zUjBOVGMwZEJVVk\
   DWjNVMVUwRm5VV1pFUWpGMFdWaE9hRXhZVW14ak0xRjFZekpzYkdKWFZuVm\
   lVEZwWkVNMWRWcFlVVFpQVkZFd1RYcEJWRUpuVGxaSVUxVkZSRVJCUzBKbl\
   zSkNaMFZHUWxGalJFRnFRVTlDWjA1V1NGRTRRa0ZtT0VWQ1FVMURRalJCZD\
   ObldVbExiMXBKZW1vd1JVRjNTVVJUUVVGM1VsRkpaMWQwVUhwSlNWaFpNbW\
   0VWxoS2RFVjRTMFZvYUZwa1lUUllLMFZ3YkZwdmJVVkpNbnBCTUdSemFtOU\
   TVkZETTBwd1VXMVNXRTFIYmk5d05FSjFPV2w2YVdrNU1tVmpiRlI0TkM5UE\
   ISnNiVGROZVV4eGEyaGtRVDA5SWwxOS5leUpwWlhSbUxYWnZkV05vWlhJdG\
   tVnhkV1Z6ZERwMmIzVmphR1Z5SWpvZ2V5SmpjbVZoZEdWa0xXOXVJam9nSW\
   Jd01qQXRNVEF0TWpKVU1ESTZNemM2TXprdU1EQXdXaUlzSUNKdWIyNWpaU0\
   2SUNKbFJITXJLeTlHZFVSSVIxVnVVbmhPTTBVeE5FTlJQVDBpTENBaWMyVn\
   hV0ZzTFc1MWJXSmxjaUk2SUNJd01USXpORFUyTnpnNUluMTkuVmo5cHlvND\
   LREVxMGU1dG9rd0hwTmhWTTB1VWtMQ2F0d05ReGZzQ0tIOEdSUTJpVFQyZn\
   EMzlrNDBNLTdTLXZoZURISHVCSEZTV2I1MDJFUHdrZEEiLCJjcmVhdGVkLW\
   uIjoiMjAyMC0xMC0yMlQwMjozNzozOS4yMzVaIn19.S3BRYIKHbsqwQEZsB\
   J1COIVAxO2NPEc5oo_BnXK_JkQfStTIeHFCALdv5MzYdTu9myJO1muaSFEI\
   _NFMSFjA

   It contains the following three parts:

   Header:

   file "parboiled_voucher_request_01-header.b64"
   {
       "alg": "ES256",
       "x5c": [
           "MIIBozCCAUqgAwIBAgIGAW0eLuIFMAoGCCqGSM49BAMCMDUxEzARBg\
   VBAoMCk15QnVzaW5lc3MxDTALBgNVBAcMBFNpdGUxDzANBgNVBAMMBlRlc3\
   DQTAeFw0xOTA5MTEwMjM3MzJaFw0yOTA5MTEwMjM3MzJaMFQxEzARBgNVBA\
   MCk15QnVzaW5lc3MxDTALBgNVBAcMBFNpdGUxLjAsBgNVBAMMJVJlZ2lzdH\
   hciBWb3VjaGVyIFJlcXVlc3QgU2lnbmluZyBLZXkwWTATBgcqhkjOPQIBBg\
   qhkjOPQMBBwNCAAT6xVvAvqTz1ZUiuNWhXpQskaPy7AHHQLwXiJ0iELt6uN\
   anAN0QnWMYO/0CDEjIkBQobw8YKqjtxJHVSGTj9KOoycwJTATBgNVHSUEDD\
   KBggrBgEFBQcDHDAOBgNVHQ8BAf8EBAMCB4AwCgYIKoZIzj0EAwIDRwAwRA\
   gYr2LfqoaCKDF4RAcMmJi+NCZqdSiuVugISA7OhKRq3YCIDxnPMMnpXAMTr\
   JuPWyceER11PxHOn+0CpSHi2qgpWX",
           "MIIBpDCCAUmgAwIBAgIGAW0eLuH+MAoGCCqGSM49BAMCMDUxEzARBg\
   VBAoMCk15QnVzaW5lc3MxDTALBgNVBAcMBFNpdGUxDzANBgNVBAMMBlRlc3\
   DQTAeFw0xOTA5MTEwMjM3MzJaFw0yOTA5MTEwMjM3MzJaMDUxEzARBgNVBA\
   MCk15QnVzaW5lc3MxDTALBgNVBAcMBFNpdGUxDzANBgNVBAMMBlRlc3RDQT\
   ZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOkvkTHu8QlT3FHJ1UaI7+WsHO\
   0US3SALtG5wuKQDjiex06/ScY5PJibvgHTB+F/QTjgelHGy1YKpwcNMcsSy\
   jRTBDMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgIEMB0GA1\
   dDgQWBBToZIMzQdsD/j/+gX/7cBJucH/XmjAKBggqhkjOPQQDAgNJADBGAi\
   AtxQ3+ILGBPItSh4b9WXhXNuhqSP6H+b/LC/fVYDjQ6oCIQDG2uRCHlVq3y\
   B58TXMUbzH8+OlhWUvOlRD3VEqDdcQw=="
       ]
   }

   Payload:

   file "parboiled_voucher_request_01-payload.b64"
   {
       "ietf-voucher-request:voucher": {
           "serial-number": "0123456789",
           "nonce": "eDs++/FuDHGUnRxN3E14CQ==",
           "prior-signed-voucher-request": "eyJhbGciOiAiRVMyNTYiLC\
   ieDVjIjogWyJNSUlCMmpDQ0FZQ2dBd0lCQWdJR0FXZWdkY1NMTUFvR0NDcU\
   TTTQ5QkFNQ01EMHhDekFKQmdOVkJBWVRBa0ZSTVJVd0V3WURWUVFLREF4S2\
   XNW5TbWx1WjBOdmNuQXhGekFWQmdOVkJBTU1Ea3BwYm1kS2FXNW5WR1Z6ZE\
   OQk1DQVhEVEU0TVRJeE1qQXpNamcxTVZvWUR6azVPVGt4TWpNeE1qTTFPVF\
   1V2pCU01Rc3dDUVlEVlFRR0V3SkJVVEVWTUJNR0ExVUVDZ3dNU21sdVowcH\
   ibWREYjNKd01STXdFUVlEVlFRRkV3b3dNVEl6TkRVMk56ZzVNUmN3RlFZRF\
   RUUREQTVLYVc1blNtbHVaMFJsZG1salpUQlpNQk1HQnlxR1NNNDlBZ0VHQ0\
   xR1NNNDlBd0VIQTBJQUJNVkdHOFo1cGpmNWpYbnlyVXJYeVoxa1BncUJlM0\
   YdTFkVEFEZStyL3Y2SnpJSGwzNTVJZ2NIQzNheHBpYnFKTS9iV1JhRXlqcW\
   DSmo0akprb3dDdWpWVEJUTUN3R0NTc0dBUVFCZ3U1U0FnUWZEQjF0WVhOaE\
   YUmxjM1F1YzJsbGJXVnVjeTFpZEM1dVpYUTZPVFEwTXpBVEJnTlZIU1VFRE\
   BS0JnZ3JCZ0VGQlFjREFqQU9CZ05WSFE4QkFmOEVCQU1DQjRBd0NnWUlLb1\
   JemowRUF3SURTQUF3UlFJZ1d0UHpJSVhZMml4UlhKdEV4S0VoaFpkYTRYK0\
   wbFpvbUVJMnpBMGRzam9DSVFDM0pwUW1SWE1Hbi9wNEJ1OWl6aWk5MmVjbF\
   4NC9PNHJsbTdNeUxxa2hkQT09Il19.eyJpZXRmLXZvdWNoZXItcmVxdWVzd\
   p2b3VjaGVyIjogeyJjcmVhdGVkLW9uIjogIjIwMjAtMTAtMjJUMDI6Mzc6M\
   kuMDAwWiIsICJub25jZSI6ICJlRHMrKy9GdURIR1VuUnhOM0UxNENRPT0iL\
   Aic2VyaWFsLW51bWJlciI6ICIwMTIzNDU2Nzg5In19.Vj9pyo43KDEq0e5t\
   kwHpNhVM0uUkLCatwNQxfsCKH8GRQ2iTT2fqD39k40M-7S-vheDHHuBHFSW\
   502EPwkdA",
           "created-on": "2020-10-22T02:37:39.235Z"
       }
   }

   Signature:

   file "parboiled_voucher_request_01-signature.b64"
   S3BRYIKHbsqwQEZsBgJ1COIVAxO2NPEc5oo_BnXK_JkQfStTIeHFCALdv5M\
   YdTu9myJO1muaSFEIu_NFMSFjA

A.3.  Example Voucher Result (from MASA to Pledge, via Registrar)

   The following is an example voucher sent from the Registrar to the
   MASA.  This example is from the Siemens reference MASA system.

   file "voucher_01.b64"
   eyJhbGciOiJFUzI1NiIsIng1YyI6WyJNSUlCa3pDQ0FUaWdBd0lCQWdJR0F\
   RkJqQ2tZTUFvR0NDcUdTTTQ5QkFNQ01EMHhDekFKQmdOVkJBWVRBa0ZSTVJ\
   d0V3WURWUVFLREF4S2FXNW5TbWx1WjBOdmNuQXhGekFWQmdOVkJBTU1Ea3B\
   Ym1kS2FXNW5WR1Z6ZEVOQk1CNFhEVEU0TURFeU9URXdOVEkwTUZvWERUSTR\
   REV5T1RFd05USTBNRm93VHpFTE1Ba0dBMVVFQmhNQ1FWRXhGVEFUQmdOVkJ\
   b01ERXBwYm1kS2FXNW5RMjl5Y0RFcE1DY0dBMVVFQXd3Z1NtbHVaMHBwYm1\
   RGIzSndJRlp2ZFdOb1pYSWdVMmxuYm1sdVp5QkxaWGt3V1RBVEJnY3Foa2p\
   UFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVNDNmJlTEFtZXExVnc2aVFyUnM4UjB\
   Vys0YjFHV3lkbVdzMkdBTUZXd2JpdGYybklYSDNPcUhLVnU4czJSdmlCR05\
   dk9LR0JISHRCZGlGRVpadmI3b3hJd0VEQU9CZ05WSFE4QkFmOEVCQU1DQjR\
   d0NnWUlLb1pJemowRUF3SURTUUF3UmdJaEFJNFBZYnh0c3NIUDJWSHgvdHp\
   b1EvU3N5ZEwzMERRSU5FdGNOOW1DVFhQQWlFQXZJYjNvK0ZPM0JUbmNMRnN\
   SlpSQWtkN3pPdXNuLy9aS09hRUtic1ZEaVU9Il19.eyJpZXRmLXZvdWNoZX\
   6dm91Y2hlciI6eyJhc3NlcnRpb24iOiJsb2dnZWQiLCJzZXJpYWwtbnVtYm\
   yIjoiMDEyMzQ1Njc4OSIsIm5vbmNlIjoiZURzKysvRnVESEdVblJ4TjNFMT\
   DUT09IiwiY3JlYXRlZC1vbiI6IjIwMjAtMTAtMjJUMDI6Mzc6MzkuOTIxWi\
   sInBpbm5lZC1kb21haW4tY2VydCI6Ik1JSUJwRENDQVVtZ0F3SUJBZ0lHQV\
   wZUx1SCtNQW9HQ0NxR1NNNDlCQU1DTURVeEV6QVJCZ05WQkFvTUNrMTVRbl\
   6YVc1bGMzTXhEVEFMQmdOVkJBY01CRk5wZEdVeER6QU5CZ05WQkFNTUJsUm\
   jM1JEUVRBZUZ3MHhPVEE1TVRFd01qTTNNekphRncweU9UQTVNVEV3TWpNM0\
   6SmFNRFV4RXpBUkJnTlZCQW9NQ2sxNVFuVnphVzVsYzNNeERUQUxCZ05WQk\
   jTUJGTnBkR1V4RHpBTkJnTlZCQU1NQmxSbGMzUkRRVEJaTUJNR0J5cUdTTT\
   5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCT2t2a1RIdThRbFQzRkhKMVVhSTcrV3\
   IT2IwVVMzU0FMdEc1d3VLUURqaWV4MDYvU2NZNVBKaWJ2Z0hUQitGL1FUam\
   lbEhHeTFZS3B3Y05NY3NTeWFqUlRCRE1CSUdBMVVkRXdFQi93UUlNQVlCQW\
   4Q0FRRXdEZ1lEVlIwUEFRSC9CQVFEQWdJRU1CMEdBMVVkRGdRV0JCVG9aSU\
   6UWRzRC9qLytnWC83Y0JKdWNIL1htakFLQmdncWhrak9QUVFEQWdOSkFEQk\
   BaUVBdHhRMytJTEdCUEl0U2g0YjlXWGhYTnVocVNQNkgrYi9MQy9mVllEal\
   2b0NJUURHMnVSQ0hsVnEzeWhCNThUWE1VYnpIOCtPbGhXVXZPbFJEM1ZFcU\
   kY1F3PT0ifX0.u1iO_VB6xIhE8QuhKDGgCxkzsnR20IoL0p6qYKpYBDtgkR\
   2ykDO_QFjk7W8P5ATW-CQnWlJ3ILSeiwMf9nI0g

   It contains the following three parts:

   Header:

   file "voucher_01-header.b64"
   {
       "alg": "ES256",
       "x5c": [
           "MIIBkzCCATigAwIBAgIGAWFBjCkYMAoGCCqGSM49BAMCMD0xCzAJBg\
   VBAYTAkFRMRUwEwYDVQQKDAxKaW5nSmluZ0NvcnAxFzAVBgNVBAMMDkppbm\
   KaW5nVGVzdENBMB4XDTE4MDEyOTEwNTI0MFoXDTI4MDEyOTEwNTI0MFowTz\
   LMAkGA1UEBhMCQVExFTATBgNVBAoMDEppbmdKaW5nQ29ycDEpMCcGA1UEAw\
   gSmluZ0ppbmdDb3JwIFZvdWNoZXIgU2lnbmluZyBLZXkwWTATBgcqhkjOPQ\
   BBggqhkjOPQMBBwNCAASC6beLAmeq1Vw6iQrRs8R0ZW+4b1GWydmWs2GAMF\
   wbitf2nIXH3OqHKVu8s2RviBGNivOKGBHHtBdiFEZZvb7oxIwEDAOBgNVHQ\
   BAf8EBAMCB4AwCgYIKoZIzj0EAwIDSQAwRgIhAI4PYbxtssHP2VHx/tzUoQ\
   SsydL30DQINEtcN9mCTXPAiEAvIb3o+FO3BTncLFsaJZRAkd7zOusn//ZKO\
   EKbsVDiU="
       ]
   }

   Payload:

   file "voucher_01-payload.b64"
   {
       "ietf-voucher:voucher": {
           "assertion": "logged",
           "serial-number": "0123456789",
           "nonce": "eDs++/FuDHGUnRxN3E14CQ==",
           "created-on": "2020-10-22T02:37:39.921Z",
           "pinned-domain-cert": "MIIBpDCCAUmgAwIBAgIGAW0eLuH+MAoG\
   CqGSM49BAMCMDUxEzARBgNVBAoMCk15QnVzaW5lc3MxDTALBgNVBAcMBFNp\
   GUxDzANBgNVBAMMBlRlc3RDQTAeFw0xOTA5MTEwMjM3MzJaFw0yOTA5MTEw\
   jM3MzJaMDUxEzARBgNVBAoMCk15QnVzaW5lc3MxDTALBgNVBAcMBFNpdGUx\
   zANBgNVBAMMBlRlc3RDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOkv\
   THu8QlT3FHJ1UaI7+WsHOb0US3SALtG5wuKQDjiex06/ScY5PJibvgHTB+F\
   QTjgelHGy1YKpwcNMcsSyajRTBDMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYD\
   R0PAQH/BAQDAgIEMB0GA1UdDgQWBBToZIMzQdsD/j/+gX/7cBJucH/XmjAK\
   ggqhkjOPQQDAgNJADBGAiEAtxQ3+ILGBPItSh4b9WXhXNuhqSP6H+b/LC/f\
   YDjQ6oCIQDG2uRCHlVq3yhB58TXMUbzH8+OlhWUvOlRD3VEqDdcQw=="
       }
   }

   Signature:

   file "voucher_01-signature.b64"
   u1iO_VB6xIhE8QuhKDGgCxkzsnR20IoL0p6qYKpYBDtgkRT2ykDO_QFjk7W\
   P5ATW-CQnWlJ3ILSeiwMf9nI0g

Authors' Addresses

   Michael Richardson
   Sandelman Software Works

   Email: mcr+ietf@sandelman.ca

   Thomas Werner
   Siemens

   Email: thomas-werner@siemens.com
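   The examples in Appendix A are folded with the [RFC8792]
   single-backslash rule and each is then shown as its three compact
   serialization parts.  The Go program below is an added example
   (written for this edit, not part of the draft or of the Siemens
   reference systems) that does that mechanically: it folds a
   constructed compact JWS the way the appendix does, unfolds it again,
   and splits the result into header, payload and signature.  The names
   Fold8792, Unfold8792, ParseCompactJWS, VoucherParts and
   ConstructedFoldedJWS are this example's own; the x5c entry and the
   64-octet signature in the constructed input are placeholders, so the
   parser checks structure and decodes content but does not verify a
   signature (that needs the signer's key, as in Section 3.2).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Fold8792 wraps a long single-line artifact with the RFC 8792 single-backslash rule:
// every line but the last is cut to width-1 characters plus a trailing "\" (width >= 2).
func Fold8792(s string, width int) string {
	var lines []string
	for width > 1 && len(s) > width {
		lines = append(lines, s[:width-1]+"\\")
		s = s[width-1:]
	}
	return strings.Join(append(lines, s), "\n")
}

// Unfold8792 reverses the folding: a line ending in "\" is glued to the next line with that
// line's leading whitespace removed. The RFC 8792 NOTE header line and the blank line that
// follows it are skipped when present.
func Unfold8792(folded string) string {
	lines := strings.Split(folded, "\n")
	if len(lines) > 0 && strings.Contains(lines[0], "line wrapping per RFC 8792") {
		lines = lines[1:]
		if len(lines) > 0 && strings.TrimSpace(lines[0]) == "" {
			lines = lines[1:]
		}
	}
	var out []string
	cur, cont := "", false
	for _, line := range lines {
		if cont {
			line = strings.TrimLeft(line, " \t")
		}
		if cont = strings.HasSuffix(line, "\\"); cont {
			cur += strings.TrimSuffix(line, "\\")
			continue
		}
		out = append(out, cur+line)
		cur = ""
	}
	if cont { // input ended on a continuation line
		out = append(out, cur)
	}
	return strings.Join(out, "\n")
}

// VoucherParts holds what the appendix lists as "the following three parts", decoded.
type VoucherParts struct {
	Alg       string
	X5cCount  int
	Payload   map[string]map[string]interface{}
	SigOctets int
}

// ParseCompactJWS splits an unfolded compact JWS into its parts without verifying the
// signature. Anything other than exactly three non-empty, unpadded base64url segments is
// rejected, which catches folding or copy damage before a signature check would fail
// with a less specific error.
func ParseCompactJWS(jws string) (*VoucherParts, error) {
	parts := strings.Split(strings.TrimSpace(jws), ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 dot-separated parts, got %d", len(parts))
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		if p == "" || strings.ContainsAny(p, "=+/") {
			return nil, fmt.Errorf("part %d is not unpadded base64url", i)
		}
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
	}
	var hdr struct{ Alg string; X5c []string } // encoding/json matches "alg"/"x5c" case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, fmt.Errorf("protected header: %w", err)
	}
	vp := &VoucherParts{Alg: hdr.Alg, X5cCount: len(hdr.X5c), SigOctets: len(raw[2])}
	if err := json.Unmarshal(raw[1], &vp.Payload); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	return vp, nil
}

// ConstructedFoldedJWS is a fabricated voucher-request JWS laid out like the appendix: the
// x5c entry is a placeholder string and the signature is 64 zero octets, not a real ES256 value.
func ConstructedFoldedJWS() string {
	enc := base64.RawURLEncoding
	hdr := `{"alg":"ES256","x5c":["PLACEHOLDER-NOT-A-CERTIFICATE"]}`
	payload := `{"ietf-voucher-request:voucher":{"created-on":"2020-10-22T02:37:39.000Z","nonce":"eDs++/FuDHGUnRxN3E14CQ==","serial-number":"0123456789"}}`
	jws := enc.EncodeToString([]byte(hdr)) + "." + enc.EncodeToString([]byte(payload)) + "." + enc.EncodeToString(make([]byte, 64))
	return Fold8792(jws, 60)
}

func main() {
	folded := ConstructedFoldedJWS()
	vp, err := ParseCompactJWS(Unfold8792(folded))
	fmt.Printf("%s\n\n%+v %v\n", folded, vp, err)
}
```

   The rejection of "=", "+" and "/" in the three outer segments is
   deliberate: the compact serialization is unpadded base64url, so any
   of those characters means the artifact was produced with the wrong
   alphabet or damaged in transit, and a decoder that silently tolerates
   them hides that.  The "x5c" entries inside the header are a different
   matter; they are standard base64 and are decoded separately once the
   header JSON has been recovered.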