idnits 2.17.1

draft-wiethuechter-drip-registries-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  == There are 1 instance of lines with non-RFC3849-compliant IPv6 addresses
     in the document.  If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (23 October 2021) is 916 days in the past.  Is this
     intentional?
  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'DET' is mentioned on line 1093, but not defined

  == Missing Reference: 'SelfAttestation' is mentioned on line 1093, but not
     defined

  == Missing Reference: 'A-ma0' is mentioned on line 1347, but not defined

  == Missing Reference: 'HIP RR' is mentioned on line 1355, but not defined

  == Missing Reference: 'SA-oo' is mentioned on line 1370, but not defined

  == Missing Reference: 'SA-a0a0' is mentioned on line 1415, but not defined

  == Missing Reference: 'A-a0aN' is mentioned on line 1416, but not defined

  == Missing Reference: 'SA-aNaN' is mentioned on line 1419, but not defined

  == Unused Reference: 'F3411-19' is defined on line 1574, but no explicit
     reference was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. 'F3411-19'

     Summary: 1 error (**), 0 flaws (~~), 11 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

drip Working Group                                        A. Wiethuechter
Internet-Draft                                                    S. Card
Intended status: Standards Track                      AX Enterprize, LLC
Expires: 26 April 2022                                       R. Moskowitz
                                                           HTT Consulting
                                                          23 October 2021

                            DRIP Registries
                  draft-wiethuechter-drip-registries-01

Abstract

   TODO

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 26 April 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
     2.1.  Required Terminology
     2.2.  Definitions
   3.  Claims, Assertions, Attestations & Certificates
   4.  DRIP Attestations & Certificates
     4.1.  Attestation Structure
       4.1.1.  Attestor Identity Information
       4.1.2.  Attestation Data
       4.1.3.  Expiration Timestamp
       4.1.4.  Signing Timestamp
       4.1.5.  Signature
     4.2.  Attestations
       4.2.1.  Self-Attestation (SA-xx)
       4.2.2.  Attestation (A-xy)
       4.2.3.  Concise Attestation (CA-xy)
       4.2.4.  Mutual Attestation (MA-xy)
       4.2.5.  Link Attestation (LA-xy)
       4.2.6.  Broadcast Attestation (BA-xy)
     4.3.  Certificates
       4.3.1.  Attestation Certificate (AC-zxy)
       4.3.2.  Concise Certificate (CC-zxy)
       4.3.3.  Link Certificate (LC-zxy)
       4.3.4.  Mutual Certificate (MC-zxy)
   5.  Registries
     5.1.  Classes
       5.1.1.  Root
       5.1.2.  Registered Assigning Authorities
       5.1.3.  Hierarchical HIT Domain Authorities
     5.2.  Federation
   6.  DRIP Fully Qualified Domain Names
     6.1.  Serial Number
     6.2.  DET
   7.  Supported DNS Records
     7.1.  HIP RR
     7.2.  CERT RR
     7.3.  NS RR
     7.4.  AAAA RR
   8.  Registry Operations
     8.1.  Registering an RAA
       8.1.1.  Inputs
       8.1.2.  DNS Entries
       8.1.3.  Database Entries
       8.1.4.  Outputs
     8.2.  Registering an IRM
       8.2.1.  Inputs
       8.2.2.  DNS Entries
       8.2.3.  Database Entries
       8.2.4.  Outputs
     8.3.  Registering an HDA
       8.3.1.  Inputs
       8.3.2.  DNS Entries
       8.3.3.  Database Entries
       8.3.4.  Outputs
     8.4.  Registering an MRA
       8.4.1.  Inputs
       8.4.2.  DNS Entries
       8.4.3.  Database Entries
       8.4.4.  Outputs
     8.5.  Registering a Serial Number
       8.5.1.  Inputs
       8.5.2.  DNS Entries
       8.5.3.  Database Entries
       8.5.4.  Outputs
     8.6.  Registering an Operator
       8.6.1.  Inputs
       8.6.2.  DNS Entries
       8.6.3.  Database Entries
       8.6.4.  Outputs
     8.7.  Registering a Session ID
       8.7.1.  Inputs
       8.7.2.  DNS Entries
       8.7.3.  Database Entries
       8.7.4.  Outputs
   9.  Provisioning
     9.1.  Overview of Transactions
     9.2.  HHIT Delegation
     9.3.  Registry
     9.4.  Manufacturer
     9.5.  Operator
     9.6.  Aircraft
       9.6.1.  Standard Provisioning
       9.6.2.  Operator Assisted Provisioning
       9.6.3.  Initial Provisioning
   10.  Security Considerations
   11.  References
     11.1.  Normative References
     11.2.  Informative References
   Authors' Addresses

1.  Introduction

   TODO

2.  Terminology

2.1.  Required Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.2.  Definitions

   See [drip-requirements] for common DRIP terms.

   HDA:  Hierarchical HIT Domain Authority.  The 16 bit field identifying
      the HIT Domain Authority under an RAA.

   HID:  Hierarchy ID.  The 32 bit field providing the HIT Hierarchy ID.

   RAA:  Registered Assigning Authority.  The 16 bit field identifying
      the Hierarchical HIT Assigning Authority.

3.  Claims, Assertions, Attestations & Certificates

   This section introduces the terms "Claims", "Assertions",
   "Attestations", and "Certificates" as used in DRIP.  In DRIP,
   "certificate" has a different meaning from the security certificates
   used in X.509 Public Key Infrastructure.

   Claims:

      A claim in DRIP is a predicate (e.g., "X is Y", "X has property
      Y", and most importantly "X owns Y" or "X is owned by Y").

   Assertions:

      An assertion in DRIP is a set of claims.  This definition is
      borrowed from JWT [RFC7519] and CWT [RFC8392].

   Attestations:

      An attestation in DRIP is a signed assertion.  The signer may be
      the claimant or a related party with a stake in the assertion(s).
      Under DRIP this is normally used when an entity asserts a
      relationship with another entity, along with other information,
      and the asserting entity signs the assertion, thereby making it an
      attestation.

   Certificates:

      A certificate in DRIP is an attestation, strictly over identity
      information, signed by a third party.  This third party should be
      one with no stake in the attestation(s) it is signing over.

4.  DRIP Attestations & Certificates

4.1.  Attestation Structure

   All Attestations and Certificates under DRIP share the following
   format:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+---------------+---------------+
   |                                                               |
   .                                                               .
   .                 Attestor Identity Information                 .
   .                                                               .
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   .                                                               .
   .                        Attestation Data                       .
   .                                                               .
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                Expiration Timestamp by Attestor               |
   +---------------+---------------+---------------+---------------+
   |                 Signing Timestamp by Attestor                 |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                     Signature by Attestor                     |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +---------------+---------------+---------------+---------------+

   Attestor Identity Information: (0, 16 or 120 bytes)
      Field containing Attestor Identity Information in one of several
      forms.

   Attestation Data:
      A field of variable length containing the attestation data.

   Expiration Timestamp by Attestor (4 bytes):
      Timestamp denoting the recommended time until which the data may
      be trusted.

   Signing Timestamp by Attestor (4 bytes):
      Current time at signing.

   Attestor Signature (64 bytes):
      Signature over the preceding fields using the keypair of the
      Attestor.

                     Figure 1: Attestation Structure

4.1.1.  Attestor Identity Information

   This can be any one of the following:

   1.  None

   2.  Attestor HHIT: 16 bytes

   3.  Attestor SelfAttestation: 120 bytes

   The specific definition of an Attestation or Certificate determines
   which of these is used.

   Two Attestations omit this field: MutualAttestation (Section 4.2.4)
   and LinkAttestation (Section 4.2.5), as their definitions state that
   the signer is the second party, whose HHIT or SelfAttestation is
   already embedded in the Attestation Data.

4.1.2.  Attestation Data

   The data being attested to.  It can take one of the following forms:

   1.  Claims

   2.  Assertions

   3.  Attestations

   This field is of variable length with no limit; the specific
   definition of an Attestation or Certificate indicates the fields,
   their sizes and their ordering.

4.1.3.  Expiration Timestamp

   TODO

4.1.4.  Signing Timestamp

   TODO

4.1.5.  Signature

   TODO

4.2.  Attestations

4.2.1.  Self-Attestation (SA-xx)

   The only attestation to use a claim (the Host Identity) in the
   "Attestation Data", with the HHIT acting as the "Attestor Identity
   Information".

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                         Hierarchical                          |
   |                       Host Identity Tag                       |
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                                                               |
   |                                                               |
   |                         Host Identity                         |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                        Trust Timestamp                        |
   +---------------+---------------+---------------+---------------+
   |                       Signing Timestamp                       |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                           Signature                           |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +---------------+---------------+---------------+---------------+

                          Length = 120 bytes

                    Figure 2: DRIP Self-Attestation

4.2.2.  Attestation (A-xy)

   (Editor's Note: blurb here?)

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+---------------+---------------+
   |                                                               |
   .                                                               .
   .                             SA-xx                             .
   .                                                               .
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   .                                                               .
   .                             SA-yy                             .
   .                                                               .
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                     Trust Timestamp by X                      |
   +---------------+---------------+---------------+---------------+
   |                    Signing Timestamp by X                     |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                        Signature by X                         |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +---------------+---------------+---------------+---------------+

                          Length = 312 bytes

                       Figure 3: DRIP Attestation

4.2.3.  Concise Attestation (CA-xy)

   This attestation can be used in constrained environments when there
   is a guarantee of being able to look up the HHITs to obtain the HIs.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                         Hierarchical                          |
   |                    Host Identity Tag of X                     |
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                         Hierarchical                          |
   |                    Host Identity Tag of Y                     |
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                     Trust Timestamp by X                      |
   +---------------+---------------+---------------+---------------+
   |                    Signing Timestamp by X                     |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                        Signature by X                         |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +---------------+---------------+---------------+---------------+

                          Length = 104 bytes

                   Figure 4: DRIP Concise Attestation

4.2.4.  Mutual Attestation (MA-xy)

   An attestation that signs over an existing Attestation, where the
   signer is the second party of the embedded attestation.
   This Attestation is one of two that does not fill in the "Attestor
   Identity Information" (Section 4.1.1), as the data is already present
   in the "Attestation Data" (Section 4.1.2) in the form of Y's
   SelfAttestation.

   The unique size of this attestation (384 bytes) allows for easy
   detection and subsequent decoding without issue.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+---------------+---------------+
   |                                                               |
   .                                                               .
   .                             A-xy                              .
   .                                                               .
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                     Trust Timestamp by Y                      |
   +---------------+---------------+---------------+---------------+
   |                    Signing Timestamp by Y                     |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                        Signature by Y                         |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +---------------+---------------+---------------+---------------+

                          Length = 384 bytes

                    Figure 5: DRIP Mutual Attestation

4.2.5.  Link Attestation (LA-xy)

   An attestation that signs over an existing ConciseAttestation, where
   the signer is the second party of the embedded attestation.

   This Attestation is one of two that does not fill in the "Attestor
   Identity Information" (Section 4.1.1), as the data is already present
   in the "Attestation Data" (Section 4.1.2) in the form of Y's HHIT.

   The unique size of this attestation (176 bytes) allows for easy
   detection and subsequent decoding without issue.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+---------------+---------------+
   |                                                               |
   .                                                               .
   .                             CA-xy                             .
   .                                                               .
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                     Trust Timestamp by Y                      |
   +---------------+---------------+---------------+---------------+
   |                    Signing Timestamp by Y                     |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                        Signature by Y                         |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +---------------+---------------+---------------+---------------+

                          Length = 176 bytes

                     Figure 6: DRIP Link Attestation

4.2.6.  Broadcast Attestation (BA-xy)

   Required by DRIP Authentication Formats for Broadcast RID (Editor's
   Note: add link to draft here) to satisfy [drip-requirements] GEN-1
   and GEN-3.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                         Hierarchical                          |
   |                    Host Identity Tag of X                     |
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                         Hierarchical                          |
   |                    Host Identity Tag of Y                     |
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                                                               |
   |                                                               |
   |                      Host Identity of Y                       |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                     Trust Timestamp by X                      |
   +---------------+---------------+---------------+---------------+
   |                    Signing Timestamp by X                     |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                        Signature by X                         |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +---------------+---------------+---------------+---------------+

                          Length = 136 bytes

                  Figure 7: DRIP Broadcast Attestation

4.3.  Certificates

   In DRIP, certificates are signed by a third party that has no stake
   in the claims/assertions/attestations being attested to.
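   The layouts of Section 4 can be exercised with the following Python,
   an added example and not code from the draft: it sums each structure's
   length from the field widths in Figures 1 to 11, identifies a
   structure by that length as Sections 4.2.4 and 4.2.5 rely on, parses
   nested structures recursively, and splits the 16-byte HHIT into RAA,
   HDA and OGA for the Section 6.2 lookup name.  Assumptions: the 64-byte
   signature is a placeholder (this section fixes no signing algorithm),
   the Host Identities and Y's HHIT are constructed, and the
   28/16/16/4/64-bit HHIT split is read off the worked DET in Section
   6.2; note that the field sum for LC-zxy comes to 264 bytes where
   Figure 10 states 300.

```python
"""Encode/decode the DRIP attestation structures of Section 4 (added example)."""
import hashlib
import ipaddress
import struct

HHIT_LEN, HI_LEN, TS_LEN, SIG_LEN = 16, 32, 4, 64       # field widths read off Figures 1-11
TRAILER = 2 * TS_LEN + SIG_LEN   # every structure ends with: trust ts | signing ts | signature

# Leading fields per structure: an int is a raw field width, a string nests another structure.
LAYOUT = {
    "SA": [("hhit", HHIT_LEN), ("hi", HI_LEN)],                            # Figure 2
    "CA": [("hhit_x", HHIT_LEN), ("hhit_y", HHIT_LEN)],                    # Figure 4
    "BA": [("hhit_x", HHIT_LEN), ("hhit_y", HHIT_LEN), ("hi_y", HI_LEN)],  # Figure 7
    "A":  [("sa_x", "SA"), ("sa_y", "SA")],                                # Figure 3, signed by X
    "MA": [("a_xy", "A")],                                                 # Figure 5, signed by Y
    "LA": [("ca_xy", "CA")],                                               # Figure 6, signed by Y
    "AC": [("sa_z", "SA"), ("a_xy", "A")],                                 # Figure 8
    "CC": [("hhit_z", HHIT_LEN), ("ca_xy", "CA")],                         # Figure 9
    "LC": [("hhit_z", HHIT_LEN), ("la_xy", "LA")],          # Figure 10: sums to 264, figure says 300
    "MC": [("sa_z", "SA"), ("ma_xy", "MA")],                               # Figure 11
}

def size(kind: str) -> int:
    """Total length of a structure, summed from its layout plus the trailer."""
    return sum(w if isinstance(w, int) else size(w) for _, w in LAYOUT[kind]) + TRAILER

SIZES = {k: size(k) for k in LAYOUT}   # SA 120, A 312, CA 104, MA 384, LA 176, BA 136, ...
BY_LENGTH = {v: k for k, v in SIZES.items()}
assert len(BY_LENGTH) == len(SIZES), "lengths must be distinct for length-based detection"

def placeholder_sign(body: bytes) -> bytes:
    """Stand-in that yields 64 bytes so the layout can be exercised offline.
    This is NOT a signature; a real attestor signs `body` with its HI private key."""
    return hashlib.sha512(body).digest()

def build(kind: str, parts: list, expires: int, signed_at: int, sign=placeholder_sign) -> bytes:
    """Concatenate the leading fields, the two big-endian 32-bit timestamps and the signature."""
    body = b"".join(parts) + struct.pack("!II", expires, signed_at)
    if len(body) + SIG_LEN != SIZES[kind]:
        raise ValueError(f"{kind}: {len(body)} bytes before signature, expected {SIZES[kind] - SIG_LEN}")
    sig = sign(body)
    if len(sig) != SIG_LEN:
        raise ValueError("signature must be 64 bytes")
    return body + sig

def classify(buf: bytes) -> str:
    """Identify a structure purely by its length, as Sections 4.2.4 and 4.2.5 rely on."""
    try:
        return BY_LENGTH[len(buf)]
    except KeyError:
        raise ValueError(f"no DRIP structure is {len(buf)} bytes long") from None

def parse(buf: bytes) -> dict:
    """Split a structure into its fields; nested structures are parsed recursively."""
    kind = classify(buf)
    out, off = {"type": kind}, 0
    for name, w in LAYOUT[kind]:
        n = w if isinstance(w, int) else SIZES[w]
        out[name] = buf[off:off + n] if isinstance(w, int) else parse(buf[off:off + n])
        off += n
    out["expires"], out["signed_at"] = struct.unpack("!II", buf[off:off + 2 * TS_LEN])
    out["signature"] = buf[off + 2 * TS_LEN:]
    return out

def timestamps_ok(fields: dict, now: int) -> bool:
    """Signing must not postdate the attestor's expiration, and the expiration must not have passed."""
    return fields["signed_at"] <= fields["expires"] and now <= fields["expires"]

def decode_hhit(hhit: bytes) -> dict:
    """Split a 16-byte HHIT as the Section 6.2 example lays it out:
    28-bit prefix | 16-bit RAA | 16-bit HDA | 4-bit OGA | 64-bit ID."""
    v = int.from_bytes(hhit, "big")
    return {"prefix": v >> 100, "raa": (v >> 84) & 0xFFFF, "hda": (v >> 68) & 0xFFFF,
            "oga": (v >> 64) & 0xF, "id": v & ((1 << 64) - 1)}

def det_fqdn(hhit: bytes) -> str:
    """Lookup name in the Section 6.2 form: <id>.<oga>.<hda>.<raa>.det.remoteid.aero."""
    f = decode_hhit(hhit)
    return f"{f['id']:016x}.{f['oga']}.{f['hda']}.{f['raa']}.det.remoteid.aero"

# Constructed sample data: X uses the draft's own DET example, Y an arbitrary neighbour.
# ipaddress normalises, so the condensed form below yields the same 16 bytes as the full one.
HHIT_X = ipaddress.IPv6Address("2001:30:a0:145:a3ad:1952:ad0:a69e").packed
HHIT_Y = ipaddress.IPv6Address("2001:30:a0:146:1111:2222:3333:4444").packed
HI_X, HI_Y = bytes([0x11]) * HI_LEN, bytes([0x22]) * HI_LEN   # placeholder Host Identities

def demo(expires: int = 1_700_000_000, signed_at: int = 1_690_000_000) -> dict:
    """Build SA-xx, SA-yy, A-xy and MA-xy (Figures 2, 3 and 5) and parse MA-xy back."""
    sa_x = build("SA", [HHIT_X, HI_X], expires, signed_at)
    sa_y = build("SA", [HHIT_Y, HI_Y], expires, signed_at)
    a_xy = build("A", [sa_x, sa_y], expires, signed_at)    # X attests over both SAs
    ma_xy = build("MA", [a_xy], expires, signed_at)        # Y, the second party, counter-signs
    return {"sa_x": sa_x, "a_xy": a_xy, "ma_xy": ma_xy, "parsed": parse(ma_xy)}
```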
   It is analogous to a third party in a legal system who signs a
   document as a "witness" and bears no responsibility for the document.

4.3.1.  Attestation Certificate (AC-zxy)

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+---------------+---------------+
   |                                                               |
   .                                                               .
   .                             SA-zz                             .
   .                                                               .
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   .                                                               .
   .                             A-xy                              .
   .                                                               .
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                     Trust Timestamp by Z                      |
   +---------------+---------------+---------------+---------------+
   |                    Signing Timestamp by Z                     |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                        Signature by Z                         |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +---------------+---------------+---------------+---------------+

                          Length = 504 bytes

                 Figure 8: DRIP Attestation Certificate

4.3.2.  Concise Certificate (CC-zxy)

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                         Hierarchical                          |
   |                    Host Identity Tag of Z                     |
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   .                                                               .
   .                             CA-xy                             .
   .                                                               .
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                     Trust Timestamp by Z                      |
   +---------------+---------------+---------------+---------------+
   |                    Signing Timestamp by Z                     |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                        Signature by Z                         |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +---------------+---------------+---------------+---------------+

                          Length = 192 bytes

                   Figure 9: DRIP Concise Certificate

4.3.3.  Link Certificate (LC-zxy)

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                         Hierarchical                          |
   |                    Host Identity Tag of Z                     |
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   .                                                               .
   .                             LA-xy                             .
   .                                                               .
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                     Trust Timestamp by Z                      |
   +---------------+---------------+---------------+---------------+
   |                    Signing Timestamp by Z                     |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                        Signature by Z                         |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +---------------+---------------+---------------+---------------+

                          Length = 300 bytes

                    Figure 10: DRIP Link Certificate

4.3.4.  Mutual Certificate (MC-zxy)

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+---------------+---------------+
   |                                                               |
   .                                                               .
   .                             SA-zz                             .
   .                                                               .
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   .                                                               .
   .                             MA-xy                             .
   .                                                               .
   |                                                               |
   +---------------+---------------+---------------+---------------+
   |                     Trust Timestamp by Z                      |
   +---------------+---------------+---------------+---------------+
   |                    Signing Timestamp by Z                     |
   +---------------+---------------+---------------+---------------+
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                        Signature by Z                         |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   |                                                               |
   +---------------+---------------+---------------+---------------+

                          Length = 576 bytes

                   Figure 11: DRIP Mutual Certificate

5.  Registries

5.1.  Classes

   Under DRIP there are 3 classes of registries, with specific variants
   in each.

5.1.1.  Root

   This is a special registry holding the RAA value of 0 and HDA value
   of 0.  It delegates RAA values only to registries that wish to act
   as an RAA.

   (Editor's Note: we contemplate this is ICAO running this server or a
   federation of them)

5.1.2.  Registered Assigning Authorities

   TODO

   Hold RAA values of 2+ and HDA value of 0.

   Most are contemplated to be Civil Aviation Authorities (CAAs), which
   then delegate HDAs to manage their NAS.

5.1.2.1.  ICAO Registry of Manufacturers (IRM)

   A special registry that hands out HDA values to participating
   Manufacturers that hold an ICAO Manufacturer Code used in ANSI
   CTA2063-A Serial Numbers.

   It holds the RAA value of 1 and HDA value of 0.

   (Editor's Note: we contemplate this is ICAO running this server or a
   federation of them)

5.1.3.  Hierarchical HIT Domain Authorities

5.1.3.1.  Manufacturer's Registry of Aircraft (MRA)

   A registry run by a manufacturer of UAS systems that participate in
   Remote ID.  Stores UAS Serial Numbers under a specific ICAO
   Manufacturer Code (assigned to the manufacturer by ICAO).

   A DET can be encoded into a Serial Number (Editor's Note: link to
   -uas-rid); when this is done, this registry would hold a mapping from
   the Serial Number to the DET and its artifacts.

   Holds RAA value of 1 and HDA values of 1+.

5.1.3.2.  Remote ID Registries (RIDR)

   Registry that holds the binding between a UAS Session ID (for DRIP,
   the DET) and the UA Serial Number.  Access to the Serial Number MUST
   be protected so that only authorized parties can obtain it.  The
   Serial Number SHOULD be encrypted in a way the authorized party can
   decrypt.

   As part of the UTM system they also hold a binding between a UAS ID
   (Serial Number or Session ID) and an Operational Intent.
827 (Editors Note: these are contemplated to be part of a USS as a 828 function or a standalone SDSP in the UTM system) 830 Hold RAA values of 2+ and HDA value of 1+. 832 5.2. Federation 834 (Editors Note: Due to nature of HHIT we could have multiple 835 registries with same RAA/HDA pairings running and being federated 836 together. How do we handle this?) 838 6. DRIP Fully Qualified Domain Names 840 Under DRIP there are a number of FQDN forms used to allow lookups to 841 take place. 843 6.1. Serial Number 845 Serial Number: 8653FZ2T7B8RA85D19LX 846 ICAO Mfr Code: 8653 847 Length Code: F 848 ID: FZ2T7B8RA85D19LX 849 FQDN: Z2T7B8RA85D19LX.F.8653.mfr.remoteid.aero 851 6.2. DET 853 DET: 2001:0030:00a0:0145:a3ad:1952:0ad0:a69e 854 ID: a3ad:1952:0ad0:a69e 855 OGA: 5 856 HDA: 0014 = 20 857 RAA: 000a = 10 858 FQDN: a3ad19520ad0a69e.5.20.10.det.remoteid.aero 860 (Editors Note: do we want to convert HDA/RAA to int or leave as hex?) 862 (Editors Note: DNS is case-sensitive in my experience, do we do all 863 upper case?) 864 (Editors Note: do we support condensed ipv6 forms? - instinct is no 865 as dns case-sensitive so it would be considered a different fqdn 866 entirely) 868 7. Supported DNS Records 870 DRIP requires a number of resource records, some specific to certain 871 registries to function. 873 7.1. HIP RR 875 All registries will have their own DET associated with them and their 876 respective DNS server will hold a HIP RR that is pointed to by their 877 DET FQDN. 879 MRA and RIDR servers will also have HIP RRs for their registered 880 parties (aircraft and operators). 882 7.2. CERT RR 884 Most attestations can be placed into DNS. An exception to this is 885 the AttestationCertificate made during Session ID registration. 887 7.3. NS RR 889 Along with their associated "glue" record (A/AAAA) supports the 890 traversal in DNS across the tree. 892 1. "" on Root points to specific DET FQDN of IRM 894 2. 
".mfr.remoteid.aero" on IRM points to specific DET 895 FQDN of MRA 897 3. ".det.remoteid.aero" on Root pointing to DET FQDN of 898 matching RAA 900 4. "..det.remoteid.aero" on RAA Registry 901 pointing to DET FQDN of matching HDA 903 7.4. AAAA RR 905 DRIP requires the use of IPv6. 907 8. Registry Operations 909 (Editors Note: General processing instructions here?) 910 As a general rule the following processing performed for any 911 registration operation: 913 1. Verify SelfAttestation of registering party 915 2. Populate DNS with required/optional records 917 3. Populate Database with PII and other info 919 4. Generate and return required/optional Attestations 921 8.1. Registering an RAA 923 Specifically handled by the Root Registry (Section 5.1.1). 925 8.1.1. Inputs 927 Required: 929 1. SelfAttestation of RAA 931 2. IP Address of RAA 933 8.1.2. DNS Entries 935 Required on Root: 937 NS RR = ".det.remoteid.aero NS " 939 AAAA RR = " AAAA ..." 941 CERT RR = ??? 943 Required on RAA: 945 HIP RR = " HIP ..." 947 CERT RR = ??? 949 8.1.3. Database Entries 951 8.1.4. Outputs 953 8.2. Registering an IRM 955 Specifically handled by the Root Registry (Section 5.1.1). 957 8.2.1. Inputs 959 Required: 961 1. Self-Attestation of IRM 963 2. IP Address of IRM 965 8.2.2. DNS Entries 967 Required on Root: 969 NS RR = "mfr.remoteid.aero NS " 971 NS RR = "1.det.remoteid.aero NS " 973 AAAA RR = " AAAA ..." 975 CERT RR = ??? 977 Required on IRM: 979 HIP RR = " HIP ..." 981 CERT RR = ??? 983 8.2.3. Database Entries 985 8.2.4. Outputs 987 Required: 989 1. Attestation: Root on IRM 991 8.3. Registering an HDA 993 Specifically handled by an RAA (Section 5.1.2). 995 8.3.1. Inputs 997 Required: 999 1. Self-Attestation of HDA 1001 2. IP Address of HDA 1003 8.3.2. DNS Entries 1005 Required on RAA: 1007 NS RR = "..det.remoteid.aero NS " 1009 AAAA RR = " AAAA ..." 1011 CERT RR = ??? 1013 Required on HDA: 1015 HIP RR = " HIP ..." 1017 8.3.3. Database Entries 1019 8.3.4. Outputs 1021 8.4. 
Registering an MRA

   Specifically handled by the IRM Registry (Section 5.1.2.1).

8.4.1.  Inputs

   Required:

   1.  ICAO Manufacturer Code

   2.  Self-Attestation of MRA

   3.  IP Address of MRA

8.4.2.  DNS Entries

   Required on IRM:

      NS RR = ".mfr.remoteid.aero NS "

      NS RR = ".1.det.remoteid.aero NS "

      AAAA RR = " AAAA ..."

      CERT RR = ???

   Required on MRA:

      HIP RR = " HIP ..."

      CERT RR = ???

8.4.3.  Database Entries

   (HDA value, MRA Details)

8.4.4.  Outputs

   Required:

   1.  Attestation: IRM on MRA

8.5.  Registering a Serial Number

   Specifically handled by an MRA (Section 5.1.3.1).

8.5.1.  Inputs

   Required:

   1.  Serial Number

   2.  Aircraft Metadata

   Optional:

   1.  SelfAttestation: Aircraft on Aircraft (if DET encoded)

8.5.2.  DNS Entries

   Required on MRA:

      A/AAAA with Serial Number FQDN (Section 6.1)

   Optional on MRA:

      HIP RR of Aircraft with DET FQDN (Section 6.2) (" HIP ...")

      CERT RRs of SelfAttestation and BroadcastAttestation

8.5.3.  Database Entries

   (Serial Number, [DET], Metadata, [SelfAttestation])

8.5.4.  Outputs

   Optional:

   1.  BroadcastAttestation: Mfr on Aircraft

8.6.  Registering an Operator

   Specifically handled by a RIDR (Section 5.1.3.2).

8.6.1.  Inputs

   Required:

   1.  SelfAttestation: Operator on Operator

   2.  Operator PII

   Optional: TODO

8.6.2.  DNS Entries

   Optional on RIDR:

      HIP RR of Operator

      CERT RRs of SelfAttestation of Operator, A-ro

8.6.3.  Database Entries

   TODO

8.6.4.  Outputs

   Required:

   1.  Attestation (A-ro) - using SA-rr and SA-oo

   Optional:

   1.  ConciseAttestation (CA-ro) - using SA-oo

   2.  BroadcastAttestation (BA-ro) - using SA-oo

8.7.  Registering a Session ID

   Specifically handled by a RIDR (Section 5.1.3.2).

8.7.1.  Inputs

   Required:

   1.  Attestation: Registry on Operator

   2.  Attestation: Operator on Aircraft

   3.  UAS Serial Number

   Optional:

   1.  ConciseAttestation: Operator on Aircraft

   2.  MutualAttestation: Operator on Aircraft

   3.  LinkAttestation: Operator on Aircraft

   4.  Operational Intent ID (GUFI)

8.7.2.  DNS Entries

   Required on RIDR:

      HIP RR of Aircraft with DET FQDN (Section 6.2) (" HIP ...")

      CERT RRs for SelfAttestation of Aircraft, BroadcastAttestation

8.7.3.  Database Entries

   (Session ID, Serial Number, GUFI, A-oa, BA-ra, AC-roa)

8.7.4.  Outputs

   Required:

   1.  BroadcastAttestation (BA-ra) - generated using the embedded SA-aa
       from A-oa

   2.  AttestationCertificate (AC-roa) - using A-oa

   Optional:

   1.  MutualCertificate (MC-roa) - using MA-oa

   2.  ConciseCertificate (CC-roa) - using CA-oa

   3.  LinkCertificate (LC-roa) - using LA-oa

   4.  BroadcastAttestations of parent Registries in the chain

9.  Provisioning

   Under DRIP UAS RID a special provisioning procedure is required to
   properly generate and distribute the certificates and attestations to
   all parties in the USS/UTM ecosystem using DRIP RID.

   Keypairs are expected to be generated on the device hardware they
   will be used on.  Due to hardware limitations (see Section 10) and
   connectivity it is acceptable under DRIP RID to generate keypairs for
   the Aircraft on Operator devices and later securely inject them into
   the Aircraft (as defined in Section 9.6.2).  The methods to securely
   inject and store keypair information in a "secure element" of the
   Aircraft are out of scope of this document.

9.1.  Overview of Transactions

   In DRIP, each Operator MUST generate a Host Identity of the Operator
   (HIo) and derived Hierarchical HIT of the Operator (HHITo).  These
   are registered with a Private Information Registry along with
   whatever Operator data (inc. PII) is required by the cognizant CAA
   and the registry.
   In response, the Operator will obtain an attestation from the
   Registry, Attestation: Registry on Operator (A-ro), signed with the
   Host Identity of the Registry private key (HIr(priv)) proving such
   registration.

   An Operator may now claim one or more UA.

   *  An Operator MUST generate a Host Identity of the Aircraft (HIa)
      and derived Hierarchical HIT of the Aircraft (HHITa)

   *  Create an attestation from the Operator on the Aircraft (A-oa)
      signed with the Host Identity of the Operator private key
      (HIo(priv)) to associate the UA with its Operator

   *  Register them with a Private Information Registry along with
      whatever UAS data is required by the cognizant CAA and Registry

   *  Obtain an attestation from the Registry on the Operator and
      Aircraft ("AC-roa") signed with the HIr(priv) proving such
      registration

   *  And obtain a broadcast attestation from the Registry on the
      Aircraft (BA-ra) signed with HIr(priv) proving UA registration in
      that specific registry while preserving Operator privacy.

   The Operator then MUST provision the UA with HIa, HIa(priv), HHITa
   and BA-ra.

   *  UA engaging in Broadcast RID MUST use HIa(priv) to sign
      Authentication Messages and MUST periodically broadcast BA-ra.

   *  UAS engaging in Network RID MUST use HIa(priv) to sign
      Authentication Messages.

   *  Observers MUST use HIa from received BA-ra to verify received
      Broadcast RID Authentication messages.

   *  Observers without Internet connectivity MAY use BA-ra to identify
      the trust class of the UAS based on known registry vetting.

   *  Observers with Internet connectivity MAY use HHITa to perform
      lookups in the Public Information Registry and MAY then query the
      Private Information Registry, which MUST enforce AAA policy on
      Operator PII and other sensitive information.

9.2.  HHIT Delegation

   Under the FAA [NPRM], it is expected that IDs for UAS are assigned
   by the UTM and are generally one-time use.  The methods for this
   however are unspecified, leaving two options.

   1.  The entity generates its own HHIT, discovering and using the RAA
       and HDA for the target Registry.  The method for discovering a
       Registry's RAA and HDA is out of scope here.  This allows the
       device to generate an HHIT to send to the Registry to be accepted
       (thus generating the required Host Identity Claim) or denied.

   2.  The entity sends its HI to the Registry for it to be hashed,
       resulting in the HHIT.  The Registry would then either accept
       (returning the HHIT to the device) or deny this pairing.

   In either case the Registry must decide whether the HI/HHIT pairing
   is valid.  In its simplest form this is checking the current
   Registry for a collision on the HHIT.

   Upon accepting a HI/HHIT pair the Registry MUST populate the DNS
   serving the HDA with the required HIP RR and other relevant RR types
   (such as TXT and CERT).  The Registry MUST also generate the
   appropriate Attestation for the given operation.

   If the Registry denied the HI/HHIT pair, because there was a HHIT
   collision or any other reason, the Registry MUST signal back to the
   device being provisioned that a new HI needs to be generated.

9.3.  Registry

   (Editor Note: this should break down the individual registrations
   between Root/RAA, RAA/HDA and their special variants).

   TODO

   DRIP UAS RID defines two levels of hierarchy maintained by the
   Registration Assigning Authority (RAA) and HHIT Domain Authority
   (HDA).  The authors anticipate that an RAA is owned and operated by a
   regional CAA (or a party delegated by a CAA in a specific airspace
   region) with HDAs being contracted out.  As such a chain of trust for
   registries is required to ensure trustworthiness is not compromised.
   More information on the registries can be found in [hhit-registries].

   Both the RAA and HDA generate their own keypairs and self-signed
   attestations (SelfAttestation: RAA on RAA and SelfAttestation: HDA on
   HDA respectively).  The HDA sends its self-signed attestation to the
   RAA to be added into the RAA DNS.

   The RAA confirms the attestation received is valid and that no HHIT
   collisions occur before adding a HIP RR to its DNS for the new HDA.
   An Attestation: RAA on HDA (A-rh) is sent as a confirmation that
   provisioning was successful.

   The HDA is now a valid "Registry" and uses its keypair and
   SelfAttestation: HDA on HDA (SA-hh) with all provisioning requests
   from downstream.

9.4.  Manufacturer

   +--------------+   SA-a0a0   +-----------------+
   | Manufacturer | <---------> | Manufacturer CA |
   +--------------+    A-ma0    +-----------------+
          ^                              |
          |                              |
          |                              |
       SA-a0a0                         A-ma0
          |                              |
          |                              v
                    +----------+
                    | Aircraft |
                    +----------+

                   Figure 12: Manufacturer Provision

   During the initial configuration and production at the factory the
   Aircraft MUST be configured to have a serial number.  ASTM defines
   this to be an ANSI/CTA-2063A.  Under DRIP a HHIT can be encoded as
   such to be able to convert back and forth between them.  This is out
   of scope for this document.  TODO: link from UAS RID document.

   Under DRIP the Manufacturer SHOULD be using HHITs and have their own
   keypair and SA-mm (SelfAttestation: Manufacturer on Manufacturer).
   (Ed. Note: some words on aircraft keypair and certs here?).

   SelfAttestation: Aircraft 0 on Aircraft 0 (SA-a0a0) is extracted by
   the manufacturer and sent to their Certificate Authority (CA) to be
   verified and added.  A resulting attestation (Attestation:
   Manufacturer on Aircraft 0 [A-ma0]) SHOULD be a DRIP Attestation;
   however this could be an X.509 certificate binding the serial number
   to the manufacturer.

9.5.  Operator

   +----------+              +---------+
   | Registry | -----------> | HDA DNS |
   +----------+   [HIP RR]   +---------+
        ^    |
        |    |
        |    |
    Coo |    | Aro
        |    |
        |    v
   +----------+
   | Operator |
   +----------+

                    Figure 13: Operator Provision

   The Operator generates a keypair and HHIT as specified in DRIP UAS
   RID.  A self-signed attestation (Attestation: Operator on Operator
   [SA-oo]) is generated and sent to the desired Registry (HDA).  Other
   relevant information, possibly including personally identifiable
   information, may also be required to be sent to the Registry (all
   over a secure channel, the method of which is out of scope for this
   document).

   The Registry cross checks any personally identifiable information as
   required.  The Operator's self-signed attestation (SA-oo) is verified
   (both the expiration timestamp and the signature).  The HHIT is
   searched in the Registry's database to confirm that no collision
   occurs.  A new attestation is generated (Attestation: Registry on
   Operator) and sent securely back to the Operator.  Optionally the
   HHIT/HI pairing can be added to the Registry's DNS in the form of a
   HIP Resource Record (RR).  Other RRs, such as CERT and TXT, may also
   be used to hold public information.

   With the receipt of Attestation: Registry on Operator (A-ro) the
   provisioning of an Operator is complete.

9.6.  Aircraft

9.6.1.  Standard Provisioning

   Under standard provisioning the Aircraft has its own connectivity to
   the Registry, the method of which is out of scope for this document.
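The Registry-side decision that Sections 8, 9.2 and 9.5 describe (verify the registering party's self-attestation, check the HI/HHIT pairing for a collision, publish the HIP RR, then return A-ro or signal that a new HI is needed), as an added Go example that is not part of this draft or of any DRIP implementation. It assumes Ed25519 keys, a made-up attestation layout, and a plain SHA-256 hash in place of the real HHIT construction, none of which this page defines.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Attestation is a constructed stand-in (this page defines no wire format):
// issuer HHIT, subject HHIT and HI, expiry, EdDSA signature over those fields.
type Attestation struct {
	Issuer, Subject string
	SubjectHI       ed25519.PublicKey
	NotAfter        int64 // Unix seconds
	Sig             []byte
}
func (a Attestation) body() []byte {
	return []byte(fmt.Sprintf("%s|%s|%x|%d", a.Issuer, a.Subject, a.SubjectHI, a.NotAfter))
}
// VerifiedBy checks the signature against the issuer's public HI.
func (a Attestation) VerifiedBy(pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, a.body(), a.Sig)
}
// hhit hashes a HI into an identifier; an assumed stand-in for the real HHIT construction.
func hhit(hi ed25519.PublicKey) string {
	sum := sha256.Sum256(hi)
	return fmt.Sprintf("%x", sum[:16])
}
// NewSelfAttestation builds SA-oo: a fresh Operator keypair signing its own HI/HHIT pairing.
func NewSelfAttestation(notAfter int64) Attestation {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a := Attestation{Issuer: hhit(pub), Subject: hhit(pub), SubjectHI: pub, NotAfter: notAfter}
	a.Sig = ed25519.Sign(priv, a.body())
	return a
}
// Registry models the HDA: its keypair, accepted HHIT->HI pairings and published HIP RRs.
type Registry struct {
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	DB    map[string]ed25519.PublicKey
	HIPRR []string
}
func NewRegistry() *Registry {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Registry{Pub: pub, priv: priv, DB: map[string]ed25519.PublicKey{}}
}
// RegisterOperator applies the Section 8/9.2/9.5 checks to SA-oo (expiry, self-signature,
// HHIT matches HI, no collision), records the pairing, publishes a HIP RR and returns A-ro.
func (r *Registry) RegisterOperator(saoo Attestation, now int64) (Attestation, error) {
	if now > saoo.NotAfter {
		return Attestation{}, fmt.Errorf("SA-oo expired")
	}
	if saoo.Issuer != saoo.Subject || hhit(saoo.SubjectHI) != saoo.Subject || !saoo.VerifiedBy(saoo.SubjectHI) {
		return Attestation{}, fmt.Errorf("SA-oo is not a valid self-attestation of its HI/HHIT")
	}
	if old, taken := r.DB[saoo.Subject]; taken && !old.Equal(saoo.SubjectHI) {
		return Attestation{}, fmt.Errorf("HHIT collision: generate a new HI") // Section 9.2 denial
	}
	r.DB[saoo.Subject] = saoo.SubjectHI
	r.HIPRR = append(r.HIPRR, fmt.Sprintf("%s HIP %x", saoo.Subject, saoo.SubjectHI))
	aro := Attestation{Issuer: hhit(r.Pub), Subject: saoo.Subject, SubjectHI: saoo.SubjectHI, NotAfter: saoo.NotAfter}
	aro.Sig = ed25519.Sign(r.priv, aro.body()) // signed with HIr(priv)
	return aro, nil
}
```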
   +----------+
   | Registry |
   +----------+
        ^
        |
        |
        | A-ro, A-oaN
        |
        |
   +----------+                         +----------+
   | Operator | <--------------------- | Aircraft |
   +----------+        A-a0aN           +----------+

                  Figure 14: Standard Provision: Step 1

   Through mechanisms not specified in this document the Aircraft should
   have methods to instruct the Aircraft onboard systems to generate a
   keypair and certificate.  This certificate is chained to the factory
   provisioned certificate (SelfAttestation: Aircraft 0 on Aircraft 0
   [SA-a0a0]).  This new attestation (Attestation: Aircraft 0 on
   Aircraft N [A-a0aN]) is securely extracted by the Operator.

   With A-a0aN the sub-attestation (SelfAttestation: Aircraft N on
   Aircraft N [SA-aNaN]) is used by the Operator to generate
   Attestation: Operator on Aircraft N (A-oaN).  This along with
   Attestation: Registry on Operator (A-ro) is sent to the Registry.

   +----------+
   | Registry |
   +----------+
        |
        |
        |
        | Token
        |
        v
   +----------+                         +----------+
   | Operator | ---------------------> | Aircraft |
   +----------+         Token           +----------+

                  Figure 15: Standard Provision: Step 2

   On the Registry, A-ro is verified and used as confirmation that the
   Operator is already registered.  A-oaN also undergoes a validation
   check and is used to generate a token to return to the Operator to
   continue provisioning.

   Upon receipt of this token, the Operator injects it into the Aircraft
   and it is used to form a secure connection to the Registry.  The
   Aircraft then sends Attestation: Manufacturer on Aircraft 0 (A-ma0)
   and Attestation: Aircraft 0 on Aircraft N (A-a0aN).
   +---------+
   | HDA DNS |
   +---------+
        ^
        |
        | HIP RR
        |
        |
        |
   +----------+ <----------------------------+
   | Registry |                              |
   +----------+ ------------------------+    |
        |                               |    |
        |                               |    | Token,
        | AC-roaN                BA-raN |    | A-ma0, A-a0aN
        |                               |    |
        |                               |    |
        v                               v    |
   +----------+                     +----------+
   | Operator |                     | Aircraft |
   +----------+                     +----------+

                  Figure 16: Standard Provision: Step 3

   The Registry uses Attestation: Manufacturer on Aircraft 0 (with an
   external database if supported) to confirm the validity of the
   Aircraft.  Attestation: Aircraft 0 on Aircraft N is correlated with
   Attestation: Operator on Aircraft N and Attestation: Manufacturer on
   Aircraft 0 to see the chain of ownership.  The new HHIT tied to
   Aircraft N is then checked for collisions in the HDA.  With this
   information the Registry generates two items: AttestationCertificate:
   Registry on Operator on Aircraft N (AC-roaN) and
   BroadcastAttestation: Registry on Aircraft N (BA-raN).  A HIP RR (and
   other RR types as needed) are generated and inserted into the HDA.

   AC-roaN is sent via a secure channel back to the Operator to be
   stored.  BA-raN is sent to the Aircraft to be used in Broadcast RID
   as specified in (Editors Note: add link to -auth-formats).

9.6.2.  Operator Assisted Provisioning

   This provisioning scheme is for when the Aircraft is unable to
   connect to the Registry itself or does not have the hardware required
   to generate keypairs and certificates.

   +----------+
   | Registry |
   +----------+

   +----------+                         +----------+
   | Operator | ---------------------> | Aircraft |
   +----------+     aN, SA-aNaN         +----------+

              Figure 17: Operator Assisted Provision: Step 1

   To start, the Operator generates on behalf of the Aircraft a new
   keypair and Attestation: Aircraft N on Aircraft N (SA-aNaN).  This
   keypair and certificate are injected into the Aircraft for it to
   generate Attestation: Aircraft 0 on Aircraft N (A-a0aN).  After
   injecting the keypair and certificate, the Operator MUST destroy all
   copies of the keypair.

   +----------+
   | Registry |
   +----------+
        ^
        |
        |
        | A-ro, A-ma0, A-a0aN, A-oaN
        |
        |
   +----------+                         +----------+
   | Operator | <--------------------- | Aircraft |
   +----------+     A-ma0, A-a0aN       +----------+

              Figure 18: Operator Assisted Provision: Step 2

   Attestation: Manufacturer on Aircraft 0 (A-ma0) and Attestation:
   Aircraft 0 on Aircraft N (A-a0aN) are extracted by the Operator and
   the following data items are sent to the Registry: Attestation:
   Registry on Operator (A-ro), Attestation: Manufacturer on Aircraft 0
   (A-ma0), Attestation: Aircraft 0 on Aircraft N (A-a0aN), Attestation:
   Operator on Aircraft N (A-oaN).

   +----------+              +---------+
   | Registry | -----------> | HDA DNS |
   +----------+    HIP RR    +---------+
        |
        |
        |
        | AC-roaN, BA-raN
        |
        v
   +----------+                         +----------+
   | Operator | ---------------------> | Aircraft |
   +----------+        BA-raN           +----------+

              Figure 19: Operator Assisted Provision: Step 3

   On the Registry validation checks are done on all attestations as per
   the previous sections.  Once complete the Registry checks for a HHIT
   collision, adding to the HDA if clear, and generates
   AttestationCertificate: Registry on Operator on Aircraft N (AC-roaN)
   and BroadcastAttestation: Registry on Aircraft N (BA-raN).  Both are
   sent back to the Operator.

   The Operator securely injects BA-raN into Aircraft N and securely
   stores AC-roaN.

9.6.3.  Initial Provisioning

   A special form of provisioning is used when the Aircraft is first
   sold to an Operator.  Instead of generating a new keypair, the
   built-in keypair and certificate provided by the Manufacturer are
   used to provision and register the aircraft to the owner.

   For this either the Standard or Operator Assisted method can be used.

10.  Security Considerations

   TODO

11.  References

11.1.  Normative References

   [F3411-19] "Standard Specification for Remote ID and Tracking",
              February 2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

11.2.  Informative References

   [drip-requirements]
              Card, S. W., Wiethuechter, A., Moskowitz, R., and A.
              Gurtov, "Drone Remote Identification Protocol (DRIP)
              Requirements", Work in Progress, Internet-Draft,
              draft-ietf-drip-reqs-18, 8 September 2021.

   [drip-rid] Moskowitz, R., Card, S. W., Wiethuechter, A., and A.
              Gurtov, "UAS Remote ID", Work in Progress, Internet-Draft,
              draft-ietf-drip-uas-rid-01, 9 September 2020.

   [hhit-registries]
              Moskowitz, R., Card, S. W., and A. Wiethuechter,
              "Hierarchical HIT Registries", Work in Progress,
              Internet-Draft, draft-moskowitz-hip-hhit-registries-02,
              9 March 2020.

   [NPRM]     "Notice of Proposed Rule Making on Remote Identification
              of Unmanned Aircraft Systems", December 2019.

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015.

   [RFC8392]  Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig,
              "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392,
              May 2018.
Authors' Addresses

   Adam Wiethuechter
   AX Enterprize, LLC
   4947 Commercial Drive
   Yorkville, NY 13495
   United States of America

   Email: adam.wiethuechter@axenterprize.com


   Stuart Card
   AX Enterprize, LLC
   4947 Commercial Drive
   Yorkville, NY 13495
   United States of America

   Email: stu.card@axenterprize.com


   Robert Moskowitz
   HTT Consulting
   Oak Park, MI 48237
   United States of America

   Email: rgm@labs.htt-consult.com