1.1.Motivation

BRSKI, as defined in[RFC8995], specifies a solution forsecure automated zero-touch bootstrapping of new devices, so-called pledges.This includes the discovery of the registrar in the target domain,time synchronization, and the exchange of security informationnecessary to establish mutual trust between pledges and the target domain.¶

A pledge gains trust in the target domain via the domain registrar as follows.It obtains security information about the domain,specifically a domain certificate to be trusted,by requesting a voucher object defined in[RFC8366].Such a voucher is a self-contained signed objectoriginating from a Manufacturer Authorized Signing Authority (MASA).Therefore, the voucher may be providedin online mode (synchronously) or offline mode (asynchronously).The pledge can authenticate the voucherbecause it is shipped with a trust anchor of its manufacturer such thatit can validate signatures (including related certificates) by the MASA.¶

Trust by the target domain in a pledge is established by providing the pledgewith a domain-specific LDevID certificate.The certification request of the pledge is signed using its IDevID secret and can bevalidated by the target domain using the trust anchor of the pledge manufacturer,which needs to pre-installed in the domain.¶

For enrolling devices with LDevID certificates,BRSKI typically utilizes Enrollment over Secure Transport (EST)[RFC7030].EST has its specific characteristics, detailed inAppendix A.In particular, it requires online or on-site availability of the RAfor performing the data origin authentication and final authorization decisionon the certification request.This type of enrollment can be called 'synchronous enrollment'.For various reasons,it may be preferable to use alternative enrollment protocols such asthe Certificate Management Protocol (CMP)[RFC4210]profiled in[I-D.ietf-lamps-lightweight-cmp-profile]or Certificate Management over CMS (CMC)[RFC5272].that are more flexible and independent of the transfer mechanism because theyrepresent certification request messages as authenticated self-contained objects.¶

Depending on the application scenario,the required RA/CA components may not be part of the registrar.They even may not be available on-site but rather beprovided by remote backend systems. The registrar or its deployment site may not havean online connection with them or the connectivity may be intermittent.This may be due to security requirements for operating the backend systemsor due to site deployments where on-site or always-online operationmay be not feasible or too costly.In such scenarios, the authentication and authorization of certification requestswill not or can not be performed on-site at enrollment time.In this document, enrollment that is not performed in a (time-wise) consistentway is calledasynchronous enrollment.Asynchronous enrollment requires a store-and-forward transfer of certificationrequests along with the information needed for authenticating the requester.This allows offline processing the request.¶

Application scenarios may also involve network segmentation, which is utilizedin industrial systems to separate domains with different security needs.Such scenarios lead to similar requirements if the TLS connectioncarrying the requester authentication is terminatedand thus request messages need to be forwarded on further channelsbefore the registrar/RA can authorize the certification request.In order to preserve the requester authentication, authentication informationneeds to be retained and ideally bound directly to the certification request.¶

There are basically two approaches for forwarding certification requestsalong with requester authentication information:¶

• A trusted component (e.g., a local RA) in the target domain is neededthat forwards the certification request combined with the validated identity ofthe requester (e,g., its IDevID certificate)and an indication of successful verification ofthe proof-of-possession (of the corresponding private key) in a waypreventing changes to the combined information.When connectivity is available, the trusted componentforwards the certification request together with the requester information(authentication and proof-of-possession) for further processing.This approach offers only hop-by-hop security.The backend PKI must rely on the local pledge authentication resultprovided by the local RAwhen performing the authorization of the certification request.In BRSKI, the EST server is such a trusted component,being co-located with the registrar in the target domain.¶
• Involved components use authenticated self-contained objects for the enrollment,directly binding the certification request and the requester authenticationin a cryptographic way.This approach supports end-to-end security,without the need to trust in intermediate domain components.Manipulation of the request and the requester identity informationcan be detected during the validation of the self-contained signed object.¶

Focus of this document is the support of alternative enrollment protocols that allowusing authenticated self-contained objects for device credential bootstrapping.This enhancement of BRSKI is named BRSKI-AE,where AE stands for alternative enrollment protocols and for asynchronous enrollment.This specification carries over the main characteristics of BRSKI,namely that the pledge obtains trust anchor informationfor authenticating the domain registrar and other target domain componentsas well as a domain-specific X.509 device certificate (the LDevID certificate)along with the corresponding private key (the LDevID secret) and certificate chain.¶

The goals are to enhance BRSKI to¶

• support alternative enrollment protocols,¶
• support end-to-end security for enrollment, and¶
• make it applicable to scenarios involving asynchronous enrollment.¶

This is achieved by¶

• extending the well-known URI approach with an additional path elementindicating the enrollment protocol being used, and¶
• defining a certificate waiting indication and handling, for the case that thecertifying component is (temporarily) not available.¶

This specification can be applied to both synchronous and asynchronous enrollment.¶

In contrast to BRSKI, this specification supports offering multiple enrollment protocolson the infrastructure side, which enables pledges and their developersto pick the preferred one.¶

1.2.Supported environment

BRSKI-AE is intended to be used in domains that may have limited supportof on-site PKI services and comprises application scenarios like the following.¶

• There are requirements or implementation restrictionsthat do not allow using EST for enrolling an LDevID certificate.¶
• Pledges and/or the target domain already have an establishedcertificate management approach different from EST that shall be reused(e.g., in brownfield installations).¶
• There is no registration authority available on site in the target domain.Connectivity to an off-site RA is intermittent or entirely offline.A store-and-forward mechanism is usedfor communicating with the off-site services.¶
• Authoritative actions of a local RA are limited and may not be sufficientfor authorizing certification requests by pledges.Final authorization is done by an RA residing in the operator domain.¶

1.3.List of application examples

Bootstrapping can be handled in various ways, depending on the application domains.The informativeAppendix B provides illustrative examples fromvarious industrial control system environments and operational setups.They motivate the support of alternative enrollment protocols,based on the following examples of operational environments:¶

• Rolling stock¶
• Building automation¶
• Electrical substation automation¶
• Electric vehicle charging infrastructures¶
• Infrastructure isolation policy¶
• Sites with insufficient level of operational security¶

4.1.Architecture

The key element of BRSKI-AE is that the authorization of a certification requestMUST be performed based on an authenticated self-contained object.The certification request is bound in a self-contained wayto a proof-of-origin based on the IDevID.Consequently, the authentication and authorization of the certification requestMAY be done by the domain registrar and/or by other domain components. These componentsmay be offline or reside in some central backend of the domain operator (off-site)as described inSection 1.2. The registrar and other on-site domain componentsmay have no or only temporary (intermittent) connectivity to them.The certification requestMAY also be piggybacked on another protocol.¶

This leads to generalizations in theplacement and enhancements of the logical elements as shown inFigure 1.¶

                                           +------------------------+   +--------------Drop-Ship--------------->| Vendor Service         |   |                                       +------------------------+   |                                       | M anufacturer|         |   |                                       | A uthorized  |Ownership|   |                                       | S igning     |Tracker  |   |                                       | A uthority   |         |   |                                       +--------------+---------+   |                                                      ^   |                                                      |   V                                                      |+--------+     .........................................  ||        |     .                                       .  | BRSKI-|        |     .  +------------+       +------------+  .  | MASA| Pledge |     .  |   Join     |       | Domain     <-----+|        |     .  |   Proxy    |       | Registrar/ |  .|        <-------->............<-------> Enrollment |  .|        |     .  |        BRSKI-AE    | Proxy/LRA  |  .| IDevID |     .  |            |       +------^-----+  .|        |     .  +------------+              |        .|        |     .                              |        .+--------+     ...............................|.........                on-site "domain" components   |                                              | e.g., RFC 4210,                                              |       RFC 7030, ... .............................................|..................... . +---------------------------+     +--------v------------------+ . . | Public-Key Infrastructure <-----+ Registration Authority    | . . | PKI CA                    +-----> PKI RA                    | . . +---------------------------+     +---------------------------+ . ...................................................................         off-site or central "domain" components

The architecture overview inFigure 1has the same logical elements as BRSKI, but with more flexible placementof the authentication and authorization checks on certification requests.Depending on the application scenario, the registrarMAY still do all of thesechecks (as is the case in BRSKI), or part of them, or none of them.¶

The following list describes the on-site components in the target domainof the pledge shown inFigure 1.¶

• Join Proxy: same functionality as described in BRSKI[RFC8995].¶

• Domain Registrar / Enrollment Proxy / LRA: in BRSKI-AE,the domain registrar has mostly the same functionality as in BRSKI, namelyto facilitate the communication of the pledge with the MASA and the PKI.Yet in contrast to BRSKI, the registrar offers different enrollment protocolsandMAY act as a local registration authority (LRA) or simply as an enrollment proxy.In such cases, the domain registrar forwards the certification requestto some off-site RA component, which performs at least part of the authorization.This also covers the case that the registrar has only intermittent connectionand forwards the certification request to the RA upon re-established connectivity.¶

  Note: To support alternative enrollment protocols, the URI schemefor addressing the domain registrar is generalized (seeSection 4.2.5).¶

The following list describes the components provided by the vendor or manufactureroutside the target domain.¶

• MASA: general functionality as described in BRSKI[RFC8995].The voucher exchange with the MASA via the domain registraris performed as described in BRSKI.¶

  Note: The interaction with the MASA may be synchronous (voucher request with nonce)or asynchronous (voucher request without nonce).¶

• Ownership tracker: as defined in BRSKI.¶

The following list describes the target domain components that can optionally beoperated in the off-site backend of the target domain.¶

• PKI RA: Performs certificate management functions for the domainas a centralized public-key infrastructure for the domain operator.As far as not already done by the domain registrar, it performs the finalvalidation and authorization of certification requests.¶
• PKI CA: Performs certificate generation by signing the certificate structurerequested in already authenticated and authorized certification requests.¶

Based on the diagram in Section 2.1 of BRSKI[RFC8995] and the architectural changes,the original protocol flow is divided into three phases showing commonalitiesand differences to the original approach as follows.¶

• Discovery phase: same as in BRSKI steps (1) and (2)¶
• Voucher exchange phase: same as in BRSKI steps (3) and (4).¶
• Enrollment phase: step (5) is changed to employing an alternative enrollment protocolthat uses authenticated self-contained objects.¶

4.2.Message exchange

The behavior of a pledge described in Section 2.1 of BRSKI[RFC8995]is kept with one exception.After finishing the Imprint step (4), the Enroll step (5)MUST be performedwith an enrollment protocol utilizing authenticated self-contained objects.Section 5 discusses selected suitable enrollment protocols and options applicable.¶

+--------+                        +------------+     +------------+| Pledge |                        | Domain     |     | Operator   ||        |                        | Registrar  |     | RA/CA      ||        |                        |  (JRC)     |     | (OPKI)     |+--------+                        +------------+     +------------+  /-->                                      |                    |[Optional request of CA certificates]       |                    |  |---------- CA Certs Request ------------>|                    |  |              [if connection to operator domain is available] |  |                                         |-Request CA Certs ->|  |                                         |<-CA Certs Response-|  |<-------- CA Certs Response--------------|                    |  /-->                                      |                    |[Optional request of attributes to be included in Cert Request]  |  |---------- Attribute Request ----------->|                    |  |              [if connection to operator domain is available] |  |                                         |-Attribute Request->|  |                                         |<- Attrib Response -|  |<--------- Attribute Response -----------|                    |  /-->                                      |                    |[Certification request]                     |                    |  |-------------- Cert Request ------------>|                    |  |      [when connection to off-site components is unavailable] |  |<----- optional: Cert Waiting Response --|                    |  |                                         |                    |  |-------optional: Cert Polling ---------->|                    |  |                                         |                    |  |        [when connection to off-site components is available] |  |                                         |--- Cert Request -->|  |                                         |<-- Cert Response --|  |<------------- Cert Response ------------|                    |  /-->                                      |                    |[Optional certificate confirmation]         |                    |  |-------------- Cert Confirm ------------>|                    |  |                                         |--- Cert Confirm -->|  |                                         |<-- PKI Confirm ----|  |<------------- PKI/Registrar Confirm ----|                    |

4.3.Domain registrar support of alternative enrollment protocols

Well-known URIs for various endpoints on the domain registrar arealready defined as part of the base BRSKI specification or indirectly by EST.In addition, alternative enrollment endpointsMAY be supported at the registrar.The pledge will recognize whether itspreferred enrollment option is supported by the domain registrarby sending a request to its preferred enrollment endpointand evaluating the HTTP response status code.¶

The following list of endpoints provides an illustrative example fora domain registrar supporting several options for EST as well as forCMP to be used in BRSKI-AE. The listing contains the supportedendpoints to which the pledge may connect for bootstrapping. Thisincludes the voucher handling as well as the enrollment endpoints.The CMP related enrollment endpoints are defined as well-known URIsin CMP Updates[I-D.ietf-lamps-cmp-updates]and the Lightweight CMP profile[I-D.ietf-lamps-lightweight-cmp-profile].¶

  </brski/voucherrequest>,ct=voucher-cms+json  </brski/voucher_status>,ct=json  </brski/enrollstatus>,ct=json  </est/cacerts>;ct=pkcs7-mime  </est/fullcmc>;ct=pkcs7-mime  </est/csrattrs>;ct=pkcs7-mime  </cmp/initialization>;ct=pkixcmp  </cmp/p10>;ct=pkixcmp  </cmp/getcacerts>;ct=pkixcmp  </cmp/getcertreqtemplate>;ct=pkixcmp

5.1.Instantiation to EST (informative)

When using EST[RFC7030], the following aspects and constraintsneed to be considered and the given extra requirements need to be fulfilled,which adapt Section 5.9.3 of BRSKI[RFC8995]:¶

• proof-of-possession is provided typically by using the specified PKCS#10structure in the request.Together with Full PKI requests, also CRMF can be used.¶

• proof-of-identity needs to be achieved by signing the certification requestobject using the Full PKI Request option (including the /fullcmc endpoint).This provides sufficient information for the RA to authenticate the pledgeas the origin of the request and to make an authorization decision on thereceived certification request.Note: EST references CMC[RFC5272] for thedefinition of the Full PKI Request. For proof-of-identity, thesignature of the SignedData of the Full PKI Request isperformed using the IDevID secret of the pledge.¶

  Note: In this case the binding to the underlying TLS connection is not necessary.¶

• When the RA is temporarily not available, as per Section 4.2.3 of[RFC7030],an HTTP status code 202 should be returned by the registrar,and the pledge will repeat the initial Full PKI Request¶

5.2.Instantiation to CMP (normative if CMP is chosen)

Note: Instead of referring to CMPas specified in[RFC4210] and[I-D.ietf-lamps-cmp-updates],this document refers to the Lightweight CMP Profile[I-D.ietf-lamps-lightweight-cmp-profile] becausethe subset of CMP defined there is sufficient for the functionality needed here.¶

When using CMP, the following requirementsSHALL be fulfilled:¶

• For proof-of-possession, the approach defined in Section 4.1.1 (based on CRMF)or Section 4.1.4 (based on PKCS#10) of the Lightweight CMP Profile[I-D.ietf-lamps-lightweight-cmp-profile]SHALL be applied.¶
• proof-of-identitySHALL be provided by using signature-basedprotection of the certification request message as outlined inSection 3.2. of[I-D.ietf-lamps-lightweight-cmp-profile] using the IDevID secret.¶
• When the Cert Response from the RA/CA is not available and if polling is supported,the registrarSHALL a Cert Waiting Response as specified inSections 4.4 and 5.1.2 of[I-D.ietf-lamps-lightweight-cmp-profile].¶
• As far as requesting CA certificates or certificate request attributes is supported,theySHALL be implemented as specified inSections 4.3.1 and 4.3.3 of[I-D.ietf-lamps-lightweight-cmp-profile].¶

TBD RFC Editor: please delete /* ToDo:The following aspects need to be further specified:* Whether to use /getcacerts or the caPubs and extraCerts fields to return trust anchor and CA Certificates* Whether to use /getcertreqtemplate or modify the CRMF and use raVerified* Whether to specify the usage of /p10 */¶

B.1.Rolling stock

Rolling stock or railroad cars contain a variety of sensors,actuators, and controllers, which communicate within the railroad carbut also exchange information between railroad cars building a train,with track-side equipment, and/or possibly with backend systems.These devices are typically unaware of backend systemconnectivity. Managing certificates may be done during maintenancecycles of the railroad car, but can already be prepared duringoperation. Preparation will include generating certification requests,which are collected and later forwarded forprocessing, once the railroad car is connected to the operator backend.The authorization of the certification request is then done based onthe operator's asset/inventory information in the backend.¶

UNISIG has included a CMP profile for enrollment of TLS certificates ofon-board and track-side components in the Subset-137 specifying the ETRAM/ETCSon-line key management for train control systems[UNISIG-Subset-137].¶

B.2.Building automation

In building automation scenarios, a detachedbuilding or the basement of a building may be equipped with sensors, actuators,and controllers that are connected with each other in a local network butwith only limited or no connectivity to a central building management system.This problem may occur during installation time but also during operation.In such a situation a service technician collects the necessary dataand transfers it between the local network and the central building managementsystem, e.g., using a laptop or a mobile phone.This data may comprise parameters and settingsrequired in the operational phase of the sensors/actuators, like acomponent certificate issued by the operator to authenticate against othercomponents and services.¶

The collected data may be provided by a domain registraralready existing in the local network. In this caseconnectivity to the backend PKI may be facilitated by the servicetechnician's laptop.Alternatively, the data can also be collected from thepledges directly and provided to a domain registrar deployed in adifferent network as preparation for the operational phase.In this case, connectivity to the domain registrarmay also be facilitated by the service technician's laptop.¶

B.3.Substation automation

In electrical substation automation scenarios, a control center typically hostsPKI services to issue certificates for Intelligent Electronic Devices(IEDs) operated in a substation. Communication between the substationand control center is performed through a proxy/gateway/DMZ, whichterminates protocol flows. Note that[NERC-CIP-005-5] requiresinspection of protocols at the boundary of a securityperimeter (the substation in this case).In addition, security management in substation automation assumescentral support of several enrollment protocols in order to support thevarious capabilities of IEDs from different vendors. The IEC standardIEC62351-9[IEC-62351-9] specifies mandatorysupport of two enrollment protocols: SCEP[RFC8894] and EST[RFC7030] for the infrastructure side, whilethe IED must only support one of the two.¶

B.4.Electric vehicle charging infrastructure

For electric vehicle charging infrastructure, protocols have beendefined for the interaction between the electric vehicle and thecharging point (e.g., ISO 15118-2[ISO-IEC-15118-2])as well as between the charging point and the charging point operator(e.g. OCPP[OCPP]). Depending on the authenticationmodel, unilateral or mutual authentication is required. In both casesthe charging point uses an X.509 certificate to authenticate itselfin TLS connections between the electric vehicle andthe charging point. The management of this certificate depends,among others, on the selected backend connectivity protocol.In the case of OCPP, this protocol is meant to be the only communicationprotocol between the charging point and the backend, carrying allinformation to control the charging operations and maintain thecharging point itself. This means that the certificate managementneeds to be handled in-band of OCPP. This requires the ability toencapsulate the certificate management messages in a transport-independent way.Authenticated self-containment will support this byallowing the transport without a separate enrollment protocol,binding the messages to the identity of the communicating endpoints.¶

B.5.Infrastructure isolation policy

This refers to any case in which network infrastructure is normallyisolated from the Internet as a matter of policy, most likely forsecurity reasons. In such a case, limited access to external PKIservices will be allowed in carefully controlled short periods oftime, for example when a batch of new devices is deployed, andforbidden or prevented at other times.¶

B.6.Sites with insufficient level of operational security

The registration authority performing (at least part of) the authorization of acertification request is a critical PKI component and therefore requires higheroperational security than components utilizing the issuedcertificates for their security features. CAs may also demand highersecurity in the registration procedures. Especially the CA/Browserforum currently increases the security requirements in the certificateissuance procedures for publicly trusted certificates.In case the on-site components of the target domain cannot be operated securelyenough for the needs of a registration authority, this service should betransferred to an off-site backend component that has a sufficient level of security.¶