| Internet-Draft | home-interfaces | March 2026 |
| Wiethuechter | Expires 17 September 2026 | [Page] |
This document standardizes the interfaces of an ORCHID Management Entity (OME) to allow clients to register and query with differential access an Overlay Routable Cryptographic Hash Identifier (ORCHID) such as a Hierarchial Host Identity Tag (HHIT). Existing technologies such as CBOR/JSON Object Signing & Encryption (COSE/JOSE) and Registration Data Access Protocol (RDAP) are selected to enable widespread interoperability.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 17 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
An ecosystem using Overlay Routable Cryptographic Hash IDentifiers (ORCHIDs, [RFC7343]) as its primary identifier can be a strong option for modern systems. The Hierarchical Host Identity Tags (HHITs, [RFC9374]) are used in the fast growing sector of Unmanned Aircraft Systems (UAS) to provide identity and authentication services using the Domain Name System (DNS).¶
With standardization, identity ecosystems can be created around the use of ORCHIDs to serve various use-cases. This provides widespread interoperability of the functions of registration, public query and private query using a selection of existing standards and methods. Being backed by cryptographic keys allow existing key infrastructure, certificates and policy to be leveraged with minimal overhead, modification or redeployment.¶
HHITs are an evolution of the Host Identity Tags (HITs) in the Host Identity Protocol (HIP, [RFC9063]). All of these tags are categorized as an ORCHID which were standardized in [RFC7343] and updated by [RFC9374]. HHITs solve the problem of HITs being a flat namespace, which is hard to manage at a global scale, by adding hierarchy into the identifier. When the hierarchy is laid onto the DNS, interoperability of lookups becomes trivial.¶
[RFC9434] introduces the concept of the DRIP Identity Management Entity (DIME) that provides the critical function of registering and querying information around DETs. It further specifies logical entities of the Public Information Registry and Private Information Registry of which the former has been specified in [RFC9886] using the DNS.¶
The concept of the DIME can be backported to ORCHIDs in general with the addition of the term ORCHID Management Entity (HOME). In relation to key infrastructure policies and certificates the terms ORCHID Key Infrastructure (OKI) and ORCHID Key Infrastructure X.509 (OKIX) are introduced here to mirror but be distinct from the existing Public Key Infrastructure (PKI) and Public Key Infrastructure X.509 (PKIX).¶
This document provides specification of the interfaces and models for registration and differential access query of ORCHIDs to support identity services under an HOME. This is to provide specification for the final missing pieces of a DIME and is the exemplar use-case of using HHITs, such as the DET, as the core of an identity ecosystem.¶
The term HHIT is used when discussing the general technology while DET is used with discussion around UAS/aviation specific elements when possible. Additional terms reinforcing this delineation are found in Section 2. This document defines all data models in the Concise Data Definition Language (CDDL, [RFC8610]) with the full specification in Appendix B.¶
The specifications in this document do NOT provide protection against incorrect (e.g. fraudulent) data entered during registration or asserted subsequently.¶
The selected technologies do protect against alteration (intentional or unintentional) of data subsequent to its assertion by the cryptographic signer. The signer might be the proximate sender (e.g. UA transmitting Broadcast RID) or might be an attestor far away and long ago (e.g. root Certificate Authority).¶
It is the duty of the operator of each HOME, or the party on whose behalf the HOME is being operated, to validate the registration data. An HOME at a root in the hierarchy aligned with the scope of the data SHOULD provide services to obtain this goal, see Appendix A.¶
The following requirements of [RFC9153] are satisfied when following this document: GEN-3, ID-4, REG-2, REG-4 and PRIV-2.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
A term to describe an entity providing various identity management functions (such as registration, query, etc.) to clients at a specific point in the hierarchy. HOME's have four major functional components that can be co-located or distributed as a system of systems: Registrar, Registry, Authoritative Name Server and Certificate Authority. The DRIP Identity Management Entity (DIME) is a specialization of HOME in support of the UAS/aviation ecosystem.¶
A key infrastructure consisting of policies around entities using HHITs in a domain space. An example of an OKI is the DRIP Key Infrastructure (DKI) for UAS/aviation.¶
A set of X.509 certificate profiles in compliance of Public Key Infrastructure X.509 (PKIX, [RFC5280]) that support an OKI. An example of an OKIX is the DRIP Key Infrastructure X.509 (DKIX) for UAS/aviation.¶
In the context of this specification; a HOME Token can be any of the Concise Binary Object Representation (CBOR; [STD94]) Object Signing & Encryption (COSE; [STD96]) or JavaScript Object Notation (JSON; [STD90]) Object Signing & Encryption (JOSE; [RFC7515], [RFC7516]) structure. See Section 4.1.¶
A HOME Token containing an HRI claim per Section 4.2.1.¶
A HOME Token containing an HRR claim per Section 4.2.2.¶
To properly provide the necessary services identified in both [RFC9153] and [RFC9434] a DIME, or more generally an HOME, requires four critical functions: Registrar, Registry, Authoritative Name Server and Certificate Authority as detailed below for this document and in Figure 1.¶
This document covers the client facing interface of the Registrar function used by Registrants. Interactions done by the Registrar with other HOME functions are out of scope for this document.¶
This document does not cover specific details of this function of an HOME. However, it is expected to provide at least ORCHID Key Infrastructure X.509 (OKIX) certificates used in other parts of the HOME. These are [RFC5280] compliant certificates that support HHITs, see Section 6. Explicit policy for Certificate Authorities are left for more specific implementation and documents, such as a Concept of Operations.¶
The specific details of records hosted by the Authoritative Name Server as part of DNS is specified in [RFC9886] and are out of scope for this document. Interactions done by other HOME functions to manage an Authoritative Name Server are out of scope for this document. It should be noted that some artifacts generated during the registration process specified in this document end up in RRTypes hosted in DNS. This function serves as the Public Information Registry as defined by Section 4.1 of [RFC9434].¶
This document covers the client facing interface of the Registry function used by Observers to query for additional details about the HHIT. Interactions done by the Registry with other HOME functions are out of scope for this document. It should be noted that artifacts generated during the registration process specified in this document MUST end up in the Registry for audit purposes. For this document the term Registry is short-hand for Private Information Registry as defined in Section 4.2 of [RFC9434].¶
The specific interaction models and transports between the Registrar, Certificate Authority, Registry and Authoritative Name Server when not co-located (i.e. as a distributed system of systems) is out of scope for this document. Note that of the duplicate links feeding Authoritative Name Server and Registry one set is chosen in an implementation for each. A number of these functions/interactions are lifted from the DNS and the existing relationships and protocols between such entities in that domain also can apply here. For example, between Registrar and Registry is the Extensible Provisioning Protocol (EPP, [STD69]) or equivalents such as RESTful Provisioning Protocol (RPP).¶
This document details the interactions between a registering client (known as Registrant) and the Registrar through an HTTPS interface as described in Section 4 and the RDAP interaction by Querants (such as Observers) and a Registry as described in Section 5. These interfaces can be either used by machines as an API or provided with a UI for humans to interact with such as on a web browser.¶
The elements of any maps found in CDDL for this specification MUST be declared by an ecosystem. An initial key set for elements in aviation use cases are registered in Section 7.5. Context MAY be provided in-band in HTTP using a registered Media Type as part of the Content-Type header for what key set to use to avoid processing ambiguity.¶
This sections details the process of registration following Figure 2. This Z-diagram is the upper link of Figure 1 labeled with "HOME Token/HTTPS" between Registrant and Registrar.¶
Registrant HOME
| |
GEN_HHIT/HI | |
GEN_CSR | |
|--------HRI------->|
| | VALID_HRI?
|<-------FAIL-------|
| | DUPE_HI?
|<-------FAIL-------|
| | DUPE_HHIT?
|<-------FAIL-------|
| | GEN_CERTS
| | UPDATE_DATABASE
| | UPDATE_NS
|<------ HRR--------|
ONBOARD | |
| |
The mechanism for registration is the use of COSE or JOSE over HTTPS. COSE MUST be supported and JOSE is RECOMMENDED for flexibility for non-constrained Registrants. The rest of this section specifies exact behavior for this interface of an HOME.¶
A HOME Token MUST be encoded in either COSE or JOSE. A token MAY contain multiple layers and SHOULD have the Content-Type parameter, as part of an unprotected header, set accordingly for each.¶
Respective header parameters MUST be used to indicate the verification key. When the key is part of the payload (usually an HRI claim set, Section 4.2.1) a protected header parameter MUST be used (jwk for JOSE and kccs for COSE) to carry the verification key to avoid needing to parse the payload segment of the structure. For all other cases a KID parameter is used containing an HHIT, encoded per Appendix B.3, and placed in a unprotected header.¶
HOME Tokens SHOULD be encrypted when the payload may contain Personally Identifiable Information (PII). For example, a HOME would not encrypt their response token (Section 4.2.2) containing relevant processing errors when the original request token (Section 4.2.1) failed to decrypt.¶
Asymmetric algorithms MUST be supported and symmetric MAY be supported. The precise list of encryption algorithm selected and policies are left for the HOME to decide and MUST be provided to clients.¶
Encryption is done with Elliptic Curve Diffie-Hellman (ECDH) using Ephemeral-Static (ES) keying. The static key is provided by the HOME while a unique ephemeral key is provided by the client for each HOME Token and/or recipient. The transfer of this ephemeral key is covered by the relevant COSE/JOSE specifications for using ECDH with encryption objects. The HOME MUST provide its static keys through public methods such as the DNS or an HTTPS GET endpoint.¶
A HOME Token is at its core a set of claims using a CWT or JWT claim set. The claims defined in this section are registered in the respective registries in Section 7.2 and either or both MUST be included in the claim set for HOME Tokens. A HOME Token carrying either of these claims is considered as an HRI Token or HRR Token respectively.¶
The claim set SHOULD also contain the claims of nbf, exp, and iat. The set MAY contain the aud or iss claim with a targeted HHIT, encoded per Appendix B.3, if known. Additional claims are out of scope for this document.¶
The layer (Section 4.1.1 or Section 4.1.2) carrying a claim set is RECOMMENDED to set the Content-Type parameter, as part of the unprotected header, to application/home+cbor or application/home+json. This SHOULD include the ctx parameter to indicate the set of keys/parameters being used for any maps in the payload structure as they are application specific.¶
The structure of an HRI claim is around registration of a set of entities, each uniquely identified by the Registrant that contains keys (also each uniquely identified) and metadata for each.¶
inquiry = [
entities: { &(entity-id) => entity },
metadata: map / null
]
entity = [
hhit_entity_type: uint,
keys: { &(key-id): key },
metadata: map / null
]
key = [
csr: bytes / text .b64u bytes,
metadata: map / null
]
A map containing elements using key (entity-id), value (entity) pairs for each entity being registered in the inquiry.¶
A string or integer key, as part of the entities map, set by the Registrant.¶
An array containing the elements of hhit_entity_type, keys and metadata.¶
An HHIT Entity Type as defined in the registry found at [IANA.DRIP].¶
A map containing the key (key-id), value (key) pairs for the keys being registered entity in the inquiry for a given entity.¶
A string or integer key, as part of the keys map for each entity, set by the Registrant. Constrained in uniqueness to an individual HRI and the keys as part of an entity.¶
An array containing the elements of csr and metadata.¶
OKI(X)-compliant Certificate Signing Request (CSR) that is DER encoded. See Section 4.3.1 for considerations on the CSR.¶
A map containing elements (key, value pairs) and their associated values related to keys/entities in the inquiry. The contents are subject to policy of an HOME and MUST be provided to their clients. The specific key set to be used SHOULD be indicated using the optional parameter of the registered Media Type (Section 7.8) as part of a Content-Type parameter. An initial key set is registered in Section 7.5.¶
Each nesting in Figure 3 contains its own metadata. This allows a Registrant to set elements at a higher nesting in the model to be shared among nested sections. When combining from each nesting level, elements found closer to the entities[entity-id].keys[key-id].metadata map are given priority.¶
This claim is structured to use the provided entity-ids and key-ids from an HRI. It also can contain a list of failures, organized by those same identifiers.¶
response = [
success: [
entities: { &(entity-id): success-data },
shared: map
] / null,
failure: [ + error-data ] / null
]
success-data = [
keys: { &(key-id): map },
shared: map
]
error-data = [
eid: &(entity-id) / null,
kid: &(key-id) / null,
cat: any,
msg: any
]
An array containing two elements: entities and shared. MUST be null when no successful registrations issued by the HOME.¶
A map of elements with key (entity-id), value (success-data) pairs.¶
A string or integer key, as part of the entities map, provided in an HRI from a Registrant.¶
An array containing two elements: keys and shared.¶
A map of elements with key (key-id), value pairs. The value of each element is a map (keys from Section 7.5) containing artifacts of the registration associated with the specific key and MUST have an element containing the Canonical Registration Certificate.¶
A string or integer key, as part of the keys map, provided in an HRI from a Registrant.¶
Same as the metadata field of HRI except contains artifact elements provided to the Registrant for successful registration that is shared amongst either a set of keys or set of entities.¶
An array with at least one element of error-data to indicate failures, null otherwise.¶
An array of four elements encoding a validation or processing error of an HRI. When eid or kid are null it implies that all of that type are denoting the same failure explained via cat and/or msg. When both eid and kid are null it indicates the processing of the HRI token itself or all keys across the HRI entities shared the same failure indicated by cat and/or msg. See Section 4.4.1 for more details.¶
Similar to the metadata in the HRI, Figure 4 has an shared map at each level for data that is the identical across different keys/entities. When combining from each nesting level, elements found closer to those in the success.entities[entity-id].keys[key-id] map are given priority.¶
Registrants obtains one or more Certificate Signing Requests (CSRs) that are OKI(X)-compliant by either generating their own key-pair(s), RECOMMENDED asymmetric, or obtaining them from a related party they are acting as a proxy for.¶
Cryptographic materials SHOULD be on the device intending to use said material in operation. If the Registrant is acting as a proxy the methods of the generation and/or transfer of cryptographic materials to and from the device being proxied to is out of scope for this document.¶
If the Registrant knows the HID of the Registar and/or Certificate Authority it wishes to be endorsed by, it SHOULD construct its HHIT accordingly and include it in the CSR per Section 6.2.1. The process of discovering a specific HID is out of scope for this document.¶
The /.well-known/home/registry endpoint SHOULD be redirected to a fully qualified path by the HOME and MUST use 308 Permanent Redirect.¶
HRI validation and processing is done across two functional components, which can be co-located or distributed, the Registrar and Certificate Authority. The following text is based on the processing of an HRI Token. The HOME in question uses a single HHIT for both its Registrar and Certificate Authority roles.¶
The initial steps of decryption and signature validation are skipped as they are straightforward. Failure of either of these steps results in sending a response following Section 4.4.1. Assuming success the claim set is extracted from the HRI Token to be processed.¶
The nbf, ext, iat, iss and aud claims are validated, and then hri claim is processed recursively starting from the outside of the structure. Each entity merges their metadata with the inquiry metadata with entity elements taking precedence. Next each key merges its metadata with the entity metadata with key elements taking precedence. The HOME performs validation of the final combined metadata map for each key using local validation and/or consultation of an "oracle" (see Appendix A).¶
Next each key CSR has its signature validated then the public key confirmed to be unique to the HOME's scope. The HOME then constructs, using its Hierarchy HID and the CSR public key, a prospective HHIT for the key. If the CSR contains an HHIT as part of the Subject Alternative Name the two HHITs are checked for equivalence. The HOME finally checks that the HHIT is unique in its scope.¶
If everything above validates, the HOME endorses the new HHIT by generating and signing an OKI(x)-compliant Canonical Registration Certificate along with any other artifacts required for the entity registration. Any data for the Registrant is then placed within the HRR success.entities[entity-id].keys[key-id] map using the same entity-id and key-id from the HRI. All artifacts of this endorsement are placed in the Registry and artifacts that are considered public, such as those needed for [RFC9886], are placed into the Authoritative Name Server.¶
When a failure occurs at any point in the validation and/or processing of a entity/key the HRR failure array is appended using the entity-id, key-id and other elements to provide context for the issue. The HOME MAY compress the failure array after processing. For example if all the keys for an entity-id share the same failure the individual structures can be compressed to a single [<eid>, null, <cat>, <msg>] instead of one for each key-id.¶
The HOME upon handling all entities and keys a HOME constructs an HRR Token and responds to the Registrant with it. The token SHOULD replicate the same layering as the original HRI Token. It MAY contain both the original HRI claim and the associated HRR claim.¶
This document defines the use of HTTPS as the transport for the HOME Tokens. The use of other transports are out of scope for this document.¶
For COSE, the resulting CBOR content MUST use a proper CBOR Tag to indicate what object is encoded. For JOSE content, the General or Flattened JWE JSON Serialization syntax MUST be used.¶
The "Content-Type" header of HTTPS SHOULD be used to indicate the content typing. For JOSE this is application/jose+json and for COSE is one of the following: application/cose; cose-type="cose-sign, application/cose; cose-type="cose-sign1, application/cose; cose-type="cose-encrypt, application/cose; cose-type="cose-encrypt0.¶
For HOME Tokens with a single entity/key object the HTTP Response Codes can be easily mapped. For example a key that fails processing due to a duplicate public key or HHIT can have the HOME Token returned using 409 Conflict. It is also simple for the first stages of an HOME Token carrying an HRI since it needs to successfully be decrypted and signature(s) before processing resulting in earlier failure conditions to respond to.¶
HOME Tokens with multiple entities/keys can be trivially mapped as well only when all entities/keys either pass or fail. Difficulty arises when a HOME Token has multiple entities/keys and not all of them fail or they all fail in different ways that can be attributed to either a 4xx or 5xx code.¶
For the above reasoning and to maintain interoperability HOMEs MUST follow the below guidelines for management of HTTP Response Codes and using the HRR claim's failure array and error-data structure. Unless otherwise noted a responding HOME Token MUST use both encryption and signature layers.¶
When a HOME Token fails to decrypt this response code MUST be sent with only a signature layer (Section 4.1.1) signaling in the HRR claim the decryption issue(s) experienced. The eid, kid and cat fields MUST be set to null. The msg SHOULD contains specific details about the failed decryption. More than one error-data MAY be present for different decryption issues.¶
Failed signature(s) of a HOME Token MUST use this response code with the HRR claim indicating the signature validation issue(s) experienced. The eid, kid and cat fields MUST be set to null. The msg SHOULD contains specific details about what signature failed to verify. More than one error-data MAY be present to separate signature(s) processed.¶
This response code MUST be used to indicate the overall inquiry has been processed but that some entities and/or keys failed to be registered. The cat field SHOULD be used to carry the respective 4xx or 5xx HTTP Response Code exhibited for the entities/keys to fail validation or processing. If cat is not used, then clients MUST check contents of both the success and failure fields of the HRR.¶
A response with this code MUST be used when all entities and keys in the original HRI were registered successfully and the failure in HRR MUST be set to null.¶
If all entities/keys fail with the same cat, used as in 200 OK, then the HOME Token is sent using that HTTP Response Code. The failure array in the HRR MUST be filled with error-data's setting eid and kid as needed, cat to null and msg to any specific details for the given eid/kid pair.¶
This section details the process of query for additional private information following the Z-diagram of Figure 5. It is the lower right link of Figure 1 labeled with "RDAP" between Querant and Registry.¶
Querant HOME
| |
RX_HHIT | |
|<-------DNS------->|
RDAP_URI | |
|------RDAP_Q------>|
| | ACCEPT_X509?
|<------DENY--------|
| | POLICY_CHECK?
|<------DENY--------|
| | REDACTION
|<-----RDAP_R-------|
ACT | |
| |
For HOME's the differential access mechanism known as Registration Data Access Protocol (RDAP, [STD95]) is selected as the interface for the Registry and specified in the following sections. Public information is hosted by the Authoritative Name Server and accessed using DNS methods as defined in [RFC9886]. Authentication of the HOME and Querant is done through Mutual TLS using X.509 certificates.¶
As part of RDAP, the HOME MAY follow RFC9224 to be part of the RDAP bootstrap mechanism for discovery. This is not hard requirement as the same information can be obtained through the HHIT RRType from the Authoritative Name Server.¶
It is RECOMMENDED that eXtensible Access Control Markup Language (XACML) with Security Assertion Markup Language (SAML) is used to exchange policy information.¶
A Querent with an HHIT looking for private information is RECOMMENDED to perform a series of DNS queries to build a URI that is then used for an HTTPS GET query. The same URI MAY be obtained using the RDAP bootstrap process if the HOME followed RFC9224, but Querants MUST NOT expect this.¶
The base URI needed is part of Subject Alternative Name extension of a Canonical Registration Certificate found in HHIT RRType defined in Section 5.1 of [RFC9886] and accessed by one or more reverse IPv6 DNS lookups. The exact certificate with the base URI for an HOME and its clients is determined by policy and where the URI is minimally duplicated across many certificates.¶
Once the base URI is found the Querant concatenates the /.well-known/home/query/ string then the nibble-reversed HHIT to form the full query string.¶
The HTTPS GET method MUST be authenticated using one of the methods defined in Section 5.2.¶
The /.well-known/home/query/<IP address> endpoint SHOULD be redirected to a full qualified path conforming with Section 3.1.1 of [RFC9082] (i.e. ip/<IP address>) by the HOME. All other RDAP endpoints SHOULD NOT be implemented as specified in RFC9082. Other methods MAY be provided to enable differential access controlled queries of information pertaining to an HHIT but are out of scope for this document.¶
Per REG-2 and REG-4 of Section 4.4.1 of [RFC9153], RDAP queries to an HOME MUST be protected using fine-grained AAA policies in a both human- & machine-readable form for automated enforcement. RDAP supports only HTTP-based mechanisms for authentication as defined in Section 3.2 of [RFC7481]. A federated authentication mechanism, such as the examples in Section 3.2.1 of [RFC7481], is RECOMMENDED.¶
For international and/or global harmonization, this document standardizes the following RDAP behavior for authentication of clients and servers:¶
MUST support HTTP Basic or Digest Authentication Scheme per Section 3.2 of [RFC7481] AND¶
MUST support Mutual TLS per Section 7.4.6 of [RFC5246] for global and/or international queries AND¶
SHOULD use Mutual TLS but MAY do any RDAP compatible AAA for domestic queries¶
An HOME, when supporting Mutual TLS, SHOULD accept valid OKIX-compliant certificates and MAY accept other [RFC5280] (PKIX) compliant certificates. Standard TLS rejection methods MUST be followed to signal to the Querant the rejection of the certificate and authentication.¶
The use of other RDAP compatible authentication mechanisms are out of scope for this document.¶
A HOME MUST respond to a successful query using RFC9083. The HOME RDAP Extension shown in Figure 6 is placed under the key home as part of the main JSON map. The rdapConformance array MUST include the string literal of "home_v0" to signal conformance with this specification. Other RDAP specifications MAY be part of the response such as Section 5.4 of [RFC9083].¶
[ hhit: [ ip6: text, hhit_entity_type: uint ], canon_x: text .b64u bytes, metadata: map / null ]
Array structure contain the HHIT Entity Type and the HHIT encoded per Appendix B.3.¶
Canonical Registration Certificate encoded in base64url.¶
Map that contains private information elements associated with the registration. Elements included are based on access policy and registration requirements of the HOME. Elements are redacted or removed using policy methods of the HOME and is out of scope for this document.¶
The ORCHID Key Infrastructure (OKI) is focused on the delegation and management of the Hierarchy ID field of an HHIT and its levels.¶
There are two types of nodes in the hierarchy, Root and Inode, and relationships between nodes use tree terminology such as ancestor, descendant and degree. Additional, more administrative members, include the IPv6 Prefix and Apex. The relationship between these entities (and their Authorization and Issuing HHITs) are shown in Figure 7.¶
In Figure 7 the solid connections are REQUIRED and dotted connections are OPTIONAL. A two-level hierarchy will consist of only a Root and Leaf level with no Inodes, shown in Figure 7 with a solid line but open connection point between its ancestor and descendant. Also note that Figure 7 shows two distinct paths in the hierarchy, to illustrate OPTIONAL cross-endorsement, for simplicity.¶
This level is not directly part of the OKI but performs the primary function of delegating reverse IPv6 zone(s) associated with Root Hierarchy ID values to respective Apexes or performing DNS delegations on an Apex's behalf.¶
An administrative owner of a set of Root Hierarchy ID values. The Apex performs assignment and/or allocation of these values and either delegates management of the reverse IPv6 zone(s) back to the IPv6 Prefix or manages it themselves. The Apex MAY have an Authorization HHIT, with a self-signed endorsement, as part of the function to endorse membership into a hierarchy.¶
The first level of a Hierarchy ID, with descendant levels set to 0. It MUST have at least one Authorization HHIT to be used to obtain membership into the hierarchy and is either self-signed or endorsed by an Apex. A Root is the administrative entity that assigns/allocates the next level in the hierarchy to a descendant and manages the applicable reverse IPv6 zone(s). The endorsement of a descendant membership into the hierarchy MUST be performed using an Authorization HHIT endorsed by the direct ancestor. To support the endorsement of operational entities under the Root Hierarchy ID, the Root SHOULD use one or more Issuing HHITs that are endorsed by Root Authorization HHITs.¶
A middle level node that has both an ancestor and descendant in the Hierarchy ID. It MUST have at least one Authorization HHIT to be used to obtain membership into the hierarchy and MUST be endorsed by a direct ancestor. An Inode is the administrative entity that assigns/allocates the next level in the hierarchy to a descendant and manages the applicable reverse IPv6 zone(s). To support the endorsement of operational entities under the Inode Hierarchy ID, the Inode SHOULD use one or more Issuing HHITs that are endorsed by Inode Authorization HHITs.¶
The last level of a Hierarchy ID. It MUST have at least one Authorization HHIT to be used to obtain membership into the hierarchy and MUST be endorsed by a direct ancestor. A Leaf node is the administrative entity that registers operational entities and manages the applicable reverse IPv6 zone(s). To support the endorsement of operational entities under the Leaf Hierarchy ID, the Leaf MUST use one or more Issuing HHITs that are endorsed by Leaf Authorization HHITs.¶
This document allocates two new HHIT Entity Types in each level of hierarchy, one for Authorization and one for Issuing (Section 7.4).¶
An HOME has a number of responsibilities depending on its place in the hierarchy. This section covers the technical responsibilities of each level of an HHIT's hierarchy. Specific non-technical policies for hierarchy levels are out of scope for this document and are expected to be developed into OKI policy guidance or added to existing PKI policy guidance for each use-case.¶
| Responsibility | Apex | Root | Inode | Leaf |
|---|---|---|---|---|
| provide using public methods any requirements, policy and/or guidance to prospective descendants | MUST | MUST | MUST | MUST |
| provide OKIX-compatible certificate(s) as endorsement for registration of descendant(s) | MAY see 1+ Authorization HHIT |
MUST | MUST | MUST |
| maintain registrations with relevant Personally Identifiable Information (PII) as required by their jurisdiction | MUST | MUST | MUST | MUST |
| fulfill any jurisdiction requirements that are out of scope for this document | MUST | MUST | MUST | MUST |
| support [RFC7401] MAY support services using [RFC8003] such as [RFC8004] |
- | MAY | MAY | MAY |
| 1+ Authorization HHIT see Table 2 |
MAY | MUST | MUST | MUST |
| 1+ Issuing HHIT MUST have same Hierarchy ID as an Authorization HHIT MUST be locally registered using an Authorization HHIT |
MAY | MAY | SHOULD | MUST |
| cross-endorse with siblings MUST use an Authorization HHIT |
- | MAY | MAY | MAY |
| maintain reverse IPv6 zone(s) | SHOULD or delegate back to the IPv6 Prefix |
MUST | MUST | MUST |
| assign/allocate values in the X level of hierarchy in the Hierarchy ID see Table 3 |
MUST X=Root |
MUST X=Inode |
MUST X=Inode or Leaf |
- |
| implement Section 4 and Section 5 | MAY or 501 Not Implemented |
SHOULD or 501 Not Implemented |
SHOULD or 501 Not Implemented |
MUST |
| 1+ Authorization HHIT | Apex | Root | Inode | Leaf |
|---|---|---|---|---|
| set Hierarchy ID to all zeros | MUST | MUST NOT | MUST NOT | MUST NOT |
| set Hierarchy ID to assignment/allocation from ancestor | MUST NOT | MUST | MUST | MUST |
| self register | MUST | if Apex MUST then MUST NOT | MUST NOT | MUST NOT |
| registered to direct ancestor | MUST NOT | if Apex MUST NOT then MUST | MUST | MUST |
| Assign/allocate values in Hierarchy ID | Apex | Root | Inode | Leaf |
|---|---|---|---|---|
| verify prospective descendant(s) for hierarchy membership | SHOULD | SHOULD | SHOULD | - |
| register descendant(s) hierarchy members using an Authorization HHIT | MAY | MUST | MUST | - |
| delegate corresponding reverse IPv6 zone(s) to descendant(s) | SHOULD see maintain reverse IPv6 zone(s) |
MUST | MUST | - |
Existing Public Key Infrastructure X.509 (PKIX) certificate profiles can be augmented to support HHITs creating ORCHID Key Infrastructure X.509 (OKIX) profiles.¶
Other X.509 fields and OIDs MAY be required in a given jurisdiction. This is up to the original PKI(X) policy if applicable and is out of scope for this document.¶
The Certificate Signing Request is mandatory for all HHIT registrations. Depending on the entity being registered, there is specific content rules.¶
Certificate Request:
Data:
Version: 1 (0x0)
Subject: <subject to policy>
Subject Public Key Info: <subject to policy>
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name: critical
IP Address: <subject HHIT>
Signature Algorithm: <subject to policy>
As defined in Section 4.1.2.6 of [RFC5280]. This field is filled in based on the HHIT Entity Type being registered and subject to policy of the Certificate Authority.¶
When the registrant knows which HID and/or Suite ID they want the CSR SHOULD contain the Subject Alternate Name extension as defined in Section 4.2.1.6 of [RFC5280] using ipAddress containing the fully formed HHIT and MUST mark the extension as critical. The HOME MUST check to ensure that the HHIT located in the extension is properly generated with the included public key of this CSR. If the registrant does not know or care the value of their HID and/or Suite ID, the Extensions field MUST NOT appear and the HOME will use its HID for HHIT generation using the public key provided by this CSR.¶
The use of other Extension fields are out of scope for this document.¶
OKIX-Lite is designed to fully encapsulate an OKI in the smallest reasonable X.509 certificates (e.g. 240 bytes for DER), but still adhere to [RFC5280] MUST field usage. The profile can be found in Figure 9 and a field matrix found in Table 4.¶
Certificate:
Data:
Version: 3 (0x2)
Serial Number: <1 byte in size>
Signature Algorithm: <subject to policy>
Issuer: CN = <issuer HHIT>
Validity
Not Before: <subject to policy>
Not After : <subject to policy>
Subject: <subject to policy>
Subject Public Key Info: <subject to policy>
X509v3 extensions:
X509v3 Subject Alternative Name: critical
IP Address: <subject HHIT>
Signature Algorithm: <subject to policy>
| Field | Authorization | Issuing | Operational | Comments |
|---|---|---|---|---|
| Serial Number | MUST | MUST | MUST | Section 6.2.4.1.1 |
| Subject | MUST | MUST | MUST NOT | Section 6.2.4.2 |
| Issuer | MUST | MUST | MUST | Section 6.2.4.3 |
| Subject Alternative Name IP6 | MUST | MUST | MUST | Section 6.2.4.4 |
| Subject Alternative Name URI | MAY | MAY | MAY | Section 6.2.4.5 |
| Basic Constraints | MUST | MUST | MUST NOT | CA=True, flagged as Critical |
| Subject Key Identifier | MUST NOT | MUST NOT | MUST NOT | - |
| Authority Key Identifier | MUST NOT | MUST NOT | MUST NOT | - |
| Key Usage | MAY | MAY | MAY | - |
| Certificate Authority Policy OIDs | MAY | MAY | MAY | - |
The X.509 certificates are minimalistic (less than 400 bytes for DER). The profile can be found in Figure 10 and a field matrix found in Table 5. This profile MUST be used as the Canonical Registration Certificate in the DNS.¶
Certificate:
Data:
Version: 3 (0x2)
Serial Number: <20 bytes in size>
Signature Algorithm: <subject to policy>
Issuer: CN = <issuer HHIT>
Validity
Not Before: <subject to policy>
Not After : <subject to policy>
Subject: <subject to policy>
Subject Public Key Info: <subject to policy>
X509v3 extensions:
X509v3 Subject Alternative Name: critical
IP Address: <subject HHIT>
URI: <subject to policy>
X509v3 Subject Key Identifier: <subject HHIT>
X509v3 Authority Key Identifier: <issuer HHIT>
X509v3 Basic Constraints: critical
X509v3 Key Usage: critical
Signature Algorithm: <subject to policy>
| Field | Authorization | Issuing | Operational | Comments |
|---|---|---|---|---|
| Serial Number | MUST | MUST | MUST | Section 6.2.4.1.2 |
| Subject | MUST | MUST | MUST NOT | Section 6.2.4.2 |
| Issuer | MUST | MUST | MUST | Section 6.2.4.3 |
| Subject Alternative Name IP6 | MUST | MUST | MUST | Section 6.2.4.4 |
| Subject Alternative Name URI | MAY | MAY | MAY | Section 6.2.4.5 |
| Basic Constraints | MUST | MUST | MUST NOT | CA=True, flagged as Critical |
| Subject Key Identifier | MUST | MUST | MUST NOT | Section 6.2.4.6 |
| Authority Key Identifier | MUST | MUST | MUST | Section 6.2.4.7 |
| Key Usage | SHOULD | SHOULD | SHOULD | - |
| Certificate Authority Policy OIDs | RECOMMENDED | RECOMMENDED | RECOMMENDED | - |
The following sections contain clarifications on the usage of fields in the OKIX when they deviate from "standard" X.509 [RFC5280] practice.¶
The Serial Number is a MUST field, but it has no usage in the Lite profile. It is 1-byte in size and thus duplicates are guaranteed. To drop this field could make many X.509 parsing libraries fail.¶
However, Certificate Authority certificate's Serial Number MAY be the common 20 bytes. This is to avoid possible issues with general software expecting this size Serial Numbers for Certificate Authoritys.¶
If Serial Numbers are incrementally assigned, 31 bits are sufficient for an Issuing Certificate Authority with 2 billion HHITs active. A Certificate Authority should determine its best-used Serial Number field size to limit the impact of this field on the certificate size.¶
The certificates MUST contain a 20-byte randomly generated Serial Number, compliant with CABForum recommendations. Serial Numbers are included for CRL functionality.¶
The Subject field is only used in Authorization and Issuing certificates. For Operational certificates, the Subject MUST be empty and the HHIT will be in Subject Alternative Name (Section 6.2.4.4). In the Subject Alternative Name, the HHIT can be properly encoded as an IPv6 address. The contents of the Subject when used are determined by policy and is out of scope for this document.¶
The Issuer MUST be the higher level's HHIT.¶
The Issuer for the Apex Authorization certificate MUST be its HHIT (indicating self-signed). If the RAA Authorization certificate is self-signed (i.e., no Apex), its Issuer is its HHIT.¶
The Issuer content of its HHIT assists in finding this specific Issuer in the ip6.arpa. DNS tree and any additional information. The exact information that is provide is out of scope for this document.¶
Subject Alternative Name is only used in Operational certificates. It is used to provide the HHIT as an IP address with an Empty Subject (Subject Alternative Name MUST be flagged as Critical).¶
This field contains a pointer in the form of a URI where additional information on the Certificate Authority and certificates under its control can be found. The contents MUST be a base URL containing at least the fields scheme, host and port to query for additional information of a HHIT.¶
Authorization certificates MAY have a Subject Alternative Name URI and MUST when it is self-signed. Issuing certificates SHOULD have a Subject Alternative Name URI. Operational certificates MAY have a Subject Alternative Name URI.¶
The RECOMMENDED configuration with respect to Issuing and Operational certificates for a Certificate Authority is to place the Subject Alternative Name URI in the Issuing certificate and exclude them in Operational certificates.¶
When multiple providers are used by the Certificate Authority to handle additional information there SHOULD be a unique Issuing certificate with Subject Alternative Name URI for each provider, and Operational certificates MUST NOT contain a Subject Alternative Name URI.¶
Otherwise a Certificate Authority with multiple providers MUST NOT have a Subject Alternative Name URI in the Issuing certificate and MUST set the Subject Alternative Name URI to the specific provider for each Operational certificate.¶
The Subject Key Identifier MUST be the HHIT. This is a major deviation from "standard" X.509 certificates that hash (normally with SHA2) the Public Key to fill the Subject Key Identifier.¶
The Subject Key Identifier is NOT included in Operational certificates. If needed by some application, it is identical with Section 6.2.4.4.¶
The Authority Key Identifier MUST be the higher level's Subject Key Identifier (i.e. HHIT). This partially follows standard practice to chain up the Authority Key Identifier from the Subject Key Identifier, except for how the Subject Key Identifiers are populated.¶
The Authority Key Identifier for the Apex Authorization (or self-signed RAA Authorization) certificate MUST be the Subject Key Identifier (indicating self-signed).¶
IANA is requested to add the following entries in the "Well-Known URIs" registry [IANA.WellKnownURIs].¶
| URI Suffix | Change Controller | Reference | Status | Related Information |
|---|---|---|---|---|
| home/register | IETF | This RFC | permanent | N/A |
| home/query | IETF | This RFC | permanent | N/A |
| home/oaas | IETF | This RFC | permanent | N/A |
Author Note: should we also add Well-Known URIs for update and delete methods? This would then cover all parts of CRUD.¶
HOME Tokens contain a Claim Set compatible with those of CWT and JWT, so the CWT and JWT Claims registries, [IANA.CWT.Claims] and [IANA.JWT.Claims], are reused. No new IANA registry is created.¶
Per this specification, the following values are requested to be added to the "JSON Web Token Claims" registry established by [RFC7519] and the "CBOR Web Token (CWT) Claims" registry established by [RFC8392]. Each entry is requested to be added to both registries. The "Claim Description", "Change Controller", and "Reference" fields are common and equivalent for the JWT and CWT registries. The "Claim Key" and "Claim Value Type" fields are for the CWT registry only. The "Claim Name" field is as defined for the CWT registry, not the JWT registry. The "JWT Claim Name" field is equivalent to the "Claim Name" field in the JWT registry.¶
Claim Name: HOME Registration Inquiry Claim Description: HOME Registration Inquiry JWT Claim Name: hri Claim Key: TBD1 Claim Value Type: array Change Controller: IETF Reference: This RFC
Claim Name: HOME Registration Response Claim Description: HOME Registration Response JWT Claim Name: hrr Claim Key: TBD2 Claim Value Type: array Change Controller: IETF Reference: This RFC
IANA is requested to register the following value in the "RDAP Extensions" registry [IANA.RDAP.Extensions].¶
Extension Identifier: home_v0 Registry Operator: Any Specification: This specification Contact: IETF <iesg@ietf.org> Intended Usage: This extension is used to convey private information stored under a HOME registration.
IANA is requested to make the following changes to the "HHIT Entity Types" registry under [IANA.DRIP] to align with Table 7.¶
| Value | HHIT Entity Type | Abbreviation | Operational (Y/N) | Reference |
|---|---|---|---|---|
| 0 | Undefined | UKN | N | [RFC9886] |
| 1 | Hierarchical ORCHID Management Entity | HOME | N | This RFC |
| 2 | Hierarchical ORCHID Management Entity: Authorization | HOME-A | N | This RFC |
| 3 | Hierarchical ORCHID Management Entity: Issuing | HOME-I | N | This RFC |
| 4 | HOME Apex | APEX | N | [RFC9886] |
| 5 | HOME Apex: Authorization | APEX-A | N | This RFC |
| 6 | HOME Apex: Issuing | APEX-I | N | This RFC |
| 7 | DRIP Identity Management Entity | DIME | N | [RFC9886] |
| 8 | DRIP Identity Management Entity: Authorization | DIME-A | N | This RFC |
| 9 | DRIP Identity Management Entity: Issuing | DIME-I | N | This RFC |
| 10 | Registered Assigning Authority | RAA | N | [RFC9886] |
| 11 | Registered Assigning Authority: Authorization | RAA-A | N | This RFC |
| 12 | Registered Assigning Authority: Issuing | RAA-I | N | This RFC |
| 13 | HHIT Domain Authority | HDA | N | [RFC9886] |
| 14 | HHIT Domain Authority: Authorization | HDA-A | N | This RFC |
| 15 | HHIT Domain Authority: Issuing | HDA-I | N | This RFC |
| 16 | Unmanned Aircraft | UA | Y | [RFC9886] |
| 17 | Ground Control Station | GCS | Y | [RFC9886] |
| 18 | Unmanned Aircraft System | UAS | Y | [RFC9886] |
| 19 | Remote Identification Module | RID | Y | [RFC9886] |
| 20 | UAS Pilot | PILOT | Y | [RFC9886] |
| 21 | UAS Operator | OP | Y | [RFC9886] |
| 22 | Discovery & Synchronization Service | DSS | Y | [RFC9886] |
| 23 | UAS Service Supplier | USS | Y | [RFC9886] |
| 24 | Network RID Service Provider | DP | Y | [RFC9886] |
| 25 | Network RID Display Provider | SP | Y | [RFC9886] |
| 26 | Supplemental Data Service Provider | SDSP | Y | [RFC9886] |
| 27 | Crowd Sourced RID Finder | FINDER | Y | [RFC9886] |
The above changes include two new fields for "Abbreviation" and "Operational (Y/N)", re-arrangement of the first 15 values and addition of entries for Authorization and Issuing for applicable entity types.¶
This document requests IANA create a new registry under [IANA.DRIP] called "HOME Parameters" with registry policies described in Table 8.¶
| Range | Registration Policy |
|---|---|
| Integers less than 0 | delegated to HOME Common Parameters registry |
| Integers greater than -1 | Reserved |
The positive integer values (including zero) MUST NOT be directly allocated. Instead new registries for specific use-case parameters/keys are created, inherit the HOME Common Parameter registry (Section 7.6) for negative values, and setup new allocation schemes for the positive integers in their scope. See Section 7.7 for an example. Such a new registry SHOULD have an associated Media Type to allow participants a mechanism to explicitly provide context for the parameter set in use.¶
Title of the key.¶
A short description of the entry providing an overview of its semantic meaning and its expected use-cases.¶
A string value, to be used as a key in the key: value pair of a JSON object. No specific rules apply for syntax beyond being a valid JSON string for a object key, but it is recommended to use all lower-case and snake-case with underscores. Care should be given to the length of a Name to reduce wire size of JSON encodings for constrained environments.¶
A integer value to be used as a key in a CBOR map.¶
CBOR/JSON typing for value under the Key.¶
TDB¶
A link to a permanent and readily available specification defining the value syntax and semantics to be used for this key.¶
Key: Description: Name: Label: Value Type: Change Controller: Reference:
For a Key the specified value of a new registration should not duplicate the syntax and/or semantics of an existing registration. For the Name parameter of the Key, a new registration MUST NOT duplicate an existing registration Name.¶
Value Type MUST be a valid CBOR type or from [IANA.CBOR.Tags]. Their typing in JSON is assumed to follow the translation from CBOR to JSON following Section 6 of [RFC8949].¶
This document requests IANA create a new registry under [IANA.DRIP] called "HOME Common Parameters" with registry policies described in Table 9. Initial entries for this registry are in Figure 15 and uses the registration form of Section 7.5.2.¶
| Range | Registration Policy |
|---|---|
| Integers less than -65536 | Private Use (Section 4.2 of [RFC8126]) |
| Integers in the range -257 to -65536 | Specification Required (Section 4.7 of [RFC8126]) |
| Integers in the range -1 to -256 | Standard Action (Section 4.9 of [RFC8126]) |
Key: HHIT Description: Hierarchial Host Identity Tag & Entity Type Name: hhit Label: -1 Value Type: array Change Controller: IETF Reference: This RFC Key: VNB Description: Valid Not Before Name: vnb Label: -2 Value Type: tdate / time Change Controller: IETF Reference: This RFC Key: VNA Description: Valid Not After Name: vna Label: -3 Value Type: tdate / time / number Change Controller: IETF Reference: This RFC Key: Publish Description: Boolean to publish to DNS Name: publish Label: -4 Value Type: bool Change Controller: IETF Reference: This RFC Key: Certificate Signing Request (CSR) Description: DER Encoded X.509 CSR Name: csr Label: -5 Value Type: bytes Change Controller: IETF Reference: This RFC Key: Oracle Certificate Description: DER Encoded Oracle X.509 Certificate Name: oracle_x Label: -6 Value Type: bytes Change Controller: IETF Reference: This RFC Key: Canonical Certificate Description: DER Encoded X.509 Certificate Name: canon_x Label: -7 Value Type: bytes Change Controller: IETF Reference: This RFC Key: Canonical Certificate Chain Description: List of DER Encoded X.509 Certificates Name: canon_chain Label: -8 Value Type: array Change Controller: IETF Reference: This RFC Key: Contact Description: Base64 Encoded jCard Contact Information Name: contact Label: -9 Value Type: text Change Controller: IETF Reference: This RFC
This document requests IANA create a new registry under [IANA.DRIP] called "HOME Aviation Parameters" with registry policies described in Table 10. Initial entries for this registry are in Figure 16 and uses the registration form of Section 7.5.2.¶
When using this registry the "ctx" parameter of Section 7.8 is set to "aviation".¶
| Range | Registration Policy |
|---|---|
| Integers less than 0 | delegated to HOME Common Parameters registry |
| Integers in the range 0 to 65535 | Specification Required (Section 4.7 of [RFC8126]) |
| Integers greater than 65535 | First Come First Served (Section 4.3 of [RFC8126]) |
Key: UAS Type Description: ASTM F3411 UAS Type Enumeration Name: uas_type Label: 0 Value Type: uint Change Controller: IETF Reference: Section 5.2 of RFC9886 Key: UAS Identifiers Description: UAS ID Type & Value Pairs Name: uas_ids Label: 1 Value Type: array Change Controller: IETF Reference: Section 5.2 of RFC9886 Key: Authentication Data Description: Authentication Type & Data Pairs Name: auths Label: 2 Value Type: array Change Controller: IETF Reference: Section 5.2 of RFC9886 Key: Self ID Description: Self Description Type & Value Name: self_id Label: 3 Value Type: array Change Controller: IETF Reference: Section 5.2 of RFC9886 Key: UAS Classification Description: UAS Category & Class Name: classification Label: 4 Value Type: array Change Controller: IETF Reference: Section 5.2 of RFC9886 Key: Area Description: Count, Radius, Floor & Ceiling Name: area Label: 5 Value Type: array Change Controller: IETF Reference: Section 5.2 of RFC9886 Key: Operator ID Description: UAS Pilot Operator ID Name: operator_id Label: 6 Value Type: array Change Controller: IETF Reference: Section 5.2 of RFC9886
IANA is requested to add the entries of Table 11 to the "Media Types" registry [IANA.MediaTypes].¶
| Name | Template | Reference |
|---|---|---|
| home+cbor | application/home+cbor | This RFC, Section 7.8.1 |
| home+json | application/home+json | This RFC, Section 7.8.2 |
Type name: application Subtype name: home+cbor Required parameters: N/A Optional parameters: "ctx" (Context as a string for map keys. Case insensitive.) Encoding considerations: binary Security considerations: N/A Interoperability considerations: N/A Published specification: This RFC Applications that use this media type: Entities that exchange CBOR/COSE data as part of HOME interactions. Fragment identifier considerations: N/A Person & email address to contact for further information: DRIP WG mailing list (tmrid@ietf.org) Intended usage: Common Restrictions on usage: None Author/Change controller: IETF Provisional registration: No
Type name: application Subtype name: home+json Required parameters: N/A Optional parameters: "ctx" (Context as a string for map keys. Case insensitive.) Encoding considerations: same as STD90 Security considerations: N/A Interoperability considerations: N/A Published specification: This RFC Applications that use this media type: Entities that exchange JOSE/JSON data as part of HOME interactions. Fragment identifier considerations: N/A Person & email address to contact for further information: DRIP WG mailing list (tmrid@ietf.org) Intended usage: Common Restrictions on usage: None Author/Change controller: IETF Provisional registration: No
IANA is requested to add the entries of Table 12 to the "CoAP Content-Formats" registry within the "Constrained RESTful Environments (CoRE) Parameters" registry group [IANA.CORE].¶
| Content Type | Content Coding | ID | Reference |
|---|---|---|---|
| application/home+cbor; ctx=aviation | - | TBD | This RFC |
| application/home+json; ctx=aviation | - | TBD | This RFC |
The considerations discussed in [RFC9153], [RFC9374], [RFC9434] and [RFC9886] apply.¶
OMEs use and provide various methods to protect data through: Attestation, Authentication, Authorization, Access Control, Attribution, Accounting, and Audit (AAA). All data, handled under DRIP, MUST be protected by AAA, as per applicable regulation and policy (which, in some cases, for public data, may impose minimal requirements). All private data MUST also be protected by strong encryption where permitted by applicable law etc. These requirements apply to data at rest and in transit in all phases of the process, i.e. registration and query.¶
Attestation may be mandated by a jurisdiction for devices. Remote ATtestation ProcedureS (RATS, [RFC9334]) is recommended for such mandates. The specific attestation mechanisms are out of scope for this document.¶
Best practices dictate that cryptographic materials that should only be available to selected parties SHOULD be generated by one or more of those parties and stored accessibly only on those parties devices. E.g. the asymmetric key-pair from which an HHIT will be derived SHOULD be generated by the entity identified by that HHIT and the corresponding private key should be stored only on that entity's device. There may be scenarios where other parts of a system, such as a UAS, generates the cryptographic materials and provision them as needed during an operation. Any such system MUST ensure security of the cryptographic material is guaranteed.¶
The use of COSE or JOSE encryption provides privacy for Registrant data when communicating with an HOME. The considerations of [RFC9153] apply.¶
This appendix is normative.¶
In certain circumstances field contents may only be properly validated by other entities outside of DRIP. A so called "oracle" can be provided by an RAA or designated 3rd party as a service (i.e. "oracle-as-a-service") or mandated by an RAA to be implemented directly by their HDAs. If such an "oracle" is not consulted there is a risk that information being registered is fraudulent and DRIP has no method or authority to confirm the claims. If such information is accepted, future information queries by authorities could result in bogus data being returned.¶
The rest of this section (and subsections) only applies for an "oracle-as-a-service" model.¶
An an example, the binding between UAS Serial Number and Operator ID should already be known by the CAA, as typically this information is required out of band of DRIP directly to the CAA in some form. The CAA should provide or itself have access to an "oracle" that can validate these claimed bindings for registration to proceed. When an "oracle" is not consulted there is a risk that the a recorded binding between UAS and Operator is non-existent, resulting in faulty CAA enforcement capabilities.¶
HOME's when presented with additional information that requires an "oracle", MUST forward without modification the Registrants HOME Token for processing to their RAAs "oracle-as-a-service" endpoint. HOME's acting as an RAA under this specification MUST always provide the "oracle-as-a-service" endpoint (/.well-known/home/oaas) and respond as follows:¶
return an applicable HTTP Response error when the "oracle" does not exist within a given jurisdiction¶
OMEs receiving such a response SHOULD proceed as if the "oracle" successfully validated the request¶
perform a redirect to appropriate system when "oracle" is being provided as a 3rd party service that the HDAs are expected to independently consult¶
process and respond following Appendix A.3¶
OMEs process non-error HTTP codes by including the returned "oracle" certificate in artifacts in the Private Information Registry and continuing the registration process. An error HTTP code received by a HOME MUST be mimicked back to the Registrant.¶
The "oracle" MUST validate the HOME Token signature before processing any of the claim data it has authority over. Additional authentication and/or authorization on the endpoint MAY be required by a jurisdiction and its selection, implementation and policy are out of scope for this document.¶
If an "oracle" accepts the data presented it MUST respond with a valid X.509 certificate, RECOMMENDED to be OKIX compliant, with the Subject set to the same contents as the Registrant CSR. When a "oracle" denies any data presented it MUST respond with an appropriate HTTP Response code and MUST NOT include a reason. This is to avoid clients data mining information to forge malicious requests. Once the "oracle" has completed its validations on fields it has authority over and responded accordingly the HOME Token MUST be deleted from the "oracle".¶
The policy and other inner mechanics of the "oracle" are out of scope for this document.¶
This appendix is normative.¶
The HOME CDDL Prelude of Figure 19 is built upon the prelude defined in Appendix E of [RFC8610] to allow interoperability with JSON encodings. The conversion of fields to/from CBOR and JSON MUST use the advice in Section 6 of [RFC8949].¶
entity-id = int / text
key-id = int / text
map = { &(int, text) => any }
The full claim set for HRI and HRR, including prelude, are shown in Figure 20.¶
rdap = [
hhit: [ ip6: text, hhit_entity_type: uint ],
canon_x: text .b64u bytes,
metadata: map / null
]
response = [
success: { &(entity-id): success-data } / null
failure: [ + error-data ] / null
shared: map / null
]
success-data = [
keys: { &(key-id): map },
shared: map / null
]
error-data = [
eid: &(entity-id) / null,
kid: &(key-id) / null,
cat: any,
msg: any
]
inquiry = [
entities: { &(entity-id) => entity },
metadata: map / null
]
entity = [
hhit_entity_type: uint,
keys: { &(key-id): key },
metadata: map / null
]
key = [
csr: bytes / text .b64u bytes,
metadata: map / null
]
entity-id = int / text
key-id = int / text
map = { &(int, text) => any }
IPv6 addresses MUST be tagged using [RFC9164] when encoded in CBOR. For JSON, IPv6 addresses MUST be an address string as defined in [RFC4291], Section 2.2.¶
hhit = [ ip6: #6.54(bytes .size(16)) / text, ; ip6 addr tstr hhit_entity_type: uint ] vnb = tdate / time vna = tdate / time / number publish = bool csr = bytes / text .b64u bytes ; DER encoded oracle_x = bytes / text .b64u bytes ; DER encoded canon_x = bytes / text .b64u bytes ; DER encoded canon_chain = [ bytes / text .b64u bytes ] ; DER encoded contact = text ; b64 encoded jCard object
The inclusion of the valid not before (VNB) and valid not after (VNA) parameters to the metadata map of Section 4.2.1 allows a Registrant to set very specific validity times for their registration.¶
VNB when present is always an absolute time reference per its typing. VNA is either an absolute time reference (like VNB) or a positive offset in seconds (to be added to the VNB absolute time). Negative values of VNA MUST be considered an encoding error.¶
Implementation Note: due to not differentiating between integers and floats in its number type, implementations using JSON as the encoded format MUST check the value of VNA to determine if its being used as an offset or absolute time.¶
When VNB is not present in the metadata map the HOME MUST use the current absolute date/time as VNB. The absence of VNA is a signal for the HOME to use a default offset, determined by policy and out of scope for this document, to add to VNB.¶
As an example of the use of VNB and VNA, a Registrant may set VNB to null and VNA to 3600. The HOME in this instance would use the current absolute time at receipt of the registration request for VNB and then apply the offset specified by VNA to obtain an absolute time for VNA that is 3600 seconds after VNB.¶
These parameters are carried over from Section 5.2 of [RFC9886]. The content in Figure 22 carries the same semantics from [RFC9886] but is more well-defined in syntax of CDDL.¶
uas_type = (uint .le 15) .default 0 uas_ids = [ + [ id_type: uint .le 15, uas_id: bytes .size(20) ] ] auth = [ + [ type: uint .le 15, data: bytes .size(1..362) ] ] self_id = [ type: uint .size(1), description: text .size(23) ] area = [ count: (uint .size(1)) .default 1, radius: number, floor: number, ceiling: number ] classification = [ type: (uint .le 8) .default 0, class: (uint .le 15) .default 0, category: (uint .le 15) .default 0 ] operator_id = [ type: uint .size(1), id: bytes .size(20) ]
Robert Moskowitz provided the concept and general structure for the OKI and the specific inclusions for X.509 profiles to support HHITs.¶