Internet DRAFT - draft-ietf-drip-registries
draft-ietf-drip-registries
drip Working Group A. Wiethuechter, Ed.
Internet-Draft AX Enterprize, LLC
Intended status: Standards Track J. Reid
Expires: 6 June 2024 RTFM llp
4 December 2023
DRIP Entity Tag (DET) Identity Management Architecture
draft-ietf-drip-registries-14
Abstract
This document describes the high level architecture for the
registration and discovery of DRIP Entity Tags (DETs) using DNS.
Discovery of DETs and their artifacts are through DRIP specific DNS
structures and standard DNS methods. A general overview of the
interfaces required between involved components is described in this
document with future supporting documents giving technical
specifications.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 6 June 2024.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
Wiethuechter & Reid Expires 6 June 2024 [Page 1]
�
Internet-Draft DETIM Architecture December 2023
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Abstract Process and Reasoning . . . . . . . . . . . . . . . 4
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Required Terminology . . . . . . . . . . . . . . . . . . 5
3.2. Additional Definitions . . . . . . . . . . . . . . . . . 5
3.3. Text Conventions . . . . . . . . . . . . . . . . . . . . 6
4. DIME Roles . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Apex . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.2. Registered Assigning Authority (RAA) . . . . . . . . . . 7
4.2.1. ISO 3166-1 Numeric Nations (INN) . . . . . . . . . . 8
4.3. Hierarchial HIT Domain Authority (HDA) . . . . . . . . . 8
5. DIME Architecture . . . . . . . . . . . . . . . . . . . . . . 9
5.1. DRIP Provisioning Agent (DPA) . . . . . . . . . . . . . . 10
5.2. Registry . . . . . . . . . . . . . . . . . . . . . . . . 11
5.3. Name Server (NS) . . . . . . . . . . . . . . . . . . . . 12
5.4. DRIP Information Agent (DIA) . . . . . . . . . . . . . . 13
5.5. Registration Data Directory Service (RDDS) . . . . . . . 14
6. Registration/Provisioning Process . . . . . . . . . . . . . . 15
6.1. Operator . . . . . . . . . . . . . . . . . . . . . . . . 15
6.2. Session ID . . . . . . . . . . . . . . . . . . . . . . . 16
6.2.1. UA Based Session ID . . . . . . . . . . . . . . . . . 18
6.2.2. UAS Based Session ID . . . . . . . . . . . . . . . . 18
6.3. Child DIME . . . . . . . . . . . . . . . . . . . . . . . 19
7. Differentiated Access Process . . . . . . . . . . . . . . . . 20
8. DRIP in the Domain Name System . . . . . . . . . . . . . . . 21
8.1. DRIP Entity Tags . . . . . . . . . . . . . . . . . . . . 22
8.1.1. DET Resource Record . . . . . . . . . . . . . . . . . 22
9. Endorsements . . . . . . . . . . . . . . . . . . . . . . . . 24
9.1. Endorsement Structure . . . . . . . . . . . . . . . . . . 24
9.1.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . 25
9.1.2. Evidence . . . . . . . . . . . . . . . . . . . . . . 25
9.1.3. Identity . . . . . . . . . . . . . . . . . . . . . . 25
9.1.4. Signature . . . . . . . . . . . . . . . . . . . . . . 26
10. X.509 Certificates . . . . . . . . . . . . . . . . . . . . . 26
10.1. Certificate Policy and Certificate Stores . . . . . . . 26
10.2. Certificate Management . . . . . . . . . . . . . . . . . 27
10.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . 28
Wiethuechter & Reid Expires 6 June 2024 [Page 2]
�
Internet-Draft DETIM Architecture December 2023
10.4. Alternative Certificate Encoding . . . . . . . . . . . . 28
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28
11.1. Delegation of Nibble Reversed IPv6 Prefix . . . . . . . 28
11.2. IANA DRIP Registry . . . . . . . . . . . . . . . . . . . 29
11.2.1. Endorsement Fields . . . . . . . . . . . . . . . . . 29
11.2.2. DET Type . . . . . . . . . . . . . . . . . . . . . . 30
11.2.3. DET Status . . . . . . . . . . . . . . . . . . . . . 30
12. Security Considerations . . . . . . . . . . . . . . . . . . . 31
12.1. Key Rollover & Federation . . . . . . . . . . . . . . . 31
12.2. DET Generation . . . . . . . . . . . . . . . . . . . . . 31
13. Public Key Exposure . . . . . . . . . . . . . . . . . . . . . 32
14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 32
15. References . . . . . . . . . . . . . . . . . . . . . . . . . 32
15.1. Normative References . . . . . . . . . . . . . . . . . . 32
15.2. Informative References . . . . . . . . . . . . . . . . . 33
Appendix A. HID Abbreviation Recommendation . . . . . . . . . . 35
Appendix B. DRIP Fully Qualified Domain Names . . . . . . . . . 36
B.1. DRIP Entity Tag . . . . . . . . . . . . . . . . . . . . . 36
Appendix C. DRIP Endorsements for UAS . . . . . . . . . . . . . 36
C.1. Generic Endorsement . . . . . . . . . . . . . . . . . . . 36
C.2. Self Endorsement . . . . . . . . . . . . . . . . . . . . 37
C.3. Broadcast Endorsement . . . . . . . . . . . . . . . . . . 38
Appendix D. DNS Examples . . . . . . . . . . . . . . . . . . . . 41
D.1. Operator . . . . . . . . . . . . . . . . . . . . . . . . 41
D.2. Session ID . . . . . . . . . . . . . . . . . . . . . . . 41
D.3. Child DIME . . . . . . . . . . . . . . . . . . . . . . . 41
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41
1. Introduction
Registries are fundamental to Unmanned Aircraft System (UAS) Remote
ID (RID). Only very limited operational information can be
Broadcast, but extended information is sometimes needed. The most
essential element of information is the UAS ID, the unique key for
lookup of extended information in relevant registries (see Figure 4
of [RFC9434]).
While it is expected that DRIP Identity Management Entity (DIME)
functions will be integrated with UAS Service Suppliers (USS)
(Appendix A.2 of [RFC9434]), who will provide DIME-like functions is
not yet determined in most, and is expected to vary between,
jurisdictions. However this evolves, the essential DIME-like
functions (including the management of identifiers (such as the DRIP
Entity Tag (DET))) are expected to remain the same, so are specified
herein.
Wiethuechter & Reid Expires 6 June 2024 [Page 3]
�
Internet-Draft DETIM Architecture December 2023
While most data to be sent via Broadcast RID (Section 1.2.1 of
[RFC9434]) or Network RID (Section 1.2.2 of [RFC9434]) is public,
much of the extended information in registries will be private. As
discussed in Section 7 of [RFC9434], Authentication, Attestation,
Authorization, Access Control, Accounting, Attribution, and Audit
(AAA) for registries is essential, not just to ensure that access is
granted only to strongly authenticated, duly authorized parties, but
also to support subsequent attribution of any leaks, audit of who
accessed information when and for what purpose. As specific AAA
requirements will vary by jurisdictional regulation, provider
choices, customer demand, etc., they are left to specification in
policies, which should be human readable to facilitate analysis and
discussion, and machine readable to enable automated enforcement,
using a language amenable to both (e.g., eXtensible Access Control
Markup Language (XACML)).
The intent of the access control requirements on registries is to
ensure that no member of the public would be hindered from accessing
public information, while only duly authorized parties would be
enabled to access private information. Mitigation of Denial of
Service (DoS) attacks and refusal to allow database mass scraping
would be based on those behavior, not on identity or role of the
party submitting the query per se, but querant identity information
might be gathered (by security systems protecting DRIP
implementations) on such misbehavior.
Registration under DRIP is vital to manage the inevitable collisions
in the hash portion of the DET (Section 9.5 of [RFC9374]). Forgery
of a DET is still possible, but including it as a part of a public
registration mitigates this risk.
This document creates the DRIP registration and discovery ecosystem
focusing on the DET. This SHOULD support all components in the
ecosystem (e.g., Unmanned Aircraft (UA), Registered Assigning
Authority (RAA), Hierarchical HIT Domain Authority (HDA), Ground
Control Station (GCS), and USS) that can use a DET.
This document uses the Concise Data Definition Language (CDDL)
[RFC8610] for describing the registration data.
2. Abstract Process and Reasoning
In DRIP each entity (DIME, Operator, UA, etc.) is expected to
generate a DET [RFC9374] on the local device their key is expected to
be used. These are registered with a Public Information Registry
(e.g. DNS) within the hierarchy along with whatever data is required
by the cognizant CAA and the DIME. Any Personally Identifiable
Information (PII) is stored in a Private Information Registry
Wiethuechter & Reid Expires 6 June 2024 [Page 4]
�
Internet-Draft DETIM Architecture December 2023
protected through industry practice AAA or stronger. In response,
the entity will obtain an endorsement from the DIME proving such
registration.
Manufacturers that wish to participate in DRIP should not only
support DRIP as a Session ID type for their aircraft but could also
generate a DET then encode it as a Serial Number (Section 4.2 of
[RFC9374]). This would allow aircraft under CAA mandates to fly only
ID Type 1 (Serial Number) could still use DRIP and most of its
benefits. Even if DRIP is not supported for Serial Numbers by a
Manufacturer it is hoped that they would still run a DIME to store
their Serial Numbers and allow look ups for generic model
information. This look up could be especially helpful in UTM for
Situational Awareness when an aircraft flying with a Serial Number is
detected and allow for an aircraft profile to be displayed.
Operators are registered with a number of registries or their
regional RAA. This acts as a verification check when a user performs
other registration operations; such as provisioning an aircraft with
a new Session ID. It is an open question if an Operator registers to
their CAA (the RAA's direct HDA) or multiple USS's (HDA's). PII of
the Operator would vary based on the CAA they are under and the DIME.
Finally, aircraft that support using a DET would provision per flight
to a USS, proposing a DET to the DIME to generate a binding between
the aircraft (Session ID, Serial Number, and Operational Intent),
operator and DIME. The aircraft then follows [drip-auth] to meet
various requirements from [RFC9153] during a flight.
3. Terminology
3.1. Required Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3.2. Additional Definitions
This document makes use of the terms (PII, USS, etc.) defined in
[RFC9153]. Other terms (DIME, Endorsement, etc.) are from [RFC9434],
while others (RAA, HDA, etc.) are from [RFC9374].
Wiethuechter & Reid Expires 6 June 2024 [Page 5]
�
Internet-Draft DETIM Architecture December 2023
3.3. Text Conventions
When talking about a DIME in documents it should be referred to as
the role it is serving. For example a CAA level DIME running
services both as an RAA (its primary role in the hierarchy) and as an
HDA (optionally) would be be referred to "RAA" when performing its
RAA duties and "HDA" when performing its HDA duties. The rest of the
document will follow this convention unless verbosity or clarity is
needed.
4. DIME Roles
[RFC9434] defines the DRIP Identity Management Entity (DIME) as an
entity that vets Claims and/or Evidence from a registrant and
delivers, to successful registrations, Endorsements and/or
Certificates in response. The DIME encompasses various logical
components and can be classified to serve a number of different
roles, which are detailed in the following subsections. The general
hierarchy of these initial roles (some highly specialized and
predetermined for the UAS use case) are illustrated in Figure 1.
+----------+
| Apex o--------.
+-o------o-+ |
| | |
******************|******|**********|******************
| | |
+-----o-+ +-o-----+ +-o-----+
RAAs | MCA | | INN | | RAA |
+---o---+ +---o---+ +---o---+
| | |
****************|**********|**********|****************
| | |
+---o---+ +---o---+ +---o---+
HDAs | MAA | | HDA | | HDA |
+-------+ +-------+ +-------+
Figure 1: DIME Roles and Hierarchy
4.1. Apex
The Apex is a special DIME role that holds the values of RAA=0-3 and
HDA=0. It serves as the branch point from the larger DNS system in
which DETs are defined. The Apex is the owner of the IPv6 prefix
portion of the DET associated with it (2001:30/28) which is assigned
by IANA from the special IPv6 address space for ORCHIDs.
Wiethuechter & Reid Expires 6 June 2024 [Page 6]
�
Internet-Draft DETIM Architecture December 2023
The Apex manages all delegations and allocations of the DET's RAA to
various parties. Allocations of RAAs SHOULD be done in contiguous
groups of 4.
+===================+=================+======================+
| RAA Decimal Range | RAA Hex Range | Status |
+===================+=================+======================+
| 0 - 3 | 0x0000 - 0x0003 | Apex |
+-------------------+-----------------+----------------------+
| 4 - 3999 | 0x0004 - 0x0F9F | ISO 3166-1 Countries |
| | | (Section 4.2.1) |
+-------------------+-----------------+----------------------+
| 4000 - 16375 | 0x1000 - 0x3FFF | Reserved |
+-------------------+-----------------+----------------------+
| 16376 - 16383 | 0x3FF8 - 0x3FFF | DRIP WG Experimental |
| | | Use |
+-------------------+-----------------+----------------------+
Table 1
Note: that the first column of this table is _decimal_ values
*not* _hexadecimal_.
RAA values of 0 (0x0000) to 3 (0x0003) are reserved to the Apex
exclusively.
The Experimental range of 16376 (0x3FF8) to 16383 (0x3FFF), eight (8)
RAAs, is allocated to the DRIP working group itself. 16376 to 16379
are setup by DRIP experts to act as RAAs for potential HDA users to
test against. RAA 16376 is already "in use" with driptesting.org.
The rest of the range (16377 to 16383) are reserved to be allocate by
the DRIP experts to agencies that wish to test.
4.2. Registered Assigning Authority (RAA)
RAA's are the upper hierarchy in DRIP (denoted by a 14-bit field,
i.e. 16,384 RAAs, of an DET). An RAA is a business or organization
that manages a DIME of HDAs (Section 4.3). Most are contemplated to
be Civil Aviation Authorities (CAA), such as the Federal Aviation
Authority (FAA), that then delegate HDAs to manage their National Air
Space (NAS). This is does not preclude other entities to operate an
RAA if the Apex allows it.
Wiethuechter & Reid Expires 6 June 2024 [Page 7]
�
Internet-Draft DETIM Architecture December 2023
An RAA must provide a set of services to allocate HDAs to
organizations. It must have a public policy on what is necessary to
obtain an HDA. It must maintain a DNS zone minimally for discovering
HID RVS servers. All RAA's have a single reserved HDA value: 0
(0x0000) for itself to support various functions or services. Other
HDA values can be allocated or reserved per RAA policy.
4.2.1. ISO 3166-1 Numeric Nations (INN)
The RAA range of 4 (0x0004) to 3999 (0x0F9F) are reserved for CAAs
using the ISO 3166-1 Numeric Nation Code. The RAA can be derived
from the ISO 3166-1 numeric code by multiplying the value by 4 (i.e.
raa_code = iso_code * 4). Four contiguous values (raa_code + 0,
raa_code + 1, raa_code + 2 and raa_code + 3) are used in a single
allocation. The inverse (RAA to ISO) works out as: iso_code =
floor(raa_code / 4).
As an example the United States has an ISO 3166-1 Numeric Code of
840. This derives the following RAAs: 3360, 3361, 3362 and 3363.
It should be noted that the range of codes from 900 to 999 are
defined as "user assigned code elements" without specific claimant
predefined in the RAA space. Withdrawn and other special codes also
do not have predetermined claimants.
How a CAA handles their 4 allocations are out of scope of this
document. Control of these values are expected to be claimed by
their respective owner. How a claim is vetted and validated is out
of scope of this document. Protection against fraudulent claims of
one of these values is out of scope for this document.
Note: A single entity may control more than one NAS (for example
LU and BE being covered by Skeyes.be) and would manage two
allocation spaces. How this is claimed and handled is out of
scope for this document.
4.3. Hierarchial HIT Domain Authority (HDA)
An HDA may be an USS, ISP, or any third party that takes on the
business to register the actual entities that need DETs. This
includes, but is not limited to UA, GCS, UAS Operators and
infrastructure (such as Supplemental Data Service Providers). It
should also provide needed UAS services including those required for
HIP-enabled devices (e.g. RVS).
A primary function of HDAs for DRIP, in the context of UAS RID is the
binding between a UAS Session ID (for DRIP the DET) and the UA Serial
Number. The Serial Number MUST have its access protected to allow
Wiethuechter & Reid Expires 6 June 2024 [Page 8]
�
Internet-Draft DETIM Architecture December 2023
only authorized parties to obtain it. The Serial Number MUST be
protected in a way only the authorized party can decrypt. As part of
the UTM system HDAs can also hold a binding between a UAS ID (Serial
Number or Session ID) and an Operational Intent. They may either be
a direct logical part of a UAS Service Supplier (USS) or be a UTM
wide service to USS's.
The HDA is a 14-bit field (16,384 HDAs per RAA) of a DET assigned by
an RAA. An HDA should maintain a set of RVS servers for UAS clients
that may use HIP. How this is done and scales to the potentially
millions of customers are outside the scope of this document. This
service should be discoverable through the DNS zone maintained by the
HDA's RAA.
An RAA may assign a block of values to an individual organization.
This is completely up to the individual RAA's published policy for
delegation. Such policy is out of scope.
5. DIME Architecture
The DIME, in any of its roles (Section 4), is comprised of a number
of logical components that are depicted in Figure 2. Any of these
components could be delegated to other entities as a service both co-
located or remote. For example:
* The Name Server component could be handled by a well-established
DNS registrar/registry with the DRIP Provisioning Agent (DPA)
(Section 5.1) interfacing to them
- Either the DPA or the Registry/Name Server interfaces to the
DRIP Information Agent (DIA)
* The DPA, Registry, and Name Server may all be co-located in one
implementation with an interface to a DIA offered by another
organization from any one of the co-located components
Wiethuechter & Reid Expires 6 June 2024 [Page 9]
�
Internet-Draft DETIM Architecture December 2023
+--------------------+
| Registering Client |
+---------o----------+
|
**********|******************************************************
* | DRIP Identity Management Entity (DIME) *
* | *
* +------o-------+ +-------------+ +--------------+ *
* | DRIP | | | | | *
* | Provisioning o------o | | | *
* | Agent (DPA) | | | | | *
* +-------o------+ | | | | *
* | | | | | *
* | | DRIP | | Registration | *
* +-------o--+ | Information o------o Data | *
* | Registry o----------o Agent (DIA) | | Directory | *
* +-------o--+ | | | Service | *
* | | | | (RDDS) | *
* | | | | | *
* +-------o----------+ | | | | *
* | Name Server (NS) | | | | | *
* +------o-----------+ +-----o-------+ +------o-------+ *
* | | | *
* | | | *
**********|********************|*********************|***********
| | |
| +-------o-------+ |
'------------o Lookup Client o-------------'
+---------------+
Figure 2: DIME Logical Components
5.1. DRIP Provisioning Agent (DPA)
The DPA performs the important task of vetting information coming
from clients wishing to register and then delegate (internally or
externally) various items to other components in the DIME.
A standard interface MUST be provided for clients to access. An
HTTPS based interface is RECOMMENDED. This interface specification
is out of scope for this document.
There MUST be an interface from the DPA to a Registry (Section 5.2)
component which handles the DNS specific requirements of the DIME as
defined by the Registry. There MAY also be interface from the DPA to
a DRIP Information Agent (Section 5.4) as defined by the DIA.
Wiethuechter & Reid Expires 6 June 2024 [Page 10]
�
Internet-Draft DETIM Architecture December 2023
+-------------+
| Registering |
| Client |
+------o------+
|
| HTTPS
|
|
+--o--+ +-----+
| DPA o-----------o DIA |
+--o--+ TBD +-----+
|
|
| HTTPS or EPP
|
+------o---+
| Registry |
+----------+
Figure 3: DPA Interface Mapping
5.2. Registry
The Registry component handles all the required DNS based
requirements of the DIME to function for DRIP. This includes the
registration and maintenance of various DNS Resource Records.
A standardized interface MUST be implemented for interactions with
the DPA (Section 5.1). This interface MAY be over HTTPS using JSON/
CBOR encoding or MAY use the Extensional Provisioning Protocol (EPP)
[RFC5730]. The detailed specification of either of these interfaces
is out of scope for this document.
There MAY be interface from the Registry to a DRIP Information Agent
(Section 5.4) as defined by the DIA.
Wiethuechter & Reid Expires 6 June 2024 [Page 11]
�
Internet-Draft DETIM Architecture December 2023
+-----+
| DPA |
+--o--+
|
| HTTPS or EPP
|
|
+------o---+ +-----+
| Registry o-----------o DIA |
+-----o----+ TBD +-----+
|
|
| TBD
|
+---o--+
| NS |
+------+
Figure 4: Registry Interface Mapping
5.3. Name Server (NS)
The interface of the Name Server to any component (nominally the
Registry) in a DIME is out of scope as typically they are
implementation specific.
Author Note: This may be very important here as we should not
preclude a USS from running his own Name Server but they are not
DNS experts and will need guidance or at least pointers to it to
not mess it up. Such as SOA and NS formats to allow delegation if
acting as an RAA.
Wiethuechter & Reid Expires 6 June 2024 [Page 12]
�
Internet-Draft DETIM Architecture December 2023
+----------+
| Registry |
+-----o----+
|
|
| TBD
|
+---o--+
| NS |
+--o---+
|
|
| DNS Query/Response
|
+----o----------+
| Lookup Client |
+---------------+
Figure 5: Name Server Interface Mapping
5.4. DRIP Information Agent (DIA)
The DIA is the main component handling requests for information from
entities outside of the DIME. Typically this is when an Observer
looks up a Session ID from an UA and gets pointed to the DIA to
obtain information not available publicly (i.e. via DNS).
The information contained in the DIA is generally more oriented
around the Operator of a given UAS and is thus classified as
Personally Identifiable Information (PII). To protect the privacy of
an Operator of the UAS this information is not publicly accessible
and is only available behind policy driven differentiated access
mechanisms (see Section 7).
For DRIP, the Registration Data Access Protocol (RDAP) ([RFC7480],
[RFC9082] and [RFC9083]) is the selected protocol to provide policy
driven differentiated access for queries of information from clients.
There MUST be a standardized interface for the DPA or Registry to
add, update or delete information into the DIA. Specific details for
these interfaces are out of scope for this document.
An interface defined by the Registration Data Directory Service
(RDDS) (Section 5.5) is also required as specified by the RDDS.
Wiethuechter & Reid Expires 6 June 2024 [Page 13]
�
Internet-Draft DETIM Architecture December 2023
+-----+
| DPA |
+--o--+
|
|
| TBD
|
+----------+ TBD +--o--+ +------+
| Registry o-----------o DIA o-------------o RDDS |
+----------+ +--o--+ TBD +------+
|
|
RDAP |
|
+-------o-------+
| Lookup Client |
+---------------+
Figure 6: DIA Interface Mapping
5.5. Registration Data Directory Service (RDDS)
This is the primary information database for the DIA. An interface
MUST be provided to the DIA but its specification is out of scope for
this document.
+-----+
| DIA |
+--o--+
|
|
| TBD
|
+---o--+
| RDDS |
+--o---+
|
|
| RDAP
|
+----o----------+
| Lookup Client |
+---------------+
Figure 7: RDDS Interface Mapping
Wiethuechter & Reid Expires 6 June 2024 [Page 14]
�
Internet-Draft DETIM Architecture December 2023
6. Registration/Provisioning Process
The general process for a registering party is as follows:
1. Verify input Endorsement(s) from registering party
2. Check for collision of DET and HI
3. Populate Registry/Name Server with resource record(s)
4. Populate RDDS via DIA with PII and other info
5. Generate and return Endorsement(s)
In the following subsections an abbreviated form of Section 5 using
co-located components is used to describe the flow of information.
The data elements being transmitted between entities is marked
accordingly in each figure for the specific examples.
Each section has an associated appendix (Appendix D) containing DNS
examples.
6.1. Operator
Provided either by USS or CAA run HDAs. Regulation might require
interaction between them. An Operator can request that certain
information normally generated and provisioned into DNS be omitted
due to privacy concerns.
Wiethuechter & Reid Expires 6 June 2024 [Page 15]
�
Internet-Draft DETIM Architecture December 2023
+----------+
| Operator |
+--o---o---+
| ^
(a) | | (b)
| |
*******|***|*****************************
* | | DIME:HDA *
* | | *
* v | +----------+ *
* +--o---o--+ | | *
* | DPA o--------->o | *
* +----o----+ (d) | | *
* | | | *
* | (c) | DIA/RDDS | *
* v | | *
* +----o--------+ | | *
* | Registry/NS | | | *
* +-------------+ | | *
* +----------+ *
* *
*****************************************
(a) Operator Information,
Operator Self-Endorsement
(b) Success Code,
Generic Endorsement: HDA on Operator
(c) HIP RR, DET RR, TLSA RR, URI RR, PTR RR
(d) Operator Information
Note: (c) MAY be requested by the Operator
to be omitted due to PII concerns.
Figure 8: Example DIME:HDA with Operator (DET) Registration
The definition of Operator Information is out of scope of this
document and left to local regulations (both in its format and
contents).
6.2. Session ID
Session IDs are generally handled by HDAs. In Figure 9 the UAS
comprises of an unmanned aircraft and a Ground Control Station (GCS).
Both parties are involved in the registration process.
Wiethuechter & Reid Expires 6 June 2024 [Page 16]
�
Internet-Draft DETIM Architecture December 2023
+---------+
| UAS |
+--o---o--+
| ^
(a) | | (b)
| |
*******|***|*****************************
* | | DIME: HDA *
* | | *
* v | +----------+ *
* +--o---o--+ | | *
* | DPA o--------->o | *
* +----o----+ (d) | | *
* | | | *
* | (c) | DIA/RDDS | *
* v | | *
* +----o--------+ | | *
* | Registry/NS | | | *
* +-------------+ | | *
* +----------+ *
* *
*****************************************
(a) Mutual Endorsement: HDA on GCS,
Generic Endorsement: GCS on UA,
Session ID Information
(b) Success Code,
Broadcast Endorsement: HDA on UA,
Generic Endorsement: HDA on UAS
(c) HIP RR, DET RR, TLSA RR, URI RR, PTR RR
(d) Session ID Information
Figure 9: Example DIME:HDA with Session ID (DET) Registration
Through mechanisms not specified in this document the Operator should
have methods (via the GCS) to instruct the unmanned aircraft onboard
systems to generate a keypair, DET and Self-Endorsement: UA. The
Self-Endorsement: UA is extracted by the Operator onto the GCS.
The GCS is already pre-provisioned and registered to the DIME with
its own keypair, DET, Self-Endorsement: GCS and Generic Endorsement:
HDA on GCS. The GCS creates a new Generic Endorsement: GCS on UA and
also creates Mutual Endorsement: HDA on GCS. These new endorsements
along with Session ID Information are sent to the DIME via a secure
channel.
Wiethuechter & Reid Expires 6 June 2024 [Page 17]
�
Internet-Draft DETIM Architecture December 2023
The GCS injects the Broadcast Endorsement: HDA on UA securely into
the unmanned aircraft. Endorsement: HDA on GCS is securely stored by
the GCS.
Note: in Figure 9 the Session ID Information is expected to
contain the Serial Number along with other PII specific
information (such as UTM data) related to the Session ID.
Session ID Information is defined as the current model:
sessionid_info = {
serial: tstr .size 20,
session_id: tstr,
operational_intent: tstr,
intent_src: tstr,
operator_id: tstr,
session_context: tstr,
* tstr: any
}
Future standards or implementations MAY add other keys to this list
(for local features and/or local regulation).
6.2.1. UA Based Session ID
There may be some unmanned aircraft that have their own Internet
connectivity allowing them to register a Session ID themselves
without outside help from other devices such as a GCS. When such a
system is in use its imperative that the Operator has some method to
create the Generic Endorsement: Operator on UA to send to the DIME.
The process and methods to perform this are out of scope for this
document but MUST be done in a secure fashion.
6.2.2. UAS Based Session ID
Most unmanned aircraft will not have their own Internet connectivity
but will have a connection to a GCS. Typically a GCS is an
application on a user device (such as smartphone) that allow the user
to fly their aircraft. For the Session ID registration the DIME MUST
be provided with an Generic Endorsement: GCS on UA which implies
there is some mechanism extracting and inserting information from the
unmanned aircraft to the GCS. These methods MUST be secure but are
out of scope for this document.
With this system it is also possible to have the GCS generate the DET
based Session ID and insert it securely into the unmanned aircraft
after registration is done. This is NOT RECOMMENDED as this
invalidates the objective of the asymmetric cryptography in the
Wiethuechter & Reid Expires 6 June 2024 [Page 18]
�
Internet-Draft DETIM Architecture December 2023
underlying DET as the private key MAY get in the possession of
another entity other than the unmanned aircraft. See Section 12.2
for more details.
6.3. Child DIME
Handled by the Apex and RAA's. This is an endpoint that handles
dynamic registration (or key roll-over) of lower-level DIMEs (RAAs to
Apex and HDAs to RAAs) in the hierarchy.
+---------------+
| DIME: HDA |
+--o---o--------+
| ^
(a) | | (b)
| |
*******|***|*****************************
* | | DIME: RAA *
* | | *
* v | +----------+ *
* +--o---o--+ | | *
* | DPA o--------->o | *
* +----o----+ (d) | | *
* | | | *
* | (c) | DIA/RDDS | *
* v | | *
* +----o--------+ | | *
* | Registry/NS | | | *
* +-------------+ | | *
* +----------+ *
* *
*****************************************
(a) Self-Endorsement: HDA,
HDA Information or
Generic Endorsement: old HDA, new HDA
(b) Success Code,
Broadcast Endorsement: RAA on HDA
(c) HIP RR, DET RR, TLSA RR, URI RR, PTR RR
(d) HDA Information
Figure 10: Example DIME:RAA with DIME:HDA Registration
Wiethuechter & Reid Expires 6 June 2024 [Page 19]
�
Internet-Draft DETIM Architecture December 2023
It should be noted that this endpoint DOES NOT hand out dynamically
RAA/HDA values to systems that hit the endpoint. This is done out-
of-band through processes specified by local regulations and
performed by cognizant authorities. The endpoint MUST NOT accept
queries it is not previously informed of being expected via
mechanisms not defined in this document.
It is OPTIONAL to implement this endpoint. This MAY be used to
handle lower-level DIME key roll-over.
7. Differentiated Access Process
Per [RFC9434] all information classified as public is stored in a
datastore protected using some form of differentiated access (i.e.
AAA) to satisfy REG-2 from [RFC9153].
Differentiated access, as a process, is a requirement for DIMEs as
defined in [RFC9153] by the combination of PRIV-1, PRIV-3, PRIV-4,
REG-2 and REG-4. [RFC9434] further elaborates on the concept by
citing RDAP (from [RFC7480], [RFC9082] and [RFC9083]) as a potential
means of fulfilling this requirement.
Typically the cognizant authority is the primary querant of private
information from a DIME if a Session ID is reported (the case of the
owner of the private information is ignored for the moment). This
capability MAY be delegated to other parties at the authorities
discretion (be it to a single user or many), thus requiring a
flexible system to delegate, determine and revoke querent access
rights for information. XACML MAY be a good technology choice for
this flexibility.
It is noted by the authors that as this system scales the problem
becomes a, well known and tricky, key management problem. While
recommendations for key management are useful they are not
necessarily in scope for this document as best common practices
around key management should already be mandated and enforced by the
cognizant authorities in their existing systems. This document
instead focuses on finding a balance for generic wide-spread
interoperability between DIMEs with authorities and their existing
systems in a Differentiated Access Process (DAP).
A system where cognizant authorities would require individual
credentials to each HDA is not scalable, nor practical. Any change
in policy would require the authority to interact with every single
HDA (active or inactive) to grant or revoke access; this would be
tedious and prone to mistakes. A single credential for a given
authority is also strongly NOT RECOMMENDED due to the security
concerns it would entail if it leaked.
Wiethuechter & Reid Expires 6 June 2024 [Page 20]
�
Internet-Draft DETIM Architecture December 2023
A zero-trust model would be the most appropriate for a DAP; being
highly flexible and robust. Most authorities however use "oracle"
based systems with specific user credentials and the oracle knowing
the access rights for a given user. This would require the DAP the
have some standard mechanism to locate and query a given oracle for
information on the querent to determine if access is granted.
DRIP has no intention to develop a new "art" of key management,
instead hoping to leverage existing systems and be flexible enough to
adapt as new ones become popular.
8. DRIP in the Domain Name System
Per [RFC9434] all information classified as public is stored in the
DNS to satisfy REG-1 from [RFC9153].
The apex for domain names MUST be under the administrative control of
ICAO, the international treaty organization providing the critical
coordination platform for civil aviation. ICAO SHOULD be responsible
for the operation of the DNS-related infrastructure for these domain
name apexes. It MAY chose to run that infrastructure directly or
outsource it to competent third parties or some combination of the
two. ICAO SHOULD specify the technical and administrative criteria
for the provision of these services: contractual terms (if any),
reporting, uptime, SLAs (if any), DNS query handling capacity,
response times incident handling, complaints, law enforcement
interaction and so on.
The delegation of civil aviation authorities to RAAs is already done
per Section 4.2.1 using their ISO 3166-1 Numeric Codes. Since these
are public, any entity can stand up an RAA with that value. ICAO
SHOULD be the root of trust in a Endorsement or certificate chain
that provides validation of any of these specific RAAs, in the ISO
RAA range, thus protecting against bad actors standing up fraudulent
RAAs. This also ensures DRIP complies with national law and
regulation since these are matters of national sovereignty.
Wiethuechter & Reid Expires 6 June 2024 [Page 21]
�
Internet-Draft DETIM Architecture December 2023
Each national aviation authority SHOULD be responsible for the
operation of the DNS-related infrastructure for their delegated
subdomains. As with the domain apexes overseen by ICAO, each
national aviation authority MAY chose to run that infrastructure
directly or outsource it to competent third parties or some
combination of the two. National aviation authorities SHOULD specify
the technical and administrative criteria for the provision of these
services: contractual terms (if any), reporting, uptime, SLAs (if
any), DNS query handling capacity, response times, incident handling,
complaints, law enforcement interaction and so on. These are
National Matters where national law/regulation prevail. National
policy and regulations will define how long DNS data are stored or
archived.
DNSSEC is strongly RECOMMENDED (especially for RAA-level and higher
zones). When a DIME decides to use DNSSEC they SHOULD define a
framework for cryptographic algorithms and key management [RFC6841].
This may be influenced by frequency of updates, size of the zone, and
policies.
8.1. DRIP Entity Tags
The REQUIRED mechanism is to place any information into ip6.arpa when
using a DET. Since the DET is an IPv6 address it can be nibble-
reversed and used in the zone, per standard conventions.
The prefix 2001:30/28 is registered with IANA [RFC9374] and
3.0.0.1.0.0.2.ip6.arpa - the corresponding reverse domain - SHOULD be
under the administrative control of the Apex. In addition to the DNS
infrastructure for 3.0.0.1.0.0.2.ip6.arpa, the Apex SHOULD be
responsible for the allocation of IPv6 addresses in this prefix. An
addressing plan will need to be developed.
Distribution of HHIT (IPv6 address) blocks SHOULD be done using the
14-bit RAA space as a framework. The Apex SHOULD allocate blocks to
each entity who can then assign them to HDAs in accordance with local
law and policy. All HDAs MUST have an IPv6 address in 2001:30/28. A
discrete zone SHOULD be delegated for each HDA. These MUST contain
an DET resource record (Section 8.1.1) for itself.
Reverse lookups of these IPv6 addresses will translate the address
into a domain name in the manner defined in [RFC1886]. However,
these lookups will query for, depending on what is required: HIP,
DET, TLSA, URI, or PTR RRTypes.
8.1.1. DET Resource Record
Wiethuechter & Reid Expires 6 June 2024 [Page 22]
�
Internet-Draft DETIM Architecture December 2023
Author Note: This section is very much a WIP, comments are
welcome.
The DET Resource Record is a metadata record for various bits of DRIP
specific information that isn't available in pre-existing DNS RR
Types (such as URI or HIP).
<domain> DET IN ( DET TYPE STATUS HID SN Endorsement )
DET = Base16 DET
TYPE = enumeration of Type of DET
STATUS = enumeration of Status of DET
HID = HID Abbreviation
SN = Serial Number
Endorsement = Broadcast Endorsement
8.1.1.1. Type
This field is a single byte with values defined in Section 11.2.2.
It is envisioned that there may be many types of DETs in use. In
some cases it may be helpful to understand the DETs role in the
ecosystem like described in [drip-dki].
8.1.1.2. Status
This field is a single byte with values defined in Section 11.2.3.
A DET can go through various states during its life-cycle in the
ecosystem. It is helpful for a querant to understand the current
status as a further requirement for verification.
8.1.1.3. HID Abbreviation
This field is an fixed length ASCII encoded string of 20 bytes null
padded. When not included the field MUST be filled with nulls.
The specific contents of this field are not defined here, but a
recommendation/example can be found in Appendix A.
8.1.1.4. Serial Number
This field is an fixed length ASCII encoded string of 20 bytes null
padded [CTA2063A]. When not included the field MUST be filled with
nulls.
Wiethuechter & Reid Expires 6 June 2024 [Page 23]
�
Internet-Draft DETIM Architecture December 2023
This covers the "public mapping to DET" when a user/manufacturer
already has a Serial Number that can not change and wishes to do DRIP
Authentication.
8.1.1.5. Endorsement
This field is the binary encoded Broadcast Endorsement (Appendix C.3)
of the DET. This object is a fixed length of 136 bytes.
9. Endorsements
DRIP Endorsements are defined in a CDDL [RFC8610] structure
(Figure 11) that can be encoded to CBOR, JSON or have their CDDL keys
removed and be sent as a binary blob. When the latter is used very
specific forms are defined with naming conventions to know the data
fields and their lengths for parsing and constrained environments.
CBOR is the preferred encoding format.
The CDDL was derived from the more specific structure developed for
[drip-auth]. As such the structures found in [drip-auth], such as
the UA Signed Evidence and the contents of DRIP Link (known as a
Broadcast Endorsement), are a subset of the below definition in a
strict binary form.
Appendix C specifies specific Endorsement structures for the UAS RID
use-case.
Note: this section uses the term HHIT instead of DET as the
Endorsements are designed to be generic and re-useable for other
HHIT use-cases. Specific use-cases SHOULD add new keys for each
section (if required) and define the valid keys and encoding forms
for their use-case.
9.1. Endorsement Structure
Wiethuechter & Reid Expires 6 June 2024 [Page 24]
�
Internet-Draft DETIM Architecture December 2023
endorsement = {
; TODO: add tag for self-describing type or leave up to cbor?
scope: {
vnb: number,
vna: number,
* tstr => any
},
evidence: bstr,
endorser: {
identity: {
hhit: bstr .size 16, ? hi: bstr // * tstr => any
},
signature: {
sig: bstr,
* tstr => any
}
}
}
Figure 11: Endorsement CDDL
9.1.1. Scope
The scope section is more formally "the scope of validity of the
endorsement". The scope can come in various forms but MUST always
have a "valid not before" (vnb) and "valid not after" (vna)
timestamps.
Other forms of the scope could for example be a 4-dimensional volume
definition. This could be in raw latitude, longitude, altitude pairs
or may be a URI pointing to scope information. Additional scope
fields are out of scope for this document and should be defined for
specific Endorsement structures if they are desired.
9.1.2. Evidence
The evidence section contain a byte string of evidence. Specific
content of evidence (such as subfields, length and ordering) is
defined in specific Endorsement structures.
9.1.3. Identity
The identity section is where the main identity information of the
signer of the Endorsement is found. The identity can take many forms
such as a handle to the identity (e.g. an HHIT), or can include more
explicit data such as the public key (e.g. an HI). Other keys, for
different identifiers, can be provided and MUST be defined in their
specific Endorsement.
Wiethuechter & Reid Expires 6 June 2024 [Page 25]
�
Internet-Draft DETIM Architecture December 2023
The length of the hi can be determined when using hhit by decoding
the provided IPv6 address. The prefix will inform of the ORCHID
construction being used, which informs the locations of the OGA ID in
the address. The OGA ID will then inform the user of the key
algorithm selected which has the key length defined.
9.1.4. Signature
The signature section contain the signature data for the Endorsement.
The signature itself MUST be provided under the sig key. Other forms
or data elements could also be present in the signature section if
specified in a specific Endorsement. Signatures MUST be generated
using the preceding sections in their binary forms (i.e. as a
bytestring with no keys).
10. X.509 Certificates
10.1. Certificate Policy and Certificate Stores
X.509 certificates are optional for the DRIP entities covered in this
document. DRIP endpoint entities (EE) (i.e., UA, GCS, and Operators)
may benefit from having X.509 certificates. Most of these
certificates will be for their DET and some will be for other UAS
identities. To provide for these certificates, some of the other
entities (e.g. USS) covered in this document will also have
certificates to create and manage the necessary PKI structure.
Three certificate profiles are defined, with examples, and explained
in [drip-dki]. Each has a specific role to play and an EE may have
its DET enrolled in all of them. There is a 'Lite' profile that
would work well enough on constrained communication links for those
instances where various issues push the use of X.509. There is a
'Basic; profile that is more in line with [RFC5280] recommendations,
but is still small enough for many constrained environments. Finally
there is a profile to directly add DET support into the civil/general
aviation certificates as discussed below.
A Certificate Authority (CA) supporting DRIP entities MAY adhere to
the ICAO's Aviation Common Certificate Policy (ACCP). The CA(s)
supporting this CP MUST either be a part of the ACCP cross-
certification or part of the ACCP CA Trust List. It is possible that
future versions of the ACCP will directly support the DRIP Basic
profile.
Authors Note: ACCP is ICAO Doc 10169 Aviation Common Certificate
Policy (ACCP). I can't get a url for that, but so far these is no
changes from v 0.93 of the old IATF CP; changes are in the works
then will be posted, so continue to reference IATF CP
Wiethuechter & Reid Expires 6 June 2024 [Page 26]
�
Internet-Draft DETIM Architecture December 2023
EEs may use their X.509 certificates, rather than their rawPublicKey
(i.e. HI) in authentication protocols (as not all may support
rawPublicKey identities). Short lived DETs like those used for a
single operation or even for a day's operations may not benefit from
X.509. Creating then almost immediately revoking these certificates
is a considerable burden on all parts of the system. Even using a
short notAfter date will not completely mitigate the burden of
managing these certificates. That said, many EEs will benefit to
offset the effort. It may also be a regulator requirement to have
these certificates. Finally, certificates can provide the context of
use for a DET (via policy constraint OIDs).
Typically an HDA either does or does not issue a certificate for all
its DETs. An RAA may specifically have some HDAs for DETs that do
not want/need certificates and other HDAs for DETs that do need them.
These types of HDAs could be managed by a single entity thus
providing both environments for its customers.
It is recommended that DRIP X.509 certificates be stored as DNS TLSA
Resource Records, using the DET as the lookup key. This not only
generally improves certificate lookups, but also enables use of DANE
[RFC6698] for the various servers in the UTM and particularly DIME
environment and DANCE [dane-clients] for EEs (e.g.
[drip-secure-nrid-c2]). All DRIP certificates MAY alternatively be
available via RDAP. LDAP/OCSP access for other UTM and ICAO uses
SHOULD also be provided.
10.2. Certificate Management
PKIX standard X.509 issuance practices should be used. The
certificate request SHOULD be included in the DET registration
request. A successful DET registration then MUST include certificate
creation, store, and return to the DET registrant. It is possible
that the DET registration is actually an X.509 registration. For
example, PKIX CSR may be directly used and the DET registration and
Endorsement creation are a addition to this process. Further ACME
may be directly extendable to provide the DET registration.
Note that CSRs do not include the certificate validityDate; adding
that is done by the CA. If in the registration process, the EE is
the source of notBefore and notAfter dates, they need to be sent
along with the CSR.
Certificate revocation will parallel DET revocation. TLSA RR MUST be
deleted from DNS and RDAP, LDAP, and OCSP return revoked responses.
CRLs SHOULD be maintained per the CP.
Wiethuechter & Reid Expires 6 June 2024 [Page 27]
�
Internet-Draft DETIM Architecture December 2023
10.3. Examples
For full examples of X.509 Certificates and the process to use them
see [drip-dki].
10.4. Alternative Certificate Encoding
The CBOR Encoded X.509 Certificates (C509 Certificates) [cbor-cert]
provides a standards-based approach to reduce the size of X.509
certificates both on-the-wire and in storage. The PKI-Lite RAA
certificate example in Appendix B.2 is 331 bytes. The matching C509
certificate is 183 bytes. This sort of difference may have
significant impact both on UAS storage requirements and over-the-air
transmission impact.
C509 provides two approaches for encoding X.509:
1. An invertible CBOR re-encoding of DER encoded X.509 certificates
[RFC5280], which can be reversed to obtain the original DER
encoded X.509 certificate.
2. Natively signed C509 certificates, where the signature is
calculated over the CBOR encoding instead of over the DER
encoding as in 1. This removes the need for ASN.1 and DER
parsing and the associated complexity but they are not backwards
compatible with implementations requiring DER encoded X.509.
The invertible CBOR encoding may be sufficient for most needs. The
CBOR objects clearly indicate which approach was used, so that the
receiver can properly process the C509 object. For interoperability
in DRIP, it is recommended that invertible CBOR encoding be used.
Using the invertible CBOR encoding is achieved through in-line
libraries that convert in the desired direction. Since it is not
expected that DNS protocols to implement this conversion, the DET RR
SHOULD contain the normal X.509 DER encoding. The CBOR encoding MAY
be used, but operational experience will be needed to see if there
are measurable gains in doing so.
11. IANA Considerations
11.1. Delegation of Nibble Reversed IPv6 Prefix
For DRIP to function in a interoperable way the easiest way to allow
look up of DETs is through the already existing ip6.arpa domain
structure (as defined in this document). Here IPv6 addresses are
nibble reversed and usually have PTR records.
Wiethuechter & Reid Expires 6 June 2024 [Page 28]
�
Internet-Draft DETIM Architecture December 2023
With DRIP the prefix 2001:30/28 has been allocated by IANA already
for DRIP use. However its representative reverse domain in ip6.arpa
has not.
There are a number of questions in this area for DRIP:
1. What organization would have administrative control over the
nibble-reversed ip6.arpa block for 2001:30/28?
* How do they obtain this and from whom?
* What is the SLA between IANA/ICANN and the administrative
organization for nibble-reversed 2001:30/28?
2. What organization would have technical control (i.e. day to day
operations) over the nibble-reversed ip6.arpa block for
2001:30/28?
3. How are delegation/allocation of further nibble-reversed sub-
blocks from 2001:30/28 handled by the administrative
organization?
* This is partly covered in this document already
(Apex->RAA->HDA)
* What is the SLA between the administrative organization and
sub-organizations given delegations/allocations? This might
be more general guidelines than an actual SLA?
4. What goes into a nibble-reversed ip6.arpa domain for DRIP at each
level?
This is not an exhaustive list of questions, this is more to get
discussion going.
11.2. IANA DRIP Registry
11.2.1. Endorsement Fields
This document requests a new registry for Endorsement fields under
the DRIP registry group (https://www.iana.org/assignments/drip/
drip.xhtml).
Endorsement Fields: list of field keys to be used in an Endorsement
and what section(s) they can be used in. Future additions to this
registry are to be made through First Come First Served
(Section 4.4 of [RFC8126]). The following values are defined:
Wiethuechter & Reid Expires 6 June 2024 [Page 29]
�
Internet-Draft DETIM Architecture December 2023
+============+========+===========+==============================+
| Field Name | Type | Useable | Description |
| | | Sections | |
+============+========+===========+==============================+
| vna | number | scope | Valid Not After, UTC Unix |
| | | | Timestamp |
+------------+--------+-----------+------------------------------+
| vnb | number | scope | Valid Not Before, UTC Unix |
| | | | Timestamp |
+------------+--------+-----------+------------------------------+
| hhit | bstr | identity | Hierarchial Host Identity |
| | | | Tag (HHIT), fixed size of 16 |
+------------+--------+-----------+------------------------------+
| hi | bstr | identity | Host Identity (HI) |
+------------+--------+-----------+------------------------------+
| sig | bstr | signature | Signature |
+------------+--------+-----------+------------------------------+
Table 2
11.2.2. DET Type
This document requests a new registry for DET Type under the DRIP
registry group (https://www.iana.org/assignments/drip/drip.xhtml).
DET Type: numeric, 8 bit, field of the DET RR to encode the DET
Type. Future additions to this registry are to be made through
First Come First Served (Section 4.4 of [RFC8126]). The following
values are defined:
+======================+=======+=============+
| Type | Value | Description |
+======================+=======+=============+
| Not Defined | 0 | - |
+----------------------+-------+-------------+
| Endpoint Entity (EE) | 1 | - |
+----------------------+-------+-------------+
| Issuer CA | 2 | - |
+----------------------+-------+-------------+
| Authentication CA | 3 | - |
+----------------------+-------+-------------+
Table 3
11.2.3. DET Status
This document requests a new registry for DET Status under the DRIP
registry group (https://www.iana.org/assignments/drip/drip.xhtml).
Wiethuechter & Reid Expires 6 June 2024 [Page 30]
�
Internet-Draft DETIM Architecture December 2023
DET Status: numeric, 8 bit, field of the DET RR to encode the DET
Status. Future additions to this registry are to be made through
First Come First Served (Section 4.4 of [RFC8126]). The following
values are defined:
+=============+=======+=============+
| Status | Value | Description |
+=============+=======+=============+
| Not Defined | 0 | - |
+-------------+-------+-------------+
| Inactive | 1 | - |
+-------------+-------+-------------+
| Active | 2 | - |
+-------------+-------+-------------+
Table 4
12. Security Considerations
12.1. Key Rollover & Federation
During key rollover the DIME MUST inform all children and parents of
the change - using best standard practices of a key rollover.
A DET has a natural ability for a single DIME to hold different
cryptographic identities under the same HID values. This is due to
the lower 64-bits of the DET being a hash of the public key and the
HID of the DET being generated. As such during key rollover, only
the lower 64-bits would change and a check for a collision would be
required.
This attribute could also allow for a single DIME to be "federated"
across multiple DETs sharing the same HID value. This method of
deployment has not been thoroughly studied at this time. An endpoint
such as in Section 6.3 is a possible place to have these functions.
12.2. DET Generation
Author Note: is this section valid anymore? Perhaps we hard
specify that devices ONLY generate on their own hardware instead
of "out-sourcing" as this section implies.
Under the FAA [NPRM], it is expecting that IDs for UAS are assigned
by the UTM and are generally one-time use. The methods for this
however are unspecified leaving two options.
Option 1:
Wiethuechter & Reid Expires 6 June 2024 [Page 31]
�
Internet-Draft DETIM Architecture December 2023
The entity generates its own DET, discovering and using the RAA
and HDA for the target DIME. The method for discovering a DIME's
RAA and HDA is out of scope here. This allows for the device to
generate an DET to send to the DIME to be accepted (thus
generating the required Self-Endorsement) or denied.
Option 2:
The entity sends to the DIME its HI for it to be hashed and result
in the DET. The DIME would then either accept (returning the DET
to the device) or deny this pairing.
Keypairs are expected to be generated on the device hardware it will
be used on. Due to hardware limitations and connectivity it is
acceptable, though not recommended, under DRIP to generate keypairs
for the Aircraft on Operator devices and later securely inject them
into the Aircraft. The methods to securely inject and store keypair
information in a "secure element" of the Aircraft is out of scope of
this document.
13. Public Key Exposure
DETs are built upon asymmetric keypairs. As such the public key must
be revealed to enable clients to perform signature verifications.
While unlikely the forging of a corresponding private key is possible
if given enough time (and computational power). As such it is
RECOMMENDED that the public key for any DET not be exposed in DNS
(using the HIP RR) until it is required.
Optimally this requires the UAS somehow signal the DIME that a flight
using a specific Session ID is underway or complete. It may also be
facilitated under UTM if the USS (which may or may not be a DIME)
signals when a given operation using a Session ID goes active.
14. Contributors
Thanks to Stuart Card (AX Enterprize, LLC) and Bob Moskowitz (HTT
Consulting, LLC) for their early work on the DRIP registries concept.
Their early contributions laid the foundations for the content and
processes of this architecture and document. Bob Moskowitz is also
instrumental in the PKIX work defined in this document with his
parallel work in ICAO.
15. References
15.1. Normative References
Wiethuechter & Reid Expires 6 June 2024 [Page 32]
�
Internet-Draft DETIM Architecture December 2023
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
Definition Language (CDDL): A Notational Convention to
Express Concise Binary Object Representation (CBOR) and
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
June 2019, <https://www.rfc-editor.org/info/rfc8610>.
[RFC9153] Card, S., Ed., Wiethuechter, A., Moskowitz, R., and A.
Gurtov, "Drone Remote Identification Protocol (DRIP)
Requirements and Terminology", RFC 9153,
DOI 10.17487/RFC9153, February 2022,
<https://www.rfc-editor.org/info/rfc9153>.
[RFC9374] Moskowitz, R., Card, S., Wiethuechter, A., and A. Gurtov,
"DRIP Entity Tag (DET) for Unmanned Aircraft System Remote
ID (UAS RID)", RFC 9374, DOI 10.17487/RFC9374, March 2023,
<https://www.rfc-editor.org/info/rfc9374>.
[RFC9434] Card, S., Wiethuechter, A., Moskowitz, R., Zhao, S., Ed.,
and A. Gurtov, "Drone Remote Identification Protocol
(DRIP) Architecture", RFC 9434, DOI 10.17487/RFC9434, July
2023, <https://www.rfc-editor.org/info/rfc9434>.
15.2. Informative References
[cbor-cert]
Mattsson, J. P., Selander, G., Raza, S., Höglund, J., and
M. Furuhed, "CBOR Encoded X.509 Certificates (C509
Certificates)", Work in Progress, Internet-Draft, draft-
ietf-cose-cbor-encoded-cert-07, 20 October 2023,
<https://datatracker.ietf.org/doc/html/draft-ietf-cose-
cbor-encoded-cert-07>.
[CTA2063A] "ANSI/CTA 2063-A Small Unmanned Aerial Systems Numbers",
September 2019, <https://shop.cta.tech/products/small-
unmanned-aerial-systems-serial-numbers>.
[dane-clients]
Huque, S. and V. Dukhovni, "TLS Client Authentication via
DANE TLSA records", Work in Progress, Internet-Draft,
Wiethuechter & Reid Expires 6 June 2024 [Page 33]
�
Internet-Draft DETIM Architecture December 2023
draft-ietf-dance-client-auth-02, 12 May 2023,
<https://datatracker.ietf.org/doc/html/draft-ietf-dance-
client-auth-02>.
[drip-auth]
Wiethuechter, A., Card, S. W., and R. Moskowitz, "DRIP
Entity Tag Authentication Formats & Protocols for
Broadcast Remote ID", Work in Progress, Internet-Draft,
draft-ietf-drip-auth-41, 4 December 2023,
<https://datatracker.ietf.org/doc/html/draft-ietf-drip-
auth-41>.
[drip-dki] Moskowitz, R. and S. W. Card, "The DRIP DET public Key
Infrastructure", Work in Progress, Internet-Draft, draft-
moskowitz-drip-dki-09, 23 October 2023,
<https://datatracker.ietf.org/doc/html/draft-moskowitz-
drip-dki-09>.
[drip-secure-nrid-c2]
Moskowitz, R., Card, S. W., Wiethuechter, A., and A.
Gurtov, "Secure UAS Network RID and C2 Transport", Work in
Progress, Internet-Draft, draft-moskowitz-drip-secure-
nrid-c2-13, 19 September 2023,
<https://datatracker.ietf.org/doc/html/draft-moskowitz-
drip-secure-nrid-c2-13>.
[NPRM] "Notice of Proposed Rule Making on Remote Identification
of Unmanned Aircraft Systems", December 2019.
[RFC1886] Thomson, S. and C. Huitema, "DNS Extensions to support IP
version 6", RFC 1886, DOI 10.17487/RFC1886, December 1995,
<https://www.rfc-editor.org/info/rfc1886>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>.
[RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009,
<https://www.rfc-editor.org/info/rfc5730>.
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
of Named Entities (DANE) Transport Layer Security (TLS)
Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August
2012, <https://www.rfc-editor.org/info/rfc6698>.
Wiethuechter & Reid Expires 6 June 2024 [Page 34]
�
Internet-Draft DETIM Architecture December 2023
[RFC6841] Ljunggren, F., Eklund Lowinder, AM., and T. Okubo, "A
Framework for DNSSEC Policies and DNSSEC Practice
Statements", RFC 6841, DOI 10.17487/RFC6841, January 2013,
<https://www.rfc-editor.org/info/rfc6841>.
[RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
Registration Data Access Protocol (RDAP)", STD 95,
RFC 7480, DOI 10.17487/RFC7480, March 2015,
<https://www.rfc-editor.org/info/rfc7480>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[RFC9082] Hollenbeck, S. and A. Newton, "Registration Data Access
Protocol (RDAP) Query Format", STD 95, RFC 9082,
DOI 10.17487/RFC9082, June 2021,
<https://www.rfc-editor.org/info/rfc9082>.
[RFC9083] Hollenbeck, S. and A. Newton, "JSON Responses for the
Registration Data Access Protocol (RDAP)", STD 95,
RFC 9083, DOI 10.17487/RFC9083, June 2021,
<https://www.rfc-editor.org/info/rfc9083>.
Appendix A. HID Abbreviation Recommendation
On receiver devices a DET can be translated to a more human readable
form such as: {RAA Abbreviation} {HDA Abbreviation} {Last 4
Characters of DET Hash}. An example of this would be US FAA FE23.
To support this DIMEs are RECOMMENDED to have an abbreviation that
could be used for this form. These abbreviations SHOULD be a maximum
of six characters (for each section) in length. Spaces MUST NOT be
used and be replaced with either underscores (_) or dashes (-).
The concatenation of {RAA Abbreviation} and {HDA Abbreviation} with a
space between them can be what fills in the HID field of the DET RR
in Section 8.1.1.
For RAAs allocated in the ISO range Section 4.2.1, the RAA
abbreviation SHOULD be set to the ISO 3166-1 country code (either
Alpha-2 or Alpha-3). A common abbreviation for an RAAs four
allocated RAA values are out of scope. Other documents such as
[drip-dki] may have more specific recommendations or requirements.
Wiethuechter & Reid Expires 6 June 2024 [Page 35]
�
Internet-Draft DETIM Architecture December 2023
If a DIME does not have an abbreviation or it can not be looked up
then the receiver MUST use the uppercase 4-character hexadecimal
encoding of the field it is missing when using this form.
Appendix B. DRIP Fully Qualified Domain Names
B.1. DRIP Entity Tag
{hash}.{oga_id}.{hda}.{raa}.{prefix}.{apex}.
When building a DET FQDN it MUST must be built using the exploded
(all padding present) form of the IPv6 address.
Apex: .example.com
DET: 2001:0030:0280:1405:c465:1542:a33f:dc26
ID: c4651542a33fdc26
OGA: 05
HID: 0028014
HDA: 0014
RAA: 000a
Prefix: 2001003
FQDN: c4651542a33fdc26.05.0014.000a.2001003.example.com
Appendix C. DRIP Endorsements for UAS
C.1. Generic Endorsement
generic_endorsement = {
scope: {
vnb: number,
vna: number
},
evidence: bstr,
endorser: {
identity: {
hhit: bstr .size 16
},
signature: {
sig: bstr
}
}
}
Figure 12: Generic Endorsement CDDL
Wiethuechter & Reid Expires 6 June 2024 [Page 36]
�
Internet-Draft DETIM Architecture December 2023
evidence is a binary string with specified contents (in format and
ordering) by specific use-cases. As an example this format is used
by [drip-auth] to support Authentication over F3411 constrained
links. evidence data is defined by [drip-auth] for DRIP Wrapper,
Manifest and Frame formats.
C.2. Self Endorsement
self_endorsement = {
scope: {
vnb: number,
vna: number
},
evidence: bstr,
endorser: {
identity: {
hhit: bstr .size 16
},
signature: {
sig: bstr
}
}
}
Figure 13: Self Endorsement CDDL
Used during registration process as an input. evidence is filled with
the corresponding HI of the hhit.
Wiethuechter & Reid Expires 6 June 2024 [Page 37]
�
Internet-Draft DETIM Architecture December 2023
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| VNB |
+---------------+---------------+---------------+---------------+
| VNA |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| HI |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
| |
| HHIT |
| |
| |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| |
| |
| |
| |
| Signature |
| |
| |
| |
| |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
Figure 14: Self Endorsement Binary
TODO
Figure 15: Self Endorsement CBOR
C.3. Broadcast Endorsement
Wiethuechter & Reid Expires 6 June 2024 [Page 38]
�
Internet-Draft DETIM Architecture December 2023
broadcast_endorsement = {
scope: {
vnb: number,
vna: number
},
evidence: bstr,
endorser: {
identity: {
hhit: bstr .size 16
},
signature: {
sig: bstr
}
}
}
Figure 16: Broadcast Endorsement CDDL
Defined by [drip-auth] in a binary format to support Authentication
over F3411 constrained links. Used in the DRIP Link format. A
required output of registration to a DIME at any level. evidence is a
binary string of the concatenation of a child entities (e.g. a UA)
DET/HHIT and its associated HI. hhit is of the parent entity (e.g. a
DIME).
Wiethuechter & Reid Expires 6 June 2024 [Page 39]
�
Internet-Draft DETIM Architecture December 2023
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
| VNB |
+---------------+---------------+---------------+---------------+
| VNA |
+---------------+---------------+---------------+---------------+
| |
| HHIT of |
| Child |
| |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| HI of |
| Child |
| |
| |
| |
+---------------+---------------+---------------+---------------+
| |
| HHIT of |
| Parent |
| |
+---------------+---------------+---------------+---------------+
| |
| |
| |
| |
| |
| |
| |
| Signature |
| |
| |
| |
| |
| |
| |
| |
| |
+---------------+---------------+---------------+---------------+
Figure 17: Broadcast Endorsement Binary
TODO
Wiethuechter & Reid Expires 6 June 2024 [Page 40]
�
Internet-Draft DETIM Architecture December 2023
Figure 18: Broadcast Endorsement CBOR
Appendix D. DNS Examples
D.1. Operator
@ORIGIN 0.0.0.8.f.f.f.3.0.0.1.0.0.2.ip6.arpa
e.0.3.0.5.3.a.2.5.2.5.f.a.8.a.b.5.0 IN DET
( 2001003fff800005ba8af5252a35030e 0 1 "TEST DRIP" "" ... )
e.0.3.0.5.3.a.2.5.2.5.f.a.8.a.b.5.0 IN HIP
( 5 2001003fff800005ba8af5252a35030e ... )
e.0.3.0.5.3.a.2.5.2.5.f.a.8.a.b.5.0 IN URI
( https://example.com/operator/* )
D.2. Session ID
@ORIGIN 0.0.0.8.f.f.f.3.0.0.1.0.0.2.ip6.arpa
4.d.6.0.3.6.1.6.b.5.3.9.e.c.6.b.5.0 IN DET
( 2001003fff800005b6ce935b616306d4 0 1 "TEST DRIP" "" ... )
4.d.6.0.3.6.1.6.b.5.3.9.e.c.6.b.5.0 IN HIP
( 5 2001003fff800005b6ce935b616306d4 ... )
4.d.6.0.3.6.1.6.b.5.3.9.e.c.6.b.5.0 IN URI
( https://example.com/session/* )
D.3. Child DIME
RAA:
@ORIGIN 8.f.f.f.3.0.0.1.0.0.2.ip6.arpa
0.0.0 IN NS 0.0.0.8.f.f.f.3.0.0.1.0.0.2.ip6.arpa
HDA:
@ORIGIN 0.0.0.8.f.f.f.3.0.0.1.0.0.2.ip6.arpa
9.6.6.b.b.0.6.a.4.9.3.6.8.4.e.4.5.0 IN DET
( 2001003fff8000054e486394a60bb669 0 1 "TEST DRIP" "" ... )
9.6.6.b.b.0.6.a.4.9.3.6.8.4.e.4.5.0 IN HIP
( 5 2001003fff8000054e486394a60bb669 ... )
9.6.6.b.b.0.6.a.4.9.3.6.8.4.e.4.5.0 IN URI
( https://example.com/dime/* )
Authors' Addresses
Adam Wiethuechter (editor)
AX Enterprize, LLC
4947 Commercial Drive
Yorkville, NY 13495
United States of America
Email: adam.wiethuechter@axenterprize.com
Wiethuechter & Reid Expires 6 June 2024 [Page 41]
�
Internet-Draft DETIM Architecture December 2023
Jim Reid
RTFM llp
St Andrews House
382 Hillington Road, Glasgow Scotland
G51 4BL
United Kingdom
Email: jim@rfc1035.com
Wiethuechter & Reid Expires 6 June 2024 [Page 42]
