DRIP Entity Tag (DET) Registration using CoAP & CWTs

Introduction To properly use a DRIP Entity Tag (DET) it SHOULD be registered to a DRIP Identity Management Entity (DIME). Due to the various components of Unmanned Aircraft System (UAS), typically an Unmanned Aircraft (UA) and Ground Control Station (GCS), sharing similar properties to Internet of Thing (IoT) devices the Constrained Application Protocol (CoAP) is a good choice for registration interactions between the UAS and DIME. This document specifies registration interactions using CoAP as the transport and CBOR Web Tokens (CWTs) as the optional secure container. This document only specifies the minimum data models for registration of a DET. Other elements that MAY be required by policy are out of scope for this document.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Interaction Model A general interaction model () is used for all DET based registrations.

Simplified DET Registration Z-Diagram | | | (3) VALID_INPUT? |<-------FAIL-------| | | (4) DUPE_HI? |<-------FAIL-------| | | (5) DUPE_DET? |<-------FAIL-------| | | (6) GEN_CERTS | | (7) UPDATE_DATABASE | | (8) UPDATE_NS |<----(9) OUTPUT----| ]]>

(0) GEN_DET/HI:: The registrant that plans to use the identity and its cryptographic properties SHOULD generate the asymmetric key-pair of their choosing and MUST protect the private key with best common practices. The registrant MAY derive the corresponding DET. How the registrant obtains the desired HID for DET generation is out of scope for this document.
(1) GEN_CSR:: The registrant MUST generate a CSR for their HI/DET. See for more details.
(2) INPUT:: The registrant MUST format and send the required information for a given service registration as specified by the DIME.
(3) VALID_INPUT?:: The DIME, upon receipt of service registration inputs, MUST validate the input data. This may be simply performing syntax checks to ensure the data is properly formatted all the way to full semantic validation. Signed data MUST have their signatures verified before further processing. Failure of input validation SHOULD return errors to the registrant.
(4) DUPE_HI?:: The DIME MUST check that the proposed HI is not a duplicate already in use. The registrant SHOULD be notified with an error if duplication is detected.
(5) DUPE_DET?:: The DIME MUST check that the proposed DET, derived from the HI, is not a duplicate already in use. If the registrant proposed a DET with HID outside that of the DIME, it MUST be rejected. If the registrant only provided the HI, the DIME MUST generate the DET using its HID. The registrant SHOULD be notified with an error if duplication is detected.
(6) GEN_CERTS:: The DIME, after all the above validation, MUST generate a Broadcast Endorsement using the provided HI and DET from the registrant as the evidence. This Endorsement is used in . An associated X.509 is also generated which signifies the DIME accepts the DET/HI pairing from the registrant
(7) UPDATE_DATABASE:: The DIME MUST update the Private Information Registry with any PII that was part of the registration. It MAY include additional metadata or public information. How the Private Information Registry is updated is out of scope for this document.
(8) UPDATE_NS:: The DIME MUST update the Authoritative Name Server with any public information that was part of the registration. This information MUST be stored as described in .
(9) OUTPUT:: The DIME, upon successful updates of the Private Information Registry and Authoritative Name Server, transmits to the registrant the list of Broadcast Endorsements that make up the trust chain for use in .

X.509 Certification Signing Request CSRs MUST be used to convey the various cryptographic and identity properties of a DET during a registration. The subjectName of the CSR is used to determine the type of registration the DET is to be used for. When the subjectName of the CSR is set to SERIAL_NUMBER then the CSR is related to the UA for use as a Session ID and/or an Authentication Key ID. Any other subjectName indicates some other entity using a DET as their identifier and are not in scope for this document. is an example CSR.

Broadcast RID Session CSR without subjectAltName A CSR without a subjectAltName is indicating to the DIME that they do not know or care which HID and OGA ID they are registered with. In this scenario the DIME MUST generate the DET for the registrant and return it. If the registrant does known which HID and/or OGA ID they want the CSR SHOULD contain the subjectAltName containing the DET they wish to register with. is an example CSR with the subjectAltName.

Broadcast RID Session CSR with subjectAltName

Models

Registration Model

Registration Model CDDL any } csr-data = [ csr: bstr ? vnb: time, ? vna_offset: uint, ] uas-id-map = { &uas-id-types: [+ uas-id] } uas-id-types = (none: 0, serial: 1, caa_id: 2, utm_id: 3, session_id: 4) uas-id: tstr .size(1..20) / bstr .size(1..20) area-grp = ( area_count: 1..255, area_radius: float, area_floor: float, area_ceiling: float ) classification-grp = ( ua_class: 0..8, eu_class: nibble-field, eu_category: nibble-field ) self-grp = ( desc_type: nibble-field, description: tstr .size(23) ) operator-grp = ( operator_id_type: nibble-field, operator_id: bstr .size(20) ) nibble-field = 0..15 ]]> The csr-data model allows flexibility of the registrant to specify the time bounds for a given key. Exclusion of either the vnb and/or vna_offset indicates to the DIME to use the defaults of the jurisdiction for the missing datum. Other keys MAY be provided and specified to carry specific data required for the registration to the DIME. Such data can include operator/organizational information. The details of such extension are out of scope for this document.

Response Model

Response Model CDDL registration_cert MUST be the Canonical Public Registration Certificate defined in in a DER (X.509) or CBOR (C.509) encoding. The be_chain contains the Broadcast Endorsement structures required for and MUST be sent in responses for a Broadcast RID Session.

Model Use Below are overviews of variants of the above data models for supported registrations in this document. Other registration types that are defined by RAA and/or HDA policy are out of scope for this document.

Broadcast RID Session:: Registrations from UA for either Session IDs, Authentication Key IDs or both. It MAY use the f3411 key to provide static F3411 Broadcast RID information. MUST use the be_chain key to return Broadcast Endorsements for .
Operator:: MUST NOT use the f3411 key. MUST NOT use the be_chain key.
DIME:: MUST NOT use the f3411 key. MUST use the be_chain key to return Broadcast Endorsements for .

CoAP CoAP SHOULD be used using DTLS when possible and MUST send the data model encoded as CBOR. When DTLS is not possible, and CoAP is instead used with UDP, the payload MUST be in a CWT as defined in .

Endpoints The base URL of a given URI is out of scope for this document, however the path of such SHOULD be /operator, /aircraft or /broadcast_session per the class of registration. These URIs SHOULD be publicly accessible and discoverable via some mechanism (such as /.well-known/).

CWT When a CWT is to be used it SHOULD be encrypted. The CWT is signed by the registrant. For a Broadcast Session the registrant usually is the Operator (or a proxy for the Operator such as the GCS) but MAY be the UA directly if the UA has a long term cryptographic identity.

IANA Considerations TBD

Security Considerations Cryptographic materials (key-pairs, CSRs, etc.) SHOULD be generated on the device they are intended to be used. There may be scenarios where other parts of the UAS MAY generate the cryptographic materials and provision them as needed during an operation. Any such system SHOULD ensure security of the cryptographic material is guaranteed.