<?xmlversion="1.0" encoding="UTF-8"?>version='1.0' encoding='utf-8'?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?rfc toc="yes"?><rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="exp" docName="draft-ietf-acme-dtnnodeid-18" number="9891" updates="" obsoletes="" sortRefs="true" symRefs="true" ipr="trust200902" submissionType="IETF" tocInclude="true"version="3">version="3" xml:lang="en" consensus="true"> <front> <title abbrev="ACME DTN NodeID"> AutomatedID">Automated Certificate Management Environment (ACME) Delay-Tolerant Networking (DTN) Node ID ValidationExtension </title>Extension</title> <seriesInfoname="Internet-Draft" value="draft-ietf-acme-dtnnodeid-18"/>name="RFC" value="9891"/> <author fullname="Brian Sipos" initials="B." surname="Sipos"> <organization abbrev="RKF Engineering">RKF Engineering Solutions, LLC</organization> <address> <postal> <street>7500 Old Georgetown Road</street> <street>Suite 1275</street> <city>Bethesda</city> <region>MD</region> <code>20814-6198</code> <country>United States of America</country> </postal> <email>brian.sipos+ietf@gmail.com</email> </address> </author><date/> <area>Security</area> <workgroup>Automated Certificate Management Environment</workgroup><date month="November" year="2025"/> <area>SEC</area> <workgroup>acme</workgroup> <keyword>ACME</keyword> <keyword>DTN</keyword> <abstract> <t> This document specifies an extension to the Automated Certificate Management Environment (ACME) protocolwhichthat allows an ACME server to validate the Delay-Tolerant Networking (DTN) Node ID for an ACME client. A DTN Node ID is an identifier used in the Bundle Protocol (BP) to name a "singletonendpoint", one whichendpoint": an endpoint that is registered on a single BPnode.Node. The DTN Node ID is encoded both as a certificate Subject Alternative Name (SAN) identity of type otherName witha namean Other Name form of <tt>BundleEID</tt> and as an ACME Identifier type "bundleEID". </t> </abstract> </front> <middle> <section anchor="sec-intro"> <name>Introduction</name> <t> Although the original purpose of the Automatic Certificate Management Environment (ACME) <xref target="RFC8555"/> was to allow Public Key InfrastructureUsingusing X.509 (PKIX) Certification Authorities (CAs) to validate network domain names of clients, the same mechanism can be used to validate any of the subject identity claims supported by the PKIX profile <xref target="RFC5280"/>. </t> <t> Inthe case ofthis specification, the claim being validated is a Subject Alternative Name (SAN) identity of type <tt>otherName</tt> witha namean Other Name form of <tt>BundleEID</tt>, which is used to represent a Bundle Protocol (BP) Endpoint ID (EID) in a Delay-Tolerant Networking (DTN) overlay network. A DTN Node ID is any EIDwhichthat can uniquely identify a BPnode,Node, as defined in <xref section="4.2.5.2" target="RFC9171"/>, which is equivalent to the EID being usable as a singleton endpoint. One common EID used as a Node ID is the Administrative EID, which is guaranteed to exist on any BPnode. CurrentlyNode. At the time of writing, the URI schemes "dtn" and "ipn" as defined in <xref section="4.2.5.1" target="RFC9171"/> are valid for a singleton endpointand thusand, thus, a Node ID. Because the <tt>BundleEID</tt> claim is new to ACME, a new ACME Identifier type "bundleEID" is needed to manage this claim within ACME messaging. </t> <t> Once an ACME server validates a Node ID, either as a pre-authorization ofthean identifier type "bundleEID"oras one of the authorizations of an order containingaan identifier type "bundleEID", the client can finalize the order using an associatedcertificate signing requestCertificate Signing Request (CSR). Because a single order can contain multiple identifiers of multiple types, there can be operational issues for a client attempting to, and possibly failing to, validate those multiple identifiers as described in <xref target="sec-multiple-claims"/>. Once a certificate is issued for a Node ID, how the ACME client configures the BP Agent with the new certificate is an implementation matter. </t> <section> <name>Scope</name> <t> This document describes the ACME message contents <xref target="RFC8555"/>, Bundle Protocol version 7 (BPv7) payloads <xref target="RFC9171"/>, and BundleprotocolProtocol Security (BPSec) operations <xref target="RFC9172"/> needed to validate claims of Node ID ownership. </t> <t> This document does not address: </t> <ul spacing="normal"> <li> Mechanisms for communication between an ACME client or ACME server and their associated BPagent(s).Agent(s), depicted as steps 1, 2, 5, and 6 of <xref target="fig-entity-relations"/>. This document only describes exchanges between ACMEclient--serverclient-server pairs and between their respective associated BPagents.Agents. </li> <li> Specific BP extension blocks or BPSecsecuritycontexts necessary to fulfill the security requirements of this protocol. The exact security context needed, andtheirits parameters,are network-specific.is network specific. </li> <li> Policies or mechanisms for defining or configuringbundleBundle integrity gateways, or trusting integrity gateways on an individual entity or across a network. </li> <li> Mechanisms for locating or identifying otherbundleBundle entities (peers) within a network or across an internet. The mapping of a Node ID to a potentialconvergence layerConvergence-Layer (CL) protocol and network address is left to implementation and configuration of the BP Agent and its various potential routing strategies. </li> <li> Logic for routingbundlesBundles along a path toward abundle'sBundle's endpoint. This protocol is involved only in creatingbundlesBundles at a source and handling them at a destination. </li> <li> Logic for performing rate control and congestion control ofbundleBundle transfers. The ACME server is responsible for rate control of validation requests. </li> <li> Policies or mechanisms for an ACME server to choose a prioritized list of acceptable hashalgorithms,algorithms or for an ACME client to choose a set of acceptable hash algorithms. </li> <li> Policies or mechanisms for provisioning, deploying, or accessing certificates and private keys; deploying or accessingcertificate revocation listsCertificate Revocation Lists (CRLs); or configuring security parameters on an individual entity or across a network. </li> <li> Policies or mechanisms for an ACME server to handle mixed-use certificate signing requests. This specification is focused only on single-use DTN-specific PKIX profiles. </li> </ul> </section> <section> <name>Authorization Strategy</name> <t> The basic unit of data exchange in a DTN is a Bundle <xref target="RFC9171"/>, which consists of a data payload with accompanying metadata. AnEndpoint IDEID is used as the destination of a Bundle and can indicate both a singleton or a group destination. A Node ID is used to identify the source of a Bundle and is used for routing through intermediate nodes, including the final node(s) used to deliver a Bundle to its destination endpoint. A Node ID can also be used as an endpoint for administrativebundles.Bundles. More detailed descriptions of the rationale and capabilities of these networks can be found in"Delay-Tolerant Network Architecture"the "<xref target="RFC4838" format="title"/>" <xref target="RFC4838"/>. </t> <t> When an ACME client requests a pre-authorization or an order witha "bundleEID"an identifier type "bundleEID" (<xref target="sec-acme-uri"/>), the ACME server offers a "bp-nodeid-00" challenge type (<xref target="sec-validate-nodeid"/>) to validate that Node ID. If the ACME client attempts the authorization challenge to validate a Node ID, the ACME server sends an ACME Node ID Validation Challenge Bundle with a destination of the Node ID being validated. The BPagentAgent on that node receives the Challenge Bundle, generates an ACMEkey authorizationKey Authorization digest, and sends an ACME Node ID Validation Response Bundle in reply. An Integrity Gateway on the client side of the DTN can be used to attest to the source of the Response Bundle. Finally, the ACME server receives the Response Bundle and checks that the digest was generated for the associated ACME challenge and from the client account key associated with the original request. This workflow is shown inthe diagram of<xref target="fig-entity-relations"/>. </t> <figure anchor="fig-entity-relations"> <name>TherelationshipsRelationships andflows betweenFlows Between Node ID Validationentities</name>Entities</name> <artworkalign="center" type="ascii-art">align="center"><![CDATA[ +------------+ +------------+ | ACME|<=====|<===== HTTPSexchanges =====>|Exchanges =====>| ACME | | Client | | Server | +------------+ +------------+ | | ^ (1) Enable or (6)disableDisable (2) Send | |validationValidation fromserverServer Challenge | |(5) Indicate | Non-DTN | | Response ~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|~~~|~~~~~~~~~~~~ V DTN V | ++------------++ ++------------++ || Admin Elem.|| || Admin Elem.||-+ |+------------+| (3) Challenge |+------------+| | | Client's|<-------------|<------------- Bundle -----| Server's | | | BP Agent | | BP Agent | | +--------------+ +--------------+ | | +----^---------+ | +-------------+ | | | Integrity | (4) Response |+---->|+---->| Gateway |------ Bundle --------+ +-------------+</artwork>]]></artwork> </figure> <t> Because the DTN Node ID is used both for routingbundlesBundles between BPagentsAgents and for multiplexing administrative services within a BPagent,Agent, there is no possibility to separate the ACME validation of a Node ID from normalbundleBundle handling for that same Node ID. This leaves administrative record types as a way to keep the Node ID unchanged while disambiguating from other service databundles.Bundles. </t> <t> There is nothing in this protocolwhichthat requires network-topological co-location of either the ACME client or ACME server with their respective associated BPagent.Agent. While ACME requires a low-enough latency network to perform HTTPS exchanges between the ACME client and server, the client's BPagentAgent (the one being validated) could be on the far side of a long-delay or multi-hop BP network. The means by which the ACME client or server communicates with its associated BPagentAgent is an implementation matter. </t> </section> <section> <name>Use of CDDL</name> <t> This document definesCBORConcise Binary Object Representation (CBOR) structure using the Concise Data Definition Language (CDDL)of<xref target="RFC8610"/>. The entire CDDL structure can be extracted from the XML version of this document using the XPath expression: </t><sourcecode>'//sourcecode[@type="cddl"]'</sourcecode><sourcecode><![CDATA['//sourcecode[@type="cddl"]']]></sourcecode> <t> The following initial fragment defines the top-level symbols of this document's CDDL, which includes the example CBOR content. </t> <sourcecodetype="cddl">type="cddl"><![CDATA[ start = acme-record / bundle / tstr</sourcecode>]]></sourcecode> </section> <section anchor="sec-terminology"> <name>Terminology</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> <t> Because this document combines two otherwise unrelated contexts, ACME and DTN, when a protocol term applies to one of those areas and is used in the other its name is prefixed with either "ACME" or "DTN" respectively.ThusThus, within the ACME context the term is "DTN Node ID" while in the DTN context the name is just "Node ID". </t> <t> In this document, several terms are shortened for the sake ofterseness.brevity. These termsare:are as follows: </t> <dl newline="false" spacing="normal"> <dt>Challenge Object:</dt> <dd> This is a shortened form of the full "DTN Node ID Challenge Object". It is a JSON object created by the ACME server for challenge type "bp-nodeid-00" as defined in <xref target="sec-nodeid-challenge-obj"/>. </dd> <dt>Response Object:</dt> <dd> This is a shortened form of the full "DTN Node ID Response Object". It is a JSON object created by the ACME client to authorize a challenge type "bp-nodeid-00" as defined in <xref target="sec-nodeid-response-obj"/>. </dd> <dt>Challenge Bundle:</dt> <dd> This is a shortened form of the full "ACME Node ID Validation Challenge Bundle". It is a Bundle created by the BPagentAgent managed by the ACME server to challenge a Node ID claim as defined in <xref target="sec-bundle-challenge"/>. </dd> <dt>Response Bundle:</dt> <dd> This is a shortened form of the full "ACME Node ID Validation Response Bundle". It is a Bundle created by the BPagentAgent managed by the ACME client to validate a Node ID claim as defined in <xref target="sec-bundle-response"/>. </dd> </dl> <t> Because this isana document produced by the ACMEdocument,WG, the following DTNBundle ProtocolBP terms are defined here to clarify how they are used by this ACME identifier type and validation mechanism. </t><dl><dl spacing="normal" newline="false"> <dt anchor="term-endpoint-id">Endpoint ID:</dt> <dd> AnEndpoint IDEID is an identifier for the ultimate destination of abundle,Bundle, independent of any intermediate forwarding needed to reach that destination. An endpoint can be a singleton or not, so anEndpoint IDEID can also represent a single entity or a set of entities. This is formally defined in <xref section="4.2.5.1" target="RFC9171"/>. </dd> <dt anchor="term-node-id">Node ID:</dt> <dd> A Node ID isa (notan identifier (that is not guaranteed to be unique)identifierfor a specific node in a network in the form of a singletonEndpoint ID.EID. A single node can have any number of NodeIDsIDs, but a typical (and expected) form of Node ID is the AdministrativeEndpoint IDEID (described below). This is formally defined in <xref section="4.2.5.2" target="RFC9171"/>. </dd> <dt anchor="term-admin-eid">AdministrativeEndpoint ID:</dt>EID:</dt> <dd> An AdministrativeEndpoint IDEID is unique for a node within a specific URI scheme. Although any Node ID can be a validbundleBundle Source and Destination, the AdministrativeEndpoint IDEID is a minimum required Node ID for any node operating in a particular URI scheme. For the "dtn"schemescheme, this is the empty demuxpart andpart; for the "ipn"schemescheme, this is the service number zero. Theseisare formally defined under <xref section="4.2.5.1" target="RFC9171"/>. </dd> </dl> </section> <section anchor="sec-experiment"> <name>Experiment Scope</name> <t> The emergent properties of DTN naming and BP security are still being developed and explored, especially between different organizational and administrativedomains, sodomains. Thus, the"experimental"Experimental status of this document is related more to the practical utility of this kind of Node ID validation than to the validation method itself. The original use case is in large or cross-organizational networks where a BPnodeNode can be trusted to be allocated and added to a network, but the method of certificate validation and issuance is desired to be in-band on the network rather than configured solely through a side channel using bespoke or manual protocols. Because this mechanism is so similar to other validation methods, specifically email address validation <xref target="RFC8823"/>, it is expected to have few implementation difficulties or interoperability issues. </t> <t> Part of the experimental nature of the validation method defined in <xref target="sec-validate-nodeid"/>, and BP more generally, is understanding its vulnerability to different kinds of on-path attacks. Some attacks could be based on the topology of the BP overlay network, while others could be based on the underlying(internet protocol)(IP) network topology. Because not all of the attack surfaces of this validation method are known or fullyunderstoodunderstood, the usefulness of the multi-perspective technique described in <xref target="sec-multi-perspective"/> is also not assured. The point of those multi-perspective requirements issothat both the ACME client and server have consistent logic for handling the technique. </t> <t> The usefulness of the integrity gateway defined in <xref target="sec-bib-gateway"/> to this validation method isexperimental because it is not a settled matter howexperimental: the way that naming authority in a DTN is either allocated, delegated, orenforced. Itenforced isalsonotdefined howa settled matter. How the organization running the CA (and its ACME server) can delegate some level of trust to a different organization running a connected DTN with a securitygateway.gateway is also not defined. The organization running the integrity gateway would need to apply some minimal amount of policy to nodes running behind it, such as patterns to their Node IDs, which would behave conceptually similar to delegation ofsub-domainssubdomains in thedomain name system (DNS)Domain Name System (DNS), but without the online interaction of DNS. </t> <t> A successful experiment of this validation method would involve using the ACME protocol along with this Node ID validation to allow issuing of identity certificates across administrative domains. One possible scenario for this would be an issuing CA and an ACME server on the edge of a BP transit network operated byone agency, whichsome agency. This transit network is used by edge nodes and accessed via edge routers of a peer network operated by a secondagency, used by edgeagency. The nodesknown to andof the peer network are trusted by the second agency but not the first. The transit network can refuse to route traffic from the peer network that is not traceable to a valid identity certificate, which the edge nodes can obtain via the ACME server. </t> <t> A valuable result from any experiment, evenunsuccessful,an unsuccessful one, would be feedback about this method to improve later versions. That feedback could include improvements to object or message structure, randomvs.versus deterministic token values, client or server procedures, or naming more generally. </t> </section> </section> <section anchor="sec-acme-uri"> <name>BundleEndpoint IDEID ACME Identifier</name> <t> This specification is the first to make use of a BundleEndpoint IDEID to identify a claim for a certificate request in ACME. In this document, the only purpose for which a BundleEndpoint IDEID ACME identifier is validated is as a DTN Node ID (see <xref target="sec-validate-nodeid"/>), but other specifications can define challenge types for otherEndpoint IDEID uses. </t> <t> Every ACME identifieroftype "bundleEID" <bcp14>SHALL</bcp14> have a value containing a text URI consistent with the requirements of <xref section="4.2.5.1" target="RFC9171"/> using one of the schemes available from the "Bundle Protocol URI Scheme Types" registryof<xref target="IANA-BP"/>. Any identifier type "bundleEID" valuewhichthat fails to properly percent-decode <bcp14>SHALL</bcp14> be rejected with an ACME error type of "malformed". </t> <t> An ACME server supportingidentifiers ofidentifier type "bundleEID" <bcp14>SHALL</bcp14> decode and normalize (based on scheme-specific syntax) all such receivedidentifiers.identifier values. Any identifier type "bundleEID" value for which the scheme-specific part does not match the scheme-specific syntax <bcp14>SHALL</bcp14> be rejected with an ACME error type of "malformed". Any identifier type "bundleEID" valuewhichthat uses a scheme not handled by the ACME server <bcp14>SHALL</bcp14> be rejected with an ACME error type of "rejectedIdentifier". </t> <t> When an ACME server needs to request proof that a client controls a Bundle EID, it <bcp14>SHALL</bcp14> create an authorization with the identifier type "bundleEID". An ACME server <bcp14>SHALL NOT</bcp14> attempt to dereference a Bundle EID value on its own. It is the responsibility of an ACME validation method to ensure the EID ownership using a method authorized by the ACME client. </t><t keepWithNext="true"><t> An identifier for the Node ID of "dtn://example/" would be formatted as: </t> <sourcecodetype="json">type="json"><![CDATA[ { "type": "bundleEID", "value": "dtn://example/"} </sourcecode>}]]></sourcecode> <section anchor="sec-eid-uses"> <name>Subsets of BundleEndpoint ID</name>EID</name> <t>While theA PKIXother namecertificate SAN identity containing an Other Name form of <tt>BundleEID</tt> can hold anyEndpoint ID value,EID value (as a text URI). But the certificate profile used by the TCP Convergence Layer <xref target="RFC9174"/> and supported bythisthe ACME validation method in <xref target="sec-validate-nodeid"/> requires that the value hold a<xref target="term-node-id">Node ID</xref>.Node ID (<xref target="term-node-id"></xref>). </t> <t> In addition to the narrowing of that certificate profile, this validation method requires that the client's BPagent respondsAgent respond to administrative records sent to the Node ID being validated.This typicallyTypically, this is limited to an<xref target="term-admin-eid">Administrative Endpoint ID</xref>, but there is no prohibition onAdministrative EID (<xref target="term-admin-eid"></xref>) destination. However, the administrative element of a BPnodeNode is not prohibited from receiving administrative records for,andor sending records from, other Node IDs in order to support this validation method. </t> <t> Neither that certificate profile nor this validation method support operating on non-singletonEndpoint IDs,EIDs, but other validation methods could be defined to do so in order to support other certificate profiles. </t> </section> </section> <section anchor="sec-validate-nodeid"> <name>DTN Node ID Validation</name> <t> The DTN Node ID validation method proves control over a Node ID by requiring the ACME client to configure a BPagentAgent to respond to specific Challenge Bundles sent from the ACME server. The ACME server validates control of the Node ID by verifying that received Response Bundles correspond with the BP Node and client account key being validated. </t> <t> Similar to the ACME use case forvalidating email address ownershipemail-address validation <xref target="RFC8823"/>, this challenge splits the token into several parts, each part being transported by a different channel, and the Key Authorization result requires combining all parts of the token. A separate challenge identifier is used as a filter by BPagents similarlyAgents similar to the challenge "from" used by emailaddress ofvalidation in <xref section="3" target="RFC8823"/>. </t> <t> The token partsare:are as follows: </t><dl><dl spacing="normal" newline="true"> <dt> <tt>token-chal</tt>: </dt> <dd> This token is unique to each ACME authorization. It is contained in the Challenge Object of <xref target="sec-nodeid-challenge-obj"/>. Each authorization can consist of multiple Challenge Bundles(e.g.(e.g., taking different routes), but they all share the same <tt>token-chal</tt> value. This ensures that the Key Authorization is bound to the specific ACME challenge (and parent ACME authorization). This token does not appear on the BPchannel so thatchannel; thus, any eavesdropper knowing the client's account key thumbprint(e.g.(e.g., from some other validation method) is not able to impersonate the client. </dd> <dt> <tt>token-bundle</tt>: </dt> <dd> This token is unique to each Challenge Bundle sent by the ACME server. It is contained in the Challenge Bundle of <xref target="sec-bundle-challenge"/> and Response Bundle of <xref target="sec-bundle-response"/>. This ensures that the Key Authorization is bound to the ability to receive the Challenge Bundle and not justhavehaving access to the ACME Challenge Object. This token is also accessible to DTN on-path eavesdroppers. </dd> </dl> <t> Because multiple Challenge Bundles can be sent to validate the same Node ID, the <tt>token-bundle</tt> in the response is needed to correlate with the expected Key Authorization digest. </t> <t> The DTN Node ID Challenge Object <bcp14>SHALL</bcp14> only be allowed for an EID usable as a DTN Node ID, which is defined per-scheme in <xref section="4.2.5.1" target="RFC9171"/>. When an ACME server supports Node ID validation, the ACME server <bcp14>SHALL</bcp14> provide achallenge objectChallenge Object in accordance with <xref target="sec-nodeid-challenge-obj"/>. Once thischallenge objectChallenge Object is defined, the ACME client may begin the validation. </t> <t> To initiate a Node ID validation, the ACME client performs the following steps: </t> <ol type="1"> <li> The ACME client POSTs a newOrder or newAuthz request including the identifieroftype "bundleEID" for the desired Node ID. From either of these entrypointspoints, an authorization for the"bundleEID"identifier type "bundleEID" is indicated by the ACME server. See <xref section="7.4" target="RFC8555"/> for more details. </li> <li> The ACME client obtains the <tt>id-chal</tt> and <tt>token-chal</tt> from the<xref target="sec-nodeid-challenge-obj">challenge object</xref>Challenge Object (<xref target="sec-nodeid-challenge-obj"></xref>) contained in an authorization object associated with the order in accordance with <xref section="7.1.4" target="RFC8555"/>. </li> <li anchor="step-client-authorize"> The ACME client indicates to the administrative element of its BPagentAgent the <tt>id-chal</tt>whichthat is authorized for use along with the associated <tt>token-chal</tt> and client account key thumbprint. The ACME client waits, if necessary, until theagentAgent is configured before proceeding to the next step. </li> <li> The ACME client POSTs a<xref target="sec-nodeid-response-obj">response object</xref>response object (<xref target="sec-nodeid-response-obj"></xref>) to the challenge URL on the ACME server in accordance with <xref section="7.5.1" target="RFC8555"/>. The payload object is constructed in accordance with <xref target="sec-nodeid-response-obj"/>. </li> <li> The administrative element waits for a Challenge Bundle to be received with the authorized ACME parameters, including its <tt>id-chal</tt> payload, in accordance with <xref target="sec-bundle-challenge"/>. </li> <li> The administrative element concatenates <tt>token-bundle</tt> with <tt>token-chal</tt> (each as base64url-encoded text strings) and computes the Key Authorization in accordance with <xref section="8.1" target="RFC8555"/> using the full token and client account key thumbprint. </li> <li> The administrative element chooses the highest-priority hash algorithm supported by both the client and server, uses that algorithm to compute the digest of the Key Authorization result, and generates a Response Bundle to send back to the ACME server in accordance with <xref target="sec-bundle-response"/>. </li> <li> The ACME client waits for the authorization to be finalized on the ACME server in accordance with <xref section="7.5.1" target="RFC8555"/>. </li> <li> Once the challenge is completed (successfully or not), the ACME client indicates to the BPagentAgent that the <tt>id-chal</tt> is no longer usable. If the authorization fails, the ACME client <bcp14>MAY</bcp14> retry the challenge fromStep <xrefStep <xref format="counter" target="step-client-authorize"/>. </li> </ol> <t> The ACME server verifies the client's control over a Node ID by performing the following steps: </t> <ol type="1"> <li> The ACME server receives a newOrder or newAuthz request including the identifieroftype "bundleEID", where the URI value is a Node ID. </li> <li> The ACME server generates an authorization for the Node ID with challenge type "bp-nodeid-00" in accordance with <xref target="sec-nodeid-challenge-obj"/>. </li> <li anchor="step-server-authorize"> The ACME server receives a POST to the challenge URL indicated from the authorization object. The payload is handled in accordance with <xref target="sec-nodeid-response-obj"/>. </li> <li> The ACME server sends, via the administrative element of its BPagent,Agent, one or more Challenge Bundles in accordance with <xref target="sec-bundle-challenge"/>. Eachchallenge bundleChallenge Bundle contains a distinct, random <tt>token-bundle</tt> to be able to correlate with aresponse bundle.Response Bundle. Computing an expected Key Authorization digest is not necessary until a response is received with a chosen hash algorithm. </li> <li> The ACME server waits for a Response Bundle(s) for a limited interval of time (based on the response object of <xref target="sec-nodeid-response-obj"/>). Responses are encoded in accordance with <xref target="sec-bundle-response"/>. </li> <li> Once received and decoded, the ACME server checks the contents of each Response Bundle in accordance with <xref target="sec-response-check"/>. After all Challenge Bundles have either been responded to or timed-out, the ACME server policy (see <xref target="sec-multi-perspective"/>) determines whether the validation is successful. If validation is not successful, a client may retry the challengewhichthat starts inStep <xrefStep <xref format="counter" target="step-server-authorize"/>. </li> </ol> <t> When responding to a Challenge Bundle, a BPagentAgent <bcp14>SHALL</bcp14> send a single Response Bundle in accordance with <xref target="sec-bundle-response"/>. A BPagentAgent <bcp14>SHALL</bcp14> respond to ACME challenges only within the interval of time and only for the <tt>id-chal</tt> indicated by the ACME client. A BPagentAgent <bcp14>SHALL</bcp14> respond to multiple Challenge Bundles with the same ACME parameters but differentbundleBundle identities (source Node ID and timestamp); these correspond with the ACME server validating via multiple routing paths. </t> <section anchor="sec-nodeid-challenge-obj"> <name>DTN Node ID Challenge Object</name> <t> The DTN Node ID ChallengeobjectObject is included by the ACME server as defined in <xref section="7.5" target="RFC8555"/> when it supports validating Node IDs. </t> <t> The DTN Node ID ChallengeobjectObject has the following content: </t> <dl newline="false" spacing="normal"> <dt>type (required, string):</dt> <dd> The string "bp-nodeid-00". </dd> <dt>id-chal (required, string):</dt> <dd> This is a random value associated with a challengewhichthat allows a client to filter valid<xref target="sec-bundle-challenge">Challenge Bundles</xref>.Challenge Bundles (<xref target="sec-bundle-challenge"></xref>). The same value is used for all Challenge Bundles associated with an ACME challenge, including multi-perspective validation using multiple sources as described in <xref target="sec-multi-perspective"/>. This value <bcp14>SHALL</bcp14> have at least 128 bits of entropy. It <bcp14>SHALL NOT</bcp14> contain any characters outside the base64url alphabet as described in <xref section="5" target="RFC4648"/>. Trailing '=' padding characters <bcp14>SHALL</bcp14> be stripped. See BCP 106 <xref target="RFC4086"/> for additional information on randomness requirements. </dd> <dt>token-chal (required, string):</dt> <dd> This is a random value, used as part of the Key Authorization algorithm, which is communicated to the ACME client only over the ACME channel. This value <bcp14>SHALL</bcp14> have at least 128 bits of entropy. It <bcp14>SHALL NOT</bcp14> contain any characters outside the base64url alphabet as described in <xref section="5" target="RFC4648"/>. Trailing '=' padding characters <bcp14>SHALL</bcp14> be stripped. See BCP 106 <xref target="RFC4086"/> for additional information on randomness requirements. </dd> </dl> <sourcecodetype="json">type="json"><![CDATA[ { "type": "bp-nodeid-00", "url": "https://example.com/acme/chall/prV_B7yEyA4", "id-chal": "dDtaviYTPUWFS3NK37YWfQ", "token-chal": "tPUZNY4ONIk6LxErRFEjVw"} </sourcecode>}]]></sourcecode> <t> The <tt>token-chal</tt> value included in this object applies to the entirechallenge,challenge and may correspond with multiple separate <tt>token-bundle</tt> values when multiple Challenge Bundles are sent for a single validation. </t> </section> <section anchor="sec-nodeid-response-obj"> <name>DTN Node ID Response Object</name> <t> The DTN Node ID response object is sent by the ACME client when it authorizes validation of a Node ID as defined in <xref section="7.5.1" target="RFC8555"/>. Because a DTN has the potential for significantly longer (but roughly predictable) delays than a non-DTN network, the ACME client is able to inform the ACME server if a particular validation round-trip is expected to take longer than non-DTN network delays (on the order of seconds). </t> <t> The DTN Node ID response object has the following content: </t> <dl newline="false" spacing="normal"> <dt>rtt (optional, number):</dt> <dd> An expectedround-trip timeRound-Trip Time (RTT), in seconds, between sending a Challenge Bundle and receiving a Response Bundle. This value is a hint to the ACME server for how long to wait for responses but is not authoritative. The minimum RTT value <bcp14>SHALL</bcp14> be zero. There is no special significance to zero-value RTT, it simply indicates the response is expected in less than the least significant unit used by the ACME client. </dd> </dl> <sourcecodetype="json">type="json"><![CDATA[ { "rtt": 300.0} </sourcecode>}]]></sourcecode> <t> A response object <bcp14>SHALL NOT</bcp14> be sent until the BPagentAgent has been configured to properly respond to the challenge. The RTT value is meant to indicate any node-specific path delays expected to be encountered from the ACME server. Because there is no requirement on the path (or paths) regarding whichbundlesBundles may traverse between the ACME server and the BPagent,Agent, and the ACME server can attempt some path diversity, the RTT value <bcp14>SHOULD</bcp14> be pessimistic. </t> <t> A defaultbundleBundle response interval, used when the object does not contain an RTT, <bcp14>SHOULD</bcp14> be a configurable parameter of the ACME server. If the ACME client indicated an RTT value in the object, the response interval <bcp14>SHOULD</bcp14> be twice the RTT (with limiting logic applied as described below). The lower limit on the response interval isnetwork-specific,network specific, but it <bcp14>SHOULD NOT</bcp14> be shorter than one second. The upper limit on response interval isnetwork-specific,network specific, but it <bcp14>SHOULD NOT</bcp14> be longer than one minute (60 seconds) for a terrestrial-only DTN. </t> </section> <section anchor="sec-bundle-challenge"> <name>ACME Node ID Validation Challenge Bundle</name> <t> Each ACME Node ID Validation Challenge Bundle <bcp14>SHALL</bcp14> be structured and encoded in accordance with BPv7 <xref target="RFC9171"/>. </t> <t> Each Challenge Bundle has parameters as listed here: </t> <dl newline="false" spacing="normal"> <dt>Bundle Processing Control Flags:</dt> <dd> The primary block flags <bcp14>SHALL</bcp14> indicate that the payload is an administrative record. The primary block flags <bcp14>SHALL</bcp14> indicate that user application acknowledgement is requested; this flag distinguishes the Challenge Bundle from the Response Bundle. </dd> <dt>Destination EID:</dt> <dd> The Destination EID <bcp14>SHALL</bcp14> be the ACME-server-normalized Node ID being validated. </dd> <dt>Source Node ID:</dt> <dd> The Source Node ID <bcp14>SHALL</bcp14> indicate the Node ID of a BPagentAgent of the ACME server performing the challenge. </dd> <dt>Creation Timestamp and Lifetime:</dt> <dd> The Creation Timestamp <bcp14>SHALL</bcp14> be set to the time at which the challenge was generated. The Lifetime <bcp14>SHALL</bcp14> indicate the response interval (of <xref target="sec-nodeid-response-obj"/>) for which the ACME server will accept responses to this challenge. </dd> <dt>Administrative Record Type Code:</dt> <dd>SetThis is set to the ACME Node ID Validation type code defined in <xref target="sec-iana-bp-admin-type"/>. </dd> <dt>Administrative Record Content:</dt> <dd> <t> The Challenge Bundle administrative record content <bcp14>SHALL</bcp14> consist of a CBOR map containing the following three pairs: </t> <ul> <li> One pair <bcp14>SHALL</bcp14> consist of key 1 with a value of ACME challenge <tt>id-chal</tt>, copied from thechallenge object,Challenge Object, represented as a CBOR byte string. </li> <li> One pair <bcp14>SHALL</bcp14> consist of key 2 with a value of ACME challenge <tt>token-bundle</tt>, represented as a CBOR byte string. The <tt>token-bundle</tt> is a random value that uniquely identifies thechallenge bundle.Challenge Bundle. This value <bcp14>SHALL</bcp14> have at least 128 bits of entropy. See BCP 106 <xref target="RFC4086"/> for additional information on randomness requirements. </li> <li> One pair <bcp14>SHALL</bcp14> consist of key 4 with a value of an array containing acceptable hash algorithm identifiers. The array <bcp14>SHALL</bcp14> be ordered in descending preference, with the first item being the most preferred. The array <bcp14>SHALL</bcp14> contain at least one item. Each algorithm identifier <bcp14>SHALL</bcp14> correspond to the Value column (integer or text string) of the algorithm registered in the "COSE Algorithms" registryof<xref target="IANA-COSE"/>. </li> </ul> </dd> </dl> <t> This structure is part of the extension CDDL in <xref target="sec-cddl"/>. An example full Challenge Bundle is included in <xreftarget="sec-example-bundle-challenge"/>target="sec-example-bundle-challenge"/>. </t> <t> For interoperability, entitieswhichthat use this validation method <bcp14>SHALL</bcp14> support the hash algorithm "SHA-256"(-16) of(value -16) <xreftarget="RFC9054"/>, but can use other hash algorithms.target="RFC9054"/>. This requirement allows for different implementations to be configured to use an interoperable algorithm, but does not preclude the use of otheralgorithms.algorithms with either higher or lower priority. </t> <t> If the BPagentAgent generating a Challenge Bundle does not have a well-synchronized clock or the agent responding to the challenge is expected to not have a well-synchronized clock, thebundleBundle <bcp14>SHALL</bcp14> include a Bundle Age extensionblock.block in accordance with <xref section="4.4.2" target="RFC9171"/>. </t> <t> Challenge Bundles <bcp14>SHALL</bcp14> include a Block Integrity Block (BIB) in accordance with <xref target="sec-bib-gateway"/> or with a Security Source identical to thebundleBundle Source Node. Challenge Bundles <bcp14>SHALL NOT</bcp14> be directly encrypted by the Block Confidentiality Block (BCB) method or any other method (see <xref target="sec-security-leak"/>). </t> <section anchor="sec-challenge-check"> <name>Challenge Bundle Checks</name> <t> A proper Challenge Bundle meets all of the following criteria: </t> <ul spacing="normal"> <li> The Challenge Bundle was received within the time interval allowed for the challenge. The allowed interval starts at the Creation Timestamp and extends for the Lifetime of the Challenge Bundle. </li> <li> The Challenge Bundle contains a BIBwhichthat covers at least the primary block and payload. That BIB has asecurity source whichSecurity Source that is trusted and passes security-context-specific validation(i.e. MAC(i.e., Message Authentication Code (MAC) or signature verification). </li> <li> The challenge payload contains the <tt>id-chal</tt> as indicated in the ACMEchallenge object.Challenge Object. </li> <li> The challenge payload contains a <tt>token-bundle</tt>meetingmatching the definition in <xref target="sec-bundle-challenge"/>. </li> <li> The challenge payload contains at least one hash algorithm identifier acceptable to the client. </li> </ul> <t>AnyFailure to match any of thefailuresabove <bcp14>SHALL</bcp14> cause thechallenge bundleChallenge Bundle to be otherwise ignored by the BPagent.Agent. It is an implementation matter of how to react to such failures, which could include logging the event, incrementing counters, or raising alarms. </t> </section> </section> <section anchor="sec-bundle-response"> <name>ACME Node ID Validation Response Bundles</name> <t> Each ACME Node ID Validation Response Bundle <bcp14>SHALL</bcp14> be structured and encoded in accordance with BPv7 <xref target="RFC9171"/>. </t> <t> Each Response Bundle has parameters as listed here: </t> <dl newline="false" spacing="normal"> <dt>Bundle Processing Control Flags:</dt> <dd> The primary block flags <bcp14>SHALL</bcp14> indicate that the payload is an administrative record. The primary block flags <bcp14>SHALL NOT</bcp14> indicate that user application acknowledgement is requested; this flag distinguishes the Response Bundle from the Challenge Bundle. </dd> <dt>Destination EID:</dt> <dd> The Destination EID <bcp14>SHALL</bcp14> be identical to the Source Node ID of the Challenge Bundle to which this response corresponds. </dd> <dt>Source Node ID:</dt> <dd> The Source Node ID <bcp14>SHALL</bcp14> be identical to the Destination EID of the Challenge Bundle to which this response corresponds. </dd> <dt>Creation Timestamp and Lifetime:</dt> <dd> The Creation Timestamp <bcp14>SHALL</bcp14> be set to the time at which the response was generated. The response Lifetime <bcp14>SHALL</bcp14> indicate the response interval remaining if the Challenge Bundle indicated a limited Lifetime. </dd> <dt>Administrative Record Type Code:</dt> <dd> Set to the ACME Node ID Validation type code defined in <xref target="sec-iana-bp-admin-type"/>. </dd> <dt>Administrative Record Content:</dt> <dd> <t> The Response Bundle administrative record content <bcp14>SHALL</bcp14> consist of a CBOR map containing the following three pairs: </t> <ul> <li> One pair <bcp14>SHALL</bcp14> consist of key 1 with value of ACME challenge <tt>id-chal</tt>, copied from the Request Bundle, represented as a CBOR byte string. </li> <li> One pair <bcp14>SHALL</bcp14> consist of key 2 with value of ACME challenge <tt>token-bundle</tt>, copied from the Request Bundle, represented as a CBOR byte string. </li> <li> One pair <bcp14>SHALL</bcp14> consist of key 3 with value of a two-element array containing the pair of a hash algorithm identifier and the hash byte string. The algorithm identifier <bcp14>SHALL</bcp14> correspond to the Value column (integer or text string) of the algorithm registered in the "COSE Algorithms" registryof<xref target="IANA-COSE"/>. </li> </ul> </dd> </dl> <t> This structure is part of the extension CDDL in <xref target="sec-cddl"/>. An example full Response Bundle is included in <xreftarget="sec-example-bundle-response"/>target="sec-example-bundle-response"/>. </t> <t> If the BPagentAgent responding to a Challenge Bundle does not have a well-synchronized clock, it <bcp14>SHALL</bcp14> use any information about last-hop delays and (if present) Bundle Age extension data to infer the age of the Challenge Bundle andlifetimeLifetime of the Response Bundle. </t> <t> Response Bundles <bcp14>SHALL</bcp14> include a BIB in accordance with <xref target="sec-bib-gateway"/>. Response Bundles <bcp14>SHALL NOT</bcp14> be directly encrypted by BCB or any other method (see <xref target="sec-security-leak"/> for explanation). </t> <section anchor="sec-response-check"> <name>Response Bundle Checks</name> <t> A proper Response Bundle meets all of the following criteria: </t> <ul spacing="normal"> <li> The Response Bundle was received within the time interval allowed for the challenge. The allowed interval starts at the Creation Timestamp and extends for the Lifetime of the associated Challenge Bundle. The interval of the Challenge Bundle is used here because the interval of the Response Bundle could be made to disagree with the Challenge Bundle. </li> <li> The Response Bundle Source Node ID is identical to the Node ID being validated. The comparison of Node IDs <bcp14>SHALL</bcp14> use the comparison logic of the NODE-ID from <xref section="4.4.1" target="RFC9174"/>. </li> <li> The Response Bundle contains a BIBwhichthat covers at least the primary block and payload. That BIB has asecurity source whichSecurity Source that is trusted and passes security-context-specific validation. </li> <li> The response payload contains the same <tt>id-chal</tt> and <tt>token-bundle</tt> as sent in the Challenge Bundle (this is also how the twobundlesBundles are correlated). </li> <li> The response payload contains a hash algorithm identifier acceptable to the server (as indicated in thechallenge bundle).Challenge Bundle). </li> <li> The response payload contains the expected Key Authorization digest computed by the ACME server. </li> </ul> <t> Any of the failures above <bcp14>SHALL</bcp14> cause that single-perspective validation to fail. Any of the failures above <bcp14>SHOULD</bcp14> be distinguished as subproblems to the ACME client. The lack of a response within the expected response interval, as defined in <xref target="sec-nodeid-response-obj"/>, <bcp14>SHALL</bcp14> also be treated as a validation failure. </t> </section> </section> <section anchor="sec-multi-perspective"> <name>Multi-Perspective Validation</name> <t> To avoid on-path attacks in certain networks, an ACME server can perform a single validation using multiplechallenge bundleChallenge Bundle sources or via multiple routing paths. This technique is calledmulti-perspective validation"multi-perspective validation" as recommended in <xref section="10.2" target="RFC8555"/> and an implementation is used by the Let's Encryptis describedservice in its operational deployment <xref target="LE-multi-perspective"/>. The utility of a multi-perspective validation is part of the experimental nature (see <xreftarget="sec-experiment">experimental nature</xref>target="sec-experiment"></xref>) of this specification. </t> <t> When required by policy, an ACME server <bcp14>SHALL</bcp14> send multiplechallenge bundlesChallenge Bundles from different sources in the BP network. When multiple Challenge Bundles are sent for a single validation, it is a matter of ACME server policy to determine whether or not the validation as a whole is successful. The result of each single-source validation is defined as success or failure in <xref target="sec-response-check"/>. </t> <t> A <bcp14>RECOMMENDED</bcp14> validation policy is to succeed if the challenge from a primarybundleBundle source is successful and if thereareis no more than one failure from a secondary source. The determination of which perspectives are considered primary or secondary is an implementation matter. </t> <t> Regardless of whether a validation is single- or multi-perspective, a validation failure <bcp14>SHALL</bcp14> be indicated by an ACME error type of "incorrectResponse". Each specific perspective failure <bcp14>SHOULD</bcp14> be indicated to the ACME client as a validation subproblem. </t> </section> </section> <section anchor="sec-bib-gateway"> <name>Bundle Integrity Gateway</name> <t> This section defines a BIB usewhichthat closely resembles the function of DKIM email signing <xref target="RFC6376"/>. In thismechanismmechanism, a routing node in a DTNsub-networksubnetwork attests to the origination of abundleBundle by adding a BIB before forwarding it. ThebundleBundle receiver then need not trust the source of thebundle, butBundle, it only needs to trust thissecurity sourceSecurity Source node. The receiver needs policy configuration to know whichsecurity sourcesSecurity Sources are permitted to attest for whichbundleBundle sources. The utility of an integrity gateway is part of the<xref target="sec-experiment">experimental nature</xref>experimental nature (<xref target="sec-experiment"></xref>) of this specification. </t> <t> An integrity gateway <bcp14>SHALL</bcp14> validate the Source Node ID of abundle,Bundle, using local-network-specific means, before adding a BIB to thebundle.Bundle. The exact means by which an integrity gateway validates abundle'sBundle's source isnetwork-specific,network specific, but it could use physical-layer,network-layernetwork-layer, or BP-convergence-layer authentication. ThebundleBundle source could also add its own BIB with a local-network-specific security context or local-network-specific key material(i.e.(i.e., a group key shared within the local network). </t> <t> When an integrity gateway adds aBIBBIB, it <bcp14>SHALL</bcp14> be in accordance with BPSec <xreftarget="RFC9172"/>.target="RFC9172"/> requirements. The BIB targets <bcp14>SHALL</bcp14> cover both the payload block and the primary block (either directly as a target or as additional authenticated data for the payload block MAC/signature). The Security Source of this BIB <bcp14>SHALL</bcp14> be either thebundleBundle source Node ID itself or a routing node trusted by the destination node (see <xref target="sec-security-impersonate"/>). </t> </section> <section> <name>Certificate Request Profile</name> <t> The ultimate purpose of this ACME validation is to allow a CA to issue certificates following the profiles of <xref section="4.4.2" target="RFC9174"/> and <xref section="4" target="I-D.ietf-dtn-bpsec-cose"/>. These purposes are referred to here asbundle"Bundle securitycertificates.certificates". </t> <t> The ACMEidentifiers ofidentifier type "bundleEID"correlatecorrelates to the PKIX certificaterequests withinand certificate request "NODE-ID" as defined in <xref section="4.4.1" target="RFC9174"/>. This NODE-ID is present in certificate requests with an <tt>extensionRequest</tt> attribute (see <xref target="RFC2985"/>) containing a<tt>subjectAltName</tt>SAN extension with identities of type <tt>otherName</tt>with a namehaving an Other Name form of <tt>BundleEID</tt>, identified by <tt>id-on-bundleEID</tt>offrom the "SMI Security for PKIX Other Name Forms" registry <xref target="IANA-SMI"/>.This form is referred to as a "NODE-ID" as defined in <xref section="4.4.1" target="RFC9174"/>.Because the <tt>BundleEID</tt>nameOther Name form is encoded as anIA5StringIA5String, it <bcp14>SHALL</bcp14> be treated as being in the percent-encoded form of <xref section="2.1" target="RFC3986"/>. </t> <t> One defining aspect ofbundleBundle security certificates is the Extended Key Usage key purpose <tt>id-kp-bundleSecurity</tt>of<xref target="IANA-SMI"/>, as defined in <xref section="4.4.2.1" target="RFC9174"/>. When requesting a certificatewhichthat includes a NODE-ID, the CSR <bcp14>SHOULD</bcp14> include an Extended Key Usage of <tt>id-kp-bundleSecurity</tt>. When abundleBundle security certificate is issued based on a validated NODE-ID, the certificate <bcp14>SHALL</bcp14> include an Extended Key Usage of <tt>id-kp-bundleSecurity</tt>. </t> <section anchor="sec-multiple-claims"> <name>Multiple Identity Claims</name> <t> A singlebundleBundle security CSR <bcp14>MAY</bcp14> contain a mixed set of SAN identifiers, including combinations ofIP-ID,IP-ID <xref target="RFC9525"/>, DNS-ID <xreftarget="RFC9525"/>target="RFC9525"/>, and NODE-ID <xref target="RFC9174"/> types. These correspond with ACME identifier types "ip", "dns", and"bundleEID""bundleEID", respectively. </t> <t> There is no restriction on how a certificate combines these claims, but each identifier <bcp14>SHALL</bcp14> be validated by an ACME server to issue such a certificate as part of an associated ACME order. This is no different than the existing behavior of ACME <xref target="RFC8555"/> but is mentioned here to make sure that CA policy handles suchsituations;situations, especially related to validation failure of an identifier in the presence of multiple identifiers.The initial "ip" validationsExisting validation mechanisms are definedinfor identifier types "ip" <xref target="RFC8738"/> andinitial"dns"validations are defined in<xreftarget="RFC8555"/>.target="RFC8555"/> among others <xref target="IANA-ACME"/>. </t> <t> The specific use case of TLS-based security for BPv7 CL transport in <xref section="4.4" target="RFC9174"/> allows, and for some network policies requires, that a certificate authenticate both the DNS name of an entity as well as the Node ID of the entity. These authentications apply to each identifier type, used for different network layers, at different points during secure session establishment. </t> </section> <section> <name>GeneratingEncryption-onlyEncryption-Only orSigning-onlySigning-Only Bundle Security Certificates</name> <t> ACME extensions specified in this document can be used to request encryption-only or signing-onlybundleBundle security certificates. The validity of a request for either a restricted-use or unrestricted-use certificate is dependent on both CA policy to issue such certificates as well as constraints based on the requested key and algorithm types. </t> <t> In order to requestsigning only bundlea signing-only Bundle security certificate, the CSR <bcp14>SHALL</bcp14> include the key usage extension with the digitalSignature and/or nonRepudiation bits set and no other bits set. </t> <t> In order to requestencryption only bundlean encryption-only Bundle security certificate, the CSR <bcp14>SHALL</bcp14> include the key usage extension with the keyEncipherment or keyAgreement bits set and no other bits set. </t> <t> Presence of both of the above sets of key usage bits in the CSR, as well as absence of key usage extension in the CSR, signalstothe ACME server to issue abundleBundle security certificate suitable for both signing and encryption. </t> </section> </section> <section anchor="sec-security"> <name>Security Considerations</name> <t> This section separates security considerations into threat categories based on guidance of BCP 72 <xref target="RFC3552"/>. </t> <section anchor="sec-security-leak"> <name>Threat: Passive Leak of Validation Data</name> <t> Because this challenge mechanism is used to bootstrap security between DTN Nodes, the challenge and its response are likely to be transferred in plaintext. The only ACME data present on-the-wire is a random token and a cryptographic digest, so there is no sensitive data to be leaked within the Node ID ValidationbundleBundle exchange. Because each challenge uses a separate token pair, there is no value in an on-path attacker seeing the tokens from past challenges and/or responses. </t> <t> It is possible for intermediate BPnodesNodes to encapsulate-and-encrypt Challenge Bundles and/or Response Bundles while they traverse untrusted networks, but that is a DTN configuration matter outside of the scope of this document. </t> </section> <section anchor="sec-security-impersonate"> <name>Threat: BP Node Impersonation</name> <t> As described in <xref section="10.1" target="RFC8555"/>, it is possible for an active attacker to alter data on both ACME client channel and the DTN validation channel. </t> <t> The primary mitigation is to delegatebundleBundle integrity sourcing to a trusted routing node near, in the sense ofbundleBundle routing topology,tothebundleBundle source node as defined in <xref target="sec-bib-gateway"/>. This is functionally similar to the DKIM signingof<xref target="RFC6376"/> and provides some level ofbundlesecure Bundle origination. </t> <t> Another way to mitigatesingle-pathon-path attacks is to attempt validation of the same Node ID from multiplesources orsources, hopefully via multiplebundleBundle routing paths, as defined in <xref target="sec-multi-perspective"/>. It is not a trivial task to guaranteebundleBundle routing though, so more advanced techniques such as onion routing (usingbundle-in-bundleBundle-in-Bundle encapsulation) could be employed. </t> </section> <section anchor="sec-security-replay"> <name>Threat: Bundle Replay</name> <t> It is possible for an on-path attacker to replay both Challenge Bundles or Response Bundles. Even in aproperly-configured DTNproperly configured DTN, it is possible that intermediatebundleBundle routerstowould use multi-path forwarding of a singleton-destinationbundle.Bundle. </t> <t> Ultimately, the point of the ACMEbundleBundle exchange is to derive a Key Authorization value and its cryptographicdigestdigest, and to communicateitthat digest back to the ACME server for validation, so the uniqueness of the Key Authorization directly determines the scope of replay validity. The uniqueness of each <tt>token-bundle</tt> to eachchallenge bundleChallenge Bundle ensures that the Key Authorization is unique to thechallenge bundle.Challenge Bundle. The uniqueness of each <tt>token-chal</tt> to the ACME challenge ensures that the Key Authorization is unique to that ACME challenge and not based solely on values visible to on-path eavesdroppers. </t> <t> Having eachbundle'sBundle's primary block and payload block covered by a BIB from a trustedsecurity sourceSecurity Source (see <xref target="sec-bib-gateway"/>) ensures that a replayedbundleBundle cannot be altered in the blocks used by ACME. All together, these properties mean that there is no degraded security caused by replay of either a Challenge Bundle or a Response Bundle even in the case where the primary or payload block is not covered by a BIB. The worst that can come ofbundleBundle replay is the waste of network resources as described in <xref target="sec-security-dos"/>. </t> </section> <section anchor="sec-security-dos"> <name>Threat: Denial of Service</name> <t> The behaviors described in this section all amount to a potential denial-of-service to a BPagent.Agent. </t> <t> A malicious entity can continually send Challenge Bundles to a BPagent.Agent. The victim BPagentAgent can ignore Challenge Bundleswhichthat do not conform to the specific time interval and challenge token for which the ACME client has informed the BPagentAgent that challenges are expected. The victim BPagentAgent can require all Challenge Bundles to be BIB-signed to ensure authenticity of the challenge. </t> <t> A malicious entity can continually send Response Bundles to a BPagent.Agent. The victim BPagentAgent can ignore Response Bundleswhichthat do not conform to the specific time interval or Source Node ID or challenge token for an active Node ID validation. </t> <t> Similar to other validation methods, an ACME server validating a DTN Node ID could be used as adenial of servicedenial-of-service amplifier. For thisreasonreason, any ACME server can rate-limit validation activities for individual clients and individual certificate requests. </t> </section> <section> <name>Inherited Security Considerations</name> <t> Because this protocol relies on ACME for part of its operation, the security considerations of ACME <xref target="RFC8555"/> apply to all ACMEclient--serverclient-server exchanges during Node ID validation. </t> <t> Because this protocol relies on BPv7 for part of its operation, the security considerations of BPv7 <xref target="RFC9171"/> and BPSec <xref target="RFC9172"/> apply to all BP messaging during Node ID validation. </t> </section> <section> <name>Out-of-Scope BP Agent Communication</name> <t> Although messaging between an ACME client or ACME serveranand its associated BPagentAgent are out-of-scope for this document, both of those channels are critical to Node ID validation security. Either channel can potentially leak data or provide attack vectors if not properly secured. These channels need to protect against spoofing of messaging in both directions to avoid interruption of normal validation sequencing and to prevent false validations from succeeding. </t> <t> The ACME server and its BPagentAgent exchange the outgoing <tt>id-chal</tt>, <tt>token-bundle</tt>, and Key Authorizationdigestdigest, but these values do not need to be confidential (they are also in plaintext over the BP channel). </t> <t> Depending on implementation details, the ACME client might transmit the client account key thumbprint to its BPagentAgent to allow computing the Key Authorization digest on the BPagent.Agent. If an ACME client does transmit its client account key thumbprint to a BPagent,Agent, it is important that this data is kept confidential because it provides the binding of the client account key to the Node ID validation (as well as for all other types of ACME validation). Avoiding this transmission would require a full round-trip between BPagentAgent and ACME client, which can be undesirable if the two are separated by a long-delay network. </t> </section> </section> <section anchor="sec-iana"> <name>IANA Considerations</name> <t> This specification adds to theACME"Automated Certificate Management Environment (ACME) Protocol" registry group andBPthe "Bundle Protocol" registrygroup for this behavior.group. </t> <section anchor="sec-iana-acme-identifier"> <name>ACME Identifier Types</name> <t> Within the "Automated Certificate Management Environment (ACME) Protocol" registry group <xref target="IANA-ACME"/>, the following entry has been added to the "ACME Identifier Types" registry. </t> <table> <thead> <tr> <th>Label</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>bundleEID</td><td>[This specification]</td><td>RFC 9891</td> </tr> </tbody> </table> </section> <section anchor="sec-iana-acme-method"> <name>ACME Validation Methods</name> <t> Within the "Automated Certificate Management Environment (ACME) Protocol" registry group <xref target="IANA-ACME"/>, the following entry has been added to the "ACME Validation Methods" registry. </t> <table> <thead> <tr> <th>Label</th> <th>Identifier Type</th> <th>ACME</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>bp-nodeid-00</td> <td>bundleEID</td> <td>Y</td><td>[This specification]</td><td>RFC 9891</td> </tr> </tbody> </table> </section> <section anchor="sec-iana-bp-admin-type"> <name>Bundle Administrative Record Types</name> <t> Within the "Bundle Protocol" registry group <xref target="IANA-BP"/>, the followingentries haveentry has been added to the "Bundle Administrative Record Types" registry. </t><t> [NOTE to IANA: For <xref target="RFC5050"/> compatibility the AR-TBD value needs to be no larger than 15, but such compatibility is not needed. For BPbis the AR-TBD value needs to be no larger than 65535 as defined by <xref target="RFC9713"/>.] </t><table> <thead> <tr> <th>Bundle Protocol Version</th> <th>Value</th> <th>Description</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>7</td><td>AR-TBD</td><td>255</td> <td>ACME Node ID Validation</td><td>[This specification]</td><td>RFC 9891</td> </tr> </tbody> </table> </section> </section> </middle> <back> <displayreference target="I-D.ietf-dtn-bpsec-cose" to="BPSEC-COSE"/> <references> <name>References</name> <references> <name>Normative References</name> <reference anchor="IANA-ACME" target="https://www.iana.org/assignments/acme/"> <front> <title>Automated Certificate Management Environment (ACME) Protocol</title> <author> <organization>IANA</organization> </author> <date/> </front> </reference> <reference anchor="IANA-BP" target="https://www.iana.org/assignments/bundle/"> <front> <title>Bundle Protocol</title> <author> <organization>IANA</organization> </author> <date/> </front> </reference> <reference anchor="IANA-COSE" target="https://www.iana.org/assignments/cose/"> <front> <title>CBOR Object Signing and Encryption (COSE)</title> <author> <organization>IANA</organization> </author> <date/> </front> </reference> <reference anchor="IANA-SMI" target="https://www.iana.org/assignments/smi-numbers/"> <front> <title>Structure of Management Information (SMI)Numbers</title>Numbers (MIB Module Registrations)</title> <author> <organization>IANA</organization> </author> <date/> </front> </reference> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2985.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2985.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3552.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3552.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3986.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3986.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4086.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4086.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4648.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4648.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4838.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4838.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8555.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8555.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.9054.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9054.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.9171.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9171.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.9172.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9172.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.9174.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9174.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.9525.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9525.xml"/> </references> <references> <name>Informative References</name> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5050.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6376.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7942.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6376.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8738.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8738.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8792.xml"/>href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8792.xml"/> <xi:includehref="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8823.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.9713.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml-ids/reference.I-D.ietf-dtn-bpsec-cose.xml"/> <reference anchor="github-dtn-demo-agent" target="https://github.com/BrianSipos/dtn-demo-agent/"> <front> <title>Python implementationhref="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8823.xml"/> <!-- [I-D.ietf-dtn-bpsec-cose] draft-ietf-dtn-bpsec-cose-08 IESG State: I-D Exists as ofbasic BPv7-related protocols</title> <author fullname="Brian Sipos" initials="B." surname="Sipos"> </author> <date/> </front> </reference> <reference anchor="github-dtn-wireshark" target="https://github.com/BrianSipos/dtn-wireshark/"> <front> <title>Wireshark Dissectors for BPv7-related Protocols</title> <author fullname="Brian Sipos" initials="B." surname="Sipos"> </author> <date/> </front> </reference>08/15/25 --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-dtn-bpsec-cose.xml"/> <reference anchor="LE-multi-perspective" target="https://letsencrypt.org/2020/02/19/multi-perspective-validation.html"> <front> <title>Multi-Perspective Validation Improves Domain Validation Security</title> <author fullname="Josh Aas"/> <author fullname="Daniel McCarney"/> <author fullname="Roland Shoemaker"/> <date day="19" month="Feb" year="2020"/> </front> </reference> </references> </references> <section anchor="sec-cddl"> <name>Administrative Record Types CDDL</name> <t>[NOTE to the RFC Editor: The "0xFFFF" in this CDDL is replaced by the "ACME Node ID Validation" administrative record type code.] </t> <t keepWithNext="true">The extension of BPv7 from <xref section="B" target="RFC9171"/> for the ACMEbundlesBundles in Sections <xreftarget="sec-bundle-challenge"/>target="sec-bundle-challenge" format="counter"/> and <xreftarget="sec-bundle-response"/>target="sec-bundle-response" format="counter"/> is the followingCDDL.CDDL: </t> <sourcecodetype="cddl">type="cddl"><![CDATA[ ; All ACME records have the same structure $admin-record /=[0xFFFF,[0xFF, acme-record] acme-record = acme-challenge-record / acme-response-record acme-challenge-record = { id-chal, token-bundle, alg-list } acme-response-record = { id-chal, token-bundle, key-auth-digest } id-chal = (1: bstr) token-bundle = (2: bstr) key-auth-digest = (3: [ alg: alg-id, value: bstr ]) alg-list = (4: [+ alg-id]) ; From the IANA COSE registry, only hash algorithms allowed alg-id = tstr / int</sourcecode>]]></sourcecode> </section> <section> <name>Example Authorization</name> <t>[NOTE to the RFC Editor: The "0xFFFF" in these examples are replaced by the "ACME Node ID Validation" administrative record type code.] </t> <t>This example is abundleBundle exchange for the ACME server with Node ID "dtn://acme-server/" performing a verification for ACME client Node ID "dtn://acme-client/". The examplebundlesBundles use no block CRC or BPSec integrity, which is for simplicity and is not recommended for normal use. The provided figures are extended diagnostic notation <xref target="RFC8610"/>. </t> <t> For thisexampleexample, the ACME client key thumbprint has thebase64url encodedbase64url-encoded value of: </t> <sourcecodetype="cbor"> "LPJNul-wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ" </sourcecode>type="cbor"><![CDATA[ "LPJNul-wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ"]]></sourcecode> <t>Andand the ACME-server generated <tt>token-chal</tt> has the base64url-encoded value of: </t> <sourcecodetype="cbor"> "tPUZNY4ONIk6LxErRFEjVw" </sourcecode>type="cbor"><![CDATA[ "tPUZNY4ONIk6LxErRFEjVw"]]></sourcecode> <section anchor="sec-example-bundle-challenge"> <name>Challenge Bundle</name> <t> For the singlechallenge bundleChallenge Bundle in this example, the <tt>token-bundle</tt> (transported as byte string via BP) has the base64url-encoded value of: </t> <sourcecodetype="cbor"> "p3yRYFU4KxwQaHQjJ2RdiQ" </sourcecode>type="cbor"><![CDATA[ "p3yRYFU4KxwQaHQjJ2RdiQ"]]></sourcecode> <t> The minimal-but-valid Challenge Bundle is shown in <xref target="fig-example-bundle-challenge"/>. This challenge requires that the ACME client respond within a60 second60-second time window. </t> <figure anchor="fig-example-bundle-challenge"> <name>Example Challenge Bundle</name> <sourcecodetype="cbor">type="cbor"><![CDATA[ [_ [ 7, / BP version / 0x22, / flags: user-app-ack, payload-is-an-admin-record / 0, / CRC type: none / [1, "//acme-client/"], / destination / [1, "//acme-server/"], / source / [1, 0], / report-to: none / [1000000, 0], / timestamp: 2000-01-01T00:16:40+00:00 / 60000 / lifetime: 60s / ], [ 1, / block type code / 1, / block number / 0, / flags / 0, / CRC type: none /<<[<<[ / type-specific data /0xFFFF,0xFF, / record-type-code / { / record-content / 1: b64'dDtaviYTPUWFS3NK37YWfQ', / id-chal / 2: b64'p3yRYFU4KxwQaHQjJ2RdiQ', / token-bundle / 4: [-16] / alg-list: SHA-256 / }]>>]>> ]] </sourcecode>]]]></sourcecode> </figure> </section> <section anchor="sec-example-bundle-response"> <name>Response Bundle</name> <t> When the tokens are combined with the key thumbprint, the full Key Authorization value is the following, folded across lines for readability using the "single backslash" strategy of <xref section="7" target="RFC8792"/>. </t> <sourcecodetype="cbor">type="cbor"><![CDATA[ / NOTE: '\' line wrapping per RFC 8792 / "p3yRYFU4KxwQaHQjJ2RdiQtPUZNY4ONIk6LxErRFEjVw.\LPJNul-wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ" </sourcecode>LPJNul-wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ"]]></sourcecode> <t> The minimal-but-valid Response Bundle is shown in <xref target="fig-example-bundle-response"/>. This response indicates that thereisare 30 seconds remaining in the response time window. </t> <figure anchor="fig-example-bundle-response"> <name>Example Response Bundle</name> <sourcecodetype="cbor">type="cbor"><![CDATA[ [_ [ 7, / BP version / 0x02, / flags: payload-is-an-admin-record / 0, / CRC type: none / [1, "//acme-server/"], / destination / [1, "//acme-client/"], / source / [1, 0], / report-to: none / [1030000, 0], / timestamp: 2000-01-01T00:17:10+00:00 / 30000 / lifetime: 30s / ], [ 1, / block type code / 1, / block number / 0, / flags / 0, / CRC type: none /<<[<<[ / block-type-specific data /0xFFFF,0xFF, / record-type-code / { / record-content / 1: b64'dDtaviYTPUWFS3NK37YWfQ', / id-chal / 2: b64'p3yRYFU4KxwQaHQjJ2RdiQ', / token-bundle / 3: [-16, b64'mVIOJEQZie8XpYM6MMVSQUiNPH64URnhM9niJ5XHrew'] / SHA-256 key auth. digest / }]>> ]]>> ]</sourcecode>]]]></sourcecode> </figure> </section> </section> <section anchor="sec-doc-ack" numbered="false"><name>Acknowledgments</name><name>Acknowledgements</name> <t> This specification is based on DTN use cases related to PKIX certificate issuance. </t> <t> The workflow and terminology of this validation methodwaswere originally copied from the work ofAlexey Melnikov in <xref target="RFC8823"/>. </t> </section> <section numbered="false" removeInRFC="true"> <name>Implementation Status</name> <t> [NOTE to the RFC Editor: please remove this section before publication, as well as the reference to <xref target="RFC7942"/> and <xref target="github-dtn-demo-agent"/> and <xref target="github-dtn-wireshark"/>.] </t> <t> This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in <xref target="RFC7942"/>. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations can exist. </t> <t> An example implementation of the this draft of ACME Node ID Validation has been created as a GitHub project <xref target="github-dtn-demo-agent"/> and is intended to use as a proof-of-concept and as a possible source of interoperability testing. </t> <t> A Wireshark dissector<contact fullname="Alexey Melnikov"/> forof the this draft of ACME Node ID Validation has been created as a GitHub projectemail validation <xreftarget="github-dtn-wireshark"/> and is intended to be used to inspect and troubleshoot implementations.target="RFC8823"/>. </t> </section> </back> </rfc>