Trust Anchor Bootstrap Protocol for Proof of Process
draft-condrey-rats-witnessd-enrollment-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Author | David Lee Condrey | ||
| Last updated | 2026-02-07 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Additional resources |
GitHub Organization
GitHub Repository Additional Web Page |
||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-condrey-rats-witnessd-enrollment-00
Remote ATtestation procedureS D. Condrey
Internet-Draft Writerslogic Inc
Intended status: Standards Track 7 February 2026
Expires: 11 August 2026
Trust Anchor Bootstrap Protocol for Proof of Process
draft-condrey-rats-witnessd-enrollment-00
Abstract
This document specifies a trust anchor bootstrap protocol for the
witnessd Proof of Process framework. The protocol defines how new
devices enter the witnessd ecosystem, how device keys are provisioned
and verified, and how Verifiers discover and validate device trust
anchors.
Three enrollment modes are defined: self-sovereign mode for
individual users, organizational mode for enterprise deployments, and
public registry mode for federated trust ecosystems.
About This Document
This note is to be removed before publishing as an RFC.
This is a companion document to draft-condrey-rats-pop, which defines
the core Proof of Process evidence framework. This document
addresses the bootstrapping problem: how do Verifiers know which
device keys to trust?
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 11 August 2026.
Condrey Expires 11 August 2026 [Page 1]
Internet-Draft witnessd Enrollment February 2026
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 3
2. Enrollment Modes . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Self-Sovereign Mode . . . . . . . . . . . . . . . . . . . 3
2.2. Organizational Mode . . . . . . . . . . . . . . . . . . . 4
2.2.1. Well-Known URI for Device Discovery . . . . . . . . . 4
2.3. Public Registry Mode . . . . . . . . . . . . . . . . . . 4
3. Device Enrollment Protocol . . . . . . . . . . . . . . . . . 5
3.1. Enrollment Request . . . . . . . . . . . . . . . . . . . 5
3.2. Challenge-Response Flow . . . . . . . . . . . . . . . . . 5
3.3. Certificate Issuance . . . . . . . . . . . . . . . . . . 6
4. Trust Anchor Discovery . . . . . . . . . . . . . . . . . . . 7
4.1. Discovery Mechanisms . . . . . . . . . . . . . . . . . . 7
4.2. Caching Policy . . . . . . . . . . . . . . . . . . . . . 7
4.3. Revocation Checking Integration . . . . . . . . . . . . . 8
5. Key Lifecycle Management . . . . . . . . . . . . . . . . . . 8
5.1. Key Rotation . . . . . . . . . . . . . . . . . . . . . . 8
5.2. Device Migration . . . . . . . . . . . . . . . . . . . . 9
5.3. Key Compromise Response . . . . . . . . . . . . . . . . . 9
5.4. Certificate Renewal . . . . . . . . . . . . . . . . . . . 10
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
6.1. Threat Model . . . . . . . . . . . . . . . . . . . . . . 10
6.2. Compromise Impact Analysis . . . . . . . . . . . . . . . 11
6.3. Mitigation Requirements . . . . . . . . . . . . . . . . . 11
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 11
7.1. Device Identifier Privacy . . . . . . . . . . . . . . . . 12
7.2. Enrollment Metadata Minimization . . . . . . . . . . . . 12
7.3. Registry Privacy Modes . . . . . . . . . . . . . . . . . 12
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
9.1. Normative References . . . . . . . . . . . . . . . . . . 13
9.2. Informative References . . . . . . . . . . . . . . . . . 13
Condrey Expires 11 August 2026 [Page 2]
Internet-Draft witnessd Enrollment February 2026
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction
The Proof of Process (PoP) specification [I-D.condrey-rats-pop]
defines how Attesters generate Evidence during document authorship.
Evidence packets are signed with device keys, but the core
specification does not define how these keys are provisioned or how
Verifiers establish trust in them.
This document addresses the trust anchor bootstrap problem by
defining:
* Device enrollment protocols for provisioning signing keys
* Trust anchor discovery mechanisms for Verifiers
* Multiple enrollment modes for different deployment scenarios
* Key lifecycle management including rotation and migration
1.1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Enrollment Modes
2.1. Self-Sovereign Mode
In self-sovereign mode, users generate their own device keys and
manually provide trust anchors to Verifiers they wish to work with.
This mode provides maximum privacy but requires out-of-band trust
establishment.
Workflow:
1. Device generates key pair in secure hardware (if available)
2. Device exports public key and self-signed certificate
3. User manually provides public key to Verifier (via secure
channel)
4. Verifier stores trust anchor associated with user identity
Condrey Expires 11 August 2026 [Page 3]
Internet-Draft witnessd Enrollment February 2026
Use cases: Individual authors, privacy-conscious users, testing
environments.
2.2. Organizational Mode
In organizational mode, device keys are signed by an organization's
Certificate Authority (CA). The organization publishes its CA
certificate, and Verifiers trust devices whose keys chain to the
organization's CA.
Workflow:
1. Organization establishes CA infrastructure
2. Organization publishes CA certificate at well-known location
3. Device generates key pair and creates certificate signing request
4. Organization signs device certificate (may require proof of
device identity)
5. Device stores signed certificate
6. Verifiers validate device certificates against organization CA
Use cases: Enterprises, academic institutions, publishing houses.
2.2.1. Well-Known URI for Device Discovery
Organizations SHOULD publish device trust information at:
/.well-known/witnessd-devices
This endpoint returns a signed JSON document listing:
* Organization CA certificate chain
* Supported enrollment methods
* Device certificate validation policy
* Contact information for enrollment requests
2.3. Public Registry Mode
In public registry mode, devices register with a public discovery
service, similar to ACME for TLS certificates. This enables
federated trust without requiring prior relationship establishment.
Condrey Expires 11 August 2026 [Page 4]
Internet-Draft witnessd Enrollment February 2026
Workflow:
1. Device generates key pair
2. Device proves control of user identifier (email, domain, etc.)
3. Registry issues device certificate bound to user identifier
4. Registry publishes certificate in transparency log
5. Verifiers query registry to validate device certificates
Use cases: Open ecosystems, cross-organization verification, consumer
applications.
3. Device Enrollment Protocol
The device enrollment protocol establishes trust between a new device
and the enrollment authority. The protocol uses a challenge-response
flow to verify device identity and key possession.
3.1. Enrollment Request
Devices initiate enrollment by submitting a request containing:
enrollment-request = {
device-public-key: bstr, ; Device's public key (COSE_Key)
user-identifier: tstr, ; Email, domain, or opaque ID
enrollment-mode: mode-type,
? device-attestation: bstr, ; TPM/Secure Enclave attestation
? proof-of-possession: bstr, ; Signature over challenge
nonce: bstr, ; Freshness nonce
timestamp: time
}
mode-type = &(
self-sovereign: 0,
organizational: 1,
public-registry: 2
)
3.2. Challenge-Response Flow
For organizational and public registry modes, the enrollment
authority issues a challenge:
1. Device submits initial enrollment request
Condrey Expires 11 August 2026 [Page 5]
Internet-Draft witnessd Enrollment February 2026
2. Authority returns challenge (random nonce + user verification
requirement)
3. Device signs challenge with private key (proof of possession)
4. User completes verification (email link, domain TXT record, etc.)
5. Device submits signed challenge and verification proof
6. Authority validates and issues device certificate
enrollment-challenge = {
challenge-nonce: bstr,
verification-method: verification-type,
? verification-uri: tstr, ; For email/web verification
expires: time
}
verification-type = &(
email-link: 0,
domain-txt: 1,
organizational-approval: 2,
device-attestation-only: 3
)
enrollment-response = {
challenge-nonce: bstr,
challenge-signature: bstr, ; Signed by device private key
verification-token: tstr, ; From email/domain verification
timestamp: time
}
3.3. Certificate Issuance
Upon successful verification, the authority issues a device
certificate:
Condrey Expires 11 August 2026 [Page 6]
Internet-Draft witnessd Enrollment February 2026
device-certificate = {
device-id: bstr, ; Unique device identifier
public-key: bstr, ; COSE_Key
user-identifier: tstr,
issuer: tstr, ; Authority identifier
issued-at: time,
expires-at: time,
? constraints: [* constraint],
signature: bstr ; Authority signature
}
constraint = &(
max-evidence-per-day: uint,
allowed-document-types: [* tstr],
geographic-restriction: tstr
)
Certificates MUST be valid for no more than 1 year. Devices MUST re-
enroll before certificate expiration.
4. Trust Anchor Discovery
Verifiers must discover and maintain trust anchors for device
certificate validation. This section defines discovery mechanisms
and caching policies.
4.1. Discovery Mechanisms
Verifiers discover trust anchors through:
Well-known URI: Query /.well-known/witnessd-devices at the
organization's domain to retrieve CA certificates and enrollment
policies.
Public Registry: Query the public registry service for device
certificates bound to user identifiers. The registry provides
certificate chains and revocation status.
Out-of-band provisioning: For self-sovereign mode, trust anchors are
manually configured by the Verifier operator.
4.2. Caching Policy
Verifiers SHOULD cache trust anchors to reduce latency and network
load. Caching policies:
* CA certificates: Cache for up to 24 hours or until the next-update
field indicates refresh is needed
Condrey Expires 11 August 2026 [Page 7]
Internet-Draft witnessd Enrollment February 2026
* Device certificates: Cache for the certificate validity period
minus a safety margin (RECOMMENDED: 1 hour)
* Revocation status: Cache according to revocation list TTL (see
draft-condrey-rats-witnessd-revocation)
Verifiers MUST refresh cached trust anchors before expiration. Stale
cache entries MUST NOT be used for verification.
4.3. Revocation Checking Integration
Trust anchor discovery integrates with revocation checking:
1. Verifier receives Evidence packet
2. Verifier extracts device certificate from Evidence
3. Verifier validates certificate chain to trusted CA
4. Verifier checks certificate revocation status
5. Verifier checks Evidence revocation status
6. If all checks pass, Verifier proceeds with appraisal
Certificate revocation and Evidence revocation are independent. A
revoked certificate invalidates all Evidence signed by that device.
Evidence may be revoked even if the certificate remains valid.
5. Key Lifecycle Management
Device keys have a lifecycle from generation through retirement.
This section defines key management operations.
5.1. Key Rotation
Devices SHOULD rotate signing keys periodically to limit exposure
from potential compromise. Key rotation workflow:
1. Device generates new key pair
2. Device requests certificate for new key (standard enrollment)
3. Device publishes key rotation notice signed by old key
4. Rotation notice links old key to new key
5. Old key enters grace period (RECOMMENDED: 30 days)
Condrey Expires 11 August 2026 [Page 8]
Internet-Draft witnessd Enrollment February 2026
6. After grace period, old key is retired
key-rotation-notice = {
old-device-id: bstr,
new-device-id: bstr,
old-public-key: bstr,
new-public-key: bstr,
rotation-time: time,
grace-period-end: time,
old-key-signature: bstr, ; Proves control of old key
new-key-signature: bstr ; Proves control of new key
}
Evidence signed during the grace period MAY use either key. After
the grace period, only the new key is valid.
5.2. Device Migration
When users migrate to a new device, Evidence continuity must be
maintained. Migration is treated as key rotation with additional
verification:
* User initiates migration from old device (if available)
* Old device signs migration authorization for new device
* New device completes enrollment with migration authorization
* If old device is unavailable, user completes out-of-band
verification (email, organizational approval, etc.)
Migration without old device access requires stronger verification to
prevent unauthorized device takeover.
5.3. Key Compromise Response
When a device key is compromised:
1. User reports compromise to enrollment authority
2. Authority revokes device certificate immediately
3. User enrolls new device with fresh key
4. User may re-endorse historical Evidence with new key (see draft-
condrey-rats-witnessd-revocation)
Condrey Expires 11 August 2026 [Page 9]
Internet-Draft witnessd Enrollment February 2026
Hardware-backed keys (TPM, Secure Enclave) reduce compromise risk and
are RECOMMENDED for high-security deployments.
5.4. Certificate Renewal
Devices MUST renew certificates before expiration. Renewal may use
the existing key (if not compromised) or coincide with key rotation.
Renewal workflow:
1. Device submits renewal request with current certificate
2. Authority validates current certificate is still valid
3. Authority issues new certificate (same or new key)
4. New certificate validity period begins from issuance
Devices SHOULD initiate renewal at least 7 days before certificate
expiration to allow for processing delays.
6. Security Considerations
6.1. Threat Model
The enrollment protocol considers the following threats:
Unauthorized enrollment: Attacker attempts to enroll a device under
another user's identity. Mitigated by user identifier
verification (email, domain, organizational approval).
Key extraction: Attacker attempts to extract device private key.
Mitigated by hardware-backed key storage (TPM, Secure Enclave)
where available.
Enrollment authority compromise: Attacker compromises the enrollment
authority and issues fraudulent certificates. Mitigated by
certificate transparency logs and short certificate validity
periods.
Man-in-the-middle: Attacker intercepts enrollment messages.
Mitigated by TLS for all enrollment communications and challenge-
response binding.
Replay attacks: Attacker replays old enrollment requests. Mitigated
by nonces and timestamps in all protocol messages.
Condrey Expires 11 August 2026 [Page 10]
Internet-Draft witnessd Enrollment February 2026
6.2. Compromise Impact Analysis
The impact of various compromises:
* Single device key compromise: Only Evidence from that device is
affected. Other devices and users are unaffected.
* Organizational CA compromise: All devices enrolled under that CA
are potentially affected. Requires CA re-keying and mass device
re-enrollment.
* Public registry compromise: All devices using that registry are
potentially affected. Requires registry recovery and certificate
reissuance.
Organizational deployments SHOULD use Hardware Security Modules
(HSMs) for CA key protection. Public registries MUST implement
multi-party controls for certificate issuance.
6.3. Mitigation Requirements
Implementations MUST:
* Use TLS 1.3 or later for all enrollment communications
* Validate certificate chains completely before trusting
* Check certificate revocation status before accepting Evidence
* Implement rate limiting to prevent enrollment abuse
* Log enrollment events for audit purposes
Implementations SHOULD:
* Use hardware-backed key storage where available
* Implement certificate transparency monitoring
* Support multiple enrollment authorities for redundancy
* Provide key compromise notification mechanisms
7. Privacy Considerations
Condrey Expires 11 August 2026 [Page 11]
Internet-Draft witnessd Enrollment February 2026
7.1. Device Identifier Privacy
Device identifiers enable tracking across Evidence packets. To
protect user privacy:
* Device identifiers SHOULD be opaque random values, not derived
from hardware identifiers or user information
* Users MAY request new device identifiers during key rotation to
break tracking linkage
* Verifiers MUST NOT share device verification patterns with third
parties
Self-sovereign mode provides the strongest privacy as no central
authority learns about device enrollment. Public registry mode has
the weakest privacy as the registry sees all enrolled devices.
7.2. Enrollment Metadata Minimization
Enrollment authorities collect metadata during device registration.
To minimize privacy impact:
* Collect only the minimum information necessary for enrollment
* Do not retain IP addresses or location data beyond enrollment
completion
* Do not share enrollment metadata with third parties
* Provide data deletion upon user request (subject to legal
retention requirements)
Enrollment authorities MUST publish a privacy policy describing data
collection, retention, and sharing practices.
7.3. Registry Privacy Modes
Public registries MAY offer privacy modes:
Public mode: Device certificates are publicly discoverable. Anyone
can verify Evidence from the device. Suitable for public authors.
Unlisted mode: Device certificates are not publicly listed but can
be retrieved by packet-id lookup. Provides some obscurity.
Private mode: Device certificates are only returned to authenticated
Condrey Expires 11 August 2026 [Page 12]
Internet-Draft witnessd Enrollment February 2026
Verifiers with a legitimate need. Suitable for sensitive
contexts.
Users SHOULD select the privacy mode appropriate for their use case.
The default mode is deployment-specific.
8. IANA Considerations
This document requests registration of the following well-known URI:
* URI suffix: witnessd-devices
* Change controller: IETF
* Specification document: [this document]
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, May 2017,
<https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References
[I-D.condrey-rats-pop]
Condrey, D., "Proof of Process: An Evidence Framework for
Digital Authorship Attestation", Work in Progress,
Internet-Draft, draft-condrey-rats-pop,
<https://datatracker.ietf.org/doc/html/draft-condrey-rats-
pop>.
Author's Address
David Condrey
Writerslogic Inc
United States
Email: david@writerslogic.com
Condrey Expires 11 August 2026 [Page 13]