ACME-Based Provisioning of IoT Devices
draft-sweet-iot-acme-05

Document type: Active Internet-Draft (individual)
Author: Michael Sweet
Last updated: 2024-01-30
IOT Operations                                             M. Sweet, Ed.
Internet-Draft                             Lakeside Robotics Corporation
Intended status: Experimental                            30 January 2024
Expires: 2 August 2024

                 ACME-Based Provisioning of IoT Devices
                        draft-sweet-iot-acme-05

Abstract

   This document extends the Automatic Certificate Management
   Environment (ACME) [RFC8555] to provision X.509 certificates for
   local Internet of Things (IoT) devices that are accepted by existing
   web browsers and other software running on End User client devices.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 2 August 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Sweet                     Expires 2 August 2024                 [Page 1]
Internet-Draft             ACME IoT Provisioning             January 2024

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Connecting to the Network . . . . . . . . . . . . . . . .   3
     1.2.  Trusting IoT Devices on the Network . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Specification . . . . . . . . . . . . . . . . . . . . . . . .   4
     3.1.  ACME Server Discovery . . . . . . . . . . . . . . . . . .   4
     3.2.  ACME Server Extensions  . . . . . . . . . . . . . . . . .   5
       3.2.1.  Root (CA) Certificate . . . . . . . . . . . . . . . .   5
       3.2.2.  Accounts  . . . . . . . . . . . . . . . . . . . . . .   6
       3.2.3.  IoT Device Certificate Signing Requests . . . . . . .   6
       3.2.4.  IoT Device Certificates . . . . . . . . . . . . . . .   6
     3.3.  Client Device Configuration . . . . . . . . . . . . . . .   6
     3.4.  IoT Device Configuration  . . . . . . . . . . . . . . . .   7
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
     4.1.  Trusting Local DHCP and DNS Infrastructure  . . . . . . .   7
     4.2.  Certificate Signing Request Validation  . . . . . . . . .   7
     4.3.  Man-in-the-Middle Attacks . . . . . . . . . . . . . . . .   8
     4.4.  Storage of Key Material . . . . . . . . . . . . . . . . .   8
     4.5.  Revocation and Reissuance/Regeneration  . . . . . . . . .   8
     4.6.  Use of mDNS . . . . . . . . . . . . . . . . . . . . . . .   8
     4.7.  mDNS Domain Name Collisions . . . . . . . . . . . . . . .   8
     4.8.  Network Identification and Validation . . . . . . . . . .   9
     4.9.  Multiple Network Support  . . . . . . . . . . . . . . . .   9
     4.10. Protection of Certificates and Key Material . . . . . . .   9
     4.11. Reuse of Key Material . . . . . . . . . . . . . . . . . .   9
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
     5.1.  DHCP Option . . . . . . . . . . . . . . . . . . . . . . .   9
     5.2.  Service Name  . . . . . . . . . . . . . . . . . . . . . .  10
   6.  Normative References  . . . . . . . . . . . . . . . . . . . .  10
   7.  Informative References  . . . . . . . . . . . . . . . . . . .  12
   Appendix A.  Change History . . . . . . . . . . . . . . . . . . .  12
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  13

1.  Introduction

   IoT Devices are common on local networks and often utilize TLS
   [RFC8446] with self-signed X.509 certificates [RFC5280] to provide
   HTTPS [RFC2818] based web pages and services.  Unfortunately, web
   browsers typically do not trust such certificates and show error
   messages intended to deter usage.  Some IoT Devices also have
   manufacturer-supplied X.509 certificates; however, due to the service
   life of such devices, the need for crypto-agility, and the well-known
   challenges of secure key management, those certificates are better
   suited to attestation and secure network connection than to direct
   use with TLS.
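   The following Go program is an added illustration of the trust
   problem the introduction describes; it is not part of this draft and
   uses only the Go standard library.  It mints a self-signed device
   certificate and shows that a client which trusts nothing on the local
   network rejects it (the browser behaviour described above).  It then
   creates a local CA root, issues the same device a certificate from
   it, and shows that the client accepts that certificate only once the
   local root is installed in its trust store, while the hostname check
   is still enforced.  The host names "printer.local" and "camera.local"
   and the CA name "Example Local ACME CA" are constructed for the
   example; the CA-root step anticipates the client configuration the
   draft specifies later rather than anything stated in this paragraph.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// deviceTemplate describes a TLS server certificate for one IoT device.
// Constructed for this example; host is the name the device serves under.
func deviceTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// caTemplate describes a local root CA of the kind a local ACME server
// would publish. The CA name is a constructed example value.
func caTemplate() *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Local ACME CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// newCert generates a fresh P-256 key for template and signs the certificate
// with parentKey. When parentKey is nil the new key signs its own certificate,
// i.e. the result is self-signed (pass the same template as parent then).
func newCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if signer == nil {
		signer = key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyFor models a client checking cert for host with a trust store that
// holds exactly roots (no roots at all models a browser that trusts nothing
// on the local network). A nil result means the client accepts the cert.
func verifyFor(cert *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}

// Result records whether each scenario's certificate was accepted.
type Result struct {
	SelfSignedNoRoots bool // device's own self-signed cert, empty trust store
	IssuedNoRoots     bool // CA-issued cert, local root not installed
	IssuedWithRoot    bool // CA-issued cert, local root installed
	IssuedWrongHost   bool // CA-issued cert presented under another name
}

// Run builds the certificates and evaluates the four scenarios.
func Run() (Result, error) {
	const host = "printer.local"
	var res Result

	selfTmpl := deviceTemplate(host)
	selfSigned, _, err := newCert(selfTmpl, selfTmpl, nil)
	if err != nil {
		return res, err
	}
	caTmpl := caTemplate()
	caCert, caKey, err := newCert(caTmpl, caTmpl, nil)
	if err != nil {
		return res, err
	}
	issued, _, err := newCert(deviceTemplate(host), caCert, caKey)
	if err != nil {
		return res, err
	}

	res.SelfSignedNoRoots = verifyFor(selfSigned, host) == nil
	res.IssuedNoRoots = verifyFor(issued, host) == nil
	res.IssuedWithRoot = verifyFor(issued, host, caCert) == nil
	res.IssuedWrongHost = verifyFor(issued, "camera.local", caCert) == nil
	return res, nil
}

func main() {
	res, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

   Only IssuedWithRoot is true: installing the local root is what turns
   the device certificate from an error page into a trusted connection,
   and the wrong-host case shows that the name binding is still checked
   once the root is trusted.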
