ACME-Based Provisioning of IoT Devices
draft-sweet-iot-acme-05
| Document | Type | Active Internet-Draft (individual) |
|---|---|---|
| | Author | Michael Sweet |
| | Last updated | 2024-01-30 |
| | RFC stream | (None) |
| | Intended RFC status | (None) |
| | Formats | |
| Stream | Stream state | (No stream defined) |
| | Consensus boilerplate | Unknown |
| | RFC Editor Note | (None) |
| IESG | IESG state | I-D Exists |
| | Telechat date | (None) |
| | Responsible AD | (None) |
| | Send notices to | (None) |
IOT Operations                                               M. Sweet, Ed.
Internet-Draft                               Lakeside Robotics Corporation
Intended status: Experimental                              30 January 2024
Expires: 2 August 2024


                  ACME-Based Provisioning of IoT Devices
                         draft-sweet-iot-acme-05

Abstract

   This document extends the Automatic Certificate Management
   Environment (ACME) [RFC8555] to provision X.509 certificates for
   local Internet of Things (IoT) devices that are accepted by existing
   web browsers and other software running on End User client devices.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 2 August 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.

Sweet                    Expires 2 August 2024                  [Page 1]

Internet-Draft           ACME IoT Provisioning              January 2024

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Connecting to the Network . . . . . . . . . . . . . . . .   3
     1.2.  Trusting IoT Devices on the Network . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Specification . . . . . . . . . . . . . . . . . . . . . . . .   4
     3.1.  ACME Server Discovery . . . . . . . . . . . . . . . . . .   4
     3.2.  ACME Server Extensions  . . . . . . . . . . . . . . . . .   5
       3.2.1.  Root (CA) Certificate . . . . . . . . . . . . . . . .   5
       3.2.2.  Accounts  . . . . . . . . . . . . . . . . . . . . . .   6
       3.2.3.  IoT Device Certificate Signing Requests . . . . . . .   6
       3.2.4.  IoT Device Certificates . . . . . . . . . . . . . . .   6
     3.3.  Client Device Configuration . . . . . . . . . . . . . . .   6
     3.4.  IoT Device Configuration  . . . . . . . . . . . . . . . .   7
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
     4.1.  Trusting Local DHCP and DNS Infrastructure  . . . . . . .   7
     4.2.  Certificate Signing Request Validation  . . . . . . . . .   7
     4.3.  Man-in-the-Middle Attacks . . . . . . . . . . . . . . . .   8
     4.4.  Storage of Key Material . . . . . . . . . . . . . . . . .   8
     4.5.  Revocation and Reissuance/Regeneration  . . . . . . . . .   8
     4.6.  Use of mDNS . . . . . . . . . . . . . . . . . . . . . . .   8
     4.7.  mDNS Domain Name Collisions . . . . . . . . . . . . . . .   8
     4.8.  Network Identification and Validation . . . . . . . . . .   9
     4.9.  Multiple Network Support  . . . . . . . . . . . . . . . .   9
     4.10. Protection of Certificates and Key Material . . . . . . .   9
     4.11. Reuse of Key Material . . . . . . . . . . . . . . . . . .   9
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
     5.1.  DHCP Option . . . . . . . . . . . . . . . . . . . . . . .   9
     5.2.  Service Name  . . . . . . . . . . . . . . . . . . . . . .  10
   6.  Normative References  . . . . . . . . . . . . . . . . . . . .  10
   7.  Informative References  . . . . . . . . . . . . . . . . . . .  12
   Appendix A.  Change History . . . . . . . . . . . . . . . . . . .  12
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  13

1.  Introduction

   IoT Devices are common on local networks and often utilize TLS
   [RFC8446] with self-signed X.509 certificates [RFC5280] to provide
   HTTPS [RFC2818] based web pages and services.  Unfortunately, web
   browsers typically do not trust such certificates and show error
   messages intended to deter usage.  Some IoT Devices also have
   manufacturer-supplied X.509 certificates; however, due to the service
   life of such devices, the need for crypto-agility, and well-known
   challenges of secure key management, those certificates are better
   suited to attestation and secure network connection than direct use
   with TLS.