| Internet-Draft | det-moc | November 2024 |
| Wiethuechter | Expires 8 May 2025 | [Page] |
This document is intended for Civil Aviation Authorities (CAAs) as a Means of Compliance (MOC) for using Drone Remote Identification Protocol (DRIP) Entity Tags (DETs) for Unmanned Aircraft System (UAS) Remote ID (RID) identifiers. This enables Session IDs, Authentication Key IDs for accountability, and encryption key IDs for confidentiality.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 8 May 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document is written to reference other documents, thus acting as an introduction for Civil Aviation Authorities (CAAs) and their Operators attempting to comply within a given jurisdiction. A CAA MAY override any requirement in this document, but MUST provide the reason and an alternative for their operators to implement. This document offers technical options, with recommendations of defaults for international interoperability.¶
A registry function including Hierarchical Host Identity Tag (HHIT) Domain Authority (HDA) is required to support Session IDs that can be used by CAAs and other lawfully authorized parties to look up essential safety and security information associated with UAS and their Operators.¶
In the Unmanned Aerial System (UAS) Traffic Management (UTM) context, it is expected that the HDA function will be provided by each UAS Service Supplier (USS). This can be in-house or out-sourced to a service bureau more specialized in cryptographically verifiable identifiers usable to access data and systems on networks. Outside the UTM context, each Operator must still obtain this function from some provider.¶
The HDA function also can support other services related to Session IDs. The DRIP Entity Tag (DET) can act as a Session ID and/or Authentication Key ID, thus HDA functionality in this document assumes both are being provided to registrants (see Section 9.1 for more details). The use of Authentication is mandated in some (e.g. Japan) but not all regions.¶
Each DET is tied to a longer term identifier by its HDA. Typically this identifier is expected to be the UAS Serial Number, however a CAA MAY choose another long term identifier of significance to them.¶
Any entity involved in UAS Broadcast RID as per this document:¶
The archetypal case is a UAS for which the DET serves as both the UAS ID (e.g. in the ASTM [F3411] Basic ID Message as a Type 4, Subtype 1 Specific Session ID) and the Authentication Key ID.¶
DRIP builds upon existing UAS RID standards (ASTM [F3411]) and baseline Means of Compliance (ASTM [F3586]). This document acts as a further Means of Compliance for DETs to be used as Session IDs and/or Authentication Key IDs. This document is intended to be internationally applicable but at the time of first writing the authors have only confirmed compatibility with ASTM [F3586] (and thus US FAA rules).¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document makes use of terms (PII, USS, etc.) defined in [RFC9153], [RFC9434] and [RFC9374]. For convenience of the reader, some of the major definitions are restated here.¶
TODO: find good accurate definitions of these terms & order them¶
This section outlines the various players in the ecosystem. For each, it outlines relevant motivations for using DRIP, as well as the interactions and responsibilities they have in doing so.¶
An Observer has many motivations for detecting Broadcast RID. Regardless of their motivation the authenticity of the data presented is important for them to make decisions on their next actions. This is accomplished by the use of Authentication of the Broadcast RID, something DRIP provides. Observers also may need additional information, beyond what is sent over Broadcast RID. While the use of a Session ID provides a level of privacy, the use of DRIP allows this privacy while also enabling authorized queries for additional data.¶
An Observer device is expected to be able to process messages compliant with [F3586] and [F3411] Broadcast RID including:¶
UAS Operators may want to protect the privacy of their details (such as Operator Location) and their reputation. Reputation can be gained or lost with observation and reports of behavior backed by Authentication. They MAY decide for which UAS RID identifier purposes they will use DETs. This choice may be constrained by the jurisdiction's RID regulations.¶
Manufacturers typically wish to maintain good reputation of their brands and are often driven by market forces. Such forces include requirements and preferences of both UAS Observers and Operators.¶
To satisfy CAA requirements, a UA MUST transmit whatever [F3411] messages are needed to carry at least the minimal elements of information required by the regulator. In the US, under the current FAA RID rule, these are Basic ID, Location/Vector, and System as specified in [F3586]. If the content of these messages is to be trusted, the UA MUST also sign those messages, using the DRIP Wrapper and/or DRIP Manifest methods, as described in [RFC9575].¶
The UAS MUST provide mechanisms and interfaces to enable DET support for UAS Operator selected purposes. For DRIP this requires at minimum the UAS Operator to be able to select DRIP options and start the process of generating and registering a DET with a selected HDA.¶
An HDA Operator must fullfil the requirements of their jurisdiction. They must also satisfy the desires of UAS Operators.¶
The HDA MUST provide, upon successful registration of a DET, the four Broadcast Endorsement objects for use in [RFC9575]. These are:¶
The HDA must also place certain essential information into the Internet Domain Name System (DNS) and maintain that information as operations are activated, completed, etc. All the information to be placed into the DNS is public as it is either needed to make the DET based systems work or because it is a high-availability replica of information transmitted in clear-text via Broadcast RID. The DNS records also MUST point to the private registry in which additional information, required by the HDA/USS itself or the CAA, must be placed and maintained, for query by authorized parties only.¶
RAAs in this document are scoped to be operated by a State. Each State is allocated four RAAs, and may decide on their usage.¶
Each RAA MUST register HDAs within its scope. Each RAA MUST provide both widely supported "long form" X.509 certificates and DRIP-specific "short form" endorsements of its HDAs.¶
The RAA MAY provide services to HDAs for verification of data pertaining to UAS Operators. For example an HDA registering a UAS Session ID may query the RAA to verify a previously RAA-registered UAS Serial Number.¶
The RAA Operator MUST obtain valid DNS delegation. See Section 7 for more details.¶
TODO: selection options matrix¶
The requirements below apply to both RAA and HDA operators with a focus on how HDA operators provide registration and related services for their clients (i.e. UAS Operators and their UAS).¶
A DIME has two query interfaces it MUST support. One interface is used for public information query and another (identified and using data found via public queries) is for private information.¶
The information found in these registries has been designated as public (explicitly or implicitly) by cognizant authority and/or the information owner. Such information includes public cryptographic keys needed for authentication in [RFC9575], static Broadcast RID data and trustworthy pointers to additional information.¶
These registries are Authoritative Name Servers of DNS. See [DET-DNS] for operational requirements, query mechanism and response models.¶
The information found in these registries is considered Personally Identifiable Information (PII) and/or is stored for potential future audit of registration.¶
Private information queries MUST follow [DET-DIFF-ACCESS]. This specifies the use of Registration Data Access Protocol (RDAP) data models and query formats as the primary query mechanisms. The specific access control policies are to be defined by the CAA. A CAA MAY require additional query mechanisms for their jurisdiction.¶
There are several registration functions essential to achieving the purposes to which this document is directed. Likewise there are several viable technical approaches to performing these functions. The only approaches fully specified in [DET-REGISTRATION] are the Constrained Application Protocol (CoAP) [RFC7252] and/or Concise Binary Object Representation (CBOR) Web Tokens (CWT) [RFC8392].¶
DRIP does NOT provide protection against incorrect (e.g. fraudulent) data entered during registration or asserted subsequently. DRIP does protect against alteration (intentional or unintentional) of data subsequent to its assertion by the cryptographic signer. The signer might be the proximate sender (e.g. UA transmitting Broadcast RID) or might be an attestor far away and long ago (e.g. root Certificate Authority). It is the duty of the operator of each DIME, or the party on whose behalf the DIME is being operated, to validate the registration data.¶
DIMEs use and provide various methods to protect data as described below under seven categories: Attestation, Authentication, Authorization, Access Control, Attribution, Accounting and Audit. DRIP refers to these categories collectively as AAA. The definitions of the seven categories are provided in Section 2.1.¶
All data, handled under DRIP, MUST be protected by AAA. All private data MUST also be protected by strong encryption where permitted by law. These requirements apply to data at rest and in transit in all phases of the process, i.e. registration and query.¶
All interfaces MUST be tested on valid and invalid data (such as being malformed). When policy is required on an interface all defined permutations of the policy MUST be tested. The policy engine MUST be evoked to validate proper decisions and actions are being made. All data returned from an interface MUST be tested to check that it conforms with specifications.¶
The DRIP WG is allocated eight RAA values for experimentation and testing purposes. These can be delegated to parties, for a limited period of time at the behest of the DRIP WG, to test DIME interoperability (e.g. HDA to RAA interactions) in any of the below subsections. The IANA Considerations section of [DET-DNS] contains more information on how these delegations are to be handled.¶
Appendix B provides a set of forms to be filled out and submitted as part of a CAA compliance process for using DRIP.¶
+-----+ +-----+ | | | | | o----(1)--->o | | A | | B | | o<---(2)----o | | | | | +-----+ +-----+
A, B pairs: (registrant, HDA), (HDA, RAA)¶
1: Ensure that CoAP endpoints on B can be accessed according to B's policy by A. Ensure that the endpoints conform to the normative requirements of [DET-REGISTRATION] Test that B interface properly handles valid and malformed data. Test that B securely generates proper artifacts and stores them.¶
2: Ensure that the CoAP interactions for (1) properly returns data to A from B. This data MUST include the Broadcast Endorsements, X.509s and any other data elements required.¶
A, B pairs: (UAS Observer, HDA), (UAS Observer, RAA), (HDA, RAA), (RAA, HDA), (HDA, HDA'), (RAA, RAA')¶
1: Ensure that B has a properly configured and publicly accessible Authoritative Name Server for its delegated ip6.arpa domain.¶
2: Ensure that B returns the valid RRTypes defined in [DET-DNS] to A based on an ip6.arpa query via standard DNS methods (i.e. using UDP on port 53). Ensure that the HHIT RRType contains the correct Certificate with an URI.¶
A, B pairs: (UAS Observer, HDA), (UAS Observer, RAA), (HDA, RAA), (RAA, HDA), (HDA, HDA'), (RAA, RAA')¶
1: Ensure that the provide URI from the public query interface points to a valid URI. Ensure that the endpoint on B has proper AAA mechanisms as defined in this document and enforces the proper policy options.¶
2: Ensure that the B endpoint securely returns the data expected according to policy (matrix of authorized, valid request, unauthorized and invalid request) to A.¶
This document requires no new or modified actions by IANA. It does depend on actions IANA has already undertaken to perform in support of DRIP [DET-DNS]. It also informs other parties of interactions they must have with IANA to achieve the intended purposes of this document; e.g. Nation states MUST request IANA delegation of the DNS zone under ip6.arpa corresponding to their allocated RAA values.¶
The considerations discussed in [RFC9153], [RFC9434], [RFC9374], [RFC9575] and [DET-DNS] apply.¶
TODO¶
The considerations discussed in [RFC9153] apply.¶
The properties of a DET allow it to be used as a Session ID and/or an Authentication Key ID. There may be scenarios in which Session IDs are desired for privacy but Authentication is not; although this may reduce transparency and security, a DET MAY be used exclusively as a Session ID in such. There are scenarios in which Authentication is desired but Session IDs are not (e.g. where a CAA does not allow Session IDs); a DET MAY be used exclusively as an Authentication Key ID in such. In the scenario expected to be most common, both Session IDs and Authentication are desired; the same DET SHOULD be used as both the Session ID and Authentication Key ID in such.¶
The DET, in its capacity as a Session ID, already acts as a query key for various data elements (both public and private). Selective encryption MAY be allowed when using a Session ID to allow authorized parties to obtain decryption as a service (under UTM, from the USS under which the observed UA is flying) or access decryption key material (under UTM or not, from the HDA) via a private lookup. This enables the encryption of selected data elements in Broadcast RID to provide a layer of privacy for operators (e.g. their position) without compromising transparency to entities (e.g.public safety / law enforcement personnel) that need to know.¶
Selective encryption typically requires network connectivity of the Observer to perform the private query to obtain the decryption service or key material. CAAs should consider the expected Observer environment and prohibit encryption wherever and whenever Observers cannot reasonably be expected to have connectivity. For example selective encryption, per CAA regulations, MAY be allowed in dense urban areas but prohibited in rural areas.¶
The issue of Observer network connectivity MAY be mitigated with the use of a shared key, for encryption/decryption, used by multiple Session IDs in a given HDA over a period of time, that is preloaded onto the Observer before connectivity is lost. For example Observers MAY query HDAs for flight volumes in which they are interested to preload their decryption key(s) for the registrations that day.¶
The DET MAY be abbreviated. This is useful for display application with limited screen real-estate as the display of the entire 128-bit (32-character in hexadecimal) IPv6 address can be costly. Abbreviations SHOULD follow the following format rules.¶
: character found in an IPv6 address string is ignored.¶
For example a DET with the values of RAA 16383 and HDA 1 without any abbreviation hint from DNS is represented by the string 3FFF 0001 xxxx with xxxx representing a entity hash. If an abbreviation for the RAA (such as DRIP01) and HDA (such as TEST) are found in DNS then the DET can be represented with the string of DRIP01 TEST xxxx.¶
For an example of the entity hash, let's assume there are two DETs with the following hashes in the same HID: 0000:1111:2222:3333 and 0000:2222:1111:3333. At first both DETs are represented with the same abbreviation: RAA HDA 3333. One of these DETs is selected by the display application to shift the display hash one character to avoid the collision resulting in the following two abbreviations: RAA HDA 3333 and RAA HDA 1333.¶