Zero Touch Provisioning for NETCONF or RESTCONF based ManagementJuniper Networkskwatsen@juniper.netT-Systemsmikael.abrahamsson@t-systems.seDeutsche Telekom AGian.farrer@telekom.de
Operations
NETCONF Working GroupzerotouchThis draft presents a secure technique for establishing a
NETCONF or RESTCONF connection between a newly deployed
device, configured with just its preconfigured initial state
(e.g., factory default settings), and its deployment specific
network management system (NMS).This draft contains many placeholder values that need to be replaced
with finalized values at the time of publication. This note summarizes
all of the substitutions that are needed. Please note that no other
RFC Editor instructions are specified anywhere else in this document.Artwork in the IANA Considerations section contains placeholder
values for DHCP options pending IANA assignment. Please apply the
following replacements:
OPTION_V4_ZEROTOUCH_REDIRECT --> the option code assigned for the "DHCPv4 Zero Touch Option" optionOPTION_V6_ZEROTOUCH_REDIRECT --> the option code assigned for the "DHCPv6 Zero Touch Option" optionArtwork in this document contains shorthand references to drafts in
progress. Please apply the following replacements:
XXXX --> the assigned RFC value for this draftArtwork in this document contains placeholder values for the date of publication of this
draft. Please apply the following replacement:
2017-08-29 --> the publication date of this draftPlease update the following references to reflect their final RFC assignments:
I-D.ieft-netconf-netconf-client-serverThe following one Appendix section is to be removed prior to publication:
Appendix A. Change LogA fundamental business requirement for any network operator is
to reduce costs where possible. For network operators, deploying
devices to many locations can be a significant cost, as sending
trained specialists to each site for installations is both cost
prohibitive and does not scale.This document defines a bootstrapping strategy enabling devices to
securely obtain bootstrapping data with no installer action beyond
physical placement and connecting network and power cables. The ultimate
goal of this document is to enable a secure NETCONF
or RESTCONF connection to a deployment specific
network management system (NMS).This document primarily regards physical devices, where the setting
of the device's initial state, described in ,
occurs during the device's manufacturing process. However, the zerotouch solution may be
extensible to virtual machines whereby, for instance, the host-system
has an IDevID certificate and some ability to verify the virtual
machine's image before loading it and also provision a just-in-time
IDevID certificate. Details for how this may be accomplished can be
defined in future work.Device connecting to a remotely administered network
This use-case involves scenarios, such as a remote branch office
or convenience store, whereby a device connects as an access gateway
to an ISP's network. Assuming it is not possible to customize the
ISP's network to provide any bootstrapping support, and with no other
nearby device to leverage, the device has no recourse but to reach
out to an Internet-based bootstrap server to bootstrap from.Device connecting to a locally administered network
This use-case covers all other scenarios and differs only in that
the device may additionally leverage nearby devices, which may direct
it to use a local service to bootstrap from. If no such information
is available, or the device is unable to use the information provided,
it can then reach out to the network just as it would for the remotely
administered network use-case.Conceptual workflows for how zerotouch might be deployed are
provided in .This document uses the following terms (sorted by name):
The term "artifact" is used throughout to represent
any of the three artifacts defined in (Zero Touch
Information, Ownership Voucher, and Owner Certificate). These artifacts
collectively provide all the bootstrapping data a device may use.The term "bootstrapping data" is used
throughout this document to refer to the collection of data that a device
may obtain during the bootstrapping process. Specifically, it refers
to the three artifacts defined in .The term "bootstrap server" is used within
this document to mean any RESTCONF server implementing the YANG module
defined in .The term "device" is used throughout this document
to refer to the network element that needs to be bootstrapped. See
for more information about devices.The term "IDevID"
is defined in as the globally unique
secure device identifier (DevID) installed on the device by the manufacturer.
This identifier is used in this document to enable a Bootstrap Server to
securely identify and authenticate a device.The term "manufacturer" is used herein to
refer to the manufacturer of a device or a delegate of the manufacturer.The acronym "NMS" is used
throughout this document to refer to the deployment specific management
system that the bootstrapping process is responsible for introducing devices to.
From a device's perspective, when the bootstrapping process has completed,
the NMS is a NETCONF or RESTCONF client.The term "onboarding information" is used
herein to refer to one of the two types of 'zero touch information' (see term)
defined in this document, the other being 'redirect information'. Specifically,
onboarding information is defined by the 'onboarding-information' YANG-data
struture in .The term "owner" is used throughout this document
to refer to the person or organization that purchased or otherwise owns
a device.The term "owner certificate" is used in
this document to represent an X.509 certificate that binds an owner identity
to a public key, which a device can use to validate a signature over the
zero touch information artifacts. The owner certificate is one of
the three bootstrapping artifacts described in .The term "ownership voucher" is used in
this document to represent the voucher artifact defined in . The ownership voucher is used to
assign a device to an owner. The ownership voucher is one of
the three bootstrapping artifacts described in .The term "redirect information" is used
herein to refer to one of the two types of 'zero touch information' (see term)
defined in this document, the other being 'onboarding information'. Specifically,
redirect information is defined by the 'redirect-information' YANG-data
structure in .The term "redirect server" is used to refer
to a bootstrap server that only returns redirect information. A redirect
server is particularly useful when hosted by a manufacturer, as an
Internet-based resource to redirect devices to deployment-specific
bootstrap servers.The term "signed data" is used throughout to mean
either redirect information or onboarding information that has been signed,
specifically by a private key possessed by a device's owner.The term "unsigned data" is used throughout to mean
either redirect information or onboarding information that has not been signed.The term "zero touch information" is used
generally herein to refer either redirect information or onboarding information.
Zero touch information is one of the three bootstrapping artifacts described in
.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.A simplified graphical representation of the data models
is used in this document. The meaning of the symbols in
these diagrams is as follows:
Brackets "[" and "]" enclose list keys.Braces "{" and "}" enclose feature names, and indicate
that the named feature must be present for the subtree
to be present.Abbreviations before data node names: "rw" (read-write)
represents configuration data and "ro" (read-only)
represents state data.Symbols after data node names: "?" means an optional
node, "!" means a presence container, and "*" denotes a
list and leaf-list.Parentheses enclose choice and case nodes, and case
nodes are also marked with a colon (":").Ellipsis ("...") stands for contents of subtrees that
are not shown.This document defines two types of information that devices access during
the bootstrapping process. These information types are described in
this section. Examples are provided in Redirect information redirects a device to
another bootstrap server. Redirect information encodes a list of bootstrap
servers, each defined by its hostname or IP address, an optional port,
and an optional trust anchor certificate.Redirect information is YANG modeled data formally defined by the
"redirect-information" container in the YANG module presented in
. This container has the tree
diagram shown below. Please see for tree
diagram notation.Redirect information MAY be trusted or untrusted. The redirect information
is trusted whenever it is obtained via a secure connection to a trusted bootstrap
server, or whenever it is signed by the device's owner. In all other
cases, the redirect information is untrusted.Trusted redirect information is useful for enabling a device to establish
a secure connection to a bootstrap server, which is possible when the redirect
information includes the bootstrap server's trust anchor certificate. When
a device is able to establish a secure connection to a bootstrap server, the
data is implicitly trusted, and does not need to be signed.Untrusted redirect information is useful for directing a device to a bootstrap
server where signed data has been staged for it to obtain. When the redirect
information is untrusted, the device MUST discard any potentially included trust
anchor certificates and SHOULD establish a provisional connection (by blindly
accepting the TLS certificate) to any of the specified bootstrap servers. In
this case, the device MUST NOT trust the bootstrap server, and data provided
by the bootstrap server MUST be signed for it to be of any use to the device.How devices process redirect information is described more formally in
.Bootstrap information provides all the data necessary for a device
to bootstrap itself, in order to be considered ready to be managed
(e.g., by an NMS). As defined in this document, this data includes
information about a boot image the device MUST be running, an initial
configuration the device MUST commit, and optional scripts that, if
specified, the device MUST successfully execute.Bootstrap information is YANG modeled data formally defined by the
"onboarding-information" container in the YANG module presented in
. This container has the tree diagram
shown below. Please see for tree
diagram notation.Bootstrap information MUST be trusted for it to be of any use to a device.
There is no option for a device to process untrusted onboarding information.Bootstrap information is trusted whenever it is obtained via a secure connection
to a trusted bootstrap server, or whenever it is signed by the device's
owner. In all other cases, the onboarding information is untrusted.How devices process onboarding information is described more formally in
.This document defines three artifacts that can be made available
to devices while they are bootstrapping. Each source of bootstrapping
information specifies a means for providing each of the artifacts
defined in this section (see ).The zero touch information artifact encodes the essential bootstrapping
data for the device. This artifact is used to encode the redirect
information and onboarding information types discussed in .The zero touch information artifact is a PKCS#7 SignedData structure, as
specified by Section 9.1 of , encoded
using ASN.1 distinguished encoding rules (DER), as specified
in ITU-T X.690. The PKCS#7 structure MUST contain JSON-encoded
content conforming to the YANG module specified in
.In order for the zero touch information artifact to be trusted when
conveyed over an untrusted transport, the PKCS#7 structure MUST also
contain a 'signerInfo' structure, as described in Section 9.1 of
, containing a signature generated over the
content using the private key associated with the owner certificate
(). In order to simplify the
verification process, the PKCS#7 structure MUST also contain the
signing X.509 certificate.The owner certificate artifact is a certificate that is used to
identify an 'owner' (e.g., an organization). The owner certificate
can be signed by any certificate authority (CA). The owner certificate
MUST either have no Key Usage specified, or the Key Usage MUST set the
"digitalSignature" bit. The values for the owner certificate's "subject"
and/or "subjectAltName" are not constrained by this document.The owner certificate is used by a device to verify the signature
for the zero touch information artifact (),
the device SHOULD also have received, as described in
. In particular, the device verifies
signature using the public key in the owner certificate over the content
contained within the zero touch information artifact.The owner certificate artifact is formally an unsigned PKCS #7
SignedData structure as specified by Section 9.1 in ,
encoded using ASN.1 distinguished encoding rules (DER), as
specified in ITU-T X.690.The owner certificate PKCS#7 structure MUST contain the owner
certificate itself, as well as all intermediate certificates leading
up to the 'pinned-domain-cert' certificate specified in the ownership voucher.
The owner certificate artifact MAY optionally include the trust anchor
certificate.Additionally, in order to support devices deployed on private networks,
the owner certificate PKCS#7 structure MAY also contain suitably fresh
CRLs and/or OCSP Responses .
Having these revocation objects stapled to the owner certificate precludes
the need for the device to have to download them dynamically using the CRL
distribution point or an OCSP responder specified in the associated
certificates.The ownership voucher artifact is used to securely identify a device's
owner, as it is known to the manufacturer. The ownership voucher is signed
by the device's manufacturer or delegate.More specifically, the ownership voucher is used to verify the owner
certificate () that the device SHOULD
have also received, as described in .
In particular, the device verifies that the owner certificate has
a chain of trust leading to the trusted certificate included in the
ownership voucher, even if it is itself (e.g., self-signed certificate).The ownership voucher artifact, including its encoding, is formally defined
in .This section lists all the possible bootstrapping artifacts,
but only certain groupings of these artifacts make sense to return in the
various bootstrapping situations described in this document. These groupings
are:
This grouping is useful for cases
when transport level security can be used to convey trust (e.g., HTTPS),
or when the information can be processed in a provisional manner (i.e.
unsigned redirect information).The grouping
is useful when signed information is needed, because it's obtained
from an untrusted source, and it cannot be processed provisionally,
and yet either revocations are not needed or they can be obtained
dynamically.The grouping
is useful when signed information is needed, because it's obtained
from an untrusted source, and it cannot be processed provisionally,
and revocations are needed and cannot be obtained dynamically.The artifacts associated with these groupings are described below:
This section defines some sources for zero touch bootstrapping data that
a device can access. The list of sources defined here is not meant to be exhaustive.
It is left to future documents to define additional sources for obtaining
zero touch bootstrapping data.For each source defined in this section, details are given for how each
of the three artifacts listed in is provided.A directly attached removable storage device (e.g., a USB flash drive)
MAY be used as a source of zero touch bootstrapping data.To use a removable storage device as a source of bootstrapping data,
a device need only detect if the removable storage device is plugged in
and mount its filesystem.Use of a removable storage device is compelling, as it doesn't require
any external infrastructure to work. It is notable that the raw boot
image file can be located on the removable storage device, enabling
a removable storage device to be a fully self-standing bootstrapping
solution.A removable storage device is an untrusted source of bootstrapping data.
This means that the information stored on the removable storage device either
MUST be signed, or it MUST be information that can be processed
provisionally (e.g., unsigned redirect information).From an artifact perspective, since a removable storage device presents
itself as a filesystem, the bootstrapping artifacts need to be presented
as files. The three artifacts defined in are
mapped to files below.Artifact to File Mapping:
Mapped to a file containing
the binary artifact described in
(e.g., zerotouch-information.pkcs7).Mapped to a file containing the
binary artifact described in
(e.g., owner-certificate.pkcs7).Mapped to a file containing the
binary artifact described in
(e.g., ownership-voucher.pkcs7).The format of the removable storage device's filesystem and the naming of the
files are outside the scope of this document. However, in order to facilitate
interoperability, it is RECOMMENDED devices support open and/or standards based
filesystems. It is also RECOMMENDED that devices assume a file naming convention
that enables more than one instance of bootstrapping data to exist on a removable
storage device. The file naming convention SHOULD be unique to the manufacturer,
in order to enable bootstrapping data from multiple manufacturers to exist on a
removable storage device.A DNS server MAY be used as a source of zero touch bootstrapping data.Using a DNS server may be a compelling option for deployments having
existing DNS infrastructure, as it enables a touchless bootstrapping option
that does not entail utilizing an Internet based resource hosted by a
3rd-party.To use a DNS server as a source of bootstrapping data, a device MAY
perform a multicast DNS query searching for the
service "_zerotouch._tcp.local.". Alternatively the device MAY perform
DNS-SD via normal DNS operation, using the domain
returned to it from the DHCP server; for example, searching for the service
"_zerotouch._tcp.example.com".Unsigned DNS records (e.g., not using DNSSEC as described in )
are an untrusted source of bootstrapping data. This means that the information
stored in the DNS records either MUST be signed, or it MUST be information
that can be processed provisionally (e.g., unsigned redirect information).From an artifact perspective, since a DNS server presents resource records
(Section 3.2.1 of ), the bootstrapping artifacts need
to be presented as resource records. The three artifacts defined in
are mapped to resource records below.Artifact to Resource Record Mapping:
Mapped to a TXT record called "zt-info"
containing the base64-encoding of the binary artifact described in
.Mapped to a TXT record called
"zt-cert" containing the base64-encoding of the binary artifact
described in .Mapped to a TXT record called
"zt-voucher" containing the base64-encoding of the binary artifact
described in .TXT records have an upper size limit of 65535 bytes (Section 3.2.1
in RFC1035), since 'RDLENGTH' is a 16-bit field. Please see Section
3.1.3 in RFC4408 for how a TXT record can achieve this size. Due to this
size limitation, some zero touch information artifacts may not fit. In particular,
onboarding information could hit this upper bound, depending
on the size of the included configuration and scripts.When onboarding information (not redirect information) is provided, it
is notable that the URL for the boot-image the device can download would
have to point to another server (e.g., http://, ftp://, etc.), as DNS
servers do not themselves distribute files.A DHCP server MAY be used as a source of zero touch bootstrapping data.Using a DHCP server may be a compelling option for deployments having
existing DHCP infrastructure, as it enables a touchless bootstrapping option
that does not entail utilizing an Internet based resource hosted by a
3rd-party.A DHCP server is an untrusted source of bootstrapping data. Thus the
information stored on the DHCP server either MUST be signed, or it MUST
be information that can be processed provisionally (e.g., unsigned redirect
information).However, unlike other sources of bootstrapping data described
in this document, the DHCP protocol (especially DHCP for IPv4) is limited
in the amount of data that can be conveyed, to the extent that
signed data cannot be communicated. This means only unsigned redirect
information can be conveyed. Since the redirect information is unsigned,
it SHOULD NOT include the optional trust anchor certificate, as the
device would have to discard it anyway.From an artifact perspective, the three artifacts defined in
are mapped to the DHCP fields specified in
as follows:
This artifact is not supported
directly. Instead, the essence of redirect information (not onboarding
information) is mapped to the DHCP fields described in
.Not supported. There is not enough
space in the DHCP packet to hold an owner certificate artifact.Not supported. There is not enough
space in the DHCP packet to hold an ownership voucher artifact.A bootstrap server MAY be used as a source of zero touch bootstrapping data.
A bootstrap server is defined as a RESTCONF
server implementing the YANG module provided in .Unlike any other source of bootstrap data described in this document, a
bootstrap server is not only a source of data, but it can also receive data
from devices using the YANG-defined 'update-progress' action defined
in the YANG module (). The data sent from devices
both enables visibility into the bootstrapping process (e.g., warnings and
errors) as well as provides potentially useful completion status information
(e.g., the device's SSH host-keys).To use a bootstrap server as a source of bootstrapping data, a device MUST
use the RESTCONF protocol to access the YANG container node /device,
passing its unique identifier in the URL as the key to the 'device' list.Using a bootstrap server as a source of bootstrapping data is a compelling
option as it MAY use transport-level security, in lieu of signed data, which
may be easier to deploy in some situations. Additionally, the bootstrap server
is able to receive progress updates from devices, which may be critical to
some deployments (e.g., the passing of the device's SSH host keys).A bootstrap server may be trusted or an untrusted source of bootstrapping
data, depending on how the device learned about the bootstrap server's trust
anchor from a trusted source. When a bootstrap server is trusted, the
information returned from it MAY be signed. However, when the server is
untrusted, in order for its information to be of any use to the device, the
bootstrap information MUST either be signed or be information that can be
processed provisionally (e.g., unsigned redirect information).When a device is able to trust a bootstrap server, it MUST send its
IDevID certificate in the form of a TLS client certificate, and it MUST
send progress updates to the bootstrap server. When a device is not able
to trust a bootstrap server, it MUST NOT send its IDevID certificate in
the form of a TLS client certificate, and it MUST NOT send any
progress updates to the bootstrap server.From an artifact perspective, since a bootstrap server presents data as
a YANG-modeled data, the bootstrapping artifacts need to be mapped to
nodes in the YANG module. The three artifacts defined in
are mapped to bootstrap server nodes defined in
below.Artifact to Bootstrap Server Node Mapping:
Mapped to
the leaf node /device/zerotouch-information.Mapped to the
leaf node /device/owner-certificate.Mapped to the
leaf node /device/ownership-voucher.While RESTCONF servers typically support a nested hierarchy of
resources, zero touch bootstrap servers only need to support the
paths /device and /device/update-progress. The device processing
instructions provided in only
uses these two URLs.Devices supporting the bootstrapping strategy described in this document
MUST have the preconfigured state and bootstrapping logic
described in the following sections.Each numbered item below corresponds to a numbered item in the diagram above.
Devices MUST possess an initial device identifier (IDevID),
as defined in . The IDevID is an X.509
certificate, encoding e.g., the device's serial number and hardware
manufacturer. The device MUST also possess any intermediate certificates
between the IDevID certificate and the IDevID trust anchor
certificate, which is provided to prospective owners separately
(e.g., ).Devices that support loading bootstrapping data from an Internet-based
bootstrap server (see ) MUST possess:
A configured list of trusted bootstrap servers. Consistent with
redirect information (, each bootstrap
server MAY be identified by its hostname or IP address, and an optional port.A configured list of trust anchor certificates that can be used for
X.509 certificate path validation (, Section 6)
on the bootstrap server's TLS server certificate.Devices that support loading signed data (see )
MUST possess the manufacturer's trust anchor certificate for
validating ownership vouchers.Devices MUST possess a private key that corresponds to the
public key encoded in the device's IDevID certificate. This private key SHOULD be
securely stored, ideally by a cryptographic processor (e.g., a TPM).A device claiming to support the bootstrapping strategy defined in this
document MUST support the boot sequence described in this section.Each numbered item below corresponds to a numbered item in the diagram above.
When the device powers on, it first checks to see if zerotouch bootstrapping
is configured, as is expected to be the case for the device's preconfigured
state. If zerotouch bootstrapping is not configured, then the device
boots normally.The device iterates over its list of sources for
bootstrapping data (). Details for
how to processes a source of bootstrapping data are provided
in .If the device is able to bootstrap itself from any of
the sources of bootstrapping data, it runs with the new
bootstrapped configuration.Otherwise the device MAY loop back through the list of
bootstrapping sources again and/or wait for manual provisioning.This section describes a recursive algorithm that devices can use to,
ultimately, obtain onboarding information. The algorithm is recursive
only because sources of bootstrapping data MAY return redirect information,
which causes the algorithm to run again, for the newly discovered sources
of information. To be clear, an expression that captures all possible
combinations is "(redirect information)* onboarding information". That is,
zero or more redirect information responses, followed by one bootstrap
information response.An important aspect of the algorithm is knowing when data needs to be
signed or not. The following figure provides a summary of options:
As an example, imagine a device initially obtains unsigned
redirect information, which redirects it to an [untrusted]
bootstrap server where it obtains more unsigned redirect
information, which redirects it to another [untrusted]
bootstrap server where it obtains signed redirect information,
which redirects it to a [trusted] bootstrap server where it
obtains redirect information (signed or unsigned doesn't matter,
its trusted either way), but without an included trust anchor
certificate, which is unexpected but possible, so the device
can't trust the server it's redirected to, and so on, until
finally the device obtains some onboarding information.To support this behavior, this recursive algorithm uses a
conceptually global-scoped algorithm variable called
"trust-state". The trust-state variable is initialized to FALSE.
The ultimate goal of this algorithm is for the device to process
onboarding information ()
while the trust-state variable is TRUE.If the data source is a bootstrap server, the only source of
bootstrapping data defined in this document that can be trusted
via transport level security, and the device is able to
authenticate the server using X.509 certificate path validation
(, Section 6) to one of the device's
preconfigured trust anchors, or to a trust anchor that it learned
from a previous step, then the device MUST set trust-state to TRUE.If trust-state is TRUE, when connecting to the bootstrap server,
the device MUST use its IDevID certificate for client certificate
based authentication and MUST post progress updates using the
bootstrap server's "update-progress" action. Otherwise, if trust-state
is FALSE, when connecting to the bootstrap server, the device MUST NOT
use its IDevID certificate for a client certificate based authentication
and MUST NOT post progress updates using the bootstrap server's
"update-progress" action.When accessing a bootstrap server, the device SHOULD only access its
top-level resource, to obtain all the data staged for it in a single GET
request.For any source of bootstrapping data (e.g., ),
if the data is signed and the device is able to validate the signed data
using the algorithm described in ,
then the device MUST set trust-state to TRUE, else the device MUST set
trust-state to FALSE. Note, this is worded to cover the special case
when signed data is returned even from a trusted bootstrap server.If the data is onboarding information (not redirect information), and
trust-state is FALSE, the device MUST exit the recursive algorithm (as
this is not allowed, per the figure above), returning to the state machine
described in . Otherwise, the device MUST
attempt to process the onboarding information as described in
. In either case, success
or failure, the device MUST exit the recursive algorithm, returning to
the state machine described in , the only
difference being in how it responds to the "Able to bootstrap from any
source?" conditional described in the figure in the section.If the data is redirect information, the device MUST process the redirect
information as described in .
This is the recursion step, it will cause to device to reenter this algorithm,
but this time the data source will most definitely be a bootstrap server, as
that is all redirect information is able to redirect a device to.Whenever a device is presented signed data from an untrusted source,
it MUST validate the signed data as described in this section. If the
signed data is provided by a trusted source, a redundant trust case,
the device MAY skip verifying the signature.Whenever there is signed data, the device MUST also be provided
an ownership voucher and an owner certificate. How all the needed
artifacts are provided for each source of bootstrapping data is
defined in .The device MUST first authenticate the ownership voucher by validating
the signature on it to one of its preconfigured trust anchors (see
). If the device has an accurate
clock, it MUST ensure that the ownership voucher was created in the past
(i.e., 'created-on' < now). If the 'expires-on' leaf is present, the
device MUST verify that the ownership voucher has not yet expired
(i.e., now < 'expires-on'), which requires an accurate clock. The
device MUST verify that the ownership voucher's 'assertion' value is
acceptable (e.g., some devices may only accept the assertion value
'verified'). The device MUST verify that the ownership voucher specifies
the device's serial number in the 'serial-number' leaf. If the
'idevid-issuer' leaf is present, the device MUST verify that the
value is set correctly. If the authentication of the ownership voucher
is successful, the device extracts the 'pinned-domain-certificate' node,
an X.509 certificate, that is needed to verify the owner certificate in
the next step.The device MUST next authenticate the owner certificate by performing
X.509 certificate path verification to the trusted certificate extracted
from the voucher's 'pinned-domain-cert' node. If the ownership voucher's
'domain-cert-revocation-checks' node's value is set to "true", the device
MUST verify the revocation status of the certificate chain used to sign
the owner certificate and, if the revocation status is not attainable or
if it is determined that a certificate has been revoked, the device
MUST not validate the owner certificate.Finally the device MUST verify the signature over information
artifact was generated by the private key matching the public
key from the owner certificate.If any of these steps fail, then the device MUST mark the data as
invalid and not perform any subsequent processing step.In order to process redirect information (),
the device MUST follow the steps presented in this section.Processing redirect information is straightforward. The device sequentially
steps through the list of provided bootstrap servers until it can find one it
can bootstrap from.If a hostname is provided, and the hostname's DNS resolution is to more
than one IP address, the device MUST attempt to connect to all of the DNS
resolved addresses at least once, before moving on to the next bootstrap
server. If the device is able to obtain bootstrapping data from any of the
DNS resolved addresses, it MUST immediately process that data, without
attempting to connect to any of the other DNS resolved addresses.If the redirect information is trusted (e.g., trust-state is TRUE), and the
bootstrap server entry contains a trust anchor certificate, then the device MUST
authenticate the bootstrap server using X.509 certificate path validation
(, Section 6) to the specified trust anchor. If the
device is unable to authenticate the bootstrap server to the specified trust
anchor, the device MUST NOT attempt a provisional connection to the bootstrap
server (i.e., by blindly accepting its server certificate).If the redirect information is untrusted (e.g., trust-state is FALSE), the
device MUST discard any trust anchors provided by the redirect information and
establish a provisional connection to the bootstrap server (i.e., by blindly
accepting its TLS server certificate).In order to process onboarding information (),
the device MUST follow the steps presented in this section.When processing onboarding information, the device MUST first process the boot image
information, then execute the pre-configuration script (if any), then commit the initial
configuration, and then execute the post-configuration script (if any), in that order.
If the device encounters an error at any step, it MUST NOT proceed to the next step.First the device MUST determine if the image it is running satisfies the specified
boot image criteria (e.g., name and/or fingerprint match). If it does not, the device
MUST download (using the supplied URI), verify, and install the specified boot image,
and then reboot. To verify the boot image, the device MUST check that the boot image
file matches the fingerprint (e.g., sha256) supplied by the bootstrapping
information. Upon rebooting, the device MUST still be in its initial state,
causing the bootstrapping process to run again, which will eventually
come to this very point, but this time the device's running image will satisfy
the specified criteria, and thus the device will move to processing the next step.Next, for devices that support executing scripts, if a pre-configuration
script has been specified, the device MUST execute the script and check its
exit status code to determine if had any warnings or errors. In the case of
errors, the device MUST reset itself in such a way that forces a reinstallation
of the boot image, thereby wiping out any bad state the script may have
left behind.Next the device commits the provided initial configuration. Assuming no errors,
the device moves to processing the next step.Again, for devices that support executing scripts, if a post-configuration script
has been specified, the device MUST execute the script and check its exit status
code to determine if it had any warnings or errors. In the case of errors, the
device MUST reset itself in such a way that forces a reinstallation of the boot
image, thereby wiping out any bad state the script may have left behind.At this point, the device has completely processed the bootstrapping
data and is ready to be managed. If the device obtained the bootstrap
information from a trusted bootstrap server, the device MUST post the
'bootstrap-complete' progress update now, using the bootstrap server's
'update-progress' action.At this point the device is running its initial configuration. Notably,
if NETCONF Call Home or RESTCONF Call Home is
configured, the device initiates trying to establish a call home connection
at this time.This section defines a YANG module that is used to
define the data model for the zero touch information artifact described in
. Examples illustrating this artifact in
use are provided in .The following tree diagram provides an overview of the data model for the
zero touch information artifact. The syntax used for this tree diagram is
described in .This section presents examples for how the zero touch information artifact
() can be encoded into a document that
can be distributed outside the bootstrap server's RESTCONF API.The following example illustrates how redirect information can be encoded
into an artifact.The following example illustrates how onboarding information can be encoded
into an artifact. This example uses data models from
and .The zero touch information artifact is normatively defined
by the YANG module defined in this section.Note: the module defined herein uses data types defined
in , , and
.This section defines a YANG module that is used to
define the RESTCONF API used by the
bootstrap server defined in . Examples
illustrating this API in use are provided in .The following tree diagram provides an overview for the bootstrap server
RESTCONF API. The syntax used for this tree diagram is described in
.In the above diagram, notice that all of the protocol accessible nodes are read-only,
to assert that devices can only pull data from the bootstrap server.Also notice that the module defines an action statement, which devices use to provide
progress updates to the bootstrap server.This section presents some examples illustrating the bootstrap server's API.
Two examples are provided, one illustrating a device fetching bootstrapping data
from the server, and the other illustrating a data posting a progress updates
to the server.The following example illustrates a device using the API to fetch its
bootstrapping data from the bootstrap server. In this example, the device
receives a signed response; an unsigned response would look similar except
the last two fields (owner-certificate and ownership-voucher) would be
absent in the response.The following example illustrates a device using the API to post
a progress update to a bootstrap server. Illustrated below is
the 'bootstrap-complete' message, but the device may send other
progress updates to the server while bootstrapping (e.g., to provide
status updates). In this message, the device is sending both its
SSH host keys and TLS server certificate, which the bootstrap
server may, for example, pass to an NMS, as discussed in
.Note that devices that are able to present an IDevID certificate
when establishing SSH or TLS
connections do not need to include its DevID certificate in the
bootstrap-complete message. It is unnecessary to send the DevID
certificate in this case because the IDevID certificate does not
need to be pinned by an NMS in order to be trusted.Note that the bootstrap server MUST NOT process a progress update
from a device without first authenticating the device. This is in
contrast to when a device is fetching data from the server, a read-only
operation, in which case device authentication is not strictly
required (e.g., when sending signed information).The bootstrap server's device-facing API is normatively defined
by the YANG module defined in this section.Note: the module defined herein uses data types
defined in , ,
and .This section defines two DHCP options, one for DHCPv4 and one for
DHCPv6. These two options are semantically the same, though syntactically
different.The DHCPv4 Zero Touch Option is used to provision the client
with one or more URIs for bootstrap servers that can be
contacted to attempt further configuration.DHCPv4 Client BehaviorClients MAY request the OPTION_V4_ZEROTOUCH_REDIRECT by including its
option code in the Parameter Request List (55) in DHCP request messages.On receipt of a DHCPv4 Reply message which contains the
OPTION_V4_ZEROTOUCH_REDIRECT, the client performs the following steps:
Check the contents of the DHCPv4 message for at least one valid
URI. If there is more than one valid URI in the list, a candidate
list of possible URIs is created.Attempt to connect to the one of the URIs in the candidate list.
The order in which these are processed by the client is implementation
specific and not defined here.If a successful connection to the Zero Touch bootstrap server,
then the client stops processing entries in the list and proceeds
according to , step(3).If the Zero Touch bootstrap server does not respond, provides
an invalid response, or the transaction otherwise fails, the client
SHOULD attempt to contact another server from the candidate list.Any invalid URI entries received in the uri-data field are ignored by
the client. If OPTION_V4_ZEROTOUCH_REDIRECT does not contain at least one
valid URI entry in the uri-data field, then the client MUST discard the option.DHCPv4 Server BehaviorThe DHCPv4 server MAY include a single instance of Option
OPTION_V4_ZEROTOUCH_REDIRECT in DHCP messages it sends. Servers MUST
NOT send more than one instance of the OPTION_V4_ZEROTOUCH_REDIRECT option.The DHCPv6 Zero Touch Option is used to provision the client with
one or more URIs for bootstrap servers that can be contacted to
attempt further configuration.DHCPv6 Client BehaviorClients MAY request the OPTION_V6_ZEROTOUCH_REDIRECT option, as defined
in , Sections 17.1.1, 18.1.1, 18.1.3, 18.1.4,
18.1.5, and 22.7. As a convenience to the reader, we mention here that
the client includes requested option codes in the Option Request Option.On receipt of a DHCPv6 reply message which contains the
OPTION_V6_ZEROTOUCH_REDIRECT, the client performs the following steps:
Check the contents of the DHCPv6 message for at least one valid
URI. If there is more than one valid URI in the list, a candidate
list of possible URIs is created.Attempt to connect to the one of the URIs in the candidate list.
The order in which these are processed by the client is implementation
specific and not defined here.If a successful connection to the Netconf Zero Touch Bootstrap server,
then the client stops processing entries in the list and proceeds
according to , step(3).If the Zero Touch bootstrap server does not respond, provides
and invalid response or the transaction otherwise fails, the client
SHOULD attempt to contact another server from the candidate list.Any invalid URI entries received in the uri-data field are ignored
by the client. If OPTION_V6_ZEROTOUCH_REDIRECT does not contain at least
one valid URI entry in the uri-data field, then the client MUST discard
the option.DHCPv6 Server BehaviorSections 17.2.2 and 18.2 of govern server
operation in regard to option assignment. As a convenience to the
reader, we mention here that the server will send a particular option
code only if configured with specific values for that option code and
if the client requested it.Option OPTION_V6_ZEROTOUCH_REDIRECT is a singleton. Servers MUST
NOT send more than one instance of the OPTION_V6_ZEROTOUCH_REDIRECT
option.Both of the DHCPv4 and DHCPv6 options defined in this section
encode a list of bootstrap server URIs. The 'URI' structure is
an option that can contain multiple URIs (see ,
Section 5.7).Devices MUST ensure that all their trust anchor
certificates, including those for connecting to bootstrap
servers and verifying ownership vouchers, are protected from
external modification.It may be necessary to update these
certificates over time (e.g., the manufacturer wants to
delegate trust to a new CA). It is therefore expected
that devices MAY update these trust anchors when
needed through a verifiable process, such as a
software upgrade using signed software images.The solution in this document relies on TLS certificates,
owner certificates, and ownership vouchers, all of which
require an accurate clock in order to be processed
correctly (e.g., to test validity dates and revocation
status). Implementations MUST ensure devices have an
accurate clock when shipped from manufacturing facilities,
and take steps to prevent clock tampering.If it is not possible to ensure clock accuracy, it is
RECOMMENDED that implementations disable the aspects of the
solution having clock sensitivity. In particular, such
implementations should assume that TLS certificates,
ownership vouchers, and owner certificates never expire
and are not revokable. In real-world terms, this means
that manufacturers SHOULD only issue a single ownership
voucher for the lifetime of such devices.Implementations SHOULD NOT rely on NTP for time, as
NTP is not a secure protocol.This document allows a device to blindly authenticate a
bootstrap server's TLS certificate. It does so to allow
for cases where the redirect information may be obtained
in an unsecured manner, which is desirable to support
in some cases.To compensate for this, this document requires that
devices, when connected to an untrusted bootstrap server,
do not send their IDevID certificate for client authentication,
and they do not POST any progress updates, and they
assert that data downloaded from the server is signed.Section 7.2.7.2 of the IEEE Std 802.1AR-2009 standard says
that IDevID certificate should never expire (i.e. having the
notAfter value 99991231235959Z). Given the long-lived
nature of these certificates, it is paramount to use a
strong key length (e.g., 512-bit ECC).This draft uses the device's serial number both in the
IDevID certificate as well as in the bootstrap server API.
Serial numbers are ubiquitous and prominently contained
in invoices and on labels affixed to devices and their
packaging. That said, serial numbers many times encode
revealing information, such as the device's model number,
manufacture date, and/or sequence number. Knowledge of this
information may provide an adversary with details needed
to launch an attack.For devices supporting more than one source for bootstrapping
data, no particular sequencing order has to be observed for
security reasons, as the solution for each source is considered
equally secure. However, from a privacy perspective, it is
RECOMMENDED that devices access local sources before accessing
remote sources.IANA is kindly requested to allocate a new option code from the
"BOOTP Manufacturer Extensions and DHCP Options" registry
maintained at http://www.iana.org/assignments/bootp-dhcp-parameters:
And a new option code from the "Dynamic Host Configuration Protocol
for IPv6 (DHCPv6)" registry maintained at
http://www.iana.org/assignments/dhcpv6-parameters:
This document registers two URIs in the IETF XML
registry . Following the format in
, the following registrations are
requested:This document registers two YANG modules in the
YANG Module Names registry .
Following the format defined in , the
the following registrations are requested:The authors would like to thank for following for
lively discussions on list and in the halls (ordered
by last name):
David Harrington,
Michael Behringer,
Dean Bogdanovic,
Martin Bjorklund,
Joe Clarke,
Toerless Eckert,
Stephen Farrell,
Stephen Hanna,
Wes Hardaker,
Russ Mundy,
Reinaldo Penno,
Randy Presuhn,
Max Pritikin,
Michael Richardson,
Phil Shafer,
Juergen Schoenwaelder.Special thanks goes to Steve Hanna, Russ Mundy, and
Wes Hardaker for brainstorming the original I-D's solution
during the IETF 87 meeting in Berlin.IEEE Standard for Local and metropolitan area networks - Secure Device IdentityIEEE SA-Standards BoardThe zero touch solution presented in this document is conceptualized
to be composed of the non-normative workflows described in this section.
Implementations details are expected to vary. Each diagram is followed
by a detailed description of the steps presented in the diagram, with
further explanation on how implementations may vary.The following diagram illustrates key interactions that may occur from when a
prospective owner enrolls in a manufacturer's zero touch program to when the
manufacturer ships devices for an order placed by the prospective owner.Each numbered item below corresponds to a numbered item
in the diagram above.
A prospective owner of a manufacturer's devices, or an existing owner that
wishes to start using zero touch for future device orders, initiates an
enrollment process with the manufacturer or delegate.
This process includes the following:
Regardless how the prospective owner intends to bootstrap their devices,
they will always obtain from the manufacturer or delegate the trust anchor
certificate for its device's IDevID certificates. This certificate will
need to be installed on the prospective owner's NMS so that the NMS can
subsequently authenticate the devices' IDevID certificates.If the manufacturer hosts an Internet based bootstrap server (e.g., a
redirect server) such as described in ,
then credentials necessary to configure the bootstrap server would be
provided to the prospective owner. If the bootstrap server is
configurable through an API (outside the scope of this document), then
the credentials might be installed on the prospective owner's NMS so
that the NMS can subsequently configure the manufacturer-hosted
bootstrap server directly.If the manufacturer's devices are able to validate signed data
(), and assuming that the
prospective owner's NMS is able to prepare and sign the bootstrapping
data itself, the prospective owner's NMS might set a trust anchor
certificate onto the manufacturer's bootstrap server, using the
credentials provided in the previous step. This certificate is the
trust anchor certificate that the prospective owner would like the
manufacturer to place into the ownership vouchers it generates, thereby
enabling devices to trust the owner's owner certificate. How this trust
anchor certifiate is used to enable devices to validate signed bootstrapping
data is described in .Some time later, the prospective owner places an order
with the manufacturer or delegate, perhaps with a special
flag checked for zero touch handling. At this time, or
perhaps before placing the order, the owner may model
the devices in their NMS, creating virtual objects for the
devices with no real-world device associations. For instance
the model can be used to simulate the device's location in the
network and the configuration it should have when fully
operational.When the manufacturer or delegate fulfills the order, shipping
the devices to their intended locations, they may notify the owner
of the devices's serial numbers and shipping destinations, which
the owner may use to stage the network for when the devices power
on. Additionally, the manufacturer may send one or more ownership
vouchers, cryptographically assigning ownership of those devices to
the owner. The owner may set this information on their NMS, perhaps
binding specific modeled devices to the serial numbers and ownership
vouchers.The following diagram illustrates how an owner might stage the
network for bootstrapping devices.Each numbered item below corresponds to a numbered item
in the diagram above.
Having previously modeled the devices, including setting their
fully operational configurations and associating both device serial
numbers and ownership vouchers, the owner might "activate" one or
more modeled devices. That is, the owner tells the NMS to perform
the steps necessary to prepare for when the real-world devices
power up and initiate the bootstrapping process. Note that,
in some deployments, this step might be combined with the last step
from the previous workflow. Here it is depicted that an NMS performs
the steps, but they may be performed manually or through some other
mechanism.If it is desired to use a deployment specific bootstrap server,
it must be configured to provide the bootstrapping information for
the specific devices. Configuring the bootstrap server may occur
via a programmatic API not defined by this document. Illustrated
here as an external component, the bootstrap server may be
implemented as an internal component of the NMS itself.If it is desired to use a manufacturer (or delegate) hosted bootstrap
server, it must be configured to provide the bootstrapping information
for the specific devices. The configuration must be either redirect or
onboarding information. That is, either the manufacturer hosted bootstrap
server will redirect the device to another bootstrap server, or provide
the device with its bootstrapping information itself. The types of
bootstrapping information the manufacturer hosted bootstrap server
supports may vary by implementation; some implementations may only
support redirect information, or only support onboarding information,
or support both redirect and onboarding information. Configuring the
bootstrap server may occur via a programmatic API not defined by this
document.If it is desired to use a DNS server to supply bootstrapping
information, a DNS server needs to be configured. If multicast
DNS-SD is desired, then the server must reside on the local network,
otherwise the DNS server may reside on a remote network. Please see
for more information about how to
configure DNS servers. Configuring the DNS server may occur via
a programmatic API not defined by this document.If it is desired to use a DHCP server to supply bootstrapping
data, a DHCP server needs to be configured. The DHCP server may
be accessed directly or via a DHCP relay. Please see
for more information about how to
configure DHCP servers. Configuring the DHCP server may occur
via a programmatic API not defined by this document.If it is desired to use a removable storage device (e.g., USB flash
drive) to supply bootstrapping information, the information would need
to be placed onto it. Please see
for more information about how to configure a removable storage device.The following diagram illustrates the sequence of activities
that occur when a device powers on.
The interactions in the above diagram are described below.
Upon power being applied, the device checks to see if zerotouch
bootstrapping is configured, such as is the case when running its
"factory default" configuration. If zerotouch bootstrapping is
not configured, then the bootstrapping logic exits and none of the
following interactions occur.For each source of bootstrapping data the device supports, preferably
in order of closeness to the device (e.g., removable storage before
Internet based servers), the device checks to see if there is any
bootstrapping data for it there.If onboarding information is found, the device initializes
itself accordingly (e.g., installing a boot-image and committing an
initial configuration). If the source is a bootstrap server, and the
bootstrap server can be trusted (i.e., TLS-level authentication), the
device also sends progress updates to the bootstrap server.
The contents of the initial configuration should configure
an administrator account on the device (e.g., username, ssh-rsa
key, etc.) and should configure the device either to listen for
NETCONF or RESTCONF connections or to initiate call home connections
.If the bootstrap server supports forwarding device progress updates
to external systems (e.g., via a webhook), a "bootstrap-complete"
progress update () informs the external
system to know when it can, for instance, initiate a connection to
the device (assuming it knows the device's address and the device
was configured to listen for connections). To support this further,
the bootstrap-complete progress update may also relay the device's SSH
host keys and/or TLS certificates, with which the external system
can use to authenticate subsequent connections to the device.
If the device successfully completes the bootstrapping process
(i.e., zerotouch bootstrapping is no longer configured), it exits
the bootstrapping logic without considering any additional sources of
bootstrapping data.
Otherwise, if redirect information is found, the device iterates
through the list of specified bootstrap servers, checking to see if
there is any bootstrapping data for it on them. If the bootstrap server
returns more redirect information, then the device processes it recursively.
Otherwise, if the bootstrap server returns onboarding information,
the device processes it following the description provided in (3) above.After having tried all supported sources of bootstrapping data, the
device may retry again all the sources and/or provide manageability
interfaces for manual configuration (e.g., CLI, HTTP, NETCONF, etc.).
If manual configuration is allowed, and such configuration is provided,
the device should cease trying to obtain bootstrapping data, as the
need to do so would no longer be present.Major structural update; the essence is the same.
Most every section was rewritten to some degree.Added a Use Cases sectionAdded diagrams for "Actors and Roles" and
"NMS Precondition" sections, and greatly improved
the "Device Boot Sequence" diagramRemoved support for physical presence or any
ability for configlets to not be signed.Defined the Zero Touch Information DHCP optionAdded an ability for devices to also download
images from configuration serversAdded an ability for configlets to be encryptedNow configuration servers only have to support
HTTP/S - no other schemes possibleAdded boot-image and validate-owner annotations
to the "Actors and Roles" diagram.Fixed 2nd paragraph in section 7.1 to reflect
current use of anyxml.Added encrypted and signed-encrypted examplesReplaced YANG module with XSD schemaAdded IANA request for the Zero Touch Information DHCP OptionAdded IANA request for media types for boot-image and configurationReplaced the need for a configuration signer with the
ability for each NMS to be able to sign its own configurations,
using manufacturer signed ownership vouchers and owner certificates.Renamed configuration server to bootstrap server, a more
representative name given the information devices download from it.Replaced the concept of a configlet by defining a southbound
interface for the bootstrap server using YANG.Removed the IANA request for the boot-image and configuration
media typesMinor update, mostly just to add an Editor's Note to show how this
draft might integrate with the draft-pritikin-anima-bootstrapping-keyinfra.Major update formally introducing unsigned data and support for
Internet-based redirect servers.Added many terms to Terminology section.Added all new "Guiding Principles" section.Added all new "Sources for Bootstrapping Data" section.Rewrote the "Interactions" section and renamed it "Workflow Overview".Semi-major update, refactoring the document into more logical partsCreated new section for information typesAdded support for DNS serversNow allows provisional TLS connectionsBootstrapping data now supports scriptsDevice Details section overhauledSecurity Considerations expandedFilled in enumerations for notification typesMinor updateAdded many Normative and Informative references.Added new section Other Considerations.Minor updateAdded an Editorial Note section for RFC Editor.Updated the IANA Considerations section.Minor updateUpdated to reflect review from Michael Richardson.Added in missing "Signature" artifact example.Added recommendation for manufacturers to use interoperable
formats and file naming conventions for removable storage devices.Added configuration-handling leaf to guide if config should be
merged, replaced, or processed like an edit-config/yang-patch document.Added a pre-configuration script, in addition to the
post-configuration script from -05 (issue #15).Factored ownership vocher and voucher revocation to a
separate document: draft-kwatsen-netconf-voucher. (issue #11)Removed <configuration-handling> options 'edit-config' and
yang-patch'. (issue #12)Defined how a signature over signed-data returned from a
bootstrap server is processed. (issue #13)Added recommendation for removable storage devices to use
open/standard file systems when possible. (issue #14)Replaced notifications "script-[warning/error]" with
"[pre/post]-script-[warning/error]". (goes with issue #15)switched owner-certificate to be encoded using the pkcs#7
format. (issue #16)Replaced md5/sha1 with sha256 inside a choice statement, for
future extensibility. (issue #17)A ton of editorial changes, as I went thru the entire draft
with a fine-toothed comb.fixed yang validation issues found by IETFYANGPageCompilation.
note: these issues were NOT found by pyang --ietf or by the
submission-time validator...fixed a typo in the yang module, someone the config false statement
was removed.fixed typo that prevented Appendix B from loading the
examples correctly.fixed more yang validation issues found by
IETFYANGPageCompilation. note: again, these issues were
NOT found by pyang --ietf or by the submission-time
validator...updated a few of the notification enumerations to be
more consistent with the other enumerations (following the
warning/error pattern).updated the information-type artifact to state how it's
encoded, matching the language that was in Appendix B.defined a standalone artifact to encode the old information-type
into a PKCS#7 structure.standalone information artifact hardcodes JSON encoding (to
match the voucher draft).combined the information and signature PKCS#7 structures into a
single PKCS#7 structure.moved the certificate-revocations into the owner-certificate's
PKCS#7 structure.eliminated support for voucher-revocations, to reflect the
voucher-draft's switch from revocations to renewals.Renamed "bootstrap information" to "onboarding information".Rewrote DHCP sections to address the packet-size limitation
issue, as discussed in Chicago.Added Ian as an author for his text-contributions to the
DHCP sections.Removed the Guiding Principles section.Renamed action 'notification' to 'update-progress' and, likewise
'notification-type' to 'update-type'.Updated examples to use "base64encodedvalue==" for binary values.Greatly simplified the 'Artifact Groupings' section, and
moved it as a subsection to the 'Artifacts' section.Moved the 'Workflow Overview' section to the Appendix.Renamed 'bootstrap information' to 'update information'.Removed 'Other Considerations' section.Tons of editorial updates.tweaked language to refer to "initial state" rather than "factory
default configuration", so as accomodate white-box scenarios.added a paragraph to Intro regarding how the solution primarily regards
physical machines, but could be extended to VMs by a future document.added a pointer to the Workflow Overview section (recently moved to
the Appendix) to the Intro.added a note that, in order to simplify the verification process,
the "Zerotouch Information" PKCS#7 structure MUST also contain the
signing X.509 certificate.noted that the owner certificate's must either have no Key Usage or
the Key Usage must set the "digitalSignature" bit.noted that the owner certificate's subject and subjectAltName values
are not constrained.moved/consolidated some text from the Artifacts section down to the
Device Details section.tightened up some ambigous language, for instance, by refering to
specific leaf names in the Voucher artifact.reverted a previously overzealous s/unique-id/serial-number/ change.modified language for when ZTP runs from when factory-default config
is running to when ZTP is confgured, which the factory-defaults should set .