附录 C. FIDO Device Onboarding 示例流程 (FIDO Device Onboarding Example Flow)
中文导读: 本节对应 RFC 9944 的 附录 C. FIDO Device Onboarding 示例流程 (FIDO Device Onboarding Example Flow) 部分, 对应文档标题为 RFC 9944 - SCIM 模型的设备模式扩展. 下方若包含英文 RFC 原文, 注册表名称, 字段名, 算法名, 对象标识符, 媒体类型, 邮箱地址, URL, 代码, ABNF, ASN.1, YANG, JSON, XML, 测试向量或参考文献条目, 均按规范原样保留, 因为这些内容需要与 RFC 文本, IANA 注册表, 实现代码或验证工具逐字一致. 中文段落用于说明本节的作用, 阅读重点和实现含义, 不改变任何协议语义或注册值.
本页中的示例, 测试向量和样例报文用于帮助实现者验证编码, 解析, 互操作或错误处理行为. 示例值, 二进制串, Base64, 十六进制, JSON/XML 成员, HTTP/邮件头字段, 域名和地址均属于可复制测试材料, 因此不翻译. 中文说明只解释示例目的, 字段关系和使用注意事项.
以下图示展示如何使用 FDO. 在第一张图中, 设备不仅被加入设备所有者流程, 也被加入 AAA server 以执行初始 onboarding. voucher 包含一个设备证书, AAA 系统使用该证书进行认证.
Appendix C. FIDO Device Onboarding Example Flow
,------. ,------. ,-------.
|SCIM | |SCIM | |Owner | ,---.
|Client| |Server| |Service| |AAA|
`---+--' `---+--' `---+---' `-+-'
,------------------------------!. | |
|Voucher contains |_\ | |
|an X.509 cert chain | | |
`--------------------------------' | |
|1 POST [FDO(voucher)] | | |
|/HTTP | | |
|--------------------->| | |
| | | |
| |----. | |
| | | 2 Recover X.509 | |
| |<---' cert chain | |
| | from voucher | |
| | | |
| | | |
| |3 Add device(voucher) | |
| |/HTTP | |
| |--------------------->| |
| | | |
| | 4 200 "ok" | |
| |<---------------------| |
| | | |
| | 5 Add identity |
| |------------------------------->|
| | | |
| | 6 200 "ok" |
| |<-------------------------------|
| | | |
| 7 200 "ok" | | |
|<---------------------| | |
| | | |
| | | |
此流程完成后, 设备可以先临时 onboarding, 然后稍后通过 FDO 的
Transfer Ownership Protocol 2 (TO2) 流程接收 trust anchor. 如下所示.
,-------. ,------.
|Owner | ,---. |Access| ,------.
|Service| |AAA| |Point | |Device|
`---+---' `-+-' `---+--' `---+--'
| | | ,------------------!.
| | | |Device configured |_\
| | | |with well-known |
| | | |RCOI and for trust |
| | | |on first use |
| | | `--------------------'
| | ,---------------!. |
| | |WLAN configured|_\ |
| | |with well-known | |
| | |RCOI | |
| | `-----------------' |
| | | 1 EAP-TLS/EAPOL |
| | |<-----------------|
| | | |
| |2 EAP-TLS/Radius | |
| |<----------------| |
| | | |
| | ,--------------------------!.
| | |Device skips |_\
| | |server authentication |
| | `----------------------------'
| |3 Result=Success | |
| |---------------->| |
| | | |
| ,-----------------------!. |
| |Limited access |_\ |
| |for now | |
| `-------------------------' |
| | |4 Result=Success |
| | |----------------->|
| | | |
| | 5 FDO TO2 | |
|<----------------------------------------------------|
| | | |
,-------------------------------------------------------------!.
|FSIM, Runtime SSID, |_\
|Credentials incl. |
|local trust anchor |
`---------------------------------------------------------------'
| | | 6 dissasociate |
| | |<-----------------|
| | | |
| | |7 EAP-TLS w/ LSC |
| | |<-----------------|
| | | |
| | | |
. . etc . .