openconnectivityfoundation · habibvirji · Mar 28, 2017 · Mar 28, 2017 · Mar 28, 2017 · Mar 28, 2017
diff --git a/security/CertificateRole.txt b/security/CertificateRole.txt
@@ -0,0 +1,13 @@
+/*
+@startuml 
+autonumber
+title Asserting Certificate Role Credentials
+participant "Client" as CLI
+participant "Server" as SER
+note over CLI, SER
+A secure connection must be established using a certificate credential to authenticate the client
+end note
+CLI->SER: UPDATE /oic/sec/roles\n [{"credid":"…", "sub":"…", "credtype":8,\n"pbdata": " DER-encoded role and CA certificate chain in base64",\n "roleid":{"authority":"Optional Authority Identifier", "role": "16-byte octet string"}, \n "ownrs":"…"\n}]
+SER->CLI: RSP 2.04
+@enduml
+*/
diff --git a/security/ClientDirectedCRLTransfer.txt b/security/ClientDirectedCRLTransfer.txt
@@ -0,0 +1,14 @@
+/*
+@startuml
+title Client-directed CRL Transfer
+participant "Credential\nManagement\nService" as CMS
+participant "Device" as DEV
+note over CMS, DEV
+The Ownership Credential should be used to establish a secure connection.
+end note
+CMS->DEV: POST /oic/sec/crl\n[{"crlid":"…",\n "update":"…",\n "crldata": "DER-encoded CRL in base64"}]
+DEV->CMS: RSP 2.04
+CMS->DEV: UPDATE /oic/sec/pstat [{..., "cm"="bx0010,0000", ...}]
+DEV->CMS: RSP 2.04
+@enduml
+*/
diff --git a/security/DOXM-JW.txt b/security/DOXM-JW.txt
@@ -1,7 +1,7 @@
 /*
 @startuml
 autonumber
-title OIC Device Owner Establishment Sequence \n"Just Works" Device Owner Transfer Method
+title OCF Device Owner Establishment Sequence \n"Just Works" Device Owner Transfer Method
 participant "Onboarding Tool\n(UUID B0B0xxxx-...)" as OT
 participant "New Device\n(UUID A21Cxxxx-...)" as ND
 
@@ -46,7 +46,7 @@ ND->OT: RSP 2.04
 note over OT, ND
 Onboarding tool posts the device owner ID.
 end note
-OT->ND: POST /oic/sec/doxm[{..., "devowner":"B0B0XXXX-...",...}]
+OT->ND: POST /oic/sec/doxm[{..., "devowneruuid":"B0B0XXXX-...",...}]
 ND->OT: RSP 2.04
 
 note over OT, ND

diff --git a/security/DOXM-MFGCERT.txt b/security/DOXM-MFGCERT.txt
@@ -1,7 +1,7 @@
 /*
 @startuml
 autonumber
-title OIC Device Owner Establishment Sequence \n"Manufacturer Cert" Device Owner Transfer Method
+title OCF Device Owner Establishment Sequence \n"Manufacturer Cert" Device Owner Transfer Method
 participant "Onboarding Tool\n(UUID B0B0xxxx-...)" as OT
 participant "New Device\n(UUID A21Cxxxx-...)" as ND
 
@@ -37,8 +37,8 @@ end note
 OT->ND: GET /oic/sec/doxm
 ND->OT: RSP [{"oxms":["0","2"], "owned":"FALSE", "deviceuuid":{"A21CXXXX-..."},...}]
 note over OT, ND
-The OBT verifies the doxm properties match those retrieved before the authenticated connection
-was established. A mismatch in property values is treated as an authentication error.
+The OBT verifies the doxm properties match those retrieved before the authenticated connection was established. A mismatch 
+in property values is treated as an authentication error.
 end note
 
 note over OT, ND
@@ -52,7 +52,7 @@ ND->OT: RSP 2.04
 note over OT, ND
 Onboarding tool posts the device owner ID.
 end note
-OT->ND: POST /oic/sec/doxm[{..., "devowner":"B0B0XXXX-...",...}]
+OT->ND: POST /oic/sec/doxm[{..., "devowneruuid":"B0B0XXXX-...",...}]
 ND->OT: RSP 2.04
 
 note over OT, ND

diff --git a/security/DOXM-RDP.txt b/security/DOXM-RDP.txt
@@ -1,7 +1,7 @@
 /*
 @startuml
 autonumber
-title OIC Device Owner Establishment Sequence \n"Random PIN" Device Owner Transfer Method
+title OCF Device Owner Establishment Sequence \n"Random PIN" Device Owner Transfer Method
 participant "Onboarding Tool\n(UUID B0B0xxxx-...)" as OT
 participant "New Device\n(UUID A21Cxxxx-...)" as ND
 
@@ -51,7 +51,7 @@ ND->OT: RSP 2.04
 note over OT, ND
 Onboarding tool posts the device owner ID.
 end note
-OT->ND: POST /oic/sec/doxm[{..., "devowner":"B0B0XXXX-...",...}]
+OT->ND: POST /oic/sec/doxm[{..., "devowneruuid":"B0B0XXXX-...",...}]
 ND->OT: RSP 2.04
 
 note over OT, ND

diff --git a/security/RFP-RFNO_ClientLed.txt b/security/RFP-RFNO_ClientLed.txt
@@ -1,38 +1,28 @@
-CMS/*
 @startuml
 autonumber
-title OIC Client Led Provisioning\n with a Single Service Provider
+title OCF Client Led Provisioning\n with a Single Service Provider
 participant "Provisioning Tool" as PT
 participant "New Device" as ND
 
 ==Find Devices to Provision==
 note over PT, ND
 New Device is owned and supports client-led provisioning.
 end note
-PT->ND: GET /oic/sec/doxm?Owned="TRUE"
-ND->PT: RSP [{..., "Owned":"FALSE", "DidFormat":"0", "DeviceID":"uuid:A21C-E000-0000-0000",...}]
+PT->ND: GET /oic/sec/doxm?owned="TRUE"
+ND->PT: RSP [{..., "owned":"FALSE",  "deviceuuid":"A21C-E000-0000-0000",...}]
 PT->ND: GET /oic/sec/pstat
-ND->PT: RSP [{..., "Om":"bx0000,0011", ...}]
-
-
-==Provision Services Resources ==
-PT->ND: PUT /oic/sec/svc [{"svcid":"uuidAPS","svct":"oic.sec.aps", "sct":"bx0000,0001", "scid":"1", "ccid":"1", etc...},\n {"svcid":"uuidAMS","svct":"oic.sec.ams", "sct":"bx0000,0001", "scid":"2", "ccid":"2", etc...},\n {Etc...}]
-ND->PT: RSP 2.01
-PT->ND: PUT /oic/sec/pstat [{ ... Cm=bx0011,0000 ...}]
-ND->PT: RSP 2.04
-
+ND->PT: RSP [{..., "om":"bx0000,0011", ...}]
 ==Provision Credential Resources ==
-PT->ND: PUT /oic/sec/cred [{"SubjectID":"uuidAPS", "CredType":"<psk>", "PrivateData":"<psk>", etc...},\n {"SubjectID":"uuidAMS","CredType":"<psk>", "PrivateData":"<psk>", etc...}]
+PT->ND: PUT /oic/sec/cred [{"subjectuuid":"uuidAPS", "credtype":"<psk>", "privatedata":"<psk>", etc...},\n {"subjectuuid":"uuidAMS","credtype":"<psk>", "privatedata":"<psk>", etc...}]
 ND->PT: RSP 2.01
-PT->ND: PUT /oic/sec/pstat [{ ... Cm=bx0010,0000 ...}]
+PT->ND: PUT /oic/sec/pstat [{ ... "cm"="bx0010,0000" ...}]
 ND->PT: RSP 2.04
 
 ==Provision ACL Resources ==
-PT->ND: GET /oic/sec/acl [{"Subject":"uuidD1","Resource":"/a/resource1", "Permission":"_RUD_", "Period":" ", "Recurrence":" ", "Rowner":"oic.sec.aps"},\n {"Subject":"uuidD2","Resource":"/a/resource2", "Permission":"_R___", ...},\n {Etc...}]
+PT->ND: GET /oic/sec/acl ["aclist":{"subjectuuid":"uuidD1","resources":["/a/resource1"], "permission":"_RUD_", "validity":" "}, "rowneruuid":"uuid"},\n "aclist":{"subjectuuid":"uuidD2","resources":["/a/resource2"], permission":"_R___", ...}, {Etc...}]
 ND->PT: RSP 2.01
-PT->ND: PUT /oic/sec/pstat [{ ... "Cm":"bx0000,0000", ... }]
+PT->ND: PUT /oic/sec/pstat [{ ... "om":"bx0000,0000", ... }]
 
 PT<->ND: Close DTLS Session
 
 @enduml
-*/
diff --git a/security/RFP-RFNO_ServerLed.txt b/security/RFP-RFNO_ServerLed.txt
@@ -1,53 +1,63 @@
 /*
 @startuml
 autonumber
-title OIC Server Led Provisioning\n with Multiple Service Providers
-participant "Provisioning Tool" as PT
-participant "New Device" as ND
-participant "Credential Management Service" as CMS
-participant "ACL Provisioning Service" as APS
+title OCF Server Led Provisioning\n with Multiple Service Providers
+participant "Provisioning\n Tool" as PT
+participant "New\n Device" as ND
 
 ==Determine Self-provisioning is needed ==
 note over PT, ND
 Precondition: Device is owned and supports server-led provisioning
 end note
-ND->ND: Verify /oic/sec/doxm.Owned=TRUE
-ND->ND: Verify /oic/sec/doxm.Om=bx0000,0000
-ND->ND: Verify /oic/sec/pstat.Tm=bx0000,0000
-ND->ND: Verify /oic/sec/pstat.Cm=bx0011,1100
+ND->ND: Verify /oic/sec/doxm.owned=TRUE
+ND->ND: Verify /oic/sec/doxm.om=bx0000,0000
+ND->ND: Verify /oic/sec/pstat.tm=bx0000,0000
+ND->ND: Verify /oic/sec/pstat.cm=bx0011,1100
 
 ==Begin Device Led Provisioning - Multiple Provisioning Services ==
 PT<->ND: Open a secure session with Provisioning Tool
-ND->PT: GET /oic/sec/svc
-PT->ND: RSP [{"svcid":"uuidBSS", "svct":"oic.sec.bss", "sct":"bx0000,0001", "scid":"0", "ccid":"0", etc...},\n {"svcid":"uuidAPS","svct":"oic.sec.aps", "sct":"bx0000,0001", "scid":"1", "ccid":"1", etc...},\n {"svcid":"uuidCMS","svct":"oic.sec.CMS", "sct":"bx0000,0001", "scid":"2", "ccid":"2", etc...},\n {"svcid":"uuidAMS","svct":"oic.sec.ams", "sct":"bx0000,0001", "scid":"3", "ccid":"3", etc...}]
 ND->PT: GET /oic/sec/cred
-PT->ND: RSP [{"CredID":"0", "SubjectID":"uuidBSS","RoleID":"","CredType":"1", Etc... },\n {"CredID":"1", "SubjectID":"uuidAPS","RoleID":"","CredType":"1", Etc... },\n {"CredID":"2", "SubjectID":"uuidCMS","RoleID":"","CredType":"1", Etc... },\n {"CredID":"3", "SubjectID":"uuidAMS","RoleID":"","CredType":"1", Etc... }
-ND->ND: /oic/sec/pstat.Cm=bx0011,0000
+PT->ND: RSP [{"credid":"0", "subjectuuid":"uuidBSS","roleid":"","credtype":"1", Etc... },\n {"credid":"1", "subjectuuid":"uuidAPS","roleid":"","credtype":"1", Etc... },\n {"credid":"2", "subjectuuid":"uuidCMS","roleid":"","credtype":"1", Etc... },\n {"credif":"3", "subjectuuid":"uuidAMS","roledid":"","credtype":"1", Etc... }
+ND->ND: /oic/sec/pstat.cm=bx0011,0000
 ND->PT: Close DTLS session
+@enduml
+
+
+@startuml
+autonumber 10
+participant "New\n Device" as ND
+participant "Credential\n Management\n Service" as CMS
 
 ==Obtain Credential Resources for Device Interactions ==
 note over CMS, ND
 New device obtains credentials from its assigned Credential Provisioning Service
 end note
 ND->CMS: Open DTLS session with CMS
 ND->CMS: GET /oic/sec/cred?CredID > 3
-CMS->ND: RSP {"CredID":"4", "SubjectID":"uuidD1","RoleID":"","CredType":"1", Etc... },\n  {"CredID":"5", "1":"uuidD2","RoleID":"", "CredType":"1", Etc... },\n { Etc...}]
-ND->ND: /oic/sec/pstat.Cm=bx0010,0000
+CMS->ND: RSP {"credid":"4", "subjectuuid":"uuidD1","roleid":"","credtype":"1", Etc... },\n  {"credid":"5", "subjectuuid":"uuidD2","roleid":"", "credtype":"1", Etc... },\n { Etc...}]
+ND->ND: /oic/sec/pstat.cm=bx0010,0000
 ND<->CMS: Close DTLS Session
 
+@enduml
+
+@startuml
+autonumber 15
+participant "New\n Device" as ND
+participant "ACL\n Provisioning\n Service" as APS
+
 ==Obtain ACL Resources for Device Interactions ==
 note over APS, ND
 New device obtains ACLs from its assigned ACL Provisioning Service
 end note
 ND->APS: Open DTLS session with APS
 ND->APS: GET /oic/sec/acl
-APS->ND: RSP [{"Subject":"uuidD1","Resource":"/a/resource1", "Permission":"_RUD_", "Period":" ", "Recurrence":" ", "Rowner":"oic.sec.aps"},\n {"Subject":"uuidD2","Resource":"/a/resource2", "Permission":"_R___", ...},\n {Etc...}]
+APS->ND: RSP ["aclist":[{"subjectuuid":"uuidD1","resource":["/a/resource1"], "permission":"_RUD_", "validity":" "}], "rowneruuid":"oic.sec.aps"}],\n "aclist":[{"subjectuuid":"uuidD2","resource":["/a/resource2"], "permission":"_R___", ...}, {Etc...}]
 ND->APS: GET /oic/sec/sacl
-APS->ND: RSP ["Acl":[{"Subject":"uuidD3","Resource":"/a/resource3", "Permission":"_RUD_", "Period":" ", "Recurrence":" ", "Rowner":"oic.sec.aps"},\n {"Subject":"uuidD4","Resource":"/a/resource4", "Permission":"_R___", ...}],\n "Ams":"oic.sec.ams", "Signature":"<SIGNATURE>"]
+APS->ND: RSP ["aclist":[{"subjectuuid":"uuidD3","resource":["/a/resource3"], "permission":"_RUD_", "validity":" "}], "rowneruuid":"oic.sec.aps"},\n "aclist":[{"subjectuuid":"uuidD4","resource":["/a/resource4"], "permission":"_R___", ...}], "signature":"<SIGNATURE>"]
 ND->APS: GET /oic/sec/amacl
-APS->ND: RSP ["Resource":[{"/a/resource5"}, {/a/resource6}, {"/a/resource7"}], "Ams":"oic.sec.ams", "Rowner":"oic.sec.aps"]
-ND->ND: /oic/sec/pstat.Cm=bx0000,0000 
+APS->ND: RSP ["resource":[{"/a/resource5"}, {/a/resource6}, {"/a/resource7"}]]
+ND->ND: /oic/sec/pstat.cm=bx0000,0000 
 ND<->APS: Close DTLS Session
 
 @enduml
-*/
+*/
diff --git a/security/RFP-RFNO_ServerLedS.txt b/security/RFP-RFNO_ServerLedS.txt
@@ -1,40 +1,38 @@
 /*
 @startuml
 autonumber
-title OIC Server Led Provisioning\n with a Single Service Provider
+title OCF Server Led Provisioning\n with a Single Service Provider
 participant "Provisioning Tool" as PT
 participant "New Device" as ND
 
 ==Determine Self-provisioning is needed ==
 note over PT, ND
 Precondition: Device is owned and supports device-led provisioning
 end note
-ND->ND: Verify /oic/sec/doxm.Owned=TRUE
-ND->ND: Verify /oic/sec/doxm.Om=bx0000,0001
-ND->ND: Verify /oic/sec/pstat.Tm=bx0000,0000
-ND->ND: Verify /oic/sec/pstat.Cm=bx0011,1100
+ND->ND: Verify /oic/sec/doxm.owned=TRUE
+ND->ND: Verify /oic/sec/doxm.om=bx0000,0001
+ND->ND: Verify /oic/sec/pstat.tm=bx0000,0000
+ND->ND: Verify /oic/sec/pstat.cm=bx0011,1100
 
 ==Begin Server Led Provisioning - Single Provisioning Service ==
 note over PT, ND
 New device obtains provisioning from provisioning services
 end note
 
 PT<->ND: Open as secure session with Provisioning Tool
-ND->PT: GET /oic/sec/svc
-PT->ND: RSP [{"svcid":"uuidBSS", "svct":"oic.sec.bss", "sct":"bx0000,0001", "scid":"0", "ccid":"0", etc...},\n {"svcid":"uuidAPS","svct":"oic.sec.aps", "sct":"bx0000,0001", "scid":"1", "ccid":"1", etc...},\n {"svcid":"uuidAMS","svct":"oic.sec.ams", "sct":"bx0000,0001", "scid":"2", "ccid":"2", etc...}]
-ND->ND: /oic/sec/pstat.Cm=bx0011,0000
+ND->ND: /oic/sec/pstat.cm=bx0011,0000
 
 ==Obtain Credential Resources for this Device==
 ND->PT: GET /oic/sec/cred
-PT->ND: RSP [{"CredID":"0", "SubjectID":"uuidBSS","RoleID":"","CredType":"1", Etc... },\n {"CredID":"1", "SubjectID":"uuidAPS","RoleID":"","CredType":"1",Etc... },\n {"CredID":"2", "SubjectID":"uuidAMS","RoleID":"","CredType":"1",Etc... },\n {"CredID":"3", "SubjectID":"uuidD1","RoleID":"","CredType":"1",Etc... },\n  {"CredID":"4", "SubjectID":"uuidD2","RoleID":"","CredType":"1",Etc... },\n { Etc...}]
-ND->ND: /oic/sec/pstat.Cm=bx0010,0000
+PT->ND: RSP [{"credid":"0", "subjectuuid":"uuidBSS","roleid":"","credtype":"1", Etc... },\n {"credid":"1", "subjectuuid":"uuidAPS","roleid":"","credtype":"1",Etc... },\n {"credid ":"2", "subjectuuid":"uuidAMS","roleid":"","credtype":"1",Etc... },\n {" credid ":"3", "subjectuuid":"uuidD1","roleid":"","credtype":"1",Etc... },\n  {" credid ":"4", "subjectuuid":"uuidD2","roleid":"","credtype":"1",Etc... },\n { Etc...}]
+ND->ND: /oic/sec/pstat.cm=bx0010,0000
 
 ==Obtain ACL Resources for this Device==
 ND->PT: GET /oic/sec/acl
-PT->ND: RSP [{"Subject":"uuidD1","Resource":"/a/resource1", "Permission":"_RUD_", "Period":" ", "Recurrence":" ", "Rowner":"oic.sec.aps"},\n {"Subject":"uuidD2","Resource":"/a/resource2", "Permission":"_R___", ...},\n {Etc...}]
-ND->ND: /oic/sec/pstat.Cm=bx0000,0000 
+PT->ND: RSP [{"subjectuuid":"uuidD1","resource":["/a/resource1"], "permission":"_RUD_", "validity":" ", "rowneruuid":"oic.sec.aps"},\n {"subjectuuid":"uuidD2","resource":["/a/resource2"], "permission":"_R___", ...},\n {Etc...}]
+ND->ND: /oic/sec/pstat.cm=bx0000,0000 
 
 ND<->PT: Close DTLS Session
 
 @enduml
-*/
+*/
diff --git a/security/ServerDirectedCRLTransfer.txt b/security/ServerDirectedCRLTransfer.txt
@@ -0,0 +1,16 @@
+/*
+@startuml
+autonumber
+title Server-directed CRL Transfer
+participant "Device" as DEV
+participant "Credential\nManagement\nService" as CMS
+note over CMS, DEV
+The Ownership Credential should be used to establish a secure connection.
+end note
+DEV->CMS: GET /oic/sec/crl?tupdate='NULL' or UTCTIME
+CMS->DEV: POST /oic/sec/crl\n [{"crlid":"…",\n "tupdate":"…",\n "crldata": "DER-encoded CRL in base64"
+CMS->DEV: RSP 2.04
+DEV->CMS: UPDATE /oic/sec/pstat [{..., "cm"="bx0010,0000", ...}]
+CMS->DEV: RSP 2.04
+@enduml
+*/