+--------+         +---------+    +------------+     +------------+
| Pledge |         | Circuit |    | Domain     |     | Vendor     |
|        |         | Join    |    | Registrar  |     | Service    |
|        |         | Proxy   |    |  (JRC)     |     | (MASA)     |
+--------+         +---------+    +------------+     +------------+
  |                     |                   |           Internet |
[discover]              |                   |                    |
  |<-RFC 4862 IPv6 addr |                   |                    |
  |<-RFC 3927 IPv4 addr | Appendix A        |  Legend            |
  |-++++++++++++++++++->|                   | C - Circuit        |
  | optional: mDNS query| Appendix B        |     Join Proxy     |
  | RFCs 6763/6762 (+)  |                   | P - Provisional TLS|
  |<-++++++++++++++++++-|                   |     Connection     |
  | GRASP M_FLOOD       |                   |                    |
  |   periodic broadcast|                   |                    |
[identity]              |                   |                    |
  |<------------------->C<----------------->|                    |
  |         TLS via the Join Proxy          |                    |
  |<--Registrar TLS server authentication---|                    |
[PROVISIONAL accept of server cert]         |                    |
  P---X.509 client authentication---------->|                    |
[request join]                              |                    |
  P---Voucher-Request(w/nonce for voucher)->|                    |
  P                  /-------------------   |                    |
  P                  |                 [accept device?]          |
  P                  |                 [contact vendor]          |
  P                  |                      |--Pledge ID-------->|
  P                  |                      |--Domain ID-------->|
  P                  |                      |--optional:nonce--->|
  P              optional:                  |     [extract DomainID]
  P        can occur in advance             |     [update audit-log]
  P            if nonceless                 |                    |
  P                  |                      |<- voucher ---------|
  P                  \-------------------   | w/nonce if provided|
  P<------voucher---------------------------|                    |
[imprint]                                   |                    |
  |-------voucher status telemetry--------->|                    |
  |                                         |<-device audit-log--|
  |                             [verify audit-log and voucher]   |
  |<--------------------------------------->|                    |
[enroll]                                    |                    |
  | Continue with enrollment using now      |                    |
  | bidirectionally authenticated TLS       |                    |
  | session per RFC 7030.                   |                    |
[enrolled]                                  |                    |