   +--------+         +---------+    +------------+     +------------+
   | Pledge |         | Circuit |    | Domain     |     | Vendor     |
   |        |         | Join    |    | Registrar  |     | Service    |
   |        |         | Proxy   |    |  (JRC)     |     | (MASA)     |
   +--------+         +---------+    +------------+     +------------+
     |                     |                   |           Internet |
   [discover]              |                   |                    |
     |<-RFC 4862 IPv6 addr |                   |                    |
     |<-RFC 3927 IPv4 addr | Appendix A        |  Legend            |
     |-++++++++++++++++++->|                   |  C - Circuit       |
     | optional: mDNS query| Appendix B        |      Join Proxy    |
     | RFCs 6763/6762 (+)  |                   |  P - Provisional TLS|
     |<-++++++++++++++++++-|                   |      Connection    |
     | GRASP M_FLOOD       |                   |                    |
     |   periodic broadcast|                   |                    |
   [identity]              |                   |                    |
     |<------------------->C<----------------->|                    |
     |           TLS via the Join Proxy        |                    |
     |<--Registrar TLS server authentication---|                    |
   [PROVISIONAL accept of server cert]         |                    |
     P---X.509 client authentication---------->|                    |
   [request join]                              |                    |
     P---Voucher-Request(w/nonce for voucher)->|                    |
     P                  /-------------------   |                    |
     P                  |                 [accept device?]          |
     P                  |                 [contact vendor]          |
     P                  |                      |--Pledge ID-------->|
     P                  |                      |--Domain ID-------->|
     P                  |                      |--optional:nonce--->|
     P              optional:                  |     [extract DomainID]
     P        can occur in advance             |     [update audit-log]
     P            if nonceless                 |                    |
     P                  |                      |<- voucher ---------|
     P                  \-------------------   | w/nonce if provided|
     P<------voucher---------------------------|                    |
   [imprint]                                   |                    |
     |-------voucher status telemetry--------->|                    |
     |                                         |<-device audit-log--|
     |                             [verify audit-log and voucher]   |
     |<--------------------------------------->|                    |
   [enroll]                                    |                    |
     | Continue with enrollment using now      |                    |
     | bidirectionally authenticated TLS       |                    |
     | session per RFC 7030.                   |                    |
   [enrolled]                                  |                    |