rfc9944xml2.original.xml   rfc9944.xml 
<?xml version="1.0" encoding="UTF-8"?> <?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.29 (Ruby 2.
6.10) -->
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
<!ENTITY RFC7643 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.76
43.xml">
<!ENTITY RFC7644 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.76
44.xml">
<!ENTITY RFC2119 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.21
19.xml">
<!ENTITY RFC8174 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.81
74.xml">
<!ENTITY RFC8520 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.85
20.xml">
<!ENTITY RFC4648 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.46
48.xml">
<!ENTITY RFC5280 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.52
80.xml">
<!ENTITY RFC6241 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.62
41.xml">
<!ENTITY RFC8040 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.80
40.xml">
<!ENTITY RFC7950 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.79
50.xml">
<!ENTITY RFC8995 SYSTEM "https://bib.ietf.org/public/rfc/bibxml/reference.RFC.89
95.xml">
<!ENTITY I-D.ietf-asdf-nipc SYSTEM "https://bib.ietf.org/public/rfc/bibxml3/refe
rence.I-D.ietf-asdf-nipc.xml">
<!ENTITY I-D.brinckman-nipc SYSTEM "https://bib.ietf.org/public/rfc/bibxml3/refe
rence.I-D.brinckman-nipc.xml">
]> ]>
<rfc ipr="trust200902" docName="draft-ietf-scim-device-model-18" category="std" <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs -ietf-scim-device-model-18" number="9944" updates="" obsoletes="" xml:lang="en"
="true"> category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs
<front> ="true" symRefs="true" version="3">
<title abbrev="SCIM Device Schema Extensions">Device Schema Extensions to th
e SCIM model</title> <!-- [rfced] Please note that the title of the document has been updated as
follows:
Abbreviations have been expanded per Section 3.6 of RFC 7322 ("RFC
Style Guide"). Please review.
Original:
Device Schema Extensions to the SCIM model
Current:
Device Schema Extensions to the System for Cross-Domain Identity
Management (SCIM) Model
-->
<front>
<title abbrev="SCIM Device Schema Extensions">Device Schema Extensions to th
e System for Cross-Domain Identity Management (SCIM) Model</title>
<seriesInfo name="RFC" value="9944"/>
<author initials="M." surname="Shahzad" fullname="Muhammad Shahzad"> <author initials="M." surname="Shahzad" fullname="Muhammad Shahzad">
<organization>North Carolina State University</organization> <organization>North Carolina State University</organization>
<address> <address>
<postal> <postal>
<street>Department of Computer Science</street> <street>890 Oval Drive <street>Department of Computer Science</street>
</street> <street>Campus Box 8206</street> <street>890 Oval Drive</street>
<city>Raleigh, NC</city> <street>Campus Box 8206</street>
<city>Raleigh</city><region>NC</region>
<code>27695-8206</code> <code>27695-8206</code>
<country>USA</country> <country>United States of America</country>
</postal> </postal>
<email>mshahza@ncsu.edu</email> <email>mshahza@ncsu.edu</email>
</address> </address>
</author> </author>
<author initials="H." surname="Iqbal" fullname="Hassan Iqbal"> <author initials="H." surname="Iqbal" fullname="Hassan Iqbal">
<organization>North Carolina State University</organization> <organization>North Carolina State University</organization>
<address> <address>
<postal> <postal>
<street>Department of Computer Science</street> <street>890 Oval Drive <street>Department of Computer Science</street>
</street> <street>Campus Box 8206</street> <street>890 Oval Drive</street>
<city>Raleigh, NC</city> <street>Campus Box 8206</street>
<city>Raleigh</city><region>NC</region>
<code>27695-8206</code> <code>27695-8206</code>
<country>USA</country> <country>United States of America</country>
</postal> </postal>
<email>hassaniqbal931@gmail.com</email> <email>hassaniqbal931@gmail.com</email>
</address> </address>
</author> </author>
<author initials="E." surname="Lear" fullname="Eliot Lear"> <author initials="E." surname="Lear" fullname="Eliot Lear">
<organization>Cisco Systems</organization> <organization>Cisco Systems</organization>
<address> <address>
<postal> <postal>
<street>Richtistrasse 7</street> <street>Richtistrasse 7</street>
<city>Wallisellen</city> <city>Wallisellen</city>
<code>CH-8304</code> <code>8304</code>
<country>Switzerland</country> <country>Switzerland</country>
</postal> </postal>
<phone>+41 44 878 9200</phone> <phone>+41 44 878 9200</phone>
<email>lear@cisco.com</email> <email>lear@cisco.com</email>
</address> </address>
</author> </author>
<date year="2026" month="March"/>
<date year="2025" month="September" day="03"/> <area>SEC</area>
<workgroup>scim</workgroup>
<keyword>Internet-Draft</keyword>
<abstract>
<?line 117?> <!-- [rfced] Please insert any keywords (beyond those that appear in
the title) for use on https://www.rfc-editor.org/search. -->
<t>The initial core schema for SCIM (System for Cross-domain Identity <keyword>example</keyword>
Management) was designed for provisioning users. This memo specifies
schema extensions that enables provisioning of devices, using various
underlying bootstrapping systems, such as Wi-fi Easy Connect, FIDO
device onboarding vouchers, BLE passcodes, and MAC authenticated bypass.</t>
<abstract>
<t>The initial core schema for the System for Cross-domain Identity Management
(SCIM) was designed for provisioning users. This memo specifies schema
extensions that enable provisioning of devices using various underlying
bootstrapping systems such as Wi-Fi Easy Connect, FIDO device onboarding
vouchers, Bluetooth Low Energy (BLE) passcodes, and MAC Authenticated Bypass (MA
B).</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<?line 125?> <section anchor="introduction">
<name>Introduction</name>
<section anchor="introduction"><name>Introduction</name> <t>The Internet of Things presents a management challenge in many
dimensions. One of them is the ability to onboard and manage a large
<t>The Internet of Things presents a management challenge in many
dimensions. One of them is the ability to onboard and manage large
number of devices. There are many models for bootstrapping trust number of devices. There are many models for bootstrapping trust
between devices and network deployments. Indeed it is expected that between devices and network deployments. Indeed, it is expected that
different manufacturers will make use of different methods.</t> different manufacturers will make use of different methods.</t>
<t>The System for Cross-domain Identity Management (SCIM) <xref target="RF
<t>SCIM (System for Cross-domain Identity Management) <xref target="RFC7643"/> < C7643"/> <xref target="RFC7644"/>
xref target="RFC7644"/> defines a protocol and a schema for the provisioning of users. However, it
defines a protocol and a schema for provisioning of users. However, it
can easily be extended to provision device credentials and other can easily be extended to provision device credentials and other
attributes into a network. The protocol and core schema were designed attributes into a network. The protocol and core schema were designed
to permit just such extensions. Bulk operations are supported. This is to permit just such extensions. Bulk operations are supported. This is
good because often devices are procured in bulk.</t> good because often devices are procured in bulk.</t>
<t>A primary purpose of this specification is to provision the network
<t>A primary purpose of this specification is to provision the network
for onboarding and communications access to and from devices within a for onboarding and communications access to and from devices within a
local deployment based on the underlying capabilities of those local deployment based on the underlying capabilities of those
devices.</t> devices.</t>
<t>The underlying security mechanisms of some devices range from
<t>The underlying security mechanisms of some devices range from
non-existent such as the Bluetooth Low Energy (BLE) "Just Works" non-existent such as the Bluetooth Low Energy (BLE) "Just Works"
pairing method to a robust FIDO Device Onboard (FDO) mechanism. pairing method to a robust FIDO Device Onboard (FDO) mechanism.
Information from the SCIM server is dispatched to control functions Information from the SCIM server is dispatched to control functions
based on selected schema extensions to enable these communications based on selected schema extensions to enable these communications
within a network. The SCIM database is therefore essentially within a network. The SCIM database is therefore essentially
equivalent to a network's Authentication, Authorization, and equivalent to a network's Authentication, Authorization, and
Accounting (AAA) database, and should be carefully managed as such.</t> Accounting (AAA) database and should be carefully managed as such.</t>
<section anchor="why-scim-for-devices">
<section anchor="why-scim-for-devices"><name>Why SCIM for devices?</name> <name>Why SCIM for Devices?</name>
<t>There are a number of existing models that might provide the basis for <t>There are a number of existing models that might provide the basis fo
r
a scheme for provisioning devices onto a network, including two a scheme for provisioning devices onto a network, including two
standardised by the IETF: NETCONF <xref target="RFC6241"/> or RESTCONF <xref ta rget="RFC8040"/> standardized by the IETF: NETCONF <xref target="RFC6241"/> or RESTCONF <xref tar get="RFC8040"/>
with YANG <xref target="RFC7950"/>. SCIM was chosen for the following reasons:</ t> with YANG <xref target="RFC7950"/>. SCIM was chosen for the following reasons:</ t>
<ul spacing="normal">
<t><list style="symbols"> <li>
<t>NETCONF and RESTCONF focus on <strong>configuration</strong> rather than <t>NETCONF and RESTCONF focus on <strong>configuration</strong> rath
er than
provisioning.</t> provisioning.</t>
<t>SCIM is designed with inter-domain provisioning in mind. </li>
<li>
<t>SCIM is designed with inter-domain provisioning in mind.
The use of HTTP as a substrate permits both user-based authentication The use of HTTP as a substrate permits both user-based authentication
for local provisioning applications, as well as OAUTH or certificate- for local provisioning applications, as well as OAUTH or certificate-
based authentication. The inter-domain nature of these operations based authentication. The inter-domain nature of these operations
does not expose local policy, which itself must be (and often is) does not expose local policy, which itself must be (and often is)
configured with other APIs, many of which are not standardized.</t> configured with other APIs, many of which are not standardized.</t>
<t>SCIM is also a familiar tool within the enterprise enviroment, used </li>
<li>
<t>SCIM is also a familiar tool within the enterprise environment, u
sed
extensively to configure federated user accounts.</t> extensively to configure federated user accounts.</t>
<t>Finally, once one chooses a vehicle such as SCIM, one is beholden </li>
<li>
<t>Finally, once one chooses a vehicle such as SCIM, one is beholden
to its data model. The SCIM data model is more targeted to provisioning to its data model. The SCIM data model is more targeted to provisioning
as articulated in <xref target="RFC7643"/>.</t> as articulated in <xref target="RFC7643"/>.</t>
</list></t> </li>
</ul>
<t>This taken together with the fact that end devices are not intended to <t>This taken together with the fact that end devices are not intended t
be <strong>directly</strong> configured leave us with SCIM as the best standard o
option.</t> be <strong>directly</strong> configured leaves us with SCIM as the best standard
option.</t>
</section> </section>
<section anchor="protocol-participants"><name>Protocol Participants</name> <section anchor="protocol-participants">
<name>Protocol Participants</name>
<t>In the normal SCIM model, it was presumed that large federated <t>In the normal SCIM model, it was presumed that large federated
deployments would be SCIM clients who provision and remove employees deployments would be SCIM clients who provision and remove employees
and contractors as they enter and depart those deployments, and and contractors as they enter and depart those deployments, and
federated services such as sales, payment, or conferencing services federated services such as sales, payment, or conferencing services
would be the servers.</t> would be the servers.</t>
<t>In the device model, the roles are reversed and may be somewhat more
<t>In the device model, the roles are reversed, and may be somewhat more
varied. The SCIM server resides within a deployment and is used for varied. The SCIM server resides within a deployment and is used for
receiving information about devices that are expected to be connected receiving information about devices that are expected to be connected
to its network. That server will apply appropriate local policies to its network. That server will apply appropriate local policies
regarding whether/how the device should be connected.</t> regarding whether/how the device should be connected.</t>
<t>The client may be one of a number of entities:</t>
<t>The client may be one of a number of entities:</t> <ul spacing="normal">
<li>
<t><list style="symbols"> <t>A vendor who is authorized to add devices to a network as part of
<t>A vendor who is authorized to add devices to a network as part of
a sales transaction. This is similar to the sales integration a sales transaction. This is similar to the sales integration
sometimes envisioned by Bootstrapping Remote Key Infrastructure sometimes envisioned by Bootstrapping Remote Secure Key Infrastructure
(BRSKI) <xref target="RFC8995"/>.</t> (BRSKI) <xref target="RFC8995"/>.</t>
<t>A client application that administrators or employees use to add, </li>
remove, or get information about devices. An example might be an <li>
tablet or phone app that scans Wi-fi Easy Connect QR codes.</t> <t>A client application that administrators or employees use to add,
</list></t> remove, or get information about devices. An example might be a
tablet or phone app that scans Wi-Fi Easy Connect QR codes.</t>
<figure title="Basic Architecture - non-IP example" anchor="arch"><artset><artwo </li>
rk type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="304 </ul>
" width="496" viewBox="0 0 496 304" class="diagram" text-anchor="middle" font-fa <figure anchor="arch">
mily="monospace" font-size="13px" stroke-linecap="round"> <name>Basic Architecture - Non-IP Example</name>
<path d="M 8,64 L 8,112" fill="none" stroke="black"/> <artset>
<path d="M 8,176 L 8,224" fill="none" stroke="black"/> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version=
<path d="M 104,64 L 104,112" fill="none" stroke="black"/> "1.1" height="304" width="496" viewBox="0 0 496 304" class="diagram" text-anchor
<path d="M 104,176 L 104,224" fill="none" stroke="black"/> ="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 200,32 L 200,72" fill="none" stroke="black"/> <path d="M 8,64 L 8,112" fill="none" stroke="black"/>
<path d="M 200,128 L 200,256" fill="none" stroke="black"/> <path d="M 8,176 L 8,224" fill="none" stroke="black"/>
<path d="M 224,64 L 224,112" fill="none" stroke="black"/> <path d="M 104,64 L 104,112" fill="none" stroke="black"/>
<path d="M 224,176 L 224,208" fill="none" stroke="black"/> <path d="M 104,176 L 104,224" fill="none" stroke="black"/>
<path d="M 264,120 L 264,168" fill="none" stroke="black"/> <path d="M 200,32 L 200,72" fill="none" stroke="black"/>
<path d="M 304,64 L 304,112" fill="none" stroke="black"/> <path d="M 200,128 L 200,256" fill="none" stroke="black"/>
<path d="M 328,176 L 328,208" fill="none" stroke="black"/> <path d="M 224,64 L 224,112" fill="none" stroke="black"/>
<path d="M 408,176 L 408,208" fill="none" stroke="black"/> <path d="M 224,176 L 224,208" fill="none" stroke="black"/>
<path d="M 472,176 L 472,208" fill="none" stroke="black"/> <path d="M 264,120 L 264,168" fill="none" stroke="black"/>
<path d="M 488,32 L 488,256" fill="none" stroke="black"/> <path d="M 304,64 L 304,112" fill="none" stroke="black"/>
<path d="M 200,32 L 488,32" fill="none" stroke="black"/> <path d="M 328,176 L 328,208" fill="none" stroke="black"/>
<path d="M 8,64 L 104,64" fill="none" stroke="black"/> <path d="M 408,176 L 408,208" fill="none" stroke="black"/>
<path d="M 224,64 L 304,64" fill="none" stroke="black"/> <path d="M 472,176 L 472,208" fill="none" stroke="black"/>
<path d="M 112,80 L 216,80" fill="none" stroke="black"/> <path d="M 488,32 L 488,256" fill="none" stroke="black"/>
<path d="M 112,96 L 216,96" fill="none" stroke="black"/> <path d="M 200,32 L 488,32" fill="none" stroke="black"/>
<path d="M 8,112 L 104,112" fill="none" stroke="black"/> <path d="M 8,64 L 104,64" fill="none" stroke="black"/>
<path d="M 224,112 L 304,112" fill="none" stroke="black"/> <path d="M 224,64 L 304,64" fill="none" stroke="black"/>
<path d="M 8,176 L 104,176" fill="none" stroke="black"/> <path d="M 112,80 L 216,80" fill="none" stroke="black"/>
<path d="M 224,176 L 328,176" fill="none" stroke="black"/> <path d="M 112,96 L 216,96" fill="none" stroke="black"/>
<path d="M 408,176 L 472,176" fill="none" stroke="black"/> <path d="M 8,112 L 104,112" fill="none" stroke="black"/>
<path d="M 224,208 L 328,208" fill="none" stroke="black"/> <path d="M 224,112 L 304,112" fill="none" stroke="black"/>
<path d="M 408,208 L 472,208" fill="none" stroke="black"/> <path d="M 8,176 L 104,176" fill="none" stroke="black"/>
<path d="M 8,224 L 104,224" fill="none" stroke="black"/> <path d="M 224,176 L 328,176" fill="none" stroke="black"/>
<path d="M 200,256 L 488,256" fill="none" stroke="black"/> <path d="M 408,176 L 472,176" fill="none" stroke="black"/>
<polygon class="arrowhead" points="272,168 260,162.4 260,173.6" fill="black" tra <path d="M 224,208 L 328,208" fill="none" stroke="black"/>
nsform="rotate(90,264,168)"/> <path d="M 408,208 L 472,208" fill="none" stroke="black"/>
<polygon class="arrowhead" points="224,80 212,74.4 212,85.6" fill="black" transf <path d="M 8,224 L 104,224" fill="none" stroke="black"/>
orm="rotate(0,216,80)"/> <path d="M 200,256 L 488,256" fill="none" stroke="black"/>
<polygon class="arrowhead" points="120,96 108,90.4 108,101.6" fill="black" trans <polygon class="arrowhead" points="272,168 260,162.4 260,173.6"
form="rotate(180,112,96)"/> fill="black" transform="rotate(90,264,168)"/>
<g class="text"> <polygon class="arrowhead" points="224,80 212,74.4 212,85.6" fil
<text x="160" y="68">Request</text> l="black" transform="rotate(0,216,80)"/>
<text x="60" y="84">onboarding</text> <polygon class="arrowhead" points="120,96 108,90.4 108,101.6" fi
<text x="260" y="84">SCIM</text> ll="black" transform="rotate(180,112,96)"/>
<text x="56" y="100">app</text> <g class="text">
<text x="260" y="100">Server</text> <text x="160" y="68">Request</text>
<text x="140" y="116">Ctrl</text> <text x="60" y="84">Onboarding</text>
<text x="184" y="116">Endpt</text> <text x="260" y="84">SCIM</text>
<text x="296" y="148">(device</text> <text x="56" y="100">App</text>
<text x="352" y="148">info)</text> <text x="260" y="100">Server</text>
<text x="56" y="196">Control</text> <text x="140" y="116">Ctrl</text>
<text x="152" y="196">...........</text> <text x="184" y="116">Endpt</text>
<text x="212" y="196">..</text> <text x="296" y="148">(Device</text>
<text x="272" y="196">ALG</text> <text x="352" y="148">Info)</text>
<text x="368" y="196">.........</text> <text x="56" y="196">Control</text>
<text x="436" y="196">device</text> <text x="152" y="196">...........</text>
<text x="56" y="212">App</text> <text x="212" y="196">..</text>
<text x="296" y="244">Local</text> <text x="272" y="196">ALG</text>
<text x="352" y="244">network</text> <text x="368" y="196">.........</text>
</g> <text x="436" y="196">Device</text>
</svg> <text x="56" y="212">App</text>
</artwork><artwork type="ascii-art"><![CDATA[ <text x="296" y="244">Local</text>
<text x="352" y="244">Network</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art"><![CDATA[
+-----------------------------------+ +-----------------------------------+
| | | |
+-----------+ Request | +---------+ | +-----------+ Request | +---------+ |
| onboarding|------------->| SCIM | | | Onboarding|------------->| SCIM | |
| app |<-------------| Server | | | App |<-------------| Server | |
+-----------+ Ctrl Endpt +---------+ | +-----------+ Ctrl Endpt +---------+ |
| | | | | |
| |(device info) | | |(Device Info) |
| v | | v |
+-----------+ | +------------+ +-------+ | +-----------+ | +------------+ +-------+ |
| Control |...........|..| ALG |.........|device | | | Control |...........|..| ALG |.........|Device | |
| App | | +------------+ +-------+ | | App | | +------------+ +-------+ |
+-----------+ | | +-----------+ | |
| Local network | | Local Network |
+-----------------------------------+ +-----------------------------------+
]]></artwork></artset></figure> ]]></artwork>
</artset>
<t>In <xref target="arch"/>, the onboarding application (app) provides the devic </figure>
e particulars, <t>In <xref target="arch"/>, the onboarding application (app) provides t
he device particulars,
which will vary based on the type of device, as indicated by the which will vary based on the type of device, as indicated by the
selection of schema extensions. As selection of schema extensions. As
part of the response, the SCIM server might provide additional part of the response, the SCIM server might provide additional
information, especially in the case of non-IP devices, where an information, especially in the case of non-IP devices, where an
application-layer gateway may need to be used to communicate with application-layer gateway may need to be used to communicate with
the device (c.f., <xref target="I-D.ietf-asdf-nipc"/>). The control endpoint the device (c.f., <xref target="I-D.ietf-asdf-nipc"/>). The control endpoint
is one among a number of objects is one among a number of objects
that may be returned. That control endpoint will then communicate that may be returned. That control endpoint will then communicate
with the application layer gateway (ALG) to reach the device.</t> with the Application Layer Gateway (ALG) to reach the device.</t>
<figure anchor="arch2">
<figure title="Interaction with AAA" anchor="arch2"><artset><artwork type="svg" <name>Interaction with AAA</name>
><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="272" width="504" <artset>
viewBox="0 0 504 272" class="diagram" text-anchor="middle" font-family="monospac <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version=
e" font-size="13px" stroke-linecap="round"> "1.1" height="272" width="504" viewBox="0 0 504 272" class="diagram" text-anchor
<path d="M 8,64 L 8,112" fill="none" stroke="black"/> ="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,144 L 8,192" fill="none" stroke="black"/> <path d="M 8,64 L 8,112" fill="none" stroke="black"/>
<path d="M 104,64 L 104,112" fill="none" stroke="black"/> <path d="M 8,144 L 8,192" fill="none" stroke="black"/>
<path d="M 104,144 L 104,192" fill="none" stroke="black"/> <path d="M 104,64 L 104,112" fill="none" stroke="black"/>
<path d="M 200,32 L 200,72" fill="none" stroke="black"/> <path d="M 104,144 L 104,192" fill="none" stroke="black"/>
<path d="M 200,128 L 200,224" fill="none" stroke="black"/> <path d="M 200,32 L 200,72" fill="none" stroke="black"/>
<path d="M 224,64 L 224,112" fill="none" stroke="black"/> <path d="M 200,128 L 200,224" fill="none" stroke="black"/>
<path d="M 224,144 L 224,176" fill="none" stroke="black"/> <path d="M 224,64 L 224,112" fill="none" stroke="black"/>
<path d="M 304,64 L 304,112" fill="none" stroke="black"/> <path d="M 224,144 L 224,176" fill="none" stroke="black"/>
<path d="M 328,144 L 328,176" fill="none" stroke="black"/> <path d="M 304,64 L 304,112" fill="none" stroke="black"/>
<path d="M 336,64 L 336,96" fill="none" stroke="black"/> <path d="M 328,144 L 328,176" fill="none" stroke="black"/>
<path d="M 376,64 L 376,96" fill="none" stroke="black"/> <path d="M 336,64 L 336,96" fill="none" stroke="black"/>
<path d="M 408,144 L 408,176" fill="none" stroke="black"/> <path d="M 376,64 L 376,96" fill="none" stroke="black"/>
<path d="M 416,64 L 416,96" fill="none" stroke="black"/> <path d="M 408,144 L 408,176" fill="none" stroke="black"/>
<path d="M 440,104 L 440,136" fill="none" stroke="black"/> <path d="M 416,64 L 416,96" fill="none" stroke="black"/>
<path d="M 472,64 L 472,96" fill="none" stroke="black"/> <path d="M 440,104 L 440,136" fill="none" stroke="black"/>
<path d="M 472,144 L 472,176" fill="none" stroke="black"/> <path d="M 472,64 L 472,96" fill="none" stroke="black"/>
<path d="M 496,32 L 496,224" fill="none" stroke="black"/> <path d="M 472,144 L 472,176" fill="none" stroke="black"/>
<path d="M 200,32 L 496,32" fill="none" stroke="black"/> <path d="M 496,32 L 496,224" fill="none" stroke="black"/>
<path d="M 8,64 L 104,64" fill="none" stroke="black"/> <path d="M 200,32 L 496,32" fill="none" stroke="black"/>
<path d="M 224,64 L 304,64" fill="none" stroke="black"/> <path d="M 8,64 L 104,64" fill="none" stroke="black"/>
<path d="M 336,64 L 376,64" fill="none" stroke="black"/> <path d="M 224,64 L 304,64" fill="none" stroke="black"/>
<path d="M 416,64 L 472,64" fill="none" stroke="black"/> <path d="M 336,64 L 376,64" fill="none" stroke="black"/>
<path d="M 112,80 L 216,80" fill="none" stroke="black"/> <path d="M 416,64 L 472,64" fill="none" stroke="black"/>
<path d="M 312,80 L 328,80" fill="none" stroke="black"/> <path d="M 112,80 L 216,80" fill="none" stroke="black"/>
<path d="M 384,80 L 408,80" fill="none" stroke="black"/> <path d="M 312,80 L 328,80" fill="none" stroke="black"/>
<path d="M 112,96 L 216,96" fill="none" stroke="black"/> <path d="M 384,80 L 408,80" fill="none" stroke="black"/>
<path d="M 336,96 L 376,96" fill="none" stroke="black"/> <path d="M 112,96 L 216,96" fill="none" stroke="black"/>
<path d="M 416,96 L 472,96" fill="none" stroke="black"/> <path d="M 336,96 L 376,96" fill="none" stroke="black"/>
<path d="M 8,112 L 104,112" fill="none" stroke="black"/> <path d="M 416,96 L 472,96" fill="none" stroke="black"/>
<path d="M 224,112 L 304,112" fill="none" stroke="black"/> <path d="M 8,112 L 104,112" fill="none" stroke="black"/>
<path d="M 8,144 L 104,144" fill="none" stroke="black"/> <path d="M 224,112 L 304,112" fill="none" stroke="black"/>
<path d="M 224,144 L 328,144" fill="none" stroke="black"/> <path d="M 8,144 L 104,144" fill="none" stroke="black"/>
<path d="M 408,144 L 472,144" fill="none" stroke="black"/> <path d="M 224,144 L 328,144" fill="none" stroke="black"/>
<path d="M 224,176 L 328,176" fill="none" stroke="black"/> <path d="M 408,144 L 472,144" fill="none" stroke="black"/>
<path d="M 408,176 L 472,176" fill="none" stroke="black"/> <path d="M 224,176 L 328,176" fill="none" stroke="black"/>
<path d="M 8,192 L 104,192" fill="none" stroke="black"/> <path d="M 408,176 L 472,176" fill="none" stroke="black"/>
<path d="M 200,224 L 496,224" fill="none" stroke="black"/> <path d="M 8,192 L 104,192" fill="none" stroke="black"/>
<polygon class="arrowhead" points="416,80 404,74.4 404,85.6" fill="black" transf <path d="M 200,224 L 496,224" fill="none" stroke="black"/>
orm="rotate(0,408,80)"/> <polygon class="arrowhead" points="416,80 404,74.4 404,85.6" fil
<polygon class="arrowhead" points="392,80 380,74.4 380,85.6" fill="black" transf l="black" transform="rotate(0,408,80)"/>
orm="rotate(180,384,80)"/> <polygon class="arrowhead" points="392,80 380,74.4 380,85.6" fil
<polygon class="arrowhead" points="336,80 324,74.4 324,85.6" fill="black" transf l="black" transform="rotate(180,384,80)"/>
orm="rotate(0,328,80)"/> <polygon class="arrowhead" points="336,80 324,74.4 324,85.6" fil
<polygon class="arrowhead" points="224,80 212,74.4 212,85.6" fill="black" transf l="black" transform="rotate(0,328,80)"/>
orm="rotate(0,216,80)"/> <polygon class="arrowhead" points="224,80 212,74.4 212,85.6" fil
<polygon class="arrowhead" points="120,96 108,90.4 108,101.6" fill="black" trans l="black" transform="rotate(0,216,80)"/>
form="rotate(180,112,96)"/> <polygon class="arrowhead" points="120,96 108,90.4 108,101.6" fi
<g class="text"> ll="black" transform="rotate(180,112,96)"/>
<text x="160" y="68">Request</text> <g class="text">
<text x="60" y="84">onboarding</text> <text x="160" y="68">Request</text>
<text x="260" y="84">SCIM</text> <text x="60" y="84">Onboarding</text>
<text x="360" y="84">AAA</text> <text x="260" y="84">SCIM</text>
<text x="444" y="84">switch</text> <text x="360" y="84">AAA</text>
<text x="56" y="100">app</text> <text x="444" y="84">Switch</text>
<text x="260" y="100">Server</text> <text x="56" y="100">App</text>
<text x="140" y="116">Ctrl</text> <text x="260" y="100">Server</text>
<text x="184" y="116">Endpt</text> <text x="140" y="116">Ctrl</text>
<text x="56" y="164">Control</text> <text x="184" y="116">Endpt</text>
<text x="152" y="164">...........</text> <text x="56" y="164">Control</text>
<text x="212" y="164">..</text> <text x="152" y="164">...........</text>
<text x="272" y="164">router/fw</text> <text x="212" y="164">..</text>
<text x="368" y="164">.........</text> <text x="272" y="164">Router/fw</text>
<text x="436" y="164">device</text> <text x="368" y="164">.........</text>
<text x="56" y="180">App</text> <text x="436" y="164">Device</text>
<text x="304" y="212">Local</text> <text x="56" y="180">App</text>
<text x="360" y="212">network</text> <text x="304" y="212">Local</text>
</g> <text x="360" y="212">Network</text>
</svg> </g>
</artwork><artwork type="ascii-art"><![CDATA[ </svg>
</artwork>
<artwork type="ascii-art"><![CDATA[
+------------------------------------+ +------------------------------------+
| | | |
+-----------+ Request | +---------+ +----+ +------+ | +-----------+ Request | +---------+ +----+ +------+ |
| onboarding|------------->| SCIM |-->| AAA|<-->|switch| | | Onboarding|------------->| SCIM |-->| AAA|<-->|Switch| |
| app |<-------------| Server | +----+ +------+ | | App |<-------------| Server | +----+ +------+ |
+-----------+ Ctrl Endpt +---------+ | | +-----------+ Ctrl Endpt +---------+ | |
| | | | | |
+-----------+ | +------------+ +-------+ | +-----------+ | +------------+ +-------+ |
| Control |...........|..| router/fw |.........|device | | | Control |...........|..| Router/fw |.........|Device | |
| App | | +------------+ +-------+ | | App | | +------------+ +-------+ |
+-----------+ | | +-----------+ | |
| Local network | | Local Network |
+------------------------------------+ +------------------------------------+
]]></artwork>
]]></artwork></artset></figure> </artset>
</figure>
<t><xref target="arch2"/> shows how IP-based endpoints can be provisioned. In t <t><xref target="arch2"/> shows how IP-based endpoints can be provisione
his d. In this
case, the onboarding application provisions a device via SCIM. The necessary case, the onboarding application provisions a device via SCIM. The necessary
information is passed to the Authentication, Authorization, and Accounting information is passed to the Authentication, Authorization, and Accounting
(AAA) subsystem, such that the device is (AAA) subsystem, such that the device is
permitted to connect. Once it is online, since the device is based permitted to connect. Once it is online, since the device is based
on IP, it will not need an ALG, but will use the normal IP on IP, it will not need an ALG, but it will use the normal IP
infrastructure to communicate with its control application.</t> infrastructure to communicate with its control application.</t>
</section>
<section anchor="schema-description">
<name>Schema Description</name>
</section> <!-- [rfced] In the text below, we have updated "JSON Schema" to "JSON Schemas"
<section anchor="schema-description"><name>Schema Description</name> (plural)
and "OpenAPI" to "OpenAPI versions" (for consistency with the first sentence).
Please review to confirm these changes are accurate.
<t>RFC 7643 does not prescribe a language to describe a schema, but instead Original:
uses narrative description with examples. We follow that approach.
In addition, we provide non-normative JSON Schema In addition, we provide non-normative JSON Schema [JSONSchema] and OpenAPI
[OpenAPI] versions in the appendices for ease of implementation, neither of
which existed when SCIM was originally developed. The only difference the
authors note between the normative schema representations is that JSON
Schema and OpenAPI do not have a means to express...
Current:
In addition, we provide non-normative JSON Schemas [JSONSchema] and OpenAPI
[OpenAPI] versions in the appendices for ease of implementation, neither of
which existed when SCIM was originally developed. The only difference the
authors note between the normative schema representations is that the JSON
Schemas and OpenAPI versions do not have a means to express...
-->
<t><xref target="RFC7643"/> does not prescribe a language to describe a
schema but instead
uses a narrative description with examples. We follow that approach.
In addition, we provide non-normative JSON Schemas
<xref target="JSONSchema"/> and OpenAPI <xref target="OpenAPI"/> versions in the appendices for <xref target="JSONSchema"/> and OpenAPI <xref target="OpenAPI"/> versions in the appendices for
ease of implementation, neither of which existed when SCIM was originally ease of implementation, neither of which existed when SCIM was originally
developed. The only difference the authors note developed. The only difference the authors note
between the normative schema representations is that JSON Schema and OpenAPI between the normative schema representations is that the JSON Schemas and OpenAP I versions
do not have a means to express case sensitivity, and thus attributes that do not have a means to express case sensitivity, and thus attributes that
are not case sensitive must be manually validated.</t> are not case sensitive must be manually validated.</t>
<t>Several additional schemas specify specific onboarding mechanisms,
<t>Several additional schemas specify specific onboarding mechanisms, such as Bluetooth Low Energy (BLE) <xref target="BLE54"/>, Wi-Fi Easy Connect <x
such as Bluetooth Low energy (BLE) <xref target="BLE54"/>, Wi-fi Easy Connect <x ref target="DPP2"/>,
ref target="DPP2"/>,
and FIDO Device Onboard <xref target="FDO11"/>.</t> and FIDO Device Onboard <xref target="FDO11"/>.</t>
</section>
<section anchor="schema-representation">
<name>Schema Representation</name>
</section> <!-- [rfced] Could the citations below be updated as follows for clarity?
<section anchor="schema-representation"><name>Schema Representation</name> We ask because it appears that attribute characteristics are defined
in Section 2.2 of RFC 7643, and that attribute datatypes are defined
in Section 2.3 of RFC 7643.
<t>Attributes defined in the device core schema and extensions comprise Original:
characteristics and SCIM datatypes defined in Sections 2.2 and 2.3 of
<xref target="RFC7643"/>. This specification does not define new
characteristics and datatypes for the SCIM attributes.</t>
</section> Attributes defined in the device core schema and extensions comprise
<section anchor="terminology"><name>Terminology</name> characteristics and SCIM datatypes defined in Sections 2.2 and 2.3 of
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL [RFC7643].
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and
only when, they
appear in all capitals, as shown here.</t>
<t>The reader is also expected to be familiar with the narrative schema Perhaps:
language used in <xref target="RFC7643"/>.</t>
</section> Attributes defined in the device core schema (see Section 2.2 of
</section> [RFC7643]) and extensions comprise characteristics and the SCIM datatypes
<section anchor="resourcetype-device"><name>ResourceType Device</name> (defined in Section 2.3 of [RFC7643]).
<t>A new resource type 'Device' is specified. The "ResourceType" schema -->
specifies the metadata about a resource type (see Section 6 of <t>Attributes defined in the device core schema and extensions comprise
<xref target="RFC7643"/>). It comprises a core device schema and several characteristics and SCIM datatypes defined in Sections <xref target="RFC7643" se
ctionFormat="bare" section="2.2"/> and <xref target="RFC7643" sectionFormat="bar
e" section="2.3"/> of
<xref target="RFC7643"/>. This specification does not define new
characteristics and datatypes for the SCIM attributes.</t>
</section>
<section anchor="terminology">
<name>Terminology</name>
<t>
The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>
",
"<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
be
interpreted as described in BCP&nbsp;14 <xref target="RFC2119"/> <xref
target="RFC8174"/> when, and only when, they appear in all capitals, as
shown here.
</t>
<t>The reader is also expected to be familiar with the narrative schema
language used in <xref target="RFC7643"/>.</t>
</section>
</section>
<section anchor="resourcetype-device">
<name>ResourceType Device</name>
<t>A new resource type 'Device' is specified. The "ResourceType" schema
specifies the metadata about a resource type (see
<xref target="RFC7643" section="6"/>). It comprises a core device schema and se
veral
extension schemas. This schema provides a minimal resource extension schemas. This schema provides a minimal resource
representation, whereas extension schemas extend it representation, whereas extension schemas extend it
depending on the device's capability.</t> depending on the device's capability.</t>
<section anchor="commonatts">
<section anchor="commonatts"><name>Common Attributes</name> <name>Common Attributes</name>
<t>The Device schema contains three common attributes as defined in
<t>The Device schema contains three common attributes as defined in Section <xref target="RFC7643" section="3.1"/>. No semantic or syntax changes are made
3.1 of <xref target="RFC7643"/>. No semantic or syntax changes are made here, b here, but the
ut the
attributes are listed merely for completeness.</t> attributes are listed merely for completeness.</t>
<dl>
<dl> <dt>id:</dt>
<dt>id:</dt> <dd>
<dd> <t>A required and unique attribute of the core device schema
<t>A required and unique attribute of the core device schema (see <xref target="RFC7643" section="3.1"/>).</t>
(see section 3.1 of <xref target="RFC7643"/>).</t> </dd>
</dd> <dt>externalId:</dt>
<dt>externalId:</dt> <dd>
<dd> <t>An optional attribute (see <xref target="RFC7643" section="3.1"/>
<t>An optional attribute (see section 3.1 of <xref target="RFC7643"/>).</t> ).</t>
</dd> </dd>
<dt>meta:</dt> <dt>meta:</dt>
<dd> <dd>
<t>A complex attribute and is required (see section 3.1 of <xref target="RFC <t>A required and complex attribute (see <xref target="RFC7643" sect
7643"/>).</t> ion="3.1"/>).</t>
</dd> </dd>
</dl> </dl>
</section>
</section> </section>
</section> <section anchor="scim-core-device-schema">
<section anchor="scim-core-device-schema"><name>SCIM Core Device Schema</name> <name>SCIM Core Device Schema</name>
<t>The core device schema provides the minimal representation of a
<t>The core device schema provides the minimal representation of a
resource "Device". It contains only those attributes that any device resource "Device". It contains only those attributes that any device
may need, and only one attribute is required. It is identified using the may need, and only one attribute is required. It is identified using the
schema URI:</t> schema URI:</t>
<t>urn:ietf:params:scim:schemas:core:2.0:Device</t>
<t>The following attributes are defined in the core device schema.</t>
<t>"urn:ietf:params:scim:schemas:core:2.0:Device".</t> <section anchor="singular-attributes">
<name>Singular Attributes</name>
<dl>
<dt>displayName:</dt>
<dd>
<t>A string that provides a human-readable name
for a device. It is intended to be displayed to end users and should be
suitable for that purpose. The attribute is not required and is not
case sensitive. It may be modified and <bcp14>SHOULD</bcp14> be returned
by default. No uniqueness constraints are imposed on this attribute.</t>
</dd>
<!-- [rfced] For clarity, may we update the text below as follows? Note that
this update is similar to text that appears in Appendix A.2.
<t>The following attributes are defined in the core device schema.</t> Original:
<section anchor="singular-attributes"><name>Singular Attributes</name> For example, when used in conjunction with NIPC [I-D.brinckman-nipc],
commands such as connect, disconnect, subscribe that control application
sends to the controller for the devices any command will be rejected by
the controller.
<dl> Perhaps:
<dt>displayName:</dt>
<dd> For example, when used in conjunction with Non-IP Device Control (NIPC) [N
<t>A string that provides a human-readable name IPC],
for a device. It is intended to be displayed to end-users and should be commands (such as connect, disconnect, and subscribe) that control applica
suitable for that purpose. The attribute is not required, and is not tion
case-sensitive. It may be modified and SHOULD be returned sends to the controller for devices will be rejected by the controller.
by default. No uniqueness constraints are imposed on this attribute.</t>
</dd> -->
<dt>active:</dt> <dt>active:</dt>
<dd> <dd>
<t>A mutable boolean that is required. If set to TRUE, it means that this de <t>A mutable boolean that is required. If set to TRUE, it means that
vice this device
is intended to be operational. Attempts to control or access a device is intended to be operational. Attempts to control or access a device
where this value is set to FALSE may fail. For example, when used in where this value is set to FALSE may fail. For example, when used in
conjunction with NIPC <xref target="I-D.brinckman-nipc"/>, commands such as conjunction with Non-IP Device Control (NIPC) <xref target="I-D.brinckman-nipc"
connect, disconnect, subscribe that control application sends to the />, commands such as
connect, disconnect, and subscribe that control application sends to the
controller for the devices any command will be rejected by the controller.</t> controller for the devices any command will be rejected by the controller.</t>
</dd> </dd>
<dt>mudUrl:</dt>
<dd> <!-- [rfced] To make this definition more concise, may we combine the second
<t>A string that represents the URL to the Manufacturer Usage Description and fifth sentences as follows?
Original:
mudUrl: A string that represents the URL to the Manufacturer Usage
Description (MUD) file associated with this device. This
attribute is optional and mutable.
The mudUrl value is case sensitive and not unique.
When present, this attribute may be used as described in [RFC8520].
This attribute is case sensitive and returned by default.
Perhaps:
mudUrl: A string that represents the URL to the Manufacturer Usage
Description (MUD) file associated with this device. This
attribute is optional, case sensitive, mutable, and returned by default.
When present, this attribute may be used as described in [RFC8520].
The mudUrl value is case sensitive and not unique.
-->
<dt>mudUrl:</dt>
<dd>
<t>A string that represents the URL to the Manufacturer Usage Descri
ption
(MUD) file associated with this device. This attribute is optional and mutable. (MUD) file associated with this device. This attribute is optional and mutable.
The mudUrl value is case sensitive and not unique. When present, this attribute The mudUrl value is case sensitive and not unique. When present, this attribute
may be used as described in <xref target="RFC8520"/>. This attribute is case may be used as described in <xref target="RFC8520"/>. This attribute is case
sensitive and returned by default.</t> sensitive and returned by default.</t>
</dd> </dd>
<dt>groups:</dt> <dt>groups:</dt>
<dd> <dd>
<t>An optional read-only complex object that indicates group membership. It <t>An optional read-only complex object that indicates group members
s hip. Its
form is precisely the same as that defined in <xref section="4.1.2" sectionForma t="of" target="RFC7643"/>.</t> form is precisely the same as that defined in <xref section="4.1.2" sectionForma t="of" target="RFC7643"/>.</t>
</dd> </dd>
</dl> </dl>
<table anchor="tabDevice">
<name>Characteristics of Device Schema Attributes</name>
<thead>
<tr>
<th align="left">Attribute</th>
<th align="left">Multi Value</th>
<th align="left">Req</th>
<th align="left">Case Exact</th>
<th align="left">Mutable</th>
<th align="left">Return</th>
<th align="left">Unique</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">displayName</td>
<td align="left">F</td>
<td align="left">F</td>
<td align="left">F</td>
<td align="left">RW</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
<tr>
<td align="left">active</td>
<td align="left">F</td>
<td align="left">T</td>
<td align="left">F</td>
<td align="left">RW</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
<tr>
<td align="left">mudUrl</td>
<td align="left">F</td>
<td align="left">F</td>
<td align="left">T</td>
<td align="left">RW</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
<tr>
<td align="left">groups</td>
<td align="left">T</td>
<td align="left">F</td>
<td align="left">T</td>
<td align="left">RO</td>
<td align="left">Def</td>
<td align="left">n/a</td>
</tr>
</tbody>
</table>
<!-- [rfced] Please review the following questions regarding the notation used
in Tables 1 through 8:
<texttable title="Characteristics of device schema attributes. (Req = Required, a) We note different notation used for "ReadOnly" in
T = True, F = False, RO = ReadOnly, RW = ReadWrite, and Def = Default)" anchor=" these tables ("R" vs. "RO"). Please review and let us know
tabDevice"> which form you prefer so we may update for consistency:
<ttcol align='left'>Attribute</ttcol>
<ttcol align='left'>Multi Value</ttcol>
<ttcol align='left'>Req</ttcol>
<ttcol align='left'>Case Exact</ttcol>
<ttcol align='left'>Mutable</ttcol>
<ttcol align='left'>Return</ttcol>
<ttcol align='left'>Unique</ttcol>
<c>displayName</c>
<c>F</c>
<c>F</c>
<c>F</c>
<c>RW</c>
<c>Def</c>
<c>None</c>
<c>active</c>
<c>F</c>
<c>T</c>
<c>F</c>
<c>RW</c>
<c>Def</c>
<c>None</c>
<c>mudUrl</c>
<c>F</c>
<c>F</c>
<c>T</c>
<c>RW</c>
<c>Def</c>
<c>None</c>
<c>groups</c>
<c>T</c>
<c>F</c>
<c>T</c>
<c>RO</c>
<c>Def</c>
<c>n/a</c>
</texttable>
<figure title="Core Device Example Entries" anchor="coreExample"><artwork><![CDA R: ReadOnly
TA[ RO: ReadOnly
<CODE BEGINS>
b) We note these notations also appear with and without a space. Please review
and let us know how to update for consistency:
WO: Write Only
WO: WriteOnly
c) We note that "Manuf" is not included in Table 2. May we remove it from the
legend listed directly after the table?
Manuf: Manufacturer
-->
<t>Legend:</t>
<dl spacing="compact" newline="false">
<dt>Req:</dt><dd>Required</dd>
<dt>T:</dt><dd>True</dd>
<dt>F:</dt><dd>False</dd>
<dt>RO:</dt><dd>ReadOnly</dd>
<dt>RW:</dt><dd>ReadWrite</dd>
<dt>Def:</dt><dd>Default</dd>
</dl>
<figure anchor="coreExample">
<name>Core Device Example Entries</name>
<sourcecode markers="true"><![CDATA[
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device"], "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor", "displayName": "BLE Heart Monitor",
"active": true, "active": true,
"meta": { "meta": {
"resourceType": "Device", "resourceType": "Device",
"created": "2022-01-23T04:56:22Z", "created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z", "lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"", "version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f "location": "https://example.com/v2/Devices/e9e30dba-f08f
-4109-8486-d5c6a3316111" -4109-8486-d5c6a3316111"
} }
} }]]></sourcecode>
<CODE ENDS> </figure>
]]></artwork></figure> </section>
</section>
</section> <section anchor="groups">
</section> <name>Groups</name>
<section anchor="groups"><name>Groups</name> <t>Device and EndpointApp groups are created using the SCIM groups as defi
ned
<t>Device and EndpointApp groups are created using the SCIM groups as defined
in <xref section="4.2" sectionFormat="of" target="RFC7643"/>. If set, the "type " subattribute in <xref section="4.2" sectionFormat="of" target="RFC7643"/>. If set, the "type " subattribute
of the "members" attribute MUST be set to "Device" for devices and of the "members" attribute <bcp14>MUST</bcp14> be set to "Device" for devices an d
"EndpointApp" for endpoint applications.</t> "EndpointApp" for endpoint applications.</t>
</section>
</section> <section anchor="resource-type-endpointapp">
<section anchor="resource-type-endpointapp"><name>Resource Type EndpointApp</nam <name>Resource Type EndpointApp</name>
e> <t>This section defines the 'EndpointApp' resource type. The
<t>This section defines the 'EndpointApp' resource type. The
"ResourceType" schema specifies the metadata about a resource type "ResourceType" schema specifies the metadata about a resource type
(see Section 6 of <xref target="RFC7643"/>). The resource "EndpointApp" represen ts (see <xref target="RFC7643" section="6"/>). The resource "EndpointApp" represent s
client applications that can control and/or receive data from the client applications that can control and/or receive data from the
devices.</t> devices.</t>
</section>
</section> <section anchor="endpointapp-schema">
<section anchor="endpointapp-schema"><name>SCIM EndpointApp Schema</name> <name>SCIM EndpointApp Schema</name>
<t>The EndpointApp schema is used to authorize control
<t>The EndpointApp schema is used to authorize control
or telemetry services for clients. The schema identifies the application or telemetry services for clients. The schema identifies the application
and how clients are to authenticate to the various services.</t> and how clients are to authenticate to the various services.</t>
<t>The schema for "EndpointApp" is identified using the schema URI:</t>
<t>urn:ietf:params:scim:schemas:core:2.0:EndpointApp</t>
<t>The following attributes are defined in this schema.</t>
<section anchor="common-attributes">
<name>Common Attributes</name>
<t>Like <xref target="commonatts"/>, the EndpointApp schema contains the
three common
attributes specified in <xref target="RFC7643" section="3.1"/>.</t>
</section>
<section anchor="singular-attributes-1">
<name>Singular Attributes</name>
<dl>
<dt>applicationType:</dt>
<dd>
<t>A string that represents the type of
application. It will only contain two values: 'deviceControl'
or 'telemetry'. deviceControl is the application that sends commands
to control the device. telemetry is the application that receives
data from the device. The attribute is required and is not
case sensitive. The attribute is readOnly and should be returned
by default. No uniqueness constraints are imposed on this attribute.</t>
</dd>
<dt>applicationName:</dt>
<dd>
<t>A string that represents a
human-readable name for the application. This attribute is required and
mutable. The attribute should be returned by default and there is no
uniqueness constraint on the attribute.</t>
</dd>
<t>The schema for "EndpointApp" is identified using the schema URI: <!-- [rfced] May we adjust these definitions below in order to clarify what
"urn:ietf:params:scim:schemas:core:2.0:EndpointApp". The following list items "not" refers to?
attributes are defined in this schema.</t>
<section anchor="common-attributes"><name>Common Attributes</name> Original:
<t>Like <xref target="commonatts"/> The EndpointApp schema contains the three co It is not mutable, read-only, generated if no certificateInfo
mmon object is provisioned, case sensitive and returned by default if it exists.
attributes specified in Section 3.1 <xref target="RFC7643"/>.</t> ...
This attribute is not required, mutable, singular and NOT case
sensitive.
...
It is not required, multivalued, mutable, and returned by default.
</section> Perhaps:
<section anchor="singular-attributes-1"><name>Singular Attributes</name>
<dl> It is not mutable. It is read only, case sensitive, and generated if no certi
<dt>applicationType:</dt> ficateInfo
<dd> object is provisioned. It is returned by default if it exists.
<t>A string that represents the type of ...
application. It will only contain two values; 'deviceControl' This attribute is not required and not case sensitive. It is mutable and sing
or 'telemetry'. 'deviceControl' is the application that sends commands ular.
to control the device. 'telemetry' is the application that receives ...
data from the device. The attribute is required, and is not It is not required. It is multivalued, mutable, and returned by default.
case-sensitive. The attribute is readOnly and should be returned
by default. No uniqueness constraints are imposed on this attribute.</t> -->
</dd>
<dt>applicationName:</dt> <dt>clientToken:</dt>
<dd> <dd>
<t>a string that represents a <t>A string that contains a token that the client will use
human readable name for the application. This attribute is required and
mutable. The attribute should be returned by default and there is no
uniqueness contraint on the attribute.</t>
</dd>
<dt>clientToken:</dt>
<dd>
<t>A string contains a token that the client will use
to authenticate itself. Each token may be a string up to 500 to authenticate itself. Each token may be a string up to 500
characters in length. It is not mutable, read-only, generated if characters in length. It is not mutable, read only, generated if
no certificateInfo object is provisioned, case sensitive and returned no certificateInfo object is provisioned, case sensitive, and returned
by default if it exists. The SCIM server should expect that client by default if it exists. The SCIM server should expect that client
tokens will be shared by the SCIM client with other components within tokens will be shared by the SCIM client with other components within
the client's infrastructure. the client's infrastructure.</t>
groups:</t> </dd>
</dd> <dt>groups:</dt>
<dt/> <dd>
<dd> <t>An optional read-only complex object that indicates group members
<t>An optional read-only complex object that indicates group membership. It hip. Its
s
form is precisely the same as that defined in <xref section="4.1.2" sectionForma t="of" target="RFC7643"/>.</t> form is precisely the same as that defined in <xref section="4.1.2" sectionForma t="of" target="RFC7643"/>.</t>
</dd> </dd>
</dl> </dl>
</section>
<section anchor="complex-attributes">
<name>Complex Attributes</name>
<section anchor="certificateinfo">
<name>certificateInfo</name>
<t>certificateInfo is a complex attribute that contains an X.509 certi
ficate's subject
name and root Certificate Authority (CA) information associated with application
clients that
will connect for purposes of device control or telemetry.</t>
<dl>
<!-- [rfced] How may we clarify "a trust anchor certificate" in the first senten
ce
below? In addition, may we adjust the second sentence as follows, in order to
clarify what list items "not" refers to?
</section> Original:
<section anchor="complex-attributes"><name>Complex Attributes</name>
<section anchor="certificateinfo"><name>certificateInfo</name> rootCA: A base64-encoded string as described in [RFC4648] Section 4
a trust anchor certificate. This trust anchor is applicable for
certificates used for client application access.
The object is not required, singular, case sensitive, and read/write.
<t>certificateInfo is a complex attribute that contains x509 certificate's subje Perhaps:
ct
name and root CA information associated with application clients that
will connect for purposes of device control or telemetry.</t>
<dl> rootCA: A base64-encoded string as described in Section 4 of
<dt>rootCA:</dt> [RFC4648]. It is a trust anchor certificate applicable for
<dd> certificates used for client application access.
<t>A base64-encoded string as The object is not required. It is singular, case sensitive, and read/write
described in <xref target="RFC4648"/> Section 4 a trust anchor certificate. .
-->
<dt>rootCA:</dt>
<dd>
<t>A base64-encoded string as
described in <xref target="RFC4648" section="4"/> a trust anchor certificate.
This trust anchor is applicable This trust anchor is applicable
for certificates used for client application access. The object for certificates used for client application access. The object
is not required, singular, case sensitive, and read/write. If not is not required, singular, case sensitive, and read/write. If not
present, a set of trust anchors MUST be configured out of band.</t> present, a set of trust anchors <bcp14>MUST</bcp14> be configured out of band.<
</dd> /t>
<dt>subjectName:</dt> </dd>
<dd> <dt>subjectName:</dt>
<t>when present, a string taht contains one of two one of two names: <dd>
</t> <t>When present, a string that contains one of two names:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>
<t>a distinguished name as that will be present in the certificate <t>a distinguished name that will be present in the certificat
subject field, as described in Section 4.1.2.4 of <xref target="RFC5280"/>; or</ e
t> subject field, as described in <xref target="RFC5280" section="4.1.2.4"/> or</t>
<t>or a dnsName as part of a subjectAlternateName as described in </li>
Section 4.2.1.6 of <xref target="RFC5280"/>.</t> <li>
</list></t> <t>a dnsName as part of a subjectAlternateName, as described i
n
<t>In the latter case, servers validating such certificates SHALL reject <xref target="RFC5280" section="4.2.1.6"/>.</t>
connections when name of the peer as resolved by a DNS reverse lookup </li>
</ul>
<t>In the latter case, servers validating such certificates <bcp14
>SHALL</bcp14> reject
connections when the name of the peer as resolved by a DNS reverse lookup
does not match the dnsName in the certificate. If multiple dnsNames does not match the dnsName in the certificate. If multiple dnsNames
are present, it is left to server implementations to address any are present, it is left to server implementations to address any
authorization conflicts associated with those names. This attribute authorization conflicts associated with those names. This attribute
is not required, mutable, singular and NOT case sensitive.</t> is not required, mutable, singular, and NOT case sensitive.</t>
</dd> </dd>
</dl> </dl>
<table anchor="tabEndpointApp">
<texttable title="Characteristics of EndpointApp schema attributes. <name>Characteristics of EndpointApp Schema Attributes</name>
(Req = Required, T = True, F = False, R = ReadOnly, RW = ReadWrite, <thead>
Manuf = Manufacturer, N = No, and Def = Default)" anchor="tabEndpointApp"> <tr>
<ttcol align='left'>Attribute</ttcol> <th align="left">Attribute</th>
<ttcol align='left'>Multi Value</ttcol> <th align="left">Multi Value</th>
<ttcol align='left'>Req</ttcol> <th align="left">Req</th>
<ttcol align='left'>Case Exact</ttcol> <th align="left">Case Exact</th>
<ttcol align='left'>Mutable</ttcol> <th align="left">Mutable</th>
<ttcol align='left'>Return</ttcol> <th align="left">Return</th>
<ttcol align='left'>Unique</ttcol> <th align="left">Unique</th>
<c>applicationType</c> </tr>
<c>F</c> </thead>
<c>T</c> <tbody>
<c>F</c> <tr>
<c>R</c> <td align="left">applicationType</td>
<c>Def</c> <td align="left">F</td>
<c>None</c> <td align="left">T</td>
<c>applicationName</c> <td align="left">F</td>
<c>F</c> <td align="left">R</td>
<c>T</c> <td align="left">Def</td>
<c>F</c> <td align="left">None</td>
<c>RW</c> </tr>
<c>Def</c> <tr>
<c>None</c> <td align="left">applicationName</td>
<c>clientToken</c> <td align="left">F</td>
<c>F</c> <td align="left">T</td>
<c>F</c> <td align="left">F</td>
<c>T</c> <td align="left">RW</td>
<c>R</c> <td align="left">Def</td>
<c>N</c> <td align="left">None</td>
<c>None</c> </tr>
<c>certificateInfo</c> <tr>
<c>F</c> <td align="left">clientToken</td>
<c>F</c> <td align="left">F</td>
<c>F</c> <td align="left">F</td>
<c>RW</c> <td align="left">T</td>
<c>Def</c> <td align="left">R</td>
<c>None</c> <td align="left">N</td>
<c>rootCA</c> <td align="left">None</td>
<c>F</c> </tr>
<c>F</c> <tr>
<c>T</c> <td align="left">certificateInfo</td>
<c>RW</c> <td align="left">F</td>
<c>Def</c> <td align="left">F</td>
<c>None</c> <td align="left">F</td>
<c>subjectName</c> <td align="left">RW</td>
<c>F</c> <td align="left">Def</td>
<c>T</c> <td align="left">None</td>
<c>T</c> </tr>
<c>RW</c> <tr>
<c>Def</c> <td align="left">rootCA</td>
<c>None</c> <td align="left">F</td>
</texttable> <td align="left">F</td>
<td align="left">T</td>
<t>Note that either clientToken or certificateInfo are used for the <td align="left">RW</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
<tr>
<td align="left">subjectName</td>
<td align="left">F</td>
<td align="left">T</td>
<td align="left">T</td>
<td align="left">RW</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
</tbody>
</table>
<t>Legend:</t>
<dl spacing="compact" newline="false">
<dt>Req:</dt><dd>Required</dd>
<dt>T:</dt><dd>True</dd>
<dt>F:</dt><dd>False</dd>
<dt>R:</dt><dd>ReadOnly</dd>
<dt>RW:</dt><dd>ReadWrite</dd>
<dt>Manuf:</dt><dd>Manufacturer</dd>
<dt>N:</dt><dd>No</dd>
<dt>Def:</dt><dd>Default</dd>
</dl>
<t>Note that either clientToken or certificateInfo is used for the
authentication of the application. If certificateInfo is NOT present authentication of the application. If certificateInfo is NOT present
when an endpointApp is object created, then the server SHOULD return when an endpointApp object is created, then the server <bcp14>SHOULD</bcp14> ret urn
a clientToken. Otherwise, if the server accepts the certificateInfo a clientToken. Otherwise, if the server accepts the certificateInfo
object for authentication, it SHOULD NOT return a clientToken. object for authentication, it <bcp14>SHOULD NOT</bcp14> return a clientToken.
If the server accepts and produces a clientToken, then control and If the server accepts and produces a clientToken, then control and
telemetry servers MUST validate both. The SCIM client will know telemetry servers <bcp14>MUST</bcp14> validate both. The SCIM client will know
that this is the case based on the SCIM object that is returned.</t> that this is the case based on the SCIM object that is returned.</t>
<t>certificateInfo is preferred in situations where client functions
<t>certificateInfo is preferred in situations where client functions
are federated such that different clients may connect for different are federated such that different clients may connect for different
purposes.</t> purposes.</t>
<figure anchor="eaExample">
<figure title="Endpoint App Example" anchor="eaExample"><artwork><![CDATA[ <name>Endpoint App Example</name>
<CODE BEGINS> <sourcecode markers="true"><![CDATA[
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:EndpointApp"], "schemas": ["urn:ietf:params:scim:schemas:core:2.0:EndpointApp"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316212", "id": "e9e30dba-f08f-4109-8486-d5c6a3316212",
"applicationType": "deviceControl", "applicationType": "deviceControl",
"applicationName": "Device Control App 1", "applicationName": "Device Control App 1",
"certificateInfo": { "certificateInfo": {
"rootCA" : "MIIBIjAN...", "rootCA" : "MIIBIjAN...",
"subjectName": "www.example.com" "subjectName": "www.example.com"
}, },
"meta": { "meta": {
"resourceType": "EndpointApp", "resourceType": "EndpointApp",
"created": "2022-01-23T04:56:22Z", "created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z", "lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"", "version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/EndpointApps/e9e30dba-f08f "location": "https://example.com/v2/EndpointApps/e9e30dba-f08f
-4109-8486-d5c6a3316212" -4109-8486-d5c6a3316212"
} }
} }]]></sourcecode>
<CODE ENDS> </figure>
]]></artwork></figure> </section>
</section>
</section>
<!-- [rfced] May we adjust the text below as follows to make these list items
more parallel and readable?
</section> Original:
</section>
</section>
<section anchor="extensions"><name>SCIM Device Extensions</name>
<t>SCIM provides various extension schemas, their attributes, JSON SCIM provides various extension schemas, their attributes, JSON
representation, and example object.
Perhaps:
SCIM provides various extension schemas and their attributes, along with JSON
representations and example objects.
-->
<section anchor="extensions">
<name>SCIM Device Extensions</name>
<t>SCIM provides various extension schemas, their attributes, JSON
representation, and example object. The core schema is extended with a representation, and example object. The core schema is extended with a
new resource type, Device. No new resource type, Device. No
schemaExtensions list is specified in that definition. Instead, schemaExtensions list is specified in that definition. Instead,
IANA registry entries are created, where all values for "required" are set to IANA registry entries have been created, where all values for "required" are set
false. All extensions to the Device schema MUST be registered via IANA, to
as described in <xref target="device-schema-extensions"></xref>. The schemas be false. All extensions to the Device schema <bcp14>MUST</bcp14> be registered vi
low demonstrate how a IANA,
this model is to work. All the SCIM Server related Schema URIs are valid only as described in <xref target="device-schema-extensions"/>. The schemas below de
monstrate how
this model is to work. All the SCIM server-related schema URIs are valid only
with Device resource types.</t> with Device resource types.</t>
<section anchor="ble-extension">
<section anchor="ble-extension"><name>Bluetooth Low Energy (BLE) Extension</name <name>Bluetooth Low Energy (BLE) Extension</name>
> <t>This schema extends the device schema to represent the devices
<t>This schema extends the device schema to represent the devices
supporting BLE. The extension is identified using the following supporting BLE. The extension is identified using the following
schema URI:</t> schema URI:</t>
<t>urn:ietf:params:scim:schemas:extension:ble:2.0:Device</t> <t>urn:ietf:params:scim:schemas:extension:ble:2.0:Device</t>
<t>The attributes are as follows.</t>
<t>The attributes are as follows:</t> <section anchor="singular-attributes-2">
<name>Singular Attributes</name>
<section anchor="singular-attributes-2"><name>Singular Attributes</name> <dl>
<dt>deviceMacAddress:</dt>
<dl> <dd>
<dt>deviceMacAddress:</dt> <t>A string value that represents a public MAC address assigned by
<dd> the
<t>A string value that represent a public MAC address assigned by the
manufacturer. It is a unique 48-bit value. It is required, case manufacturer. It is a unique 48-bit value. It is required, case
insensitive, is mutable, and is returned by default. The ECMA insensitive, mutable, and returned by default. The ECMA
regular expression pattern <xref target="ECMA"/> is the following:</t> regular expression pattern <xref target="ECMA"/> is the following:</t>
</dd> <artwork><![CDATA[
</dl>
<figure><artwork><![CDATA[
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$ ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$
]]></artwork></figure> ]]></artwork>
</dd>
<dl> <dt>isRandom:</dt>
<dt>isRandom:</dt> <dd>
<dd> <t>A boolean flag taken from <xref target="BLE54"/>. If FALSE,
<t>A boolean flag taken from <xref target="BLE54"/>. If FALSE,
the device is using a public MAC address. If TRUE, the device uses a the device is using a public MAC address. If TRUE, the device uses a
random address. If an Idenifying Resolving Key (IRK) is present, the random address. If an Identifying Resolving Key (IRK) is present, the
address represents a resolvable private address. Otherwise, the address represents a resolvable private address. Otherwise, the
address is assumed to be a random static address. Non-resolvable address is assumed to be a random static address. Non-resolvable
private addresses are not supported by this specification. This private addresses are not supported by this specification. This
attribute is not required. It is mutable, and is returned by default. attribute is not required. It is mutable and is returned by default.
The default value is FALSE.</t> The default value is FALSE.</t>
</dd> </dd>
<dt>separateBroadcastAddress:</dt> <dt>separateBroadcastAddress:</dt>
<dd> <dd>
<t>When present, this string represents an address used for broadcasts/adver <t>When present, this string represents an address used for broadc
tisements. asts/advertisements.
This value MUST NOT be set when an IRK is provided. Its form is the This value <bcp14>MUST NOT</bcp14> be set when an IRK is provided. Its form is
the
same as deviceMacAddress. It is not required, multivalued, mutable, same as deviceMacAddress. It is not required, multivalued, mutable,
and returned by default.</t> and returned by default.</t>
</dd> </dd>
<dt>irk:</dt> <dt>irk:</dt>
<dd> <dd>
<t>A string value that specifies the identity resolving key (IRK), which
is unique to each device. It is used to resolve private random <t>A string value that specifies the IRK, which
is unique to each device. It is used to resolve a private random
address. It should only be provisioned when isRandom is TRUE. It is address. It should only be provisioned when isRandom is TRUE. It is
mutable and never returned. For more information about the use of mutable and never returned. For more information about the use of
the IRK, see Section 5.4.5 of <xref target="BLE54"/>.</t> the IRK, see Volume 1, Part A, Section 5.4.5 of <xref target="BLE54"/>.</t>
</dd> </dd>
<dt>mobility:</dt> <dt>mobility:</dt>
<dd> <dd>
<t>A boolean attribute to enable BLE device mobility. If set to TRUE, the <t>A boolean attribute to enable BLE device mobility. If set to TR
UE, the
device could be expected to move within a network of APs. For device could be expected to move within a network of APs. For
example, BLE device is connected with AP-1 and moves out of range but example, if a BLE device is connected with AP-1 and moves out of range but
comes in range of AP-2, it will be disconnected with AP-1 and connects comes in range of AP-2, it will be disconnected with AP-1 and connected
with AP-2. It is returned by default and mutable.</t> with AP-2. It is returned by default and mutable.</t>
</dd> </dd>
</dl> </dl>
</section>
</section> <section anchor="multivalued-attributes">
<section anchor="multivalued-attributes"><name>Multivalued Attributes</name> <name>Multivalued Attributes</name>
<dl>
<dl> <dt>versionSupport:</dt>
<dt>versionSupport:</dt> <dd>
<dd> <t>A multivalued set of strings that specifies the BLE versions su
<t>A multivalued set of strings that specifies the BLE versions supported by pported by the
the device in the form of an array, for example,
device in the form of an array. For example,
["4.1", "4.2", "5.0", "5.1", "5.2", "5.3", "5.4"]. It is required, mutable, and ["4.1", "4.2", "5.0", "5.1", "5.2", "5.3", "5.4"]. It is required, mutable, and
return as default.</t> returned by default.</t>
</dd> </dd>
<dt>pairingMethods:</dt> <dt>pairingMethods:</dt>
<dd> <dd>
<t>An multivalued set of strings that specifies pairing methods associated w <t>A multivalued set of strings that specifies pairing methods ass
ith the BLE ociated with the BLE
device. The pairing methods may require sub-attributes, such as device. The pairing methods may require subattributes such as
key/password, for the device pairing process. To enable the key/password for the device pairing process. To enable the
scalability of pairing methods in the future, they are represented as scalability of pairing methods in the future, they are represented as
extensions to incorporate various attributes that are part of the extensions to incorporate various attributes that are part of the
respective pairing process. Pairing method extensions are nested respective pairing process. Pairing method extensions are nested
inside the BLE extension. It is required, case sensitive, mutable, and inside the BLE extension. It is required, case sensitive, mutable, and
returned by default.</t> returned by default.</t>
</dd> </dd>
</dl> </dl>
</section>
<section anchor="ble-pairing-method-extensions">
<name>BLE Pairing Method Extensions</name>
<t>The details on pairing methods and their associated attributes are
in
Volume 1, Part A, Section 5.2.4 of <xref target="BLE54"/>. This memo defines ext
ensions for four
pairing methods that are nested inside the BLE extension schema. Each
extension contains the common attributes in <xref target="common-attributes"/>.
These
extensions are as follows:</t>
</section> <!--[rfced] Because these following URNs appear in an ordered list, the
<section anchor="ble-pairing-method-extensions"><name>BLE Pairing Method Extensi indentation causes the lines to exceed the 72-character limit. In order to
ons</name> fit the character limit, we suggest converting the ordered list into a
definitions list as follows. Please review.
<t>The details on pairing methods and their associated attributes are in Current:
section 5.2.4 of <xref target="BLE54"/>. This memo defines extensions for four
pairing methods that are nested insided the BLE extension schema. Each
extension contains the common attributes <xref target="common-attributes"></xref
>. These
extension are as follows:</t>
<t>(i) pairingNull extension is identified using the following schema URI:</t> ii. The pairingJustWorks extension is identified using the
following schema URI:
<t>urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device</t> urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device
<t>pairingNull does not have any attribute. It allows pairing for BLE The Just Works pairing method does not require a key to pair
devices that do not require a pairing method.</t> devices. For completeness, the key attribute is included and
is set to 'null'. The key attribute is required, immutable,
and returned by default.
<t>(ii) pairingJustWorks extension is identified using the following iii. The pairingPassKey extension is identified using the following
schema URI:</t> schema URI:
<t>urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device</t> urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device
<t>Just Works pairing method does not require a key to pair devices. For The passkey pairing method requires a 6-digit key to pair
completeness, the key attribute is included and is set to 'null'. Key devices. This extension has one singular integer attribute,
attribute is required, immutable, and returned by default.</t> "key", which is required, mutable, and returned by default.
The key pattern is as follows:
<t>(iii) pairingPassKey extension is identified using the following ^[0-9]{6}$
schema URI:</t>
<t>urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device</t> Perhaps:
<t>The passkey pairing method requires a 6-digit key to pair devices. pairingJustWorks extension: Identified using the following schema
This extension has one singular integer attribute, "key", which is URI:
required, mutable and returned by default. The key pattern is
as follows:</t>
<figure><artwork><![CDATA[ urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device
^[0-9]{6}$
]]></artwork></figure>
<t>(iv) pairingOOB extension is identified using the following The Just Works pairing method does not require a key to pair
schema URI:</t> devices. For completeness, the key attribute is included and is
set to 'null'. The key attribute is required, immutable, and
returned by default.
<t>urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device</t> pairingPassKey extension: Identified using the following
schema URI:
<t>The out-of-band pairing method includes three singular attributes, urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device
i.e., key, randomNumber, and confirmationNumber.</t>
<dl> The passkey pairing method requires a 6-digit key to pair
<dt>key:</dt> devices. This extension has one singular integer attribute,
<dd> "key", which is required, mutable, and returned by default.
<t>A string value, required and received from out-of-band The key pattern is as follows:
sources such as NFC. It is case sensitive, mutable, and returned
^[0-9]{6}$
-->
<ol type="i">
<li><t>The pairingNull extension is identified using the following schema URI:
</t>
<t>urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device</t>
<t>pairingNull does not have any attribute. It allows pairing for BLE
devices that do not require a pairing method.</t></li>
<li><t>The pairingJustWorks extension is identified using the following
schema URI:</t>
<t>urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device</t>
<t>The Just Works pairing method does not require a key to pair devices. For
completeness, the key attribute is included and is set to 'null'. The key
attribute is required, immutable, and returned by default.</t></li>
<li><t>The pairingPassKey extension is identified using the following
schema URI:</t>
<t>urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device</t>
<t>The passkey pairing method requires a 6-digit key to pair devices.
This extension has one singular integer attribute, "key", which is
required, mutable, and returned by default. The key pattern is
as follows:</t>
<artwork><![CDATA[
^[0-9]{6}$
]]></artwork></li>
<li><t>The pairingOOB extension is identified using the following
schema URI:</t>
<t>urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device</t>
<t>The out-of-band (OOB) pairing method includes three singular attributes:
key, randomNumber, and confirmationNumber.</t>
<dl>
<dt>key:</dt>
<dd>
<t>A string value that is required and received from out-of-band
sources such as Near Field Communication (NFC). It is case sensitive, mutable,
and returned
by default.</t> by default.</t>
</dd> </dd>
<dt>randomNumber:</dt> <dt>randomNumber:</dt>
<dd> <dd>
<t>An integer that represents a nonce added to the key. It is <t>An integer that represents a nonce added to the key. It is
a required attribute. It is mutable and returned by default.</t> a required attribute. It is mutable and returned by default.</t>
</dd> </dd>
<dt>confirmationNumber:</dt> <dt>confirmationNumber:</dt>
<dd> <dd>
<t>An integer which some solutions require in RESTful message <t>An integer that some solutions require in a RESTful message
exchange. It is not required. It is mutable and returned by default if exchange. It is not required. It is mutable and returned by default if
it exists.</t> it exists.</t>
</dd> </dd>
</dl> </dl>
</li>
<texttable title="Characteristics of BLE extension schema attributes. </ol>
sepBroadcastAdd is short for separateBroadcastAddress. (Req = Required, <table anchor="tabBLE">
T = True, F = False, RW = ReadWrite, WO=Write Only, Def = Default, <name>Characteristics of BLE Extension Schema Attributes</name>
Nev = Never, and Manuf = Manufacturer)." anchor="tabBLE"> <thead>
<ttcol align='left'>Attribute</ttcol> <tr>
<ttcol align='left'>Multi Value</ttcol> <th align="left">Attribute</th>
<ttcol align='left'>Req</ttcol> <th align="left">Multi Value</th>
<ttcol align='left'>Case Exact</ttcol> <th align="left">Req</th>
<ttcol align='left'>Mutable</ttcol> <th align="left">Case Exact</th>
<ttcol align='left'>Return</ttcol> <th align="left">Mutable</th>
<ttcol align='left'>Unique</ttcol> <th align="left">Return</th>
<c>deviceMacAddress</c> <th align="left">Unique</th>
<c>F</c> </tr>
<c>T</c> </thead>
<c>F</c> <tbody>
<c>RW</c> <tr>
<c>Def</c> <td align="left">deviceMacAddress</td>
<c>Manuf</c> <td align="left">F</td>
<c>isRandom</c> <td align="left">T</td>
<c>F</c> <td align="left">F</td>
<c>T</c> <td align="left">RW</td>
<c>F</c> <td align="left">Def</td>
<c>RW</c> <td align="left">Manuf</td>
<c>Def</c> </tr>
<c>None</c> <tr>
<c>sepBroadcastAdd</c> <td align="left">isRandom</td>
<c>T</c> <td align="left">F</td>
<c>F</c> <td align="left">T</td>
<c>F</c> <td align="left">F</td>
<c>RW</c> <td align="left">RW</td>
<c>Def</c> <td align="left">Def</td>
<c>None</c> <td align="left">None</td>
<c>irk</c> </tr>
<c>F</c> <tr>
<c>F</c> <td align="left">sepBroadcastAdd</td>
<c>F</c> <td align="left">T</td>
<c>WO</c> <td align="left">F</td>
<c>Nev</c> <td align="left">F</td>
<c>Manuf</c> <td align="left">RW</td>
<c>versionSupport</c> <td align="left">Def</td>
<c>T</c> <td align="left">None</td>
<c>T</c> </tr>
<c>F</c> <tr>
<c>RW</c> <td align="left">irk</td>
<c>Def</c> <td align="left">F</td>
<c>None</c> <td align="left">F</td>
<c>mobility</c> <td align="left">F</td>
<c>F</c> <td align="left">WO</td>
<c>F</c> <td align="left">Nev</td>
<c>F</c> <td align="left">Manuf</td>
<c>RW</c> </tr>
<c>Def</c> <tr>
<c>None</c> <td align="left">versionSupport</td>
<c>pairingMethods</c> <td align="left">T</td>
<c>T</c> <td align="left">T</td>
<c>T</c> <td align="left">F</td>
<c>T</c> <td align="left">RW</td>
<c>RW</c> <td align="left">Def</td>
<c>Def</c> <td align="left">None</td>
<c>None</c> </tr>
</texttable> <tr>
<td align="left">mobility</td>
<td align="left">F</td>
<td align="left">F</td>
<td align="left">F</td>
<td align="left">RW</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
<tr>
<td align="left">pairingMethods</td>
<td align="left">T</td>
<td align="left">T</td>
<td align="left">T</td>
<td align="left">RW</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
</tbody>
</table>
<figure title="BLE Example" anchor="btExample"><artwork><![CDATA[ <t>Legend:</t>
<CODE BEGINS> <dl spacing="compact" newline="false">
<dt>sepBroadcastAdd:</dt><dd>separateBroadcastAddress</dd>
<dt>Req:</dt><dd>Required</dd>
<dt>T:</dt><dd>True</dd>
<dt>F:</dt><dd>False</dd>
<dt>RW:</dt><dd>ReadWrite</dd>
<dt>WO:</dt><dd>Write Only</dd>
<dt>Def:</dt><dd>Default</dd>
<dt>Nev:</dt><dd>Never</dd>
<dt>Manuf:</dt><dd>Manufacturer</dd>
</dl>
<figure anchor="btExample">
<name>BLE Example</name>
<sourcecode markers="true"><![CDATA[
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device"], "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor", "displayName": "BLE Heart Monitor",
"active": true, "active": true,
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : { "urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : {
"versionSupport": ["5.3"], "versionSupport": ["5.3"],
"deviceMacAddress": "2C:54:91:88:C9:E2", "deviceMacAddress": "2C:54:91:88:C9:E2",
skipping to change at line 984 skipping to change at line 1257
} }
}, },
"meta": { "meta": {
"resourceType": "Device", "resourceType": "Device",
"created": "2022-01-23T04:56:22Z", "created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z", "lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"", "version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109 "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109
-8486-d5c6a3316111" -8486-d5c6a3316111"
} }
} }]]></sourcecode>
<CODE ENDS> </figure>
]]></artwork></figure> <t>In the above example, the pairing method is "pairingPassKey", which
implies
<t>In the above example, the pairing method is "pairingPassKey", which implies
that this BLE device pairs using only a passkey. In another example below, that this BLE device pairs using only a passkey. In another example below,
the pairing method is "pairingOOB", denoting that this BLE device uses the the pairing method is "pairingOOB", denoting that this BLE device uses the
out-of-band pairing method.</t> out-of-band pairing method.</t>
<figure anchor="btExample2">
<figure title="BLE with pairingOOB" anchor="btExample2"><artwork><![CDATA[ <name>BLE with pairingOOB</name>
<CODE BEGINS> <sourcecode markers="true"><![CDATA[
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device"], "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor", "displayName": "BLE Heart Monitor",
"active": true, "active": true,
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : { "urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : {
"versionSupport": ["5.3"], "versionSupport": ["5.3"],
"deviceMacAddress": "2C:54:91:88:C9:E2", "deviceMacAddress": "2C:54:91:88:C9:E2",
skipping to change at line 1025 skipping to change at line 1296
} }
}, },
"meta": { "meta": {
"resourceType": "Device", "resourceType": "Device",
"created": "2022-01-23T04:56:22Z", "created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z", "lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"", "version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109 "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109
-8486-d5c6a3316111" -8486-d5c6a3316111"
} }
} }]]></sourcecode>
<CODE ENDS> </figure>
]]></artwork></figure> <t>However, a device can have more than one pairing method. Support fo
r multiple
<t>However, a device can have more than one pairing method. Support for multiple pairing methods is also provided by the multivalued attribute pairingMethods.
pairing methods is also provided by the multi-valued attribute pairingMethods.
In the example below, the BLE device can pair with both passkey and OOB pairing In the example below, the BLE device can pair with both passkey and OOB pairing
methods.</t> methods.</t>
<figure anchor="btExample3">
<figure title="BLE Pairing with both passkey and OOB" anchor="btExample3"><artwo <name>BLE Pairing with Both Passkey and OOB</name>
rk><![CDATA[ <sourcecode markers="true"><![CDATA[
<CODE BEGINS>
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device"], "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor", "displayName": "BLE Heart Monitor",
"active": true, "active": true,
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : { "urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : {
"versionSupport": ["5.3"], "versionSupport": ["5.3"],
"deviceMacAddress": "2C:54:91:88:C9:E2", "deviceMacAddress": "2C:54:91:88:C9:E2",
skipping to change at line 1072 skipping to change at line 1341
} }
}, },
"meta": { "meta": {
"resourceType": "Device", "resourceType": "Device",
"created": "2022-01-23T04:56:22Z", "created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z", "lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"", "version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109 "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109
-8486-d5c6a3316111" -8486-d5c6a3316111"
} }
} }]]></sourcecode>
<CODE ENDS> </figure>
]]></artwork></figure> </section>
</section>
<section anchor="wi-fi-easy-connect-extension">
<name>Wi-Fi Easy Connect Extension</name>
</section> <!-- [rfced] How may we make the two instances below complete sentences in
</section> order to provide more context for the reader?
<section anchor="wi-fi-easy-connect-extension"><name>Wi-Fi Easy Connect Extensio
n</name>
<t>A schema that extends the device schema to enable Wi-Fi Easy Connect Original:
(otherwise known as Device Provisioning Protocol or DPP). Throughout this
specification we use the term DPP. The extension
is identified using the following schema URI:</t>
<t>urn:ietf:params:scim:schemas:extension:dpp:2.0:Device</t> 7.2. Wi-Fi Easy Connect Extension
<t>The attributes in this extension are adopted from <xref target="DPP2"/>. The A schema that extends the device schema to enable Wi-Fi Easy Connect
attributes are as follows:</t> (otherwise known as Device Provisioning Protocol or DPP).
<section anchor="singular-attributes-3"><name>Singular Attributes</name> 7.5. Zigbee Extension
<dl> A schema that extends the device schema to enable the provisioning of
<dt>dppVersion:</dt> Zigbee devices [Zigbee].
<dd>
<t>An integer that represents the version of DPP the device supports. Perhaps:
7.2. Wi-Fi Easy Connect Extension
This section describes a schema that extends the device schema to enable Wi-F
i Easy Connect
(otherwise known as Device Provisioning Protocol (DPP)).
7.5. Zigbee Extension
This section describes a schema that extends the device schema to enable the
provisioning of
Zigbee devices [Zigbee].
-->
<t>A schema that extends the device schema to enable Wi-Fi Easy Connect
(otherwise known as Device Provisioning Protocol (DPP)). Throughout this
specification, we use the term "DPP". The extension
is identified using the following schema URI:</t>
<t>urn:ietf:params:scim:schemas:extension:dpp:2.0:Device</t>
<t>The attributes in this extension are adopted from <xref target="DPP2"
/>. The
attributes are as follows.</t>
<section anchor="singular-attributes-3">
<name>Singular Attributes</name>
<dl>
<dt>dppVersion:</dt>
<dd>
<t>An integer that represents the version of DPP the device suppor
ts.
This attribute is required, case insensitive, mutable, and This attribute is required, case insensitive, mutable, and
returned by default.</t> returned by default.</t>
</dd> </dd>
<dt>bootstrapKey:</dt> <dt>bootstrapKey:</dt>
<dd> <dd>
<t>A string value representing an Elliptic-Curve Diffie-Hellman (ECDH) publi <t>A string value representing an Elliptic Curve Diffie-Hellman (E
c CDH) public
key. The base64 encoded lengths for P-256, P-384, and P-521 are key. The base64-encoded lengths for P-256, P-384, and P-521 are
80, 96, and 120 characters. This attribute is required, case-sensitive, 80, 96, and 120 characters. This attribute is required, case sensitive,
mutable, and returned by default.</t> mutable, and returned by default.</t>
</dd> </dd>
<dt>deviceMacAddress:</dt> <dt>deviceMacAddress:</dt>
<dd> <dd>
<t>A MAC address stored as string. It is a unique 48-bit value. This attribu <t>A MAC address stored as a string. It is a unique 48-bit value.
t This attribute
is optional, case insensitive, mutable, and returned by default. Its form is optional, case insensitive, mutable, and returned by default. Its form
is identical to that of the deviceMacAddress for BLE devices.</t> is identical to that of the deviceMacAddress for BLE devices.</t>
</dd> </dd>
<dt>serialNumber:</dt> <dt>serialNumber:</dt>
<dd> <dd>
<t>An alphanumeric serial number, stored as string, may also be passed <t>An alphanumeric serial number stored as a string. It may also b
e passed
as bootstrapping information. This attribute is optional, case as bootstrapping information. This attribute is optional, case
insensitive, mutable, and returned by default.</t> insensitive, mutable, and returned by default.</t>
</dd> </dd>
</dl> </dl>
</section>
</section> <section anchor="multivalued-attributes-1">
<section anchor="multivalued-attributes-1"><name>Multivalued Attributes</name> <name>Multivalued Attributes</name>
<dl>
<dl> <dt>bootstrappingMethod:</dt>
<dt>bootstrappingMethod:</dt> <dd>
<dd> <t>One or more strings of all the bootstrapping methods available
<t>One or more strings of all the bootstrapping methods available on the enrollee device, for example, [QR, NFC]. This attribute is
on the enrollee device. For example, [QR, NFC]. This attribute is
optional, case insensitive, mutable, and returned by default.</t> optional, case insensitive, mutable, and returned by default.</t>
</dd> </dd>
<dt>classChannel:</dt> <dt>classChannel:</dt>
<dd> <dd>
<t>One or more strings representing the global operating class and <t>One or more strings representing the global operating class and
channel shared as bootstrapping information. It is formatted as channel shared as bootstrapping information. It is formatted as
class/channel. For example, ['81/1','115/36']. This attribute class/channel, for example, ['81/1','115/36']. This attribute
is optional, case insensitive, mutable, and returned by default.</t> is optional, case insensitive, mutable, and returned by default.</t>
</dd> </dd>
</dl> </dl>
<table anchor="tabDPP">
<texttable title="Characteristics of DPP extension schema attributes. <name>Characteristics of DPP Extension Schema Attributes</name>
(Req = Required, T = True, F = False, RW = ReadWrite, WO = Write Only, <thead>
Def = Default, Nev = Never, and Manuf = Manufacturer)." anchor="tabDPP"> <tr>
<ttcol align='left'>Attribute</ttcol> <th align="left">Attribute</th>
<ttcol align='left'>Multi Value</ttcol> <th align="left">Multi Value</th>
<ttcol align='left'>Req</ttcol> <th align="left">Req</th>
<ttcol align='left'>Case Exact</ttcol> <th align="left">Case Exact</th>
<ttcol align='left'>Mutable</ttcol> <th align="left">Mutable</th>
<ttcol align='left'>Return</ttcol> <th align="left">Return</th>
<ttcol align='left'>Unique</ttcol> <th align="left">Unique</th>
<c>dppVersion</c> </tr>
<c>F</c> </thead>
<c>T</c> <tbody>
<c>F</c> <tr>
<c>RW</c> <td align="left">dppVersion</td>
<c>Def</c> <td align="left">F</td>
<c>None</c> <td align="left">T</td>
<c>bootstrapKey</c> <td align="left">F</td>
<c>F</c> <td align="left">RW</td>
<c>T</c> <td align="left">Def</td>
<c>T</c> <td align="left">None</td>
<c>WO</c> </tr>
<c>Nev</c> <tr>
<c>None</c> <td align="left">bootstrapKey</td>
<c>deviceMacAddress</c> <td align="left">F</td>
<c>F</c> <td align="left">T</td>
<c>F</c> <td align="left">T</td>
<c>F</c> <td align="left">WO</td>
<c>RW</c> <td align="left">Nev</td>
<c>Def</c> <td align="left">None</td>
<c>Manuf</c> </tr>
<c>serialNumber</c> <tr>
<c>F</c> <td align="left">deviceMacAddress</td>
<c>F</c> <td align="left">F</td>
<c>F</c> <td align="left">F</td>
<c>RW</c> <td align="left">F</td>
<c>Def</c> <td align="left">RW</td>
<c>None</c> <td align="left">Def</td>
<c>bootstrappingMethod</c> <td align="left">Manuf</td>
<c>T</c> </tr>
<c>F</c> <tr>
<c>F</c> <td align="left">serialNumber</td>
<c>RW</c> <td align="left">F</td>
<c>Def</c> <td align="left">F</td>
<c>None</c> <td align="left">F</td>
<c>classChannel</c> <td align="left">RW</td>
<c>T</c> <td align="left">Def</td>
<c>F</c> <td align="left">None</td>
<c>F</c> </tr>
<c>RW</c> <tr>
<c>Def</c> <td align="left">bootstrappingMethod</td>
<c>None</c> <td align="left">T</td>
</texttable> <td align="left">F</td>
<td align="left">F</td>
<td align="left">RW</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
<tr>
<td align="left">classChannel</td>
<td align="left">T</td>
<td align="left">F</td>
<td align="left">F</td>
<td align="left">RW</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
</tbody>
</table>
<t>Legend:</t>
<dl spacing="compact" newline="false">
<dt>Req:</dt><dd>Required</dd>
<dt>T:</dt><dd>True</dd>
<dt>F:</dt><dd>False</dd>
<dt>RW:</dt><dd>ReadWrite</dd>
<dt>WO:</dt><dd>Write Only</dd>
<dt>Def:</dt><dd>Default</dd>
<dt>Nev:</dt><dd>Never</dd>
<dt>Manuf:</dt><dd>Manufacturer</dd>
</dl>
<figure title="DPP Example" anchor="dPPExample"><artwork><![CDATA[ <figure anchor="dPPExample">
<CODE BEGINS> <name>DPP Example</name>
<sourcecode markers="true"><![CDATA[
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:dpp:2.0 "urn:ietf:params:scim:schemas:extension:dpp:2.0
:Device"], :Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "WiFi Heart Monitor", "displayName": "WiFi Heart Monitor",
"active": true, "active": true,
"urn:ietf:params:scim:schemas:extension:dpp:2.0:Device" : { "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device" : {
"dppVersion": 2, "dppVersion": 2,
skipping to change at line 1222 skipping to change at line 1542
}, },
"meta": { "meta": {
"resourceType": "Device", "resourceType": "Device",
"created": "2022-01-23T04:56:22Z", "created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z", "lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"", "version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f "location": "https://example.com/v2/Devices/e9e30dba-f08f
-4109-8486-d5c6a3316111" -4109-8486-d5c6a3316111"
} }
} }]]></sourcecode>
<CODE ENDS> </figure>
]]></artwork></figure> </section>
</section>
</section> <section anchor="ethernet-mab-extension">
</section> <name>Ethernet MAB Extension</name>
<section anchor="ethernet-mab-extension"><name>Ethernet MAB Extension</name> <t>This extension enables a legacy means of (very) weak authentication,
<t>This extension enables a legacy means of (very) weak authentication,
known as MAC Authenticated Bypass (MAB), that is supported in many wired known as MAC Authenticated Bypass (MAB), that is supported in many wired
ethernet solutions. If the MAC address is known, then the device may ethernet solutions. If the MAC address is known, then the device may
be permitted (perhaps limited) access. The extension is identified be permitted (perhaps limited) access. The extension is identified
by the following URI:</t> by the following URI:</t>
<t>urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device</t> <t>urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device</t>
<t>Note that this method is not likely to work properly with
<t>Note that this method is not likely to work properly with
MAC address randomization.</t> MAC address randomization.</t>
<section anchor="single-attribute">
<section anchor="single-attribute"><name>Single Attribute</name> <name>Single Attribute</name>
<t>This extension has a singular attribute:</t>
<t>This extension has a singular attribute:</t> <dl>
<dt>deviceMacAddress:</dt>
<dl> <dd>
<dt>deviceMacAddress:</dt> <t>This is the Ethernet address to be provisioned onto the network
<dd> . It
<t>This is the Ethernet address to be provisioned onto the network. It
takes the identical form as found in the BLE extension.</t> takes the identical form as found in the BLE extension.</t>
</dd> </dd>
</dl> </dl>
<table anchor="tabMAB">
<texttable title="Characteristics of MAB extension schema attributes <name>Characteristics of MAB Extension Schema Attributes</name>
(Req = Required, T = True, F = False, RW = ReadWrite, and <thead>
Def = Default)" anchor="tabMAB"> <tr>
<ttcol align='left'>Attribute</ttcol> <th align="left">Attribute</th>
<ttcol align='left'>Multi Value</ttcol> <th align="left">Multi Value</th>
<ttcol align='left'>Req</ttcol> <th align="left">Req</th>
<ttcol align='left'>Case Exact</ttcol> <th align="left">Case Exact</th>
<ttcol align='left'>Mutable</ttcol> <th align="left">Mutable</th>
<ttcol align='left'>Return</ttcol> <th align="left">Return</th>
<ttcol align='left'>Unique</ttcol> <th align="left">Unique</th>
<c>deviceMacAddress</c> </tr>
<c>F</c> </thead>
<c>T</c> <tbody>
<c>F</c> <tr>
<c>RW</c> <td align="left">deviceMacAddress</td>
<c>Def</c> <td align="left">F</td>
<c>None</c> <td align="left">T</td>
</texttable> <td align="left">F</td>
<td align="left">RW</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
</tbody>
</table>
<t>Legend:</t>
<dl spacing="compact" newline="false">
<dt>Req:</dt><dd>Required</dd>
<dt>T:</dt><dd>True</dd>
<dt>F:</dt><dd>False</dd>
<dt>RW:</dt><dd>ReadWrite</dd>
<dt>Def:</dt><dd>Default</dd>
</dl>
<figure title="MAB Example" anchor="MABExample"><artwork><![CDATA[ <figure anchor="MABExample">
<CODE BEGINS> <name>MAB Example</name>
<sourcecode markers="true"><![CDATA[
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0 "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0
:Device"], :Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "Some random Ethernet Device", "displayName": "Some random Ethernet Device",
"active": true, "active": true,
"urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device" "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device"
: { : {
skipping to change at line 1295 skipping to change at line 1624
}, },
"meta": { "meta": {
"resourceType": "Device", "resourceType": "Device",
"created": "2022-01-23T04:56:22Z", "created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z", "lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"", "version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109 "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109
-8486-d5c6a3316111" -8486-d5c6a3316111"
} }
} }]]></sourcecode>
<CODE ENDS> </figure>
]]></artwork></figure> </section>
</section>
</section> <section anchor="fido-device-onboard-extension">
</section> <name>FIDO Device Onboard Extension</name>
<section anchor="fido-device-onboard-extension"><name>FIDO Device Onboard Extens <t>This extension specifies a voucher to be used by the FDO Device
ion</name>
<t>This extension specifies a voucher to be used by the FDO Device
Onboard (FDO) protocols <xref target="FDO11"/> to complete a trusted transfer of Onboard (FDO) protocols <xref target="FDO11"/> to complete a trusted transfer of
ownership and control of the device to the environment. The SCIM ownership and control of the device to the environment. The SCIM
server MUST know how to process the voucher, either directly server <bcp14>MUST</bcp14> know how to process the voucher, either directly
or by forwarding it along to an owner process as defined in the FDO or by forwarding it along to an owner process as defined in the FDO
specification.</t> specification. The extension is identified
using the following schema URI:</t>
<!-- [rfced] Section 7.4: FYI - We have added an introductory sentence to the
URN below to match other instances in the document. Please review and let us
know if any further updates are needed.
<t>urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device</t> Original:
<section anchor="single-attribute-1"><name>Single Attribute</name> The SCIM server MUST know how to process the voucher, either directly or by
forwarding it along to an owner process as defined in the FDO specification.
<t>This extension has a singular attribute:</t> urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device
<dl> Current:
<dt>fdoVoucher:</dt>
<dd>
<t>The voucher is formated as a PEM-encoded object in accordance with <xref
target="FDO11"/>.</t>
</dd>
</dl>
<texttable title="Characteristics of FDO extension schema attributes The SCIM server MUST know how to process the voucher, either directly or by
(Req = Required, T = True, F = False, WO = WriteOnly, and forwarding it along to an owner process as defined in the FDO
Nev = Never)" anchor="tabFDO"> specification. The extension is identified using the following schema URI:
<ttcol align='left'>Attribute</ttcol>
<ttcol align='left'>Multi Value</ttcol>
<ttcol align='left'>Req</ttcol>
<ttcol align='left'>Case Exact</ttcol>
<ttcol align='left'>Mutable</ttcol>
<ttcol align='left'>Return</ttcol>
<ttcol align='left'>Unique</ttcol>
<c>fdoVoucher</c>
<c>F</c>
<c>T</c>
<c>F</c>
<c>WO</c>
<c>Nev</c>
<c>None</c>
</texttable>
<figure title="FDO Example" anchor="fdoExample"><artwork><![CDATA[ urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device
<CODE BEGINS>
-->
<t>urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device</t>
<section anchor="single-attribute-1">
<name>Single Attribute</name>
<t>This extension has a singular attribute:</t>
<dl>
<dt>fdoVoucher:</dt>
<dd>
<t>The voucher is formatted as a PEM-encoded object in accordance
with <xref target="FDO11"/>.</t>
</dd>
</dl>
<table anchor="tabFDO">
<name>Characteristics of FDO Extension Schema Attributes</name>
<thead>
<tr>
<th align="left">Attribute</th>
<th align="left">Multi Value</th>
<th align="left">Req</th>
<th align="left">Case Exact</th>
<th align="left">Mutable</th>
<th align="left">Return</th>
<th align="left">Unique</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">fdoVoucher</td>
<td align="left">F</td>
<td align="left">T</td>
<td align="left">F</td>
<td align="left">WO</td>
<td align="left">Nev</td>
<td align="left">None</td>
</tr>
</tbody>
</table>
<t>Legend:</t>
<dl spacing="compact" newline="false">
<dt>Req:</dt><dd>Required</dd>
<dt>T:</dt><dd>True</dd>
<dt>F:</dt><dd>False</dd>
<dt>WO:</dt><dd>WriteOnly</dd>
<dt>Nev:</dt><dd>Never</dd>
</dl>
<figure anchor="fdoExample">
<name>FDO Example</name>
<sourcecode markers="true"><![CDATA[
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Devices", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Devices",
"urn:ietf:params:scim:schemas:extension:fido-device-onboard "urn:ietf:params:scim:schemas:extension:fido-device-onboard
:2.0:Devices"], :2.0:Devices"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "Some random Ethernet Device", "displayName": "Some random Ethernet Device",
"active": true, "active": true,
"urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0 "urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0
:Devices" : { :Devices" : {
skipping to change at line 1365 skipping to change at line 1726
}, },
"meta": { "meta": {
"resourceType": "Device", "resourceType": "Device",
"created": "2022-01-23T04:56:22Z", "created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z", "lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"", "version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109 "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109
-8486-d5c6a3316111" -8486-d5c6a3316111"
} }
} }]]></sourcecode>
<CODE ENDS> </figure>
]]></artwork></figure> </section>
</section>
</section> <section anchor="zigbee-extension">
</section> <name>Zigbee Extension</name>
<section anchor="zigbee-extension"><name>Zigbee Extension</name> <t>A schema that extends the device schema to enable the provisioning of
<t>A schema that extends the device schema to enable the provisioning of
Zigbee devices <xref target="Zigbee"/>. The extension is identified using the fo llowing Zigbee devices <xref target="Zigbee"/>. The extension is identified using the fo llowing
schema URI:</t> schema URI:</t>
<t>urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device</t> <t>urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device</t>
<t>It has one singular attribute and one multivalued
<t>It has one singular attribute and one multivalued attribute. The attributes are as follows.</t>
attribute. The attributes are as follows:</t> <section anchor="singular-attribute">
<name>Singular Attribute</name>
<section anchor="singular-attribute"><name>Singular Attribute</name> <dl>
<dt>deviceEui64Address:</dt>
<dl> <dd>
<dt>deviceEui64Address:</dt> <t>A 64-bit Extended Unique Identifier (EUI-64) device address sto
<dd> red as string.
<t>An EUI-64 (Extended Unique Identifier) device address stored as string.
This attribute is required, case insensitive, mutable, and returned by This attribute is required, case insensitive, mutable, and returned by
default. It takes the same form as the deviceMACaddress in the BLE default. It takes the same form as the deviceMACaddress in the BLE
extension.</t> extension.</t>
</dd> </dd>
</dl> </dl>
</section>
</section> <section anchor="multivalued-attribute">
<section anchor="multivalued-attribute"><name>Multivalued Attribute</name> <name>Multivalued Attribute</name>
<dl>
<dl> <dt>versionSupport:</dt>
<dt>versionSupport:</dt> <dd>
<dd> <t>One or more strings of all the Zigbee versions supported
<t>One or more strings of all the Zigbee versions supported by the device, for example, [3.0]. This attribute is required, case
by the device. For example, [3.0]. This attribute is required, case
insensitive, mutable, and returned by default.</t> insensitive, mutable, and returned by default.</t>
</dd> </dd>
</dl> </dl>
<table anchor="tabZigbee">
<texttable title="Characteristics of Zigbee extension schema attributes. <name>Characteristics of Zigbee Extension Schema Attributes</name>
(Req = Required, T = True, F = False, RW = ReadWrite, and <thead>
Def = Default)" anchor="tabZigbee"> <tr>
<ttcol align='left'>Attribute</ttcol> <th align="left">Attribute</th>
<ttcol align='left'>Multi Value</ttcol> <th align="left">Multi Value</th>
<ttcol align='left'>Req</ttcol> <th align="left">Req</th>
<ttcol align='left'>Case Exact</ttcol> <th align="left">Case Exact</th>
<ttcol align='left'>Mutable</ttcol> <th align="left">Mutable</th>
<ttcol align='left'>Return</ttcol> <th align="left">Return</th>
<ttcol align='left'>Unique</ttcol> <th align="left">Unique</th>
<c>deviceEui64Address</c> </tr>
<c>F</c> </thead>
<c>T</c> <tbody>
<c>F</c> <tr>
<c>RW</c> <td align="left">deviceEui64Address</td>
<c>Def</c> <td align="left">F</td>
<c>None</c> <td align="left">T</td>
<c>versionSupport</c> <td align="left">F</td>
<c>T</c> <td align="left">RW</td>
<c>T</c> <td align="left">Def</td>
<c>F</c> <td align="left">None</td>
<c>RW</c> </tr>
<c>Def</c> <tr>
<c>None</c> <td align="left">versionSupport</td>
</texttable> <td align="left">T</td>
<td align="left">T</td>
<figure title="Zigbee Example" anchor="zigBeeExample"><artwork><![CDATA[ <td align="left">F</td>
<CODE BEGINS> <td align="left">RW</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
</tbody>
</table>
<t>Legend:</t>
<dl spacing="compact" newline="false">
<dt>Req:</dt><dd>Required</dd>
<dt>T:</dt><dd>True</dd>
<dt>F:</dt><dd>False</dd>
<dt>RW:</dt><dd>ReadWrite</dd>
<dt>Def:</dt><dd>Default</dd>
</dl>
<figure anchor="zigBeeExample">
<name>Zigbee Example</name>
<sourcecode markers="true"><![CDATA[
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device"], "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "Zigbee Heart Monitor", "displayName": "Zigbee Heart Monitor",
"active": true, "active": true,
"urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device" : { "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device" : {
"versionSupport": ["3.0"], "versionSupport": ["3.0"],
"deviceEui64Address": "50:32:5F:FF:FE:E7:67:28" "deviceEui64Address": "50:32:5F:FF:FE:E7:67:28"
}, },
"meta": { "meta": {
"resourceType": "Device", "resourceType": "Device",
"created": "2022-01-23T04:56:22Z", "created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z", "lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"", "version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109 "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109
-8486-d5c6a3316111" -8486-d5c6a3316111"
} }
} }]]></sourcecode>
<CODE ENDS> </figure>
]]></artwork></figure> </section>
</section>
</section> <section anchor="endpointsappext-schema">
</section> <name>The Endpoint Applications Extension Schema</name>
<section anchor="endpointsappext-schema"><name>The Endpoint Applications Extensi <t>Sometimes non-IP devices such as those using BLE or Zigbee require an
on Schema</name> application gateway interface to manage them. SCIM clients <bcp14>MUST NOT</bcp1
4>
<t>Sometimes non-IP devices such as those using BLE or Zigbee require an
application gateway interface to manage them. SCIM clients MUST NOT
specify this to describe native IP-based devices.</t> specify this to describe native IP-based devices.</t>
<t>endpointAppsExt provides the list of applications that connect to
<t>endpointAppsExt provides the list of applications that connect to an enterprise gateway. endpointAppsExt has one multivalued attribute
enterprise gateway. The endpointAppsExt has one multivalued attribute
and two singular attributes. The extension is identified using the and two singular attributes. The extension is identified using the
following schema URI:</t> following schema URI:</t>
<t>urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device</t>
<t>urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device</t> <section anchor="singular-attributes-4">
<name>Singular Attributes</name>
<section anchor="singular-attributes-4"><name>Singular Attributes</name> <dl>
<dt>deviceControlEnterpriseEndpoint:</dt>
<dl> <dd>
<dt>deviceControlEnterpriseEndpoint:</dt> <t>A string representing the URL of the
<dd>
<t>A string representing the URL of the
enterprise endpoint to reach the enterprise gateway. When the enterprise enterprise endpoint to reach the enterprise gateway. When the enterprise
receives the SCIM object from receives the SCIM object from
the onboarding application, it adds this attribute to it and sends it back as the onboarding application, it adds this attribute to it and sends it back as
a response to the onboarding application. This attribute is required, a response to the onboarding application. This attribute is required,
case-sensitive, mutable, and returned by default. The uniqueness is case sensitive, mutable, and returned by default. The uniqueness is
enforced by the enterprise.</t> enforced by the enterprise.</t>
</dd> </dd>
<dt>telemetryEnterpriseEndpoint:</dt> <dt>telemetryEnterpriseEndpoint:</dt>
<dd> <dd>
<t>A string representing a URL of the enterprise endpoint to reach the <t>A string representing a URL of the enterprise endpoint to reach
an enterprise gateway for telemetry. When the enterprise receives the SCIM obje ct from an enterprise gateway for telemetry. When the enterprise receives the SCIM obje ct from
the onboarding application, it adds this attribute to it and sends it back as the onboarding application, it adds this attribute to it and sends it back as
a response to the onboarding application. This attribute is optional, a response to the onboarding application. This attribute is optional,
case-sensitive, mutable, and returned by default. The uniqueness is case sensitive, mutable, and returned by default. The uniqueness is
enforced by the enterprise. An implementation MUST generate an enforced by the enterprise. An implementation <bcp14>MUST</bcp14> generate an
exception if telemetryEnterpriseEndpoint is not returned and telemetry exception if telemetryEnterpriseEndpoint is not returned and telemetry
is required for the proper functioning of a device.</t> is required for the proper functioning of a device.</t>
</dd> </dd>
</dl> </dl>
</section>
</section> <section anchor="multivalued-attribute-1">
<section anchor="multivalued-attribute-1"><name>Multivalued Attribute</name> <name>Multivalued Attribute</name>
<dl>
<dl> <dt>applications:</dt>
<dt>applications:</dt> <dd>
<dd> <t>A multivalued attribute of one or more complex attributes that
<t>A multivalued attribute of one or more complex attributes that represent represent
a list of endpoint applications i.e., deviceControl and telemetry. Each a list of endpoint applications, i.e., deviceControl and telemetry. Each
entry in the list comprises two attributes including "value" and "$ref".</t> entry in the list comprises two attributes including "value" and "$ref".</t>
</dd> </dd>
<dt>value:</dt> <dt>value:</dt>
<dd> <dd>
<t>A string containingthe identifier of the endpoint application formated as <t>A string containing the identifier of the endpoint
UUID. It application formatted as a Universally Unique Identifier
is same as the common attribute "$id" of the resource "endpointApp". (UUID). It is the same as the common attribute "$id" of the resour
It is read/write, required, case insensitive and returned by default.</t> ce
</dd> "endpointApp". It is read/write, required, case insensitive,
<dt>$ref:</dt> and returned by default.</t>
<dd> </dd>
<t>A reference to the respective endpointApp resource object <dt>$ref:</dt>
stored in the SCIM server. It is readOnly, required, case sensitive <dd>
<t>A reference to the respective endpointApp resource object
stored in the SCIM server. It is readOnly, required, case sensitive,
and returned by default.</t> and returned by default.</t>
</dd> </dd>
</dl> </dl>
<table anchor="tabEndpointAppsExt">
<name>Characteristics of EndpointAppsExt Extension Schema Attributes
</name>
<thead>
<tr>
<th align="left">Attribute</th>
<th align="left">Multi Value</th>
<th align="left">Req</th>
<th align="left">Case Exact</th>
<th align="left">Mutable</th>
<th align="left">Return</th>
<th align="left">Unique</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">devContEntEndpoint</td>
<td align="left">F</td>
<td align="left">T</td>
<td align="left">T</td>
<td align="left">R</td>
<td align="left">Def</td>
<td align="left">Ent</td>
</tr>
<tr>
<td align="left">telEntEndpoint</td>
<td align="left">F</td>
<td align="left">F</td>
<td align="left">T</td>
<td align="left">R</td>
<td align="left">Def</td>
<td align="left">Ent</td>
</tr>
<tr>
<td align="left">applications</td>
<td align="left">T</td>
<td align="left">T</td>
<td align="left">F</td>
<td align="left">RW</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
<tr>
<td align="left">value</td>
<td align="left">F</td>
<td align="left">T</td>
<td align="left">F</td>
<td align="left">RW</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
<tr>
<td align="left">$ref</td>
<td align="left">F</td>
<td align="left">T</td>
<td align="left">F</td>
<td align="left">R</td>
<td align="left">Def</td>
<td align="left">None</td>
</tr>
</tbody>
</table>
<texttable title="Characteristics of EndpointAppsExt extension schema <t>Legend:</t>
attributes. DevContEntEndpoint represents attribute <dl spacing="compact" newline="false">
deviceControlEnterpriseEndpoint and telEntEndpoint represents <dt>devContEntEndpoint:</dt><dd>deviceControlEnterpriseEndpoi
telemetryEnterpriseEndpoint. (Req = Required, T = True, F = False, nt</dd>
R = ReadOnly, RW = ReadWrite, Ent = Enterprise, and Def = Default)." anchor="tab <dt>telEntEndpoint:</dt><dd>telemetryEnterpriseEndpoint</dd>
EndpointAppsExt"> <dt>Req:</dt><dd>Required</dd>
<ttcol align='left'>Attribute</ttcol> <dt>T:</dt><dd>True</dd>
<ttcol align='left'>Multi Value</ttcol> <dt>F:</dt><dd>False</dd>
<ttcol align='left'>Req</ttcol> <dt>R:</dt><dd>ReadOnly</dd>
<ttcol align='left'>Case Exact</ttcol> <dt>RW:</dt><dd>ReadWrite</dd>
<ttcol align='left'>Mutable</ttcol> <dt>Ent:</dt><dd>Enterprise</dd>
<ttcol align='left'>Return</ttcol> <dt>Def:</dt><dd>Default</dd>
<ttcol align='left'>Unique</ttcol> </dl>
<c>devContEntEndpoint</c>
<c>F</c>
<c>T</c>
<c>T</c>
<c>R</c>
<c>Def</c>
<c>Ent</c>
<c>telEntEndpoint</c>
<c>F</c>
<c>F</c>
<c>T</c>
<c>R</c>
<c>Def</c>
<c>Ent</c>
<c>applications</c>
<c>T</c>
<c>T</c>
<c>F</c>
<c>RW</c>
<c>Def</c>
<c>None</c>
<c>value</c>
<c>F</c>
<c>T</c>
<c>F</c>
<c>RW</c>
<c>Def</c>
<c>None</c>
<c>$ref</c>
<c>F</c>
<c>T</c>
<c>F</c>
<c>R</c>
<c>Def</c>
<c>None</c>
</texttable>
<figure title="Endpoint Applications Extension Example" anchor="eaExtension"><ar <figure anchor="eaExtension">
twork><![CDATA[ <name>Endpoint Applications Extension Example</name>
<CODE BEGINS> <sourcecode markers="true"><![CDATA[
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device", "urn:ietf:params:scim:schemas:extension:ble:2.0:Device",
"urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0 "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0
:Device"], :Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor", "displayName": "BLE Heart Monitor",
"active": true, "active": true,
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : { "urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : {
"versionSupport": ["5.3"], "versionSupport": ["5.3"],
skipping to change at line 1624 skipping to change at line 2017
://example.com/telemetry_app_endpoint/" ://example.com/telemetry_app_endpoint/"
}, },
"meta": { "meta": {
"resourceType": "Device", "resourceType": "Device",
"created": "2022-01-23T04:56:22Z", "created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z", "lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"", "version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109 "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109
-8486-d5c6a3316111" -8486-d5c6a3316111"
} }
} }]]></sourcecode>
<CODE ENDS> </figure>
]]></artwork></figure> <t>The schema for the endpointAppsExt extension along with BLE extensi
on is
<t>The schema for the endpointAppsExt extension along with BLE extension is
presented in JSON format in <xref target="endpointappsext-extension-schema-json" />, while presented in JSON format in <xref target="endpointappsext-extension-schema-json" />, while
the openAPI representation is provided in <xref target="endpointappsext-extensio the OpenAPI representation is provided in <xref target="endpointappsext-extensio
n-schema-openapi-representation"/>.</t> n-schema-openapi-representation"/>.</t>
</section>
</section> </section>
</section> </section>
</section> <section anchor="security-considerations">
<section anchor="security-considerations"><name>Security Considerations</name> <name>Security Considerations</name>
<t>Because provisioning operations permit device access to a network,
<t>Because provisioning operations permit device access to a network, each SCIM client <bcp14>MUST</bcp14> be appropriately authenticated.</t>
each SCIM client MUST be appropriately authenticated.</t> <section anchor="scim-operations">
<name>SCIM Operations</name>
<section anchor="scim-operations"><name>SCIM operations</name> <t>An attacker that has authenticated to a trusted SCIM client could
<t>An attacker that has authenticated to a trusted SCIM client could
manipulate portions of the SCIM database. To be clear on the risks, manipulate portions of the SCIM database. To be clear on the risks,
we specify each operation below:</t> we specify each operation below.</t>
<section anchor="unauthorized-object-creation">
<section anchor="unauthorized-object-creation"><name>Unauthorized Object Creatio <name>Unauthorized Object Creation</name>
n</name> <t>An attacker that is authenticated could attempt to add
<t>An attacker that is authenticated could attempt to add
elements that the enterprise would not normally permit on a network. elements that the enterprise would not normally permit on a network.
For instance, an enterprise may not wish specific devices that have For instance, an enterprise may not wish specific devices that have
well-known vulnerabilities to be introduced to their environment. well-known vulnerabilities to be introduced to their environment.
To mitigate the attack, network administrators should layer additional To mitigate the attack, network administrators should layer additional
policies regarding what devices are permitted on the network.</t> policies regarding what devices are permitted on the network.</t>
<t>An attacker that gains access to SCIM could attempt to add an IP-ba
<t>An attacker that gains access to SCIM could attempt to add an IP-based sed
device that itself attempts unauthorized access, effectively acting as device that itself attempts unauthorized access, effectively acting as
a Bot. Network administrators SHOULD establish appropriate access-control a bot. Network administrators <bcp14>SHOULD</bcp14> establish appropriate acces s-control
policies that follow the principle of least privilege to mitigate this policies that follow the principle of least privilege to mitigate this
attack.</t> attack.</t>
</section>
</section> </section>
</section> <section anchor="object-deletion">
<section anchor="object-deletion"><name>Object Deletion</name> <name>Object Deletion</name>
<t>Once granted, even if the object is removed, the server may or may no
<t>Once granted, even if the object is removed, the server may or may not t
act on that removal. The deletion of the object is a signal of intent act on that removal. The deletion of the object is a signal of intent
by the application that it no longer expects the device to be on the by the application that it no longer expects the device to be on the
network. It is strictly up to the SCIM server and its back end policy network. It is strictly up to the SCIM server and its back end policy
to decide whether or not to revoke access to the infrastructure. It is to decide whether or not to revoke access to the infrastructure. It is
RECOMMENDED that SCIM delete operations trigger a workflow in accordance <bcp14>RECOMMENDED</bcp14> that SCIM delete operations trigger a workflow in acc ordance
with local network policy.</t> with local network policy.</t>
</section>
</section> <section anchor="read-operations">
<section anchor="read-operations"><name>Read operations</name> <name>Read Operations</name>
<t>Read operations are necessary in order for an application to sync its
<t>Read operations are necessary in order for an application to sync its
state to know what devices it is expected to manage. An attacker with state to know what devices it is expected to manage. An attacker with
access to SCIM objects may gain access to the devices themselves. To access to SCIM objects may gain access to the devices themselves. To
prevent one SCIM client from interfering with devices that it has no prevent one SCIM client from interfering with devices that it has no
business managing, only clients that have created objects or those business managing, only clients that have created objects or those
they authorize SHOULD have the ability to read those objects.</t> they authorize <bcp14>SHOULD</bcp14> have the ability to read those objects.</t>
</section>
</section> <section anchor="update-operations">
<section anchor="update-operations"><name>Update Operations</name> <name>Update Operations</name>
<t>Update operations may be necessary if a device has been modified in
<t>Update operations may be necessary if a device has been modified in
some way. Attackers with update access may be able to disable network some way. Attackers with update access may be able to disable network
access to devices or device access to networks. To avoid this, the access to devices or device access to networks. To avoid this, the
same access control policy for read operations is RECOMMENDED here.</t> same access control policy for read operations is <bcp14>RECOMMENDED</bcp14> her
e.</t>
</section> </section>
<section anchor="higher-level-protection-for-certain-systems"><name>Higher level <section anchor="higher-level-protection-for-certain-systems">
protection for certain systems</name> <name>Higher Level Protection for Certain Systems</name>
<t>Devices provisioned with this model may be completely controlled by
<t>Devices provisioned with this model may be completely controlled by
the administrator of the SCIM server, depending on how those systems the administrator of the SCIM server, depending on how those systems
are defined. For instance, if BLE passkeys are provided, the device are defined. For instance, if BLE passkeys are provided, the device
can be connected to, and perhaps paired with. If the administrator of can be connected to, and perhaps paired with. If the administrator of
the SCIM client does not wish the network to have complete access to the SCIM client does not wish the network to have complete access to
the device, the device itself MUST support finer levels of access the device, the device itself <bcp14>MUST</bcp14> support finer levels of access
control and additional authentication mechanisms. control and additional authentication mechanisms.
Any additional security Any additional security
must be provided at higher application layers. For example, if client must be provided at higher application layers. For example, if client
applications wish to keep private information to and from the device, applications wish to keep private information to and from the device,
they should encrypt that information over-the-top.</t> they should encrypt that information over-the-top.</t>
</section>
</section> <section anchor="logging">
<section anchor="logging"><name>Logging</name> <name>Logging</name>
<t>An attacker could learn what devices are on a network by examining
<t>An attacker could learn what devices are on a network by examining
SCIM logs. Due to the sensitive nature of SCIM operations, logs SCIM logs. Due to the sensitive nature of SCIM operations, logs
SHOULD be encrypted both on the disk and in transit.</t> <bcp14>SHOULD</bcp14> be encrypted both on the disk and in transit.</t>
</section>
</section> </section>
</section> <section anchor="iana-considerations">
<section anchor="iana-considerations"><name>IANA Considerations</name> <name>IANA Considerations</name>
<section anchor="new-schemas">
<section anchor="new-schemas"><name>New Schemas</name>
<t>The IANA is requested to add the following additions to the "SCIM
Schema URIs for Data Resources" registry as follows:</t>
<texttable>
<ttcol align='left'>URN</ttcol>
<ttcol align='left'>Name</ttcol>
<ttcol align='left'>Reference</ttcol>
<c>urn:ietf:params:scim:schemas:core: 2.0:Device</c>
<c>Core Device Schema</c>
<c>This memo, <xref target="scim-core-device-schema"></xref></c>
<c>urn:ietf:params:scim:schemas:core: 2.0:EndpointApp</c>
<c>Endpoint Application</c>
<c>This memo, <xref target="endpointapp-schema"/></c>
</texttable>
<t>Note that the line break in URNs should be removed, as should this comment.</
t>
</section> <!--[rfced] We acknowledge this note included in the IANA Considerations section
<section anchor="device-schema-extensions"><name>Device Schema Extensions</name> :
<t>IANA is requested to create the following extensions in the SCIM Note that the line break in URNs should be removed, as should this
Server-Related Schema URIs registry as described in <xref target="extensions"/>: comment.
</t>
<texttable> However, without the line breaks in the URNs, the tables exceed the 72-character
<ttcol align='left'>URN</ttcol> line limit. We have left the line breaks as is. To keep the URN lines unbroken,
<ttcol align='left'>Description</ttcol> we suggest reformatting to lists rather than tables.
<ttcol align='left'>Resource Type</ttcol>
<ttcol align='left'>Reference</ttcol>
<c>urn:ietf:params:scim: schemas:extension: ble:2.0:Device</c>
<c>BLE Extension</c>
<c>Device</c>
<c>This memo, <xref target="ble-extension"></xref></c>
<c>urn:ietf:params:scim: schemas:extension: ethernet-mab:2.0:Device</c>
<c>Ethernet MAB</c>
<c>Device</c>
<c>This memo, <xref target="ethernet-mab-extension"></xref></c>
<c>urn:ietf:params:scim: schemas:extension: fido-device-onboard:2.0:Device
</c>
<c>FIDO Device Onboard</c>
<c>Device</c>
<c>This memo, <xref target="fido-device-onboard-extension"></xref></c>
<c>urn:ietf:params:scim: schemas:extension: dpp:2.0:Device</c>
<c>Wi-fi Easy Connect</c>
<c>Device</c>
<c>This memo, <xref target="wi-fi-easy-connect-extension"></xref></c>
<c>urn:ietf:params:scim: schemas:extension: endpointAppsExt:2.0:Device</c>
<c>Application Endpoint Extension</c>
<c>Device</c>
<c>This memo, <xref target="ble-pairing-method-extensions"></xref></c>
<c>urn:ietf:params:scim: schemas:extension: pairingJustWorks:2.0:Device</c
>
<c>Just Works Auth BLE</c>
<c>Device</c>
<c>This memo, <xref target="ble-pairing-method-extensions"></xref></c>
<c>urn:ietf:params:scim: schemas:extension: pairingOOB:2.0:Device</c>
<c>Out of Band Pairing for BLE</c>
<c>Device</c>
<c>This memo, <xref target="ble-pairing-method-extensions"></xref></c>
<c>urn:ietf:params:scim: schemas:extension: pairingPassKey:2.0:Device</c>
<c>Passkey Pairing for BLE</c>
<c>Device</c>
<c>This memo, <xref target="ble-pairing-method-extensions"></xref></c>
</texttable>
</section> For example:
</section>
<section anchor="acknowledgments"><name>Acknowledgments</name>
<t>The authors would like to thank Bart Brinckman, Rohit Mohan, Lars URN: urn:iet:params:scim:schemas:extension:fido-device-onboard:2.0:Device
Streubesand, Christian Amsüss, Jason Livingwood, Mike Ounsworth, Monty Description: FIDO Device Onboard
Wiseman, Geoffrey Cooper, Paulo Jorge N. Correia, Phil Hunt, and Elwyn Resource Type: Device
Davies for their reviews, and Nick Ross for his contribution to the Appendix.</t Reference: RFC 9944, Section 7.4
> -->
</section> <name>New Schemas</name>
<t>IANA has added the following additions to the "SCIM
Schema URIs for Data Resources" registry:</t>
<table>
<thead>
<tr>
<th align="left">Schema URI </th>
<th align="left">Name</th>
<th align="left">Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">urn:ietf:params:scim:schemas:core: 2.0:Device</td
>
<td align="left">Core Device Schema</td>
<td align="left">RFC 9944, <xref target="scim-core-device-schema"/
></td>
</tr>
<tr>
<td align="left">urn:ietf:params:scim:schemas:core: 2.0:EndpointAp
p</td>
<td align="left">Endpoint Application</td>
<td align="left">RFC 9944, <xref target="endpointapp-schema"/></td
>
</tr>
</tbody>
</table>
</section>
<section anchor="device-schema-extensions">
<name>Device Schema Extensions</name>
<t>IANA has created the following extensions in the "SCIM
Server-Related Schema URIs" registry as described in <xref target="extensions"/>
:</t>
<table>
<thead>
<tr>
<th align="left">Schema URI</th>
<th align="left">Description</th>
<th align="left">Resource Type</th>
<th align="left">Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">urn:ietf:params:scim: schemas:extension: ble:2.0:
Device</td>
<td align="left">BLE Extension</td>
<td align="left">Device</td>
<td align="left">RFC 9944, <xref target="ble-extension"/></td>
</tr>
<tr>
<td align="left">urn:ietf:params:scim: schemas:extension: ethernet
-mab:2.0:Device</td>
<td align="left">Ethernet MAB</td>
<td align="left">Device</td>
<td align="left">RFC 9944, <xref target="ethernet-mab-extension"/>
</td>
</tr>
<tr>
<td align="left">urn:ietf:params:scim: schemas:extension: fido-dev
ice-onboard:2.0:Device</td>
<td align="left">FIDO Device Onboard</td>
<td align="left">Device</td>
<td align="left">RFC 9944, <xref target="fido-device-onboard-exten
sion"/></td>
</tr>
<tr>
<td align="left">urn:ietf:params:scim: schemas:extension: dpp:2.0:
Device</td>
<td align="left">Wi-Fi Easy Connect</td>
<td align="left">Device</td>
<td align="left">RFC 9944, <xref target="wi-fi-easy-connect-extens
ion"/></td>
</tr>
<tr>
<td align="left">urn:ietf:params:scim: schemas:extension: endpoint
AppsExt:2.0:Device</td>
<td align="left">Application Endpoint Extension</td>
<td align="left">Device</td>
<td align="left">RFC 9944, <xref target="ble-pairing-method-extens
ions"/></td>
</tr>
<tr>
<td align="left">urn:ietf:params:scim: schemas:extension: pairingJ
ustWorks:2.0:Device</td>
<td align="left">Just Works Auth BLE</td>
<td align="left">Device</td>
<td align="left">RFC 9944, <xref target="ble-pairing-method-extens
ions"/></td>
</tr>
<tr>
<td align="left">urn:ietf:params:scim: schemas:extension: pairingO
OB:2.0:Device</td>
<td align="left">Out-of-Band Pairing for BLE</td>
<td align="left">Device</td>
<td align="left">RFC 9944, <xref target="ble-pairing-method-extens
ions"/></td>
</tr>
<tr>
<td align="left">urn:ietf:params:scim: schemas:extension: pairingP
assKey:2.0:Device</td>
<td align="left">Passkey Pairing for BLE</td>
<td align="left">Device</td>
<td align="left">RFC 9944, <xref target="ble-pairing-method-extens
ions"/></td>
</tr>
</tbody>
</table>
</section>
</section>
</middle> </middle>
<back> <back>
<!-- [rfced] [BLE54]: Please review the following questions regarding this refer ence:
<references title='References' anchor="sec-combined-references"> a) We were unable to find "isRandom" mentioned in [BLE54] as seen
below. Should this citation be updated?
<references title='Normative References' anchor="sec-normative-references"> Original:
<reference anchor="BLE54" target="https://www.bluetooth.org/DocMan/handlers/Down isRandom: A boolean flag taken from [BLE54].
loadDoc.ashx?doc_id=587177">
<front>
<title>Bluetooth Core Specification, Version 5.4</title>
<author >
<organization>Bluetooth SIG</organization>
</author>
<date year="2023"/>
</front>
</reference>
<reference anchor="DPP2" >
<front>
<title>Wi-Fi Easy Connect Specification, Version 2.0</title>
<author >
<organization>Wi-Fi Alliance</organization>
</author>
<date year="2020"/>
</front>
</reference>
<reference anchor="ECMA" target="https://ecma-international.org/publications-and
-standards/standards/ecma-262/">
<front>
<title>ECMA-262, 16th Edition</title>
<author >
<organization>ECMA International</organization>
</author>
<date year="2025" month="June"/>
</front>
</reference>
<reference anchor="FDO11" >
<front>
<title>FIDO Device Onboard Specification 1.1</title>
<author >
<organization>FIDO Alliance</organization>
</author>
<date year="2022" month="April"/>
</front>
</reference>
<reference anchor="Zigbee" target="https://zigbeealliance.org/wp-content/uploads
/2019/11/docs-05-3474-21-0csg-zigbee-specification.pdf">
<front>
<title>Zigbee Specification</title>
<author >
<organization>Zigbee Alliance</organization>
</author>
<date year="2015" month="August"/>
</front>
</reference>
&RFC7643;
&RFC7644;
&RFC2119;
&RFC8174;
&RFC8520;
&RFC4648;
&RFC5280;
</references> b) We also note a few instances of "BLE core specifications 5.3" mentioned
throughout this document. However, the Normative References section cites
Version 5.4. Please review and let us know if/how to update accordingly.
<references title='Informative References' anchor="sec-informative-reference s"> For example:
<reference anchor="JSONSchema" target="https://json-schema.org/draft/2020-12/jso "description": "The isRandom flag is taken from the BLE
n-schema-core"> core specifications 5.3. If TRUE, device is using a
<front> random address. Default value is false.",
<title>JSON Schema- A Media Type for Describing JSON Documents</title>
<author initials="A." surname="Wright" fullname="Austin Wright" role="editor
">
<organization></organization>
</author>
<author initials="H. A." surname="Andrews" fullname="Henry Andrews" role="ed
itor">
<organization></organization>
</author>
<author initials="B." surname="Hutton" fullname="Ben Hutton" role="editor">
<organization>Postman</organization>
</author>
<author initials="G." surname="Dennis" fullname="Greg Dennis">
<organization></organization>
</author>
<date year="2022" month="December"/>
</front>
</reference>
<reference anchor="OpenAPI" target="https://swagger.io/specification/">
<front>
<title>OpenAPI Specification, Version 3.1.1</title>
<author >
<organization>swagger.io</organization>
</author>
<date year="2024" month="October"/>
</front>
</reference>
&RFC6241;
&RFC8040;
&RFC7950;
&RFC8995;
&I-D.ietf-asdf-nipc;
&I-D.brinckman-nipc;
</references> c) Please review our updates to the text below. There are multiple volumes in
[BLE54]; it appears Section 5.4.5 is referring to Volume 1, Part A, Section
5.4.5 of [BLE54]. Is this the correct section?
</references> Original:
<?line 1364?> For more information about the use of the IRK, see Section 5.4.5 of
[BLE54].
<section anchor="changes-from-earlier-versions"><name>Changes from Earlier Versi Current:
ons</name>
<t>[RFC Editor to remove this section.]</t>
<t>Draft 17:</t> For more information about the use of the IRK, see Volume 1, Part A,
Section 5.4.5 of [BLE54].
<t><list style="symbols"> -->
<t>Fix example.</t> <!-- [rfced] References:
</list></t>
<t>Draft 16:</t> a) We note that [draft-brinckman-nipc] was replaced by [draft-ietf-asdf-nipc].
Should these remain as two separate references? Or, would you like to remove
the citation to [draft-brinckman-nipc] and only keep the
reference to [draft-ietf-asdf-nipc]?
<t><list style="symbols"> b) [JSONSchema] also exists as an Internet-Draft:
<t>More DISCUSS resolution: make clear that JSON Schema is not normative</t> https://datatracker.ietf.org/doc/draft-bhutton-json-schema/.
<t>Add reference for ECMA for regex</t>
<t>lots of typo/spelling error cleanup</t>
<t>Add figure labels for examples</t>
<t>fix an aasvg rendering problem</t>
<t>add some reference targets.</t>
<t>Elwyn Davies review suggestions.</t>
</list></t>
<t>Drafts 17: May we update this reference to point to the Internet-Draft?
* Post DISCUSS hiccup with groups.
* Add OpenAPI header
* multivalues-&gt;multivalued
* externalID-&gt;externalId
* remove nullable (wasn't doing anything)
* Update appropriate json schema and openapi accordingly.</t>
<t>Drafts 14, 15, 16: c) We were unable to find Version 2.0 of [DPP2] "Wi-Fi Easy Connect
* Resolve DISCUSSes</t> Specification". We did find Version 3.0 from 2022:
https://www.wi-fi.org/system/files/Wi-Fi_Easy_Connect_Specification_v3.0.pdf.
<t>Draft 13: Should we update this reference to point to Version 3.0 of the "Wi-Fi
* post IANA and IETF LC</t> Easy Connect Specification"?
<t>Drafts 10-12: Current:
* additional WGLC and shepherd comments</t>
<t>Draft -09: [DPP2] Wi-Fi Alliance, "Wi-Fi Easy Connect Specification",
* last call comments, bump BLE version, add acknowledgments. Version 2.0, 2020.
* Also, recapture Rohit comments and those of Christian.</t>
<t>Drafts 04-08: Perhaps:
* Lots of cleanup [DPP3] Wi-Fi Alliance, "Wi-Fi Easy Connect Specification",
* Security review responses Version 3.0, 2020, <https://www.wi-fi.org/system/files/Wi-
* Removal of a tab Fi_Easy_Connect_Specification_v3.0.pdf>.
* Dealing with certificate stuff</t>
<t>Draft -03: -->
* Add MAB, FDO
* Some grammar improvements
* fold OpenAPI
* IANA considerations</t>
<t>Draft -02: <displayreference target="I-D.brinckman-nipc" to="NIPC"/>
* Clean up examples <displayreference target="I-D.ietf-asdf-nipc" to="NIPC-API"/>
* Move openapi to appendix
Draft -01:</t>
<t><list style="symbols"> <references anchor="sec-combined-references">
<t>Doh! We forgot the core device scheme!</t> <name>References</name>
</list></t> <references anchor="sec-normative-references">
<name>Normative References</name>
<t>Draft -00:</t> <reference anchor="BLE54" target="https://www.bluetooth.org/DocMan/handl
ers/DownloadDoc.ashx?doc_id=587177">
<front>
<title>Bluetooth Core Specification</title>
<author>
<organization>Bluetooth SIG</organization>
</author>
<date year="2023"/>
</front>
<refcontent>Version 5.4</refcontent>
</reference>
<t><list style="symbols"> <reference anchor="DPP2">
<t>Initial revision</t> <front>
</list></t> <title>Wi-Fi Easy Connect Specification</title>
<author>
<organization>Wi-Fi Alliance</organization>
</author>
<date year="2020"/>
</front>
<refcontent>Version 2.0</refcontent>
</reference>
<!-- Note to PE: XML for possible update to [DPP2]
<reference anchor="DPP2" target="https://www.wi-fi.org/system/files/Wi-F
i_Easy_Connect_Specification_v3.0.pdf">
<front>
<title>Wi-Fi Easy Connect Specification</title>
<author>
<organization>Wi-Fi Alliance</organization>
</author>
<date year="2020"/>
</front>
<refcontent>Version 3.0</refcontent>
</reference>
-->
<reference anchor="ECMA" target="https://ecma-international.org/publicat
ions-and-standards/standards/ecma-262/">
<front>
<title>ECMAScript(R) 2025 Language Specification</title>
<author>
<organization>ECMA International</organization>
</author>
<date year="2025" month="June"/>
</front>
<refcontent>ECMA-262, 16th Edition</refcontent>
</reference>
<reference anchor="FDO11" target="https://fidoalliance.org/specs/FDO/FID
O-Device-Onboard-PS-v1.1-20220419/FIDO-Device-Onboard-PS-v1.1-20220419.html">
<front>
<title>FIDO Device Onboard Specification 1.1</title>
<author>
<organization>FIDO Alliance</organization>
</author>
<date year="2022" month="April"/>
</front>
<refcontent>Proposed Standard</refcontent>
</reference>
<reference anchor="Zigbee" target="https://zigbeealliance.org/wp-content
/uploads/2019/11/docs-05-3474-21-0csg-zigbee-specification.pdf">
<front>
<title>Zigbee Specification</title>
<author>
<organization>Zigbee Alliance</organization>
</author>
<date year="2015" month="August"/>
</front>
<refcontent>ZigBee Document 05-3474-21</refcontent>
</reference>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
643.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
644.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
119.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
174.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
520.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
648.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
280.xml"/>
</references>
<references anchor="sec-informative-references">
<name>Informative References</name>
</section> <reference anchor="JSONSchema" target="https://json-schema.org/draft/202
<section anchor="json-schema-representation"><name>JSON Schema Representation</n 0-12/json-schema-core">
ame> <front>
<title>JSON Schema- A Media Type for Describing JSON Documents</titl
e>
<author initials="A." surname="Wright" fullname="Austin Wright" role
="editor">
<organization/>
</author>
<author initials="H. A." surname="Andrews" fullname="Henry Andrews"
role="editor">
<organization/>
</author>
<author initials="B." surname="Hutton" fullname="Ben Hutton" role="e
ditor">
<organization>Postman</organization>
</author>
<author initials="G." surname="Dennis" fullname="Greg Dennis">
<organization/>
</author>
<date year="2022" month="December"/>
</front>
</reference>
<reference anchor="OpenAPI" target="https://swagger.io/specification/">
<front>
<title>OpenAPI Specification</title>
<author>
<organization>Swagger</organization>
</author>
<date year="2024" month="October"/>
</front>
<refcontent>Version 3.1.1</refcontent>
</reference>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
241.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
040.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
950.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
995.xml"/>
<!--
draft-brinckman-nipc-01
IESG State: Replaced by draft-ietf-asdf-nipc -->
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
ietf-asdf-nipc.xml"/>
<section anchor="resource-schema"><name>Resource Schema</name> <!--
draft-ietf-asdf-nipc-14
IESG State: I-D Exists as of 11/26/25
-->
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
brinckman-nipc.xml"/>
</references>
</references>
<figure><artwork><![CDATA[ <section anchor="json-schema-representation">
<CODE BEGINS> <name>JSON Schema Representation</name>
<section anchor="resource-schema">
<name>Resource Schema</name>
<sourcecode markers="true"><![CDATA[
[ [
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0 "schemas": ["urn:ietf:params:scim:schemas:core:2.0
:ResourceType"], :ResourceType"],
"id": "Device", "id": "Device",
"name": "Device", "name": "Device",
"endpoint": "/Devices", "endpoint": "/Devices",
"description": "Device Account", "description": "Device account.",
"schema": "urn:ietf:params:scim:schemas:core:2.0:Device", "schema": "urn:ietf:params:scim:schemas:core:2.0:Device",
"meta": { "meta": {
"location": "https://example.com/v2/ResourceTypes/Device", "location": "https://example.com/v2/ResourceTypes/Device",
"resourceType": "ResourceType" "resourceType": "ResourceType"
} }
}, },
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0 "schemas": ["urn:ietf:params:scim:schemas:core:2.0
:ResourceType"], :ResourceType"],
"id": "EndpointApp", "id": "EndpointApp",
skipping to change at line 2002 skipping to change at line 2437
"endpoint": "/EndpointApp", "endpoint": "/EndpointApp",
"description": "Endpoint application such as device control and "description": "Endpoint application such as device control and
telemetry.", telemetry.",
"schema": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp", "schema": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp",
"meta": { "meta": {
"location": "https "location": "https
://example.com/v2/ResourceTypes/EndpointApp", ://example.com/v2/ResourceTypes/EndpointApp",
"resourceType": "ResourceType" "resourceType": "ResourceType"
} }
} }
] ]]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="device-schema-json">
<name>Core Device Schema</name>
</section> <sourcecode markers="true"><![CDATA[
<section anchor="device-schema-json"><name>Core Device Schema</name>
<figure><artwork><![CDATA[
<CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:core:2.0:Device", "id": "urn:ietf:params:scim:schemas:core:2.0:Device",
"name": "Device", "name": "Device",
"description": "Entry containing attributes about a device", "description": "Entry containing attributes about a device.",
"attributes" : [ "attributes" : [
{ {
"name": "displayName", "name": "displayName",
"type": "string", "type": "string",
"description": "Human readable name of the device, suitable "description": "Human-readable name of the device, suitable
for displaying to end-users. For example, 'BLE Heart for displaying to end users, for example, 'BLE Heart
Monitor' etc.", Monitor', etc.",
"multiValued": false, "multiValued": false,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "active", "name": "active",
"type": "boolean", "type": "boolean",
"description": "A mutable boolean value indicating the device "description": "A mutable boolean value indicating the device
administrative status. If set TRUE, the commands (such as administrative status. If set TRUE, the commands (such as
connect, disconnect, subscribe) that control app sends to connect, disconnect, subscribe) that control app sends to
the controller for the devices will be processeed by the the controller for the devices will be processed by the
controller. If set FALSE, any command comming from the controller. If set FALSE, any command coming from the
control app for the device will be rejected by the control app for the device will be rejected by the
controller.", controller.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
skipping to change at line 2097 skipping to change at line 2528
"caseExact": false, "caseExact": false,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "display", "name": "display",
"type": "string", "type": "string",
"multiValued": false, "multiValued": false,
"description": "A human-readable name, primarily used for "description": "A human-readable name, primarily used for
display purposes. READ-ONLY.", display purposes. READ ONLY.",
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "type", "name": "type",
"type": "string", "type": "string",
"multiValued": false, "multiValued": false,
skipping to change at line 2130 skipping to change at line 2561
], ],
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default" "returned": "default"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "location" :
"/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device" "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device"
} }
} }]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="endpointapp-schema-json">
<name>EndpointApp Schema</name>
</section> <sourcecode markers="true"><![CDATA[
<section anchor="endpointapp-schema-json"><name>EndpointApp Schema</name>
<figure><artwork><![CDATA[
<CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp", "id": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp",
"name": "EndpointApp", "name": "EndpointApp",
"description": "Endpoint application and their credentials", "description": "Endpoint application and their credentials.",
"attributes" : [ "attributes" : [
{ {
"name": "applicationType", "name": "applicationType",
"type": "string", "type": "string",
"description": "This attribute will only contain two values; "description": "This attribute will only contain two values:
'deviceControl' or 'telemetry'.", 'deviceControl' or 'telemetry'.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "applicationName", "name": "applicationName",
"type": "string", "type": "string",
"description": "Human readable name of the application.", "description": "Human-readable name of the application.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "certificateInfo", "name": "certificateInfo",
"type": "complex", "type": "complex",
"description": "Contains x509 certificate's subject name and "description": "Contains X.509 certificate's subject name and
root CA information associated with the device control or root CA information associated with the device control or
telemetry app.", telemetry app.",
"multiValued": false, "multiValued": false,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none", "uniqueness": "none",
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "rootCA", "name" : "rootCA",
"type" : "string", "type" : "string",
"description" : "The base64 encoding of the DER encoding "description" : "The base64 encoding of the DER encoding
of the CA certificate", of the CA certificate.",
"multiValued" : false, "multiValued" : false,
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "subjectName", "name" : "subjectName",
"type" : "string", "type" : "string",
"description" : "A Common Name (CN) of the form of CN = "description" : "A Common Name (CN) of the form of CN =
dnsName", dnsName.",
"multiValued" : false, "multiValued" : false,
"required" : true, "required" : true,
"caseExact" : true, "caseExact" : true,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
] ]
}, },
{ {
skipping to change at line 2260 skipping to change at line 2687
"caseExact": false, "caseExact": false,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "display", "name": "display",
"type": "string", "type": "string",
"multiValued": false, "multiValued": false,
"description": "A human-readable name, primarily used for "description": "A human-readable name, primarily used for
display purposes. READ-ONLY.", display purposes. READ ONLY.",
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "type", "name": "type",
"type": "string", "type": "string",
"multiValued": false, "multiValued": false,
skipping to change at line 2293 skipping to change at line 2720
], ],
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default" "returned": "default"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "location" :
"/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device" "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device"
} }
} }]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="ble-extension-schema-json">
<name>BLE Extension Schema</name>
</section> <sourcecode markers="true"><![CDATA[
<section anchor="ble-extension-schema-json"><name>BLE Extension Schema</name>
<figure><artwork><![CDATA[
<CODE BEGINS>
[ [
{ {
"id": "urn:ietf:params:scim:schemas:extension:ble:2.0:Device", "id": "urn:ietf:params:scim:schemas:extension:ble:2.0:Device",
"name": "bleExtension", "name": "bleExtension",
"description": "Ble extension for device account", "description": "BLE extension for device account.",
"attributes" : [ "attributes" : [
{ {
"name": "versionSupport", "name": "versionSupport",
"type": "string", "type": "string",
"description": "Provides a list of all the BLE versions "description": "Provides a list of all the BLE versions
supported by the device. For example, [4.1, 4.2, 5.0, supported by the device, for example, [4.1, 4.2, 5.0,
5.1, 5.2, 5.3].", 5.1, 5.2, 5.3].",
"multiValued": true, "multiValued": true,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "deviceMacAddress", "name": "deviceMacAddress",
skipping to change at line 2352 skipping to change at line 2776
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "separateBroadcastAddress", "name": "separateBroadcastAddress",
"type": "string", "type": "string",
"description": "When present, this address is used for "description": "When present, this address is used for
broadcasts/advertisements. This value MUST NOT be set broadcasts/advertisements. This value MUST NOT be set
when an IRK is provided. Its form is the same as when an IRK is provided. Its form is the same as
deviceMa`cAddress.", deviceMacAddress.",
"multiValued": true, "multiValued": true,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "irk", "name": "irk",
"type": "string", "type": "string",
"description": "Identity resolving key, which is unique for "description": "Identity Resolving Key (IRK), which is
every device. It is used to resolve random address. unique for every device. It is used to resolve a
This value MUST NOT be set when random address. This value MUST NOT be set when
separateBroadcastAddress is set.", separateBroadcastAddress is set.",
"multiValued": false, "multiValued": false,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "Manufacturer" "uniqueness": "Manufacturer"
}, },
{ {
"name": "mobility", "name": "mobility",
"type": "bool", "type": "bool",
"description": "If set to True, the BLE device will "description": "If set to True, the BLE device will
automatically connect to the closest AP. For example, automatically connect to the closest AP. For example,
BLE device is connected with AP-1 and moves out of if a BLE device is connected with AP-1 and moves out of
range but comes in range of AP-2, it will be range but comes in range of AP-2, it will be
disconnected with AP-1 and connects with AP-2.", disconnected with AP-1 and connected with AP-2.",
"multiValued": false, "multiValued": false,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "pairingMethods", "name": "pairingMethods",
"type": "string", "type": "string",
"description": "List of pairing methods associated with the "description": "List of pairing methods associated with the
ble device, stored as schema URI.", BLE device, stored as schema URI.",
"multiValued": true, "multiValued": true,
"required": true, "required": true,
"caseExact": true, "caseExact": true,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:ble:2.0:Device" :extension:ble:2.0:Device"
} }
}, },
{ {
"id": "urn:ietf:params:scim:schemas:extension:pairingNull:2.0 "id": "urn:ietf:params:scim:schemas:extension:pairingNull:2.0
:Device", :Device",
"name": "nullPairing", "name": "nullPairing",
"description": "Null pairing method for ble. It is included for "description": "Null pairing method for BLE. It is included for
the devices that do not have a pairing method.", the devices that do not have a pairing method.",
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:pairingNull:2.0:Device" :extension:pairingNull:2.0:Device"
} }
}, },
{ {
"id": "urn:ietf:params:scim:schemas:extension:pairingJustWorks "id": "urn:ietf:params:scim:schemas:extension:pairingJustWorks
:2.0:Device", :2.0:Device",
"name": "pairingJustWorks", "name": "pairingJustWorks",
"description": "Just works pairing method for ble.", "description": "Just Works pairing method for BLE.",
"attributes" : [ "attributes" : [
{ {
"name": "key", "name": "key",
"type": "integer", "type": "integer",
"description": "Just works does not have any key value. For "description": "Just Works does not have any key value. For
completeness, it is added with a key value 'null'.", completeness, it is added with a key value 'null'.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "immutable", "mutability": "immutable",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:pairingJustWorks:2.0:Device" :extension:pairingJustWorks:2.0:Device"
} }
}, },
{ {
"id": "urn:ietf:params:scim:schemas:extension:pairingPassKey "id": "urn:ietf:params:scim:schemas:extension:pairingPassKey
:2.0:Device", :2.0:Device",
"name": "pairingPassKey", "name": "pairingPassKey",
"description": "Pass key pairing method for ble.", "description": "Passkey pairing method for BLE.",
"attributes" : [ "attributes" : [
{ {
"name": "key", "name": "key",
"type": "integer", "type": "integer",
"description": "A six digit passkey for ble device. The "description": "A six-digit passkey for BLE device. The
pattern of key is ^[0-9]{6}$.", pattern of key is ^[0-9]{6}$.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:pairingPassKey:2.0:Device" :extension:pairingPassKey:2.0:Device"
} }
}, },
{ {
"id": "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0 "id": "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0
:Device", :Device",
"name": "pairingOOB", "name": "pairingOOB",
"description": "Pass key pairing method for ble.", "description": "Passkey pairing method for BLE.",
"attributes" : [ "attributes" : [
{ {
"name": "key", "name": "key",
"type": "string", "type": "string",
"description": "A key value retrieved from out of band "description": "A key value retrieved from out-of-band
source such as NFC.", source such as NFC.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": true, "caseExact": true,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "randomNumber", "name": "randomNumber",
skipping to change at line 2518 skipping to change at line 2942
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:pairingOOB:2.0:Device" :extension:pairingOOB:2.0:Device"
} }
} }
] ]]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="dpp-extension-schema-json">
<name>DPP Extension Schema</name>
</section> <sourcecode markers="true"><![CDATA[
<section anchor="dpp-extension-schema-json"><name>DPP Extension Schema</name>
<figure><artwork><![CDATA[
<CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device", "id": "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device",
"name": "dppExtension", "name": "dppExtension",
"description": "Device extension schema for Wi-Fi Easy Connect "description": "Device extension schema for Wi-Fi Easy Connect
/ Device Provisioning Protocol (DPP)", / Device Provisioning Protocol (DPP).",
"attributes" : [ "attributes" : [
{ {
"name": "dppVersion", "name": "dppVersion",
"type": "integer", "type": "integer",
"description": "Version of DPP this device supports.", "description": "Version of DPP this device supports.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "bootstrappingMethod", "name": "bootstrappingMethod",
"type": "string", "type": "string",
"description": "The list of all the bootstrapping methods "description": "The list of all the bootstrapping methods
available on the enrollee device. For example, [QR, available on the enrollee device, for example, [QR,
NFC].", NFC].",
"multiValued": true, "multiValued": true,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "bootstrapKey", "name": "bootstrapKey",
"type": "string", "type": "string",
"description": "A base64-encoded Elliptic-Curve Diffie "description": "A base64-encoded Elliptic Curve Diffie-
-Hellman public key (may be P-256, P-384, or P-521).", Hellman public key (may be P-256, P-384, or P-521).",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": true, "caseExact": true,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "deviceMacAddress", "name": "deviceMacAddress",
"type": "string", "type": "string",
skipping to change at line 2586 skipping to change at line 3007
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "Manufacturer" "uniqueness": "Manufacturer"
}, },
{ {
"name": "classChannel", "name": "classChannel",
"type": "string", "type": "string",
"description": "A list of global operating class and "description": "A list of global operating class and
channel shared as bootstrapping information. It is channel shared as bootstrapping information. It is
formatted as class/channel. For example, '81/1', formatted as class/channel, for example, '81/1',
'115/36'.", '115/36'.",
"multiValued": true, "multiValued": true,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "serialNumber", "name": "serialNumber",
skipping to change at line 2614 skipping to change at line 3035
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:dpp:2.0:Device" :extension:dpp:2.0:Device"
} }
} }]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="ethernet-mab-extension-schema-json">
<name>Ethernet MAB Extension Schema</name>
</section> <sourcecode markers="true"><![CDATA[
<section anchor="ethernet-mab-extension-schema-json"><name>Ethernet MAB Extensio
n Schema</name>
<figure><artwork><![CDATA[
<CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0 "id": "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0
:Device", :Device",
"name": "ethernetMabExtension", "name": "ethernetMabExtension",
"description": "Device extension schema for MAC authentication "description": "Device extension schema for MAC Authentication
Bypass.", Bypass.",
"attributes" : [ "attributes" : [
{ {
"name": "deviceMacAddress", "name": "deviceMacAddress",
"type": "string", "type": "string",
"pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$", "pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$",
"description": "A MAC address assigned by the manufacturer", "description": "A MAC address assigned by the manufacturer.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "Manufacturer" "uniqueness": "Manufacturer"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:ethernet-mab:2.0:Device" :extension:ethernet-mab:2.0:Device"
} }
} }]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="fdo-extension-schema-json">
<name>FDO Extension Schema</name>
</section> <sourcecode markers="true"><![CDATA[
<section anchor="fdo-extension-schema-json"><name>FDO Extension Schema</name>
<figure><artwork><![CDATA[
<CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:extension:fido-device-onboard "id": "urn:ietf:params:scim:schemas:extension:fido-device-onboard
:2.0:Devices", :2.0:Devices",
"name": "FDOExtension", "name": "FDOExtension",
"description": "Device extension schema for FIDO Device Onboard "description": "Device extension schema for FIDO Device Onboard
(FDO).", (FDO).",
"attributes" : [ "attributes" : [
{ {
"name": "fdoVoucher", "name": "fdoVoucher",
"type": "string", "type": "string",
"description": "A voucher as defined in the FDO "description": "A voucher as defined in the FDO
specification", specification.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "Manufacturer" "uniqueness": "Manufacturer"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:fido-device-onboard:2.0:Devices" :extension:fido-device-onboard:2.0:Devices"
} }
} }]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="zigbee-extension-schema-json">
<name>Zigbee Extension Schema</name>
</section> <sourcecode markers="true"><![CDATA[
<section anchor="zigbee-extension-schema-json"><name>Zigbee Extension Schema</na
me>
<figure><artwork><![CDATA[
<CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device", "id": "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device",
"name": "zigbeeExtension", "name": "zigbeeExtension",
"description": "Device extension schema for zigbee.", "description": "Device extension schema for Zigbee.",
"attributes" : [ "attributes" : [
{ {
"name": "versionSupport", "name": "versionSupport",
"type": "string", "type": "string",
"description": "Provides a list of all the zigbee versions "description": "Provides a list of all the Zigbee versions
supported by the device. For example, [3.0].", supported by the device, for example,
[3.0].",
"multiValued": true, "multiValued": true,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "deviceEui64Address", "name": "deviceEui64Address",
"type": "string", "type": "string",
"pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){7}$", "pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){7}$",
"description": "The EUI-64 (Extended Unique Identifier) "description": "The 64-bit Extended Unique Identifier (EUI-64)
device address.", device address.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:zigbee:2.0:Device" :extension:zigbee:2.0:Device"
} }
} }]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="endpointappsext-extension-schema-json">
<name>EndpointAppsExt Extension Schema</name>
</section> <sourcecode markers="true"><![CDATA[
<section anchor="endpointappsext-extension-schema-json"><name>EndpointAppsExt Ex
tension Schema</name>
<figure><artwork><![CDATA[
<CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0 "id": "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0
:Device", :Device",
"name": "endpointAppsExt", "name": "endpointAppsExt",
"description": "Extension for partner endpoint applications that "description": "Extension for partner endpoint applications that
can onboard, control, and communicate with the device.", can onboard, control, and communicate with the device.",
"attributes" : [ "attributes" : [
{ {
"name": "applications", "name": "applications",
"type": "complex", "type": "complex",
"description": "Includes references to two types of "description": "Includes references to two types of
application that connect with entrprise, i.e., applications that connect with enterprise, i.e.,
deviceControl and telemetry.", deviceControl and telemetry.",
"multiValued": true, "multiValued": true,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none", "uniqueness": "none",
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
skipping to change at line 2768 skipping to change at line 3178
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "$ref", "name" : "$ref",
"type" : "reference", "type" : "reference",
"referenceTypes" : "EndpointApps", "referenceTypes" : "EndpointApps",
"description" : "The URI of the corresponding "description" : "The URI of the corresponding
'EndpointApp' resource which will control or obtain 'EndpointApp' resource that will control or obtain
data from the device.", data from the device.",
"multiValued" : false, "multiValued" : false,
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
] ]
}, },
{ {
"name": "deviceControlEnterpriseEndpoint", "name": "deviceControlEnterpriseEndpoint",
"type": "reference", "type": "reference",
"description": "The URL of the enterprise endpoint which "description": "The URL of the enterprise endpoint that
device control apps use to reach enterprise network device control apps use to reach enterprise network
gateway.", gateway.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": true, "caseExact": true,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "Enterprise" "uniqueness": "Enterprise"
}, },
{ {
"name": "telemetryEnterpriseEndpoint", "name": "telemetryEnterpriseEndpoint",
"type": "reference", "type": "reference",
"description": "The URL of the enterprise endpoint which "description": "The URL of the enterprise endpoint that
telemetry apps use to reach enterprise network gateway.", telemetry apps use to reach enterprise network gateway.",
"multiValued": false, "multiValued": false,
"required": false, "required": false,
"caseExact": true, "caseExact": true,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "Enterprise" "uniqueness": "Enterprise"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:endpointAppsExt:2.0:Device" :extension:endpointAppsExt:2.0:Device"
} }
} }]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> </section>
<section anchor="openapi-representation">
</section> <name>OpenAPI Representation</name>
</section> <t>The following sections are provided for informational purposes.</t>
<section anchor="openapi-representation"><name>OpenAPI representation</name> <section anchor="device-schema-openapi-representation">
<name>Core Device Schema OpenAPI Representation</name>
<t>The following sections are provided for informational purposes.</t> <t>OpenAPI representation of core device schema is as follows:</t>
<sourcecode markers="true"><![CDATA[
<section anchor="device-schema-openapi-representation"><name>Core Device Schema
OpenAPI Representation</name>
<t>OpenAPI representation of core device schema is as follows:</t>
<figure><artwork><![CDATA[
<CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM Device Schema title: SCIM Device Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
Group: Group:
type: object type: object
description: A list of groups to which the device belongs, description: A list of groups to which the device belongs,
either through direct membership, through nested either through direct membership, through nested
groups, or dynamically calculated. groups, or dynamically calculated.
properties: properties:
value: value:
type: string type: string
description: the unique identifier of a group, description: The unique identifier of a group,
typically a UUID. typically a UUID.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
display: display:
type: string type: string
description: a display string for the group. description: A display string for the group.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
$ref: $ref:
type: string type: string
format: uri format: uri
description: reference to the group object description: Reference to the group object.
readOnly: true readOnly: true
writeOnly: true writeOnly: true
Device: Device:
description: Entry containing attributes about a device description: Entry containing attributes about a device.
type: object type: object
properties: properties:
displayName: displayName:
type: string type: string
description: "Human readable name of the device, suitable description: "Human-readable name of the device, suitable
for displaying to end-users. For example, for displaying to end users, for example,
'BLE Heart Monitor' etc." 'BLE Heart Monitor' etc."
readOnly: false readOnly: false
writeOnly: false writeOnly: false
active: active:
type: boolean type: boolean
description: A mutable boolean value indicating the device description: A mutable boolean value indicating the device
administrative status. If set TRUE, the administrative status. If set TRUE, the
commands (such as connect, disconnect, commands (such as connect, disconnect,
subscribe) that control app sends to the subscribe) that control app sends to the
controller for the devices will be processeed controller for the devices will be processed
by the controller. If set FALSE, any command by the controller. If set FALSE, any command
comming from the control app for the device coming from the control app for the device
will be rejected by the controller. will be rejected by the controller.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
mudUrl: mudUrl:
type: string type: string
format: uri format: uri
description: A URL to MUD file of the device (RFC 8520). description: A URL to MUD file of the device (RFC 8520).
It It is added for future use. Current usage is
is added for future use. Current usage is not not defined yet.
defined yet.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
groups: groups:
type: array type: array
description: list of groups device belongs to description: List of groups to which a device belongs to.
items: items:
$ref: '#/components/schemas/Group' $ref: '#/components/schemas/Group'
required: required:
- active - active
additionalProperties: false additionalProperties: false
allOf: allOf:
- $ref: '#/components/schemas/CommonAttributes' - $ref: '#/components/schemas/CommonAttributes'
CommonAttributes: CommonAttributes:
type: object type: object
skipping to change at line 2918 skipping to change at line 3321
description: The list of schemas that define the resource. description: The list of schemas that define the resource.
id: id:
type: string type: string
format: uri format: uri
description: The unique identifier for a resource. description: The unique identifier for a resource.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
externalId: externalId:
type: string type: string
description: An identifier for the resource that is description: An identifier for the resource that is
defined defined by the provisioning client.
by the provisioning client.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
meta: meta:
type: object type: object
readOnly: true readOnly: true
properties: properties:
resourceType: resourceType:
type: string type: string
description: The name of the resource type of the description: The name of the resource type of the
resource. resource.
skipping to change at line 2958 skipping to change at line 3360
description: The most recent date and time that the description: The most recent date and time that the
details of this resource were updated at details of this resource were updated at
the service provider. the service provider.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
version: version:
type: string type: string
description: The version of the resource. description: The version of the resource.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
additionalProperties: false additionalProperties: false]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="endpointapp-schema-openapi-representation">
<name>EndpointApp Schema OpenAPI Representation</name>
</section> <t>OpenAPI representation of endpointApp schema is as follows:</t>
<section anchor="endpointapp-schema-openapi-representation"><name>EndpointApp Sc <sourcecode markers="true"><![CDATA[
hema OpenAPI Representation</name>
<t>OpenAPI representation of endpointApp schema is as follows:</t>
<figure><artwork><![CDATA[
<CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM endpoint app schema title: SCIM Endpoint App Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
Group: Group:
type: object type: object
description: A list of groups to which the endpoint description: A list of groups to which the endpoint
application belongs, either through application belongs, either through
direct membership, through nested direct membership, through nested
groups, or dynamically calculated. groups, or dynamically calculated.
properties: properties:
value: value:
type: string type: string
description: the unique identifier of a group, description: The unique identifier of a group,
typically a UUID. typically a UUID.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
display: display:
type: string type: string
description: a display string for the group. description: A display string for the group.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
$ref: $ref:
type: string type: string
format: uri format: uri
description: reference to the group object description: Reference to the group object.
readOnly: true readOnly: true
writeOnly: true writeOnly: true
EndpointApp: EndpointApp:
title: EndpointApp title: EndpointApp
description: Endpoint application resource description: Endpoint application resource.
type: object type: object
properties: properties:
applicationType: applicationType:
type: string type: string
description: This attribute will only contain two values; description: This attribute will only contain two values:
'deviceControl' or 'telemetry'. 'deviceControl' or 'telemetry'.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
applicationName: applicationName:
type: string type: string
description: Human readable name of the application. description: Human-readable name of the application.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
groups: groups:
type: array type: array
description: list of groups to which the endpointApp description: List of groups to which the endpointApp
belongs. belongs.
items: items:
$ref: '#/components/schemas/Group' $ref: '#/components/schemas/Group'
required: required:
- applicationType - applicationType
- applicationName - applicationName
additionalProperties: true additionalProperties: true
oneOf: oneOf:
skipping to change at line 3045 skipping to change at line 3443
clientToken: clientToken:
type: string type: string
description: "This attribute contains a token that the client description: "This attribute contains a token that the client
will use to authenticate itself. Each token may will use to authenticate itself. Each token may
be a string up to 500 characters in length." be a string up to 500 characters in length."
readOnly: true readOnly: true
writeOnly: false writeOnly: false
certificateInfo: certificateInfo:
type: object type: object
description: "Contains x509 certificate's subject name and description: "Contains X.509 certificate's subject name and
root CA information associated with the device root CA information associated with the device
control or telemetry app." control or telemetry app."
properties: properties:
rootCA: rootCA:
type: string type: string
description: "The base64 encoding of a trust anchor description: "The base64 encoding of a trust anchor
certificate,as per RFC 4648 Section 4." certificate, as per RFC 4648, Section 4."
readOnly: false readOnly: false
writeOnly: false writeOnly: false
subjectName: subjectName:
type: string type: string
description: "Also known as the Common Name (CN), the description: "Also known as the Common Name (CN), the
Subject Name is a field in the X.509 Subject Name is a field in the X.509
certificate that identifies the primary certificate that identifies the primary
domain or IP address for which the domain or IP address for which the
certificate is issued." certificate is issued."
skipping to change at line 3121 skipping to change at line 3519
description: The most recent date and time that the description: The most recent date and time that the
details of this resource were updated at details of this resource were updated at
the service provider. the service provider.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
version: version:
type: string type: string
description: The version of the resource. description: The version of the resource.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
additionalProperties: false additionalProperties: false]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="ble-extension-schema-openapi-representation">
<name>BLE Extension Schema OpenAPI Representation</name>
</section> <t>OpenAPI representation of BLE extension schema is as follows:</t>
<section anchor="ble-extension-schema-openapi-representation"><name>BLE Extensio
n Schema OpenAPI Representation</name>
<t>OpenAPI representation of BLE extension schema is as follows:</t>
<figure><artwork><![CDATA[ <sourcecode markers="true"><![CDATA[
<CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM Bluetooth Extension Schema title: SCIM Bluetooth Extension Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
BleDevice: BleDevice:
type: object type: object
description: BLE Device schema. description: BLE Device schema.
skipping to change at line 3160 skipping to change at line 3555
$ref: '#/components/schemas/BleDeviceExtension' $ref: '#/components/schemas/BleDeviceExtension'
required: true required: true
BleDeviceExtension: BleDeviceExtension:
type: object type: object
properties: properties:
versionSupport: versionSupport:
type: array type: array
items: items:
type: string type: string
description: Provides a list of all the BLE versions description: Provides a list of all the BLE versions
supported by the device. For example, supported by the device, for example,
[4.1, 4.2, 5.0, 5.1, 5.2, 5.3]. [4.1, 4.2, 5.0, 5.1, 5.2, 5.3].
readOnly: false readOnly: false
writeOnly: false writeOnly: false
deviceMacAddress: deviceMacAddress:
type: string type: string
description: It is the public MAC address assigned by the description: It is the public MAC address assigned by the
manufacturer. It is unique 48 bit value. The manufacturer. It is a unique 48-bit value. The
regex pattern is regex pattern is
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}. ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
isRandom: isRandom:
type: boolean type: boolean
description: AddressType flag is taken from the BLE core description: AddressType flag is taken from the BLE core
specifications 5.3. If FALSE, the device is specifications 5.3. If FALSE, the device is
using public MAC address. If TRUE, device is using a public MAC address. If TRUE, device
using a random address. is using a random address.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
separateBroadcastAddress: separateBroadcastAddress:
type: string type: string
description: "When present, this address is used for description: "When present, this address is used for
broadcasts/advertisements. This value MUST broadcasts/advertisements. This value
NOT MUST NOT be set when an IRK is provided.
be set when an IRK is provided. Its form is Its form is the same as deviceMacAddress."
the same as deviceMa`cAddress."
readOnly: false readOnly: false
writeOnly: false writeOnly: false
irk: irk:
type: string type: string
description: Identity resolving key, which is unique for description: Identity Resolving Key (IRK), which is unique
every device. It is used to resolve random for every device. It is used to resolve a
address. random address.
readOnly: false readOnly: false
writeOnly: true writeOnly: true
mobility: mobility:
type: boolean type: boolean
description: If set to True, the BLE device will description: If set to True, the BLE device will
automatically connect to the closest AP. For automatically connect to the closest AP. For
example, BLE device is connected with AP-1 example, if a BLE device is connected with
and AP-1 and moves out of range but comes in
moves out of range but comes in range of AP range of AP-2, it will be disconnected with
-2, AP-1 and connected with AP-2.
it will be disconnected with AP-1 and
connects
with AP-2.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
pairingMethods: pairingMethods:
type: array type: array
items: items:
type: string type: string
description: List of pairing methods associated with the description: List of pairing methods associated with the
ble device, stored as schema URI. BLE device, stored as schema URI.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
urn:ietf:params:scim:schemas:extension:pairingNull:2.0 urn:ietf:params:scim:schemas:extension:pairingNull:2.0
:Device: :Device:
$ref: '#/components/schemas/NullPairing' $ref: '#/components/schemas/NullPairing'
required: false required: false
urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0 urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0
:Device: :Device:
$ref: '#/components/schemas/PairingJustWorks' $ref: '#/components/schemas/PairingJustWorks'
required: false required: false
skipping to change at line 3249 skipping to change at line 3640
- deviceMacAddress - deviceMacAddress
- AddressType - AddressType
- pairingMethods - pairingMethods
additionalProperties: false additionalProperties: false
NullPairing: NullPairing:
type: object type: object
PairingJustWorks: PairingJustWorks:
type: object type: object
description: Just works pairing method for ble description: Just Works pairing method for BLE.
properties: properties:
key: key:
type: integer type: integer
description: Just works does not have any key value. For description: Just Works does not have any key value. For
completeness, it is added with a key value completeness, it is added with a key value
'null'. 'null'.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
required: required:
- key - key
PairingPassKey: PairingPassKey:
type: object type: object
description: Pass key pairing method for ble description: Passkey pairing method for BLE.
properties: properties:
key: key:
type: integer type: integer
description: A six digit passkey for ble device. description: A six-digit passkey for BLE device.
The pattern of key is ^[0-9]{6}$. The pattern of key is ^[0-9]{6}$.
readOnly: false readOnly: false
writeOnly: true writeOnly: true
required: required:
- key - key
PairingOOB: PairingOOB:
type: object type: object
description: Out-of-band pairing method for BLE description: Out-of-band pairing method for BLE.
properties: properties:
key: key:
type: string type: string
description: The OOB key value for ble device. description: The OOB key value for BLE device.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
randomNumber: randomNumber:
type: integer type: integer
description: Nonce added to the key description: Nonce added to the key.
readOnly: false readOnly: false
writeOnly: true writeOnly: true
confirmationNumber: confirmationNumber:
type: integer type: integer
description: Some solutions require a confirmation number description: Some solutions require a confirmation number
in the RESTful message exchange. in the RESTful message exchange.
readOnly: false readOnly: false
writeOnly: true writeOnly: true
required: required:
- key - key
- randomNumber - randomNumber]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="dpp-extension-schema-openapi-representation">
<name>DPP Extension Schema OpenAPI Representation</name>
</section> <t>OpenAPI representation of DPP extension schema is as follows:</t>
<section anchor="dpp-extension-schema-openapi-representation"><name>DPP Extensio <sourcecode markers="true"><![CDATA[
n Schema OpenAPI Representation</name>
<t>OpenAPI representation of DPP extension schema is as follows:</t>
<figure><artwork><![CDATA[
<CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM Device Provisioning Protocol Extension Schema title: SCIM Device Provisioning Protocol Extension Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
DppDevice: DppDevice:
type: object type: object
description: Wi-Fi Easy Connect (DPP) device extension schema description: Wi-Fi Easy Connect (DPP) device extension schema.
properties: properties:
schemas: schemas:
type: array type: array
items: items:
type: string type: string
enum: enum:
- urn:ietf:params:scim:schemas:extension:dpp:2.0 - urn:ietf:params:scim:schemas:extension:dpp:2.0
:Device :Device
urn:ietf:params:scim:schemas:extension:dpp:2.0:Device: urn:ietf:params:scim:schemas:extension:dpp:2.0:Device:
$ref: '#/components/schemas/DppDeviceExtension' $ref: '#/components/schemas/DppDeviceExtension'
skipping to change at line 3340 skipping to change at line 3727
dppVersion: dppVersion:
type: integer type: integer
description: Version of DPP this device supports. description: Version of DPP this device supports.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
bootstrappingMethod: bootstrappingMethod:
type: array type: array
items: items:
type: string type: string
description: The list of all the bootstrapping methods description: The list of all the bootstrapping methods
available on the enrollee device. For available on the enrollee device, for
example, [QR, NFC]. example, [QR, NFC].
readOnly: false readOnly: false
writeOnly: false writeOnly: false
bootstrapKey: bootstrapKey:
type: string type: string
description: An Elliptic-Curve Diffie Hellman description: An Elliptic Curve Diffie-Hellman
(ECDH) public key. The base64 encoded length (ECDH) public key. The base64-encoded length
for P-256, P-384, and P-521 is 80, 96, and for P-256, P-384, and P-521 is 80, 96, and
120 120 characters.
characters.
readOnly: false readOnly: false
writeOnly: true writeOnly: true
deviceMacAddress: deviceMacAddress:
type: string type: string
description: The MAC address assigned by the manufacturer. description: The MAC address assigned by the manufacturer.
The regex pattern is The regex pattern is
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}. ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
classChannel: classChannel:
type: array type: array
items: items:
type: string type: string
description: A list of global operating class and channel description: A list of global operating class and channel
shared as bootstrapping information. It is shared as bootstrapping information. It is
formatted as class/channel. For example, formatted as class/channel, for example,
'81/1', '115/36'. '81/1', '115/36'.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
serialNumber: serialNumber:
type: string type: string
description: An alphanumeric serial number that may also description: An alphanumeric serial number that may also
be be passed as bootstrapping information.
passed as bootstrapping information.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
required: required:
- dppVersion - dppVersion
- bootstrapKey - bootstrapKey
additionalProperties: false additionalProperties: false]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="ethernet-mab-extension-schema-openapi-representation">
<name>Ethernet MAB Extension Schema OpenAPI Representation</name>
</section> <t>OpenAPI representation of Ethernet MAB extension schema is as follows
<section anchor="ethernet-mab-extension-schema-openapi-representation"><name>Eth :</t>
ernet MAB Extension Schema OpenAPI Representation</name> <sourcecode markers="true"><![CDATA[
<t>OpenAPI representation of Ethernet MAB extension schema is as follows:</t>
<figure><artwork><![CDATA[
<CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM MAC Authentication Bypass Extension Schema title: SCIM MAC Authentication Bypass Extension Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
EthernetMABDevice: EthernetMABDevice:
type: object type: object
description: Ethernet MAC Authenticated Bypass description: Ethernet MAC Authenticated Bypass.
properties: properties:
schemas: schemas:
type: array type: array
items: items:
type: string type: string
enum: enum:
- urn:ietf:params:scim:schemas:extension:ethernet-mab - urn:ietf:params:scim:schemas:extension:ethernet-mab
:2.0:Device :2.0:Device
urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0 urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0
:Device: :Device:
$ref: '#/components/schemas/EthernetMABDeviceExtension' $ref: '#/components/schemas/EthernetMABDeviceExtension'
required: true required: true
EthernetMABDeviceExtension: EthernetMABDeviceExtension:
type: object type: object
properties: properties:
deviceMacAddress: deviceMacAddress:
type: string type: string
description: It is the public MAC address assigned by the description: It is the public MAC address assigned by the
manufacturer. It is unique 48 bit value. The manufacturer. It is a unique 48-bit value.
regex pattern is The regex pattern is
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}. ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
required: required:
- deviceMacAddress - deviceMacAddress
description: Device extension schema for Ethernet-MAB description: Device extension schema for Ethernet-MAB.]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="fdo-extension-schema-openapi-representation">
<name>FDO Extension Schema OpenAPI Representation</name>
</section> <t>OpenAPI representation of FDO extension schema is as follows:</t>
<section anchor="fdo-extension-schema-openapi-representation"><name>FDO Extensio <sourcecode markers="true"><![CDATA[
n Schema OpenAPI Representation</name>
<t>OpenAPI representation of FDO extension schema is as follows:</t>
<figure><artwork><![CDATA[
<CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM Fido Device Onboarding Extension Schema title: SCIM FIDO Device Onboarding Extension Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
FDODevice: FDODevice:
type: object type: object
description: FIDO Device Onboarding Extension description: FIDO Device Onboarding (FDO) extension.
properties: properties:
schemas: schemas:
type: array type: array
items: items:
type: string type: string
enum: enum:
- urn:ietf:params:scim:schemas:extension:fido-device - urn:ietf:params:scim:schemas:extension:fido-device
-onboard:2.0:Devices -onboard:2.0:Devices
urn:ietf:params:scim:schemas:extension:fido-device-onboard urn:ietf:params:scim:schemas:extension:fido-device-onboard
:2.0:Devices: :2.0:Devices:
$ref: '#/components/schemas/FDODeviceExtension' $ref: '#/components/schemas/FDODeviceExtension'
required: true required: true
FDODeviceExtension: FDODeviceExtension:
type: object type: object
properties: properties:
fdoVoucher: fdoVoucher:
type: string type: string
description: A FIDO Device Onboard (FDO) Voucher description: A FIDO Device Onboard (FDO) voucher.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
required: required:
- fdoVoucher - fdoVoucher
description: Device Extension for a FIDO Device Onboard (FDO) description: Device extension for a FIDO Device Onboard (FDO).]]></sourcec
<CODE ENDS> ode>
]]></artwork></figure> </section>
<section anchor="zigbee-extension-schema-openapi-representation">
</section> <name>Zigbee Extension Schema OpenAPI Representation</name>
<section anchor="zigbee-extension-schema-openapi-representation"><name>Zigbee Ex <t>OpenAPI representation of Zigbee extension schema is as follows:</t>
tension Schema OpenAPI Representation</name> <sourcecode markers="true"><![CDATA[
<t>OpenAPI representation of zigbee extension schema is as follows:</t>
<figure><artwork><![CDATA[
<CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM Zigbee Extension Schema title: SCIM Zigbee Extension Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
ZigbeeDevice: ZigbeeDevice:
type: object type: object
description: Zigbee Device schema. description: Zigbee Device schema.
skipping to change at line 3506 skipping to change at line 3879
$ref: '#/components/schemas/ZigbeeDeviceExtension' $ref: '#/components/schemas/ZigbeeDeviceExtension'
required: true required: true
ZigbeeDeviceExtension: ZigbeeDeviceExtension:
type: object type: object
properties: properties:
versionSupport: versionSupport:
type: array type: array
items: items:
type: string type: string
description: Provides a list of all the Zigbee versions description: Provides a list of all the Zigbee versions
supported by the device. For example, [3.0]. supported by the device, for example, [3.0].
readOnly: false readOnly: false
writeOnly: false writeOnly: false
deviceEui64Address: deviceEui64Address:
type: string type: string
description: The EUI-64 (Extended Unique Identifier) description: The 64-bit Extended Unique Identifier (EUI-64)
device device address. The regex pattern is
address. The regex pattern is
^[0-9A-Fa-f]{16}$. ^[0-9A-Fa-f]{16}$.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
required: required:
- versionSupport - versionSupport
- deviceEui64Address - deviceEui64Address
description: Device extension schema for Zigbee. description: Device extension schema for Zigbee.]]></sourcecode>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="endpointappsext-extension-schema-openapi-representation">
<name>EndpointAppsExt Extension Schema OpenAPI Representation</name>
</section> <t>OpenAPI representation of endpoint Apps extension schema
<section anchor="endpointappsext-extension-schema-openapi-representation"><name>
EndpointAppsExt Extension Schema OpenAPI Representation</name>
<t>OpenAPI representation of endpoint Apps extension schema
is as follows:</t> is as follows:</t>
<sourcecode markers="true"><![CDATA[
<figure><artwork><![CDATA[
<CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM Endpoint extension schema title: SCIM Endpoint Extension Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
EndpointAppsExt: EndpointAppsExt:
type: object type: object
properties: properties:
applications: applications:
$ref: '#/components/schemas/applications' $ref: '#/components/schemas/applications'
deviceControlEnterpriseEndpoint: deviceControlEnterpriseEndpoint:
type: string type: string
format: url format: url
description: The URL of the enterprise endpoint which description: The URL of the enterprise endpoint that
device device control apps use to reach an
control apps use to reach enterprise network enterprise network gateway.
gateway.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
telemetryEnterpriseEndpoint: telemetryEnterpriseEndpoint:
type: string type: string
format: url format: url
description: The URL of the enterprise endpoint which description: The URL of the enterprise endpoint that
telemetry apps use to reach enterprise telemetry apps use to reach an enterprise
network network gateway.
gateway.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
required: required:
- applications - applications
- deviceControlEnterpriseEndpoint - deviceControlEnterpriseEndpoint
applications: applications:
type: array type: array
items: items:
value: value:
type: string type: string
description: The identifier of the endpointApp. description: The identifier of the endpointApp.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
ref: ref:
type: string type: string
format: uri format: uri
description: The URI of the corresponding 'EndpointApp' description: The URI of the corresponding 'EndpointApp'
resource which will control or obtain data resource that will control or obtain data
from from the device.
the device.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
required: required:
- value - value
- ref - ref]]></sourcecode>
</section>
<CODE ENDS> </section>
]]></artwork></figure> <section anchor="fido-device-onboarding-example-flow">
<name>FIDO Device Onboarding Example Flow</name>
</section> <t>The following diagrams are included to demonstrate how FDO can be used.
</section> In this first diagram, a device
<section anchor="fido-device-onboarding-example-flow"><name>Fido Device Onboardi is onboarded not only to the device owner process but also to the AAA server for
ng Example Flow</name> initial onboarding.
<t>The following diagrams are included to demonstrate how FDO can be used. In t
his first diagram, a device
is onboarded not only to the device owner process, but also to the AAA server fo
r initial onboarding.
The voucher contains a device certificate that is used by the AAA system for aut hentication.</t> The voucher contains a device certificate that is used by the AAA system for aut hentication.</t>
<artset>
<figure><artset><artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" ver <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1
sion="1.1" height="592" width="520" viewBox="0 0 520 592" class="diagram" text-a " height="592" width="520" viewBox="0 0 520 592" class="diagram" text-anchor="mi
nchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> ddle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,96 L 8,144" fill="none" stroke="black"/> <path d="M 8,96 L 8,144" fill="none" stroke="black"/>
<path d="M 16,32 L 16,80" fill="none" stroke="black"/> <path d="M 16,32 L 16,80" fill="none" stroke="black"/>
<path d="M 48,152 L 48,576" fill="none" stroke="black"/> <path d="M 48,152 L 48,576" fill="none" stroke="black"/>
<path d="M 72,32 L 72,80" fill="none" stroke="black"/> <path d="M 72,32 L 72,80" fill="none" stroke="black"/>
<path d="M 200,32 L 200,80" fill="none" stroke="black"/> <path d="M 200,32 L 200,80" fill="none" stroke="black"/>
<path d="M 232,152 L 232,576" fill="none" stroke="black"/> <path d="M 232,152 L 232,576" fill="none" stroke="black"/>
<path d="M 256,32 L 256,80" fill="none" stroke="black"/> <path d="M 256,32 L 256,80" fill="none" stroke="black"/>
<path d="M 272,120 L 272,144" fill="none" stroke="black"/> <path d="M 272,120 L 272,144" fill="none" stroke="black"/>
<path d="M 272,224 L 272,256" fill="none" stroke="black"/> <path d="M 272,224 L 272,256" fill="none" stroke="black"/>
<path d="M 384,32 L 384,80" fill="none" stroke="black"/> <path d="M 384,32 L 384,80" fill="none" stroke="black"/>
<path d="M 416,80 L 416,416" fill="none" stroke="black"/> <path d="M 416,80 L 416,416" fill="none" stroke="black"/>
<path d="M 416,504 L 416,576" fill="none" stroke="black"/> <path d="M 416,504 L 416,576" fill="none" stroke="black"/>
<path d="M 448,32 L 448,80" fill="none" stroke="black"/> <path d="M 448,32 L 448,80" fill="none" stroke="black"/>
<path d="M 480,48 L 480,80" fill="none" stroke="black"/> <path d="M 480,48 L 480,80" fill="none" stroke="black"/>
<path d="M 496,80 L 496,576" fill="none" stroke="black"/> <path d="M 496,80 L 496,576" fill="none" stroke="black"/>
<path d="M 512,48 L 512,80" fill="none" stroke="black"/> <path d="M 512,48 L 512,80" fill="none" stroke="black"/>
<path d="M 16,32 L 72,32" fill="none" stroke="black"/> <path d="M 16,32 L 72,32" fill="none" stroke="black"/>
<path d="M 200,32 L 256,32" fill="none" stroke="black"/> <path d="M 200,32 L 256,32" fill="none" stroke="black"/>
<path d="M 384,32 L 448,32" fill="none" stroke="black"/> <path d="M 384,32 L 448,32" fill="none" stroke="black"/>
<path d="M 480,48 L 512,48" fill="none" stroke="black"/> <path d="M 480,48 L 512,48" fill="none" stroke="black"/>
<path d="M 16,80 L 72,80" fill="none" stroke="black"/> <path d="M 16,80 L 72,80" fill="none" stroke="black"/>
<path d="M 200,80 L 256,80" fill="none" stroke="black"/> <path d="M 200,80 L 256,80" fill="none" stroke="black"/>
<path d="M 384,80 L 448,80" fill="none" stroke="black"/> <path d="M 384,80 L 448,80" fill="none" stroke="black"/>
<path d="M 480,80 L 512,80" fill="none" stroke="black"/> <path d="M 480,80 L 512,80" fill="none" stroke="black"/>
<path d="M 8,96 L 248,96" fill="none" stroke="black"/> <path d="M 8,96 L 248,96" fill="none" stroke="black"/>
<path d="M 8,144 L 272,144" fill="none" stroke="black"/> <path d="M 8,144 L 272,144" fill="none" stroke="black"/>
<path d="M 56,192 L 224,192" fill="none" stroke="black"/> <path d="M 56,192 L 224,192" fill="none" stroke="black"/>
<path d="M 240,224 L 272,224" fill="none" stroke="black"/> <path d="M 240,224 L 272,224" fill="none" stroke="black"/>
<path d="M 240,256 L 272,256" fill="none" stroke="black"/> <path d="M 240,256 L 272,256" fill="none" stroke="black"/>
<path d="M 240,352 L 408,352" fill="none" stroke="black"/> <path d="M 240,352 L 408,352" fill="none" stroke="black"/>
<path d="M 240,400 L 408,400" fill="none" stroke="black"/> <path d="M 240,400 L 408,400" fill="none" stroke="black"/>
<path d="M 240,448 L 488,448" fill="none" stroke="black"/> <path d="M 240,448 L 488,448" fill="none" stroke="black"/>
<path d="M 240,496 L 488,496" fill="none" stroke="black"/> <path d="M 240,496 L 488,496" fill="none" stroke="black"/>
<path d="M 56,544 L 224,544" fill="none" stroke="black"/> <path d="M 56,544 L 224,544" fill="none" stroke="black"/>
<path d="M 264,96 L 276,120" fill="none" stroke="black"/> <path d="M 264,96 L 276,120" fill="none" stroke="black"/>
<polygon class="arrowhead" points="496,448 484,442.4 484,453.6" fill="black" tra <polygon class="arrowhead" points="496,448 484,442.4 484,453.6" fill
nsform="rotate(0,488,448)"/> ="black" transform="rotate(0,488,448)"/>
<polygon class="arrowhead" points="416,352 404,346.4 404,357.6" fill="black" tra <polygon class="arrowhead" points="416,352 404,346.4 404,357.6" fill
nsform="rotate(0,408,352)"/> ="black" transform="rotate(0,408,352)"/>
<polygon class="arrowhead" points="248,496 236,490.4 236,501.6" fill="black" tra <polygon class="arrowhead" points="248,496 236,490.4 236,501.6" fill
nsform="rotate(180,240,496)"/> ="black" transform="rotate(180,240,496)"/>
<polygon class="arrowhead" points="248,400 236,394.4 236,405.6" fill="black" tra <polygon class="arrowhead" points="248,400 236,394.4 236,405.6" fill
nsform="rotate(180,240,400)"/> ="black" transform="rotate(180,240,400)"/>
<polygon class="arrowhead" points="248,256 236,250.4 236,261.6" fill="black" tra <polygon class="arrowhead" points="248,256 236,250.4 236,261.6" fill
nsform="rotate(180,240,256)"/> ="black" transform="rotate(180,240,256)"/>
<polygon class="arrowhead" points="232,192 220,186.4 220,197.6" fill="black" tra <polygon class="arrowhead" points="232,192 220,186.4 220,197.6" fill
nsform="rotate(0,224,192)"/> ="black" transform="rotate(0,224,192)"/>
<polygon class="arrowhead" points="64,544 52,538.4 52,549.6" fill="black" transf <polygon class="arrowhead" points="64,544 52,538.4 52,549.6" fill="b
orm="rotate(180,56,544)"/> lack" transform="rotate(180,56,544)"/>
<g class="text"> <g class="text">
<text x="36" y="52">SCIM</text> <text x="36" y="52">SCIM</text>
<text x="220" y="52">SCIM</text> <text x="220" y="52">SCIM</text>
<text x="408" y="52">Owner</text> <text x="408" y="52">Owner</text>
<text x="44" y="68">Client</text> <text x="44" y="68">Client</text>
<text x="228" y="68">Server</text> <text x="228" y="68">Server</text>
<text x="416" y="68">Service</text> <text x="416" y="68">Service</text>
<text x="496" y="68">AAA</text> <text x="496" y="68">AAA</text>
<text x="256" y="100">!</text> <text x="256" y="100">!</text>
<text x="40" y="116">voucher</text> <text x="40" y="116">Voucher</text>
<text x="108" y="116">contains</text> <text x="108" y="116">contains</text>
<text x="260" y="116">|_</text> <text x="260" y="116">|_</text>
<text x="20" y="132">an</text> <text x="20" y="132">an</text>
<text x="56" y="132">X.509</text> <text x="56" y="132">X.509</text>
<text x="100" y="132">cert</text> <text x="100" y="132">cert</text>
<text x="144" y="132">chain</text> <text x="144" y="132">chain</text>
<text x="56" y="164">1</text> <text x="56" y="164">1</text>
<text x="84" y="164">POST</text> <text x="84" y="164">POST</text>
<text x="164" y="164">[FDO(voucher)]</text> <text x="164" y="164">[FDO(voucher)]</text>
<text x="72" y="180">/HTTP</text> <text x="72" y="180">/HTTP</text>
<text x="288" y="244">2</text> <text x="288" y="244">2</text>
<text x="328" y="244">Recover</text> <text x="328" y="244">Recover</text>
<text x="384" y="244">X.509</text> <text x="384" y="244">X.509</text>
<text x="300" y="260">cert</text> <text x="300" y="260">cert</text>
<text x="344" y="260">chain</text> <text x="344" y="260">chain</text>
<text x="300" y="276">from</text> <text x="300" y="276">from</text>
<text x="352" y="276">voucher</text> <text x="352" y="276">voucher</text>
<text x="240" y="324">3</text> <text x="240" y="324">3</text>
<text x="264" y="324">Add</text> <text x="264" y="324">Add</text>
<text x="344" y="324">device(voucher)</text> <text x="344" y="324">device(voucher)</text>
<text x="256" y="340">/HTTP</text> <text x="256" y="340">/HTTP</text>
<text x="280" y="388">4</text> <text x="280" y="388">4</text>
<text x="304" y="388">200</text> <text x="304" y="388">200</text>
<text x="340" y="388">&quot;ok&quot;</text> <text x="340" y="388">"ok"</text>
<text x="336" y="436">5</text> <text x="336" y="436">5</text>
<text x="360" y="436">add</text> <text x="360" y="436">Add</text>
<text x="412" y="436">identity</text> <text x="412" y="436">identity</text>
<text x="416" y="468">|</text> <text x="416" y="468">|</text>
<text x="352" y="484">6</text> <text x="352" y="484">6</text>
<text x="376" y="484">200</text> <text x="376" y="484">200</text>
<text x="412" y="484">&quot;ok&quot;</text> <text x="412" y="484">"ok"</text>
<text x="96" y="532">7</text> <text x="96" y="532">7</text>
<text x="120" y="532">200</text> <text x="120" y="532">200</text>
<text x="156" y="532">&quot;ok&quot;</text> <text x="156" y="532">"ok"</text>
</g> </g>
</svg> </svg>
</artwork><artwork type="ascii-art"><![CDATA[ </artwork>
<artwork type="ascii-art"><![CDATA[
,------. ,------. ,-------. ,------. ,------. ,-------.
|SCIM | |SCIM | |Owner | ,---. |SCIM | |SCIM | |Owner | ,---.
|Client| |Server| |Service| |AAA| |Client| |Server| |Service| |AAA|
`---+--' `---+--' `---+---' `-+-' `---+--' `---+--' `---+---' `-+-'
,------------------------------!. | | ,------------------------------!. | |
|voucher contains |_\ | | |Voucher contains |_\ | |
|an X.509 cert chain | | | |an X.509 cert chain | | |
`--------------------------------' | | `--------------------------------' | |
|1 POST [FDO(voucher)] | | | |1 POST [FDO(voucher)] | | |
|/HTTP | | | |/HTTP | | |
|--------------------->| | | |--------------------->| | |
| | | | | | | |
| |----. | | | |----. | |
| | | 2 Recover X.509 | | | | | 2 Recover X.509 | |
| |<---' cert chain | | | |<---' cert chain | |
| | from voucher | | | | from voucher | |
| | | | | | | |
| | | | | | | |
| |3 Add device(voucher) | | | |3 Add device(voucher) | |
| |/HTTP | | | |/HTTP | |
| |--------------------->| | | |--------------------->| |
| | | | | | | |
| | 4 200 "ok" | | | | 4 200 "ok" | |
| |<---------------------| | | |<---------------------| |
| | | | | | | |
| | 5 add identity | | | 5 Add identity |
| |------------------------------->| | |------------------------------->|
| | | | | | | |
| | 6 200 "ok" | | | 6 200 "ok" |
| |<-------------------------------| | |<-------------------------------|
| | | | | | | |
| 7 200 "ok" | | | | 7 200 "ok" | | |
|<---------------------| | | |<---------------------| | |
| | | | | | | |
| | | | | | | |
]]></artwork></artset></figure> ]]></artwork>
</artset>
<t>After this flow is complete, the device can then first provisionally onboard, <!-- [rfced] Appendix C: Please review the ASCII artwork that appears at the
and then later receive end of this section. The submitted ASCII artwork does not render or match its SV
G
equivalent. -->
<t>After this flow is complete, the device can then first provisionally on
board and then later receive
a trust anchor through FDO's TO2 process. This is shown below.</t> a trust anchor through FDO's TO2 process. This is shown below.</t>
<artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1
" height="864" width="576" viewBox="0 0 576 864" class="diagram" text-anchor="mi
ddle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,640 L 8,704" fill="none" stroke="black"/>
<path d="M 16,32 L 16,80" fill="none" stroke="black"/>
<path d="M 48,80 L 48,632" fill="none" stroke="black"/>
<path d="M 48,712 L 48,824" fill="none" stroke="black"/>
<path d="M 80,32 L 80,80" fill="none" stroke="black"/>
<path d="M 152,480 L 152,528" fill="none" stroke="black"/>
<path d="M 168,48 L 168,80" fill="none" stroke="black"/>
<path d="M 184,80 L 184,472" fill="none" stroke="black"/>
<path d="M 184,536 L 184,600" fill="none" stroke="black"/>
<path d="M 184,712 L 184,824" fill="none" stroke="black"/>
<path d="M 200,48 L 200,80" fill="none" stroke="black"/>
<path d="M 256,192 L 256,256" fill="none" stroke="black"/>
<path d="M 288,368 L 288,416" fill="none" stroke="black"/>
<path d="M 296,32 L 296,80" fill="none" stroke="black"/>
<path d="M 328,80 L 328,184" fill="none" stroke="black"/>
<path d="M 328,264 L 328,360" fill="none" stroke="black"/>
<path d="M 328,424 L 328,472" fill="none" stroke="black"/>
<path d="M 328,536 L 328,600" fill="none" stroke="black"/>
<path d="M 328,712 L 328,824" fill="none" stroke="black"/>
<path d="M 352,32 L 352,80" fill="none" stroke="black"/>
<path d="M 360,504 L 360,528" fill="none" stroke="black"/>
<path d="M 400,96 L 400,176" fill="none" stroke="black"/>
<path d="M 400,216 L 400,256" fill="none" stroke="black"/>
<path d="M 448,48 L 448,80" fill="none" stroke="black"/>
<path d="M 480,184 L 480,360" fill="none" stroke="black"/>
<path d="M 480,424 L 480,632" fill="none" stroke="black"/>
<path d="M 480,712 L 480,824" fill="none" stroke="black"/>
<path d="M 504,48 L 504,80" fill="none" stroke="black"/>
<path d="M 520,392 L 520,416" fill="none" stroke="black"/>
<path d="M 520,664 L 520,704" fill="none" stroke="black"/>
<path d="M 568,120 L 568,176" fill="none" stroke="black"/>
<path d="M 16,32 L 80,32" fill="none" stroke="black"/>
<path d="M 296,32 L 352,32" fill="none" stroke="black"/>
<path d="M 168,48 L 200,48" fill="none" stroke="black"/>
<path d="M 448,48 L 504,48" fill="none" stroke="black"/>
<path d="M 16,80 L 80,80" fill="none" stroke="black"/>
<path d="M 168,80 L 200,80" fill="none" stroke="black"/>
<path d="M 296,80 L 352,80" fill="none" stroke="black"/>
<path d="M 448,80 L 504,80" fill="none" stroke="black"/>
<path d="M 400,96 L 544,96" fill="none" stroke="black"/>
<path d="M 400,176 L 568,176" fill="none" stroke="black"/>
<path d="M 256,192 L 376,192" fill="none" stroke="black"/>
<path d="M 256,256 L 400,256" fill="none" stroke="black"/>
<path d="M 336,288 L 472,288" fill="none" stroke="black"/>
<path d="M 192,336 L 320,336" fill="none" stroke="black"/>
<path d="M 288,368 L 496,368" fill="none" stroke="black"/>
<path d="M 288,416 L 520,416" fill="none" stroke="black"/>
<path d="M 192,448 L 320,448" fill="none" stroke="black"/>
<path d="M 152,480 L 336,480" fill="none" stroke="black"/>
<path d="M 152,528 L 360,528" fill="none" stroke="black"/>
<path d="M 336,560 L 472,560" fill="none" stroke="black"/>
<path d="M 56,608 L 472,608" fill="none" stroke="black"/>
<path d="M 8,640 L 496,640" fill="none" stroke="black"/>
<path d="M 8,704 L 520,704" fill="none" stroke="black"/>
<path d="M 336,736 L 472,736" fill="none" stroke="black"/>
<path d="M 336,784 L 472,784" fill="none" stroke="black"/>
<path d="M 352,480 L 364,504" fill="none" stroke="black"/>
<path d="M 512,640 L 524,664" fill="none" stroke="black"/>
<path d="M 392,192 L 404,216" fill="none" stroke="black"/>
<path d="M 512,368 L 524,392" fill="none" stroke="black"/>
<path d="M 560,96 L 572,120" fill="none" stroke="black"/>
<polygon class="arrowhead" points="480,560 468,554.4 468,565.6" fill
="black" transform="rotate(0,472,560)"/>
<polygon class="arrowhead" points="344,784 332,778.4 332,789.6" fill
="black" transform="rotate(180,336,784)"/>
<polygon class="arrowhead" points="344,736 332,730.4 332,741.6" fill
="black" transform="rotate(180,336,736)"/>
<polygon class="arrowhead" points="344,288 332,282.4 332,293.6" fill
="black" transform="rotate(180,336,288)"/>
<polygon class="arrowhead" points="328,448 316,442.4 316,453.6" fill
="black" transform="rotate(0,320,448)"/>
<polygon class="arrowhead" points="200,336 188,330.4 188,341.6" fill
="black" transform="rotate(180,192,336)"/>
<polygon class="arrowhead" points="64,608 52,602.4 52,613.6" fill="b
lack" transform="rotate(180,56,608)"/>
<g class="text">
<text x="40" y="52">Owner</text>
<text x="324" y="52">Access</text>
<text x="48" y="68">Service</text>
<text x="184" y="68">AAA</text>
<text x="320" y="68">Point</text>
<text x="476" y="68">Device</text>
<text x="552" y="100">!</text>
<text x="428" y="116">Device</text>
<text x="500" y="116">configured</text>
<text x="556" y="116">|_</text>
<text x="420" y="132">with</text>
<text x="484" y="132">well-known</text>
<text x="420" y="148">RCOI</text>
<text x="456" y="148">and</text>
<text x="488" y="148">for</text>
<text x="528" y="148">trust</text>
<text x="412" y="164">on</text>
<text x="448" y="164">first</text>
<text x="488" y="164">use</text>
<text x="384" y="196">!</text>
<text x="276" y="212">WLAN</text>
<text x="348" y="212">configured|_</text>
<text x="276" y="228">with</text>
<text x="340" y="228">well-known</text>
<text x="276" y="244">RCOI</text>
<text x="344" y="276">1</text>
<text x="408" y="276">EAP-TLS/EAPOL</text>
<text x="192" y="324">2</text>
<text x="260" y="324">EAP-TLS/Radius</text>
<text x="504" y="372">!</text>
<text x="316" y="388">Device</text>
<text x="368" y="388">skips</text>
<text x="508" y="388">|_</text>
<text x="316" y="404">server</text>
<text x="404" y="404">authentication</text>
<text x="192" y="436">3</text>
<text x="260" y="436">Result=Success</text>
<text x="344" y="484">!</text>
<text x="184" y="500">Limited</text>
<text x="244" y="500">access</text>
<text x="348" y="500">|_</text>
<text x="168" y="516">for</text>
<text x="200" y="516">now</text>
<text x="336" y="548">4</text>
<text x="404" y="548">Result=Success</text>
<text x="224" y="596">5</text>
<text x="248" y="596">FDO</text>
<text x="280" y="596">TO2</text>
<text x="184" y="628">|</text>
<text x="328" y="628">|</text>
<text x="504" y="644">!</text>
<text x="32" y="660">FSIM,</text>
<text x="88" y="660">Runtime</text>
<text x="144" y="660">SSID,</text>
<text x="508" y="660">|_</text>
<text x="56" y="676">Credentials</text>
<text x="128" y="676">incl.</text>
<text x="32" y="692">local</text>
<text x="80" y="692">trust</text>
<text x="132" y="692">anchor</text>
<text x="344" y="724">6</text>
<text x="404" y="724">dissasociate</text>
<text x="336" y="772">7</text>
<text x="376" y="772">EAP-TLS</text>
<text x="420" y="772">w/</text>
<text x="448" y="772">LSC</text>
<text x="48" y="836">.</text>
<text x="184" y="836">.</text>
<text x="264" y="836">etc</text>
<text x="328" y="836">.</text>
<text x="480" y="836">.</text>
</g>
</svg>
</artwork>
<artwork type="ascii-art"><![CDATA[ ,-------. ,------.
|Owner | ,---. |Access| ,------. |Service| |AAA| |Point |
|Device| `---+---' `-+-' `---+--' `---+--' | | |
,------------------!. | | | |Device configured |_\ | | |
|with well-known | | | | |RCOI and for trust | | | | |on first
use | | | | `--------------------' | | ,---------------!. | |
| |WLAN configured|_\ | | | |with well-known | | | | |RCOI | |
| | `-----------------' | | | | 1 EAP-TLS/EAPOL | | |
|<-----------------| | | | | | |2 EAP-TLS/Radius | | |
|<----------------| | | | | | | |
,--------------------------!. | | |Device skips |_\ | |
|server authentication | | | `----------------------------' |
|3 Result=Success | | | |---------------->| | | | | | |
,-----------------------!. | | |Limited access |_\ | | |for
now | | | `-------------------------' | | | |4 Result=Success
| | | |----------------->| | | | | | | 5 FDO TO2 | |
|<----------------------------------------------------| | | |
|
,-------------------------------------------------------------!.
|FSIM, Runtime SSID, |_\ |Credentials incl. | |local trust
anchor |
`---------------------------------------------------------------'
| | | 6 dissasociate | | | |<-----------------| | | | | | | |7
EAP-TLS w/ LSC | | | |<-----------------| | | | | | | | | . .
etc . .
<figure><artset><artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" ver ]]></artwork>
sion="1.1" height="864" width="576" viewBox="0 0 576 864" class="diagram" text-a </artset>
nchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> </section>
<path d="M 8,640 L 8,704" fill="none" stroke="black"/>
<path d="M 16,32 L 16,80" fill="none" stroke="black"/>
<path d="M 48,80 L 48,632" fill="none" stroke="black"/>
<path d="M 48,712 L 48,824" fill="none" stroke="black"/>
<path d="M 80,32 L 80,80" fill="none" stroke="black"/>
<path d="M 152,480 L 152,528" fill="none" stroke="black"/>
<path d="M 168,48 L 168,80" fill="none" stroke="black"/>
<path d="M 184,80 L 184,472" fill="none" stroke="black"/>
<path d="M 184,536 L 184,600" fill="none" stroke="black"/>
<path d="M 184,712 L 184,824" fill="none" stroke="black"/>
<path d="M 200,48 L 200,80" fill="none" stroke="black"/>
<path d="M 256,192 L 256,256" fill="none" stroke="black"/>
<path d="M 288,368 L 288,416" fill="none" stroke="black"/>
<path d="M 296,32 L 296,80" fill="none" stroke="black"/>
<path d="M 328,80 L 328,184" fill="none" stroke="black"/>
<path d="M 328,264 L 328,360" fill="none" stroke="black"/>
<path d="M 328,424 L 328,472" fill="none" stroke="black"/>
<path d="M 328,536 L 328,600" fill="none" stroke="black"/>
<path d="M 328,712 L 328,824" fill="none" stroke="black"/>
<path d="M 352,32 L 352,80" fill="none" stroke="black"/>
<path d="M 360,504 L 360,528" fill="none" stroke="black"/>
<path d="M 400,96 L 400,176" fill="none" stroke="black"/>
<path d="M 400,216 L 400,256" fill="none" stroke="black"/>
<path d="M 448,48 L 448,80" fill="none" stroke="black"/>
<path d="M 480,184 L 480,360" fill="none" stroke="black"/>
<path d="M 480,424 L 480,632" fill="none" stroke="black"/>
<path d="M 480,712 L 480,824" fill="none" stroke="black"/>
<path d="M 504,48 L 504,80" fill="none" stroke="black"/>
<path d="M 520,392 L 520,416" fill="none" stroke="black"/>
<path d="M 520,664 L 520,704" fill="none" stroke="black"/>
<path d="M 568,120 L 568,176" fill="none" stroke="black"/>
<path d="M 16,32 L 80,32" fill="none" stroke="black"/>
<path d="M 296,32 L 352,32" fill="none" stroke="black"/>
<path d="M 168,48 L 200,48" fill="none" stroke="black"/>
<path d="M 448,48 L 504,48" fill="none" stroke="black"/>
<path d="M 16,80 L 80,80" fill="none" stroke="black"/>
<path d="M 168,80 L 200,80" fill="none" stroke="black"/>
<path d="M 296,80 L 352,80" fill="none" stroke="black"/>
<path d="M 448,80 L 504,80" fill="none" stroke="black"/>
<path d="M 400,96 L 544,96" fill="none" stroke="black"/>
<path d="M 400,176 L 568,176" fill="none" stroke="black"/>
<path d="M 256,192 L 376,192" fill="none" stroke="black"/>
<path d="M 256,256 L 400,256" fill="none" stroke="black"/>
<path d="M 336,288 L 472,288" fill="none" stroke="black"/>
<path d="M 192,336 L 320,336" fill="none" stroke="black"/>
<path d="M 288,368 L 496,368" fill="none" stroke="black"/>
<path d="M 288,416 L 520,416" fill="none" stroke="black"/>
<path d="M 192,448 L 320,448" fill="none" stroke="black"/>
<path d="M 152,480 L 336,480" fill="none" stroke="black"/>
<path d="M 152,528 L 360,528" fill="none" stroke="black"/>
<path d="M 336,560 L 472,560" fill="none" stroke="black"/>
<path d="M 56,608 L 472,608" fill="none" stroke="black"/>
<path d="M 8,640 L 496,640" fill="none" stroke="black"/>
<path d="M 8,704 L 520,704" fill="none" stroke="black"/>
<path d="M 336,736 L 472,736" fill="none" stroke="black"/>
<path d="M 336,784 L 472,784" fill="none" stroke="black"/>
<path d="M 352,480 L 364,504" fill="none" stroke="black"/>
<path d="M 512,640 L 524,664" fill="none" stroke="black"/>
<path d="M 392,192 L 404,216" fill="none" stroke="black"/>
<path d="M 512,368 L 524,392" fill="none" stroke="black"/>
<path d="M 560,96 L 572,120" fill="none" stroke="black"/>
<polygon class="arrowhead" points="480,560 468,554.4 468,565.6" fill="black" tra
nsform="rotate(0,472,560)"/>
<polygon class="arrowhead" points="344,784 332,778.4 332,789.6" fill="black" tra
nsform="rotate(180,336,784)"/>
<polygon class="arrowhead" points="344,736 332,730.4 332,741.6" fill="black" tra
nsform="rotate(180,336,736)"/>
<polygon class="arrowhead" points="344,288 332,282.4 332,293.6" fill="black" tra
nsform="rotate(180,336,288)"/>
<polygon class="arrowhead" points="328,448 316,442.4 316,453.6" fill="black" tra
nsform="rotate(0,320,448)"/>
<polygon class="arrowhead" points="200,336 188,330.4 188,341.6" fill="black" tra
nsform="rotate(180,192,336)"/>
<polygon class="arrowhead" points="64,608 52,602.4 52,613.6" fill="black" transf
orm="rotate(180,56,608)"/>
<g class="text">
<text x="40" y="52">Owner</text>
<text x="324" y="52">Access</text>
<text x="48" y="68">Service</text>
<text x="184" y="68">AAA</text>
<text x="320" y="68">Point</text>
<text x="476" y="68">Device</text>
<text x="552" y="100">!</text>
<text x="428" y="116">Device</text>
<text x="500" y="116">configured</text>
<text x="556" y="116">|_</text>
<text x="420" y="132">with</text>
<text x="484" y="132">well-known</text>
<text x="420" y="148">RCOI</text>
<text x="456" y="148">and</text>
<text x="488" y="148">for</text>
<text x="528" y="148">trust</text>
<text x="412" y="164">on</text>
<text x="448" y="164">first</text>
<text x="488" y="164">use</text>
<text x="384" y="196">!</text>
<text x="276" y="212">WLAN</text>
<text x="348" y="212">configured|_</text>
<text x="276" y="228">with</text>
<text x="340" y="228">well-known</text>
<text x="276" y="244">RCOI</text>
<text x="344" y="276">1</text>
<text x="408" y="276">EAP-TLS/EAPOL</text>
<text x="192" y="324">2</text>
<text x="260" y="324">EAP-TLS/Radius</text>
<text x="504" y="372">!</text>
<text x="316" y="388">Device</text>
<text x="368" y="388">skips</text>
<text x="508" y="388">|_</text>
<text x="316" y="404">server</text>
<text x="404" y="404">authentication</text>
<text x="192" y="436">3</text>
<text x="260" y="436">Result=Success</text>
<text x="344" y="484">!</text>
<text x="184" y="500">Limited</text>
<text x="244" y="500">access</text>
<text x="348" y="500">|_</text>
<text x="168" y="516">for</text>
<text x="200" y="516">now</text>
<text x="336" y="548">4</text>
<text x="404" y="548">Result=Success</text>
<text x="224" y="596">5</text>
<text x="248" y="596">FDO</text>
<text x="280" y="596">TO2</text>
<text x="184" y="628">|</text>
<text x="328" y="628">|</text>
<text x="504" y="644">!</text>
<text x="32" y="660">FSIM,</text>
<text x="88" y="660">Runtime</text>
<text x="144" y="660">SSID,</text>
<text x="508" y="660">|_</text>
<text x="56" y="676">Credentials</text>
<text x="128" y="676">incl.</text>
<text x="32" y="692">local</text>
<text x="80" y="692">trust</text>
<text x="132" y="692">anchor</text>
<text x="344" y="724">6</text>
<text x="404" y="724">dissasociate</text>
<text x="336" y="772">7</text>
<text x="376" y="772">EAP-TLS</text>
<text x="420" y="772">w/</text>
<text x="448" y="772">LSC</text>
<text x="48" y="836">.</text>
<text x="184" y="836">.</text>
<text x="264" y="836">etc</text>
<text x="328" y="836">.</text>
<text x="480" y="836">.</text>
</g>
</svg>
</artwork><artwork type="ascii-art"><![CDATA[
,-------. ,------.
|Owner | ,---. |Access| ,------.
|Service| |AAA| |Point | |Device|
`---+---' `-+-' `---+--' `---+--'
| | | ,------------------!.
| | | |Device configured |_\
| | | |with well-known |
| | | |RCOI and for trust |
| | | |on first use |
| | | `--------------------'
| | ,---------------!. |
| | |WLAN configured|_\ |
| | |with well-known | |
| | |RCOI | |
| | `-----------------' |
| | | 1 EAP-TLS/EAPOL |
| | |<-----------------|
| | | |
| |2 EAP-TLS/Radius | |
| |<----------------| |
| | | |
| | ,--------------------------!.
| | |Device skips |_\
| | |server authentication |
| | `----------------------------'
| |3 Result=Success | |
| |---------------->| |
| | | |
| ,-----------------------!. |
| |Limited access |_\ |
| |for now | |
| `-------------------------' |
| | |4 Result=Success |
| | |----------------->|
| | | |
| | 5 FDO TO2 | |
|<----------------------------------------------------|
| | | |
,-------------------------------------------------------------!.
|FSIM, Runtime SSID, |_\
|Credentials incl. |
|local trust anchor |
`---------------------------------------------------------------'
| | | 6 dissasociate |
| | |<-----------------|
| | | |
| | |7 EAP-TLS w/ LSC |
| | |<-----------------|
| | | |
| | | |
. . etc . .
]]></artwork></artset></figure>
</section> <section anchor="acknowledgments" numbered="false">
<name>Acknowledgments</name>
<t>The authors would like to thank <contact fullname="Bart Brinckman"/>,
<contact fullname="Rohit Mohan"/>, <contact fullname="Lars
Streubesand"/>, <contact fullname="Christian Amsüss"/>, <contact
fullname="Jason Livingwood"/>, <contact fullname="Mike Ounsworth"/>,
<contact fullname="Monty Wiseman"/>, <contact fullname="Geoffrey
Cooper"/>, <contact fullname="Paulo Jorge N. Correia"/>, <contact
fullname="Phil Hunt"/>, and <contact fullname="Elwyn Davies"/> for their
reviews and <contact fullname="Nick Ross"/> for his contribution to the
appendix.</t>
</section>
</back> </back>
<!-- ##markdown-source: </rfc>
H4sIAAAAAAAAA+196VobV7bo/3qK3aS/D0gkMWNbp5NzZIaYjg0EcPt0J7nd
JakkKpSqdKokMDH0k91/98XuGvZYgybAsXNcX3csatjD2muvea9Vr9e9UTiK <!-- [rfced] Please review the "type" attribute of each sourcecode element
gqbYD67DTiDOO5fBwBcH70dBnIVJnIlRIkaX8GDv6I0YJN0g8vx2Ow2um3yr in the XML file to ensure correctness. If the current list of preferred
6juvm3RifwAtd1O/N6qHwahXzzrhoN6lL+rUVn3juZeN24Mww48ubofw/tHB values for "type"
xaHX8UdBP0lvmyIbdT0vHKZNMUrH2Whzff3F+qZ3FdzeJGkX3o5HQRoHo/o+ (https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types)
duN52ciPu//0oySGpuLEG4ZN8dMo6dRElqSjNOhl8Ot2gD9+8Tx/PLpM0qYn does not contain an applicable type, then feel free to let us know.
6kKEcdYUbxri/NK//M3vegIunsGb8aU/GPhd51GS9pviGNq8FHt+mkRh7Ivz Also, it is acceptable to leave the "type" attribute not set.
EQxbvI3D6yDNwtEtvZhBr8GoSb/rAK+hn44GQTwSSU/sJYPhGCYA8AuDuBPI
l56/WBcn134k9lNoSt7c8+HdTLxM3ovnm+u7dLcDnTTFmR8FYf+yJo73+C6A In addition, review each artwork element. Specifically,
tik2n+2+2KmbV5NxPEKAvj1v0Q1YrzBqikFGk/qvuJONG0F3DLCgxwSOVw1x should any artwork element be tagged as sourcecode or another
9D9tP7KA8crPMj+2bv9RAHFJEwtxXi+2Nv6rj3cbnWTgAOSgIV4HfmrB4yAK element?
k5G5SdDYC7NOIs5vs1EwyOy5i7OwczkK4S/oLBDPrFHuvao/31rftmbzzo+i -->
MAuiKIjdgZ/fhKPfgjQCTKcHw0vC9m+2N8T2tnj+7Ll4AdvEnlsEw/uvDo6K
ZuTFSTrwRwBSXI2Xrw92tnlZJDF4GY2DUZLgiiYpbO5h0Al7IexJ2KQ18Tdc <!-- [rfced] Terminology:
0yQWOw0erd5EdNXlvxIUpqnzo+/pURdQAxZlfXOLu/TTPkLmcjQaZs21tZub
m0ZbfdSANtb2k84bP167hOlG0DX8fRNHid+F+w0/u3z/n0Bq/hl2v915/mzj a) We note that the following items appear differently throughout this
2TMPWt0/Pd10JvQurB+G4sDPbmFGcRx0RlWT2mysT58UN9eC5fEVrupZreMA document (with different quotation marks, capitalization, spacing, etc.).
DvbetJwB4I365u5mTWzsAiwOuiF2W+xJd0T94FeSwtEw5Y7jvv46joMa9rhT Please review and let us know if any of these should be updated for
CsegM/Drof0tAXM4bkdy0lkdIFongumn3WzN/KJvYbRrOJfD/ZONDWcyh0f7 consistency:
J4rwn8TtBL5xwSk2GhvT5kaNlICwNUzDSGy8oKltwoN/hP12EDgD4Ftun9P6
k9+U9TjuA2PB/jbKQfkbferLLwmMN8N6JwHgxqO18RCRMVuDz1+sbWysATZm the device
9fWd+tb2s+365kZ9vZP169xEPbNH3Bh2e8Da4p69Gf96fnLMzNSZMd6WTLYu the Device
WuJN0A19gfxSwNewFlknDdth3OcXYWeMkbJmE4BC5KzVEO9SoJgjdZdpWgvg
Eca5R0Da4RF0PErSsraAV0BzrbibBjeZ296rIE5v84+mtfeyIV6NRyO5srqt Device schema
l0Gcu0/Le5pko4Efz9r49w0AWhyHuYF+nwZ9+wEjyH7QCQbtINUoWUSRX7Mk device schema
BvEG14fwg4SeNSQH9Y1N+ymgTYrIdzIM4tbpkbPI8l4VadpqTNxWBIbsxu/3
g7QRJtb4TzqjRA1/u3T45rM1B0WBANTrdeG3kWN1QLy6AFEwjIF4AU/GmQie "ResourceType" schema
FWEhyYMrzPXoxl6aZFm9mwAPAoGhCwiJogDQcr8fIHquihs/E90gC/tx0KVP
hmlyHeJsEZfHGcy8IS4uw0wMgkEi5NiCzJPdBpaceumPRBD77SjI3GZAvGCZ EndpointApp schema
E0S/cYZ3rv00TMaZN467wEZv8VYb2A1OcjjEvzJm3SAqjjuXAgYJFL/nMpAa endpointApp schema
UTCPWxYJk0FqPIFvYOA1ZKxiCIweGTz8CdRVvGnt0eohLFDG7Yr2Lb7SYEAP endpoint Apps extension schema
wi7wOM8Dmp8m3XGHCNu31sUroIRenBpAJ+7jjIMMd7zwxUADWHQufRQf+rho schema for "EndpointApp"
eP/W64YDCbEG0O4AW4DRDESYkZjvt8MIFgmlfjklGjY3KSJEGy8e42awwIpL
FAAu+PB/7IT1hIwW1IUrifBeOxjdBLCN5efUA8wGBPoruAfk9JaIF8iesD4A resource type 'Device'
onCEwwvew+ojxHClYR69HvQJc4Qexz1AznEKQBc3YRTBrasAsYfGaF4MYNd0 resource type, Device
EdSzYaqwMfXDhz+dHe49293eur83f2zf3wMG9MIYZ4FYB5pGEtGEfHtr5PFR Device resource types
Yvar5Ca4xo0ZjkDjiUXgZ2F0K9oBI3YXJ5uYjyXARCcNaIh+xLADQSlIPX80 resource "Device"
Ah4AQnQGiw2f+QqmtDzu4Oyte4NLpzahh/0F6QBA/issFeO/2WUN8XIcXYkE
XmERgtY8Gw+HIP8HXblXgXj2kwRQO+j4vAoje7VTGkwH1quLaNmGFmFNWnAz 'EndpointApp' resource type
HPjAJ4bjdJhkEjWhOYciEaLaMEGslRP1ENTWTuSZDgbjWEk8wu/AEKgFfNhL 'EndpointApp' resource
k4EeFwjVsJWE70VJB6ibQUTR9jMYquzLohkdf8j7BSgSjxaG7alNwVvVej0L resource "EndpointApp"
YM6IV4MA9iWwmAF9lSWDQA8i9XGz4rhARo/rwXvQFXAIig7hCIxI/Tq5EQdx resource "endpointApp"
kPZvxQoQm1Wx9FdctHcAi2zJG/phiv0y3tOcgS+28Y0yCW4FBL1VM7YGECEp endpointApp resource object
mcDMCVLaDgDYC2iLS9ENs6E/AkSi9lEkAs4reuOYSFfmadCBHsO7t4RyJ5Ju
Ywew7u6SeWpdDDoTPtNAgL/52IUkX6DVI2LDCvP2iG694H/GISiQCEN7Tyxn 'deviceControl'
IORoMkxstkVMNfxN/onKVatDOhcCcaXVaq3q/piYZ5fJOEI0B0yArsfQn6SU deviceControl
XVwrXDPAgneXtzxYxE65zv+J1L54eYaOwkg1mSUsoJVkukqsboCyGe+DLkEO
0TQkoutJ2hMUaY/Cs8ShEECA4k40pk0DNzylCYQZMShqHc0yTSGODy72To4P 'telemetry'
gQT+J5DA3c3tDaCH0MvZwbn94Pn69jrQRlw78ffW8ffy9rMXO3C7wfBA5t/B telemetry
LRPTOLGTXhJFyQ0OIwVaCKvfBL6o+0SY6356QEFwHuLrrwHtemF/zCTp669h
EyEuIJhQHrTn34DWqO/QkjtokKQpKQ7ggAw5Zxh3Gx7jnWQrry4uTnGRAdRj b) We note that different forms of "true" and "false" are used throughout this
ko5GgSScGfA8aBBJfJ3R33cwDdrB6TKVcXoCJql1sxo2fgPKP/570np78Qqh document in running text. May we make these items consistent by updating to
3AnSEZPCAMW+subl9nDmAxogUFvJ63H8mn5DI90E8CFORshgkezKgSUwlNua "true" and "false" (lowercase) throughout?
uLkMgfLArIKoJwZIOwDdV4jrEFUPs1UPTRO8AgqaxJEEyLIwD5IIoGtuCXEb
O9Mo9huwDWtVgKchYvb8ARBWHxYxAXoiSQBiSIDzAk6R4c/rEMgS3EG5LkBb TRUE, True > true
iKQq10F0K+kRD0v0gGOmJG/huiAbwI2dYc+HYYyUoga4RIJcgEgJgMC1vQ5g FALSE > false
0FGgyS+OskbvwFDbwWUSdck4A33hwiN54E2aJ1J8F78aIIVi+TvH3gEFoCnE
KVjkzjii4cK0bdGDuAoSO5BwACAJtIKQJqDTBgJBSInCXYflItARKaRUAUIY c) We note a few instances of "NOT" capitalized throughout this document. May
7JxumAJVjm5h01hLGAX+NSI6N0tzkKynHWRm6QCNCOE871TJFqc09HDoo+5Z we make these instances lowercase (change "NOT" to "not") for consistency and
TuKArTDPRt4SWXZllIKIJqAoC+orC3osc5r18ywBUdwo+kutdKKQ717a8gGi so that these do not get mistaken for a BCP 14 keyword?
agrKA8woGOCnAagPLBnEpNQkIDXy9G4Zu+iTLpknmaXbQikzBoNOyAoJxgpF
MmA28NbQv2XMxF0LoEURtMNSAH/g6cEjNJijotAgwSNFPQkZvIMqLS9likIj
IHxNyuYkMaIYcUOMARVM1HBYHnNZNoAW2IURdmwxBxsD1MKtRFwEUCMIr5kE
GknAbyfjkcYsWiIck5HOE2KIrCSxQIlbw5JF4Qs5GhLWkerd4n/TBPY10lGL
AqGuBzq5FOhuLgnd1y5B7rGAZPFh1a2UvhglFIgS1ncc1oqSPnQCfEagYeUa
9gesGKIQEiMpEvC0/K7ZUTb3xFUnZEl6qFz7jAKg6/hx5neYJku5WGQh0DUi
a7zs9CZuy36qrVi4kiNQ0zKicIjEzIVfOqrUGeA0wOoHwFoQ1FIfnoxJCcIm
Vl6enf9wtKqY8YsXO0Q6aIoSJhazkavYBTZHpmnaEgAFvV+I6TEEatg87yfC
bSBA1eiB5iDADB/aCaTAAsvAVpoRSnwjbILM1zgeHkcGmlCZwi1+PCNTOW6S
f//738L3s+u+pw2zZdc3pSTIvb6Z2MLdpIfqHS/f1zfw9xlInkgt7+xH30xq
4c7SXe6cMX4HjdAurhyQagEuBCT+/ovTxJ045z03uYXcLPZGaQQaRnc4mnkW
lVDK/fuAFlbkvke8W12kheupY8ivptWCg1Tm2Tf6jl6LPakOibuGueA3DaP1
+ntu0TyR07qzV7MlV3OhMUyYxdRrNkgK0EGRWCtSOHsLs+1N3Oneh6b4yk+B
vZKd9Null6DodEQL7oSjgGgeEDZUl49OFbVZuidO+uEDfnd/zxzUNg1Y1G8F
/lhVmlRmM5ahksTSrOax/Eos6xrNFI5VYISmeG0RI+EddAZt4sN3PFaBsUfU
+vNqMNDKzJNshPl9kA3hflAr6N2u6gdEOZTOIYsQ10ALRrsJirZCys4dn3UX
CSptFL1hrTP2LKjUI/8WuurDBG78W+KgcaDZO8kIJGArVT0gkcKzgLfSafQa
NWRBR/X9Bvn//azbq8fhsHN/v8qyibIYANsdJsAHvTAjNu0PElwli1Mn7V8B
epnHyi8z9DSAxY9RzmGxIt8arxZqR/ZIPS0t21jgzncFtucqzhD00M6lhROP
y3wegfvMy36+0cTgG31zHv5Df7VaLeQv391lAMvO5d3cDKh6FItxoDsbFouB
02niIfR/FgaQJhjtsNa7KWcAj8ABHoEFzA7Op2QCeS6wqdgAeUFYwGZNFbAS
6T4T/c37e1QMbjKB2sLRqbTFKNKQCTS4twOjKRIZIe0rzLyOrwhvBdPQn2Wk
RNG6XYc+bRMmbSCzBlkGnMImy6gDoL+HySe2P90MKYwZ0mMzJJqcyHkhHVRE
Ey3SCxNgW9RI22VRgob5naCNg/0pSRyFGEGQhXjP+Zp5mwfDPTpltRzpKFoQ
iAcA4IA81kR7LJ+QemB0+qNTnLKlkpSxCtIKFcG2IIvuGeaN7NUmG0OJLcHz
QLMRaBUxFiy0HKAjHM2nkR/3x+i0gr675jbzXR57GAMM/a43RmNP7KcpeeHl
20ODV1KmABYt3ikbpdSZUGv10cwLiKMYMTDUQHNn5LU62sZ24wvAU+PsB2TF
lVYe4A8f5C+4f83u30xxcegzQNEiYAebF0iuHuIYUZGXmBMHIdmGtOmNnQld
ZPexscACrvXZAoaeiyBKhpKfIuqD7KD8ZxJHWCUmcAfakafXniYpRZs0kD5J
6XoJpbXAhoE1Z6+b0Bpeou3JF4PAl66B99hMxsJLhsISdBKObnlrjC7HsAGN
54t8g8rc5XwSaOslOgxJLLr2oxA95GgtOEebCuCukabkPJT/6Vb7oWySYFw5
NU9ZgFz/TGD7Zz58oGArFEhLFNwPHzBwCR6SfarMR/PhA0XjkDL/1VcKimcO
pD2vZeDBzsmuwh3lQLTcf9iV5YyBbUrWVQ/mhcQ1SNH30GFHozZnorjrNH7O
km0mNhub9OpmYwvtIY7tkq0grjtP711uDLD2prRr06vyFbBdUk8VLT5I8+Ik
Svq3NsEgS9BVcCswYjQTS2/enl8s1fhfcXxCv88Ofnx7dHawj7/PX7Vev9Y/
PPnG+auTt6/3zS/z5d7JmzcHx/v8MdwVzi1v6U3r70uMrUsnpxdHJ8et10u8
IOiFkKE6ZERj4TpkEzfZh/3MU8SL4Pxy71RsbEuT8ObGxgvtjX6+8QzwijY3
d0a7l/9E2yYK94GfYiOA/Oi7DEd+xH4G5JOxQC1A2s1A6u2yg4/s8TnjnjbO
a0HaEE/GKk9TX9IUikbssyBLxmknoBAmRnInzsHEO7QQJVAZovdZ0VrmL5aF
QSdl7FyyW15Sw9GBIzTaQTDyySjPxio/1/pKhrFlUlXbzWPxKkoJI71PkP3T
dlK2SLOrMiYpnt5diqKojcCvasXTRz9TiAxUjcdzaajU1PxMFJqUAQMYSNAN
iD9goIG96Zcz46++ZfKxBywZ3rHIxYevOnQPtlV2z6iw78wLGbYfUrhNGrCr
Fo1+pgW/jCx4W40N5EMuNRDHCcAIqPEIaWoqslto+z3GrMR9aekeABoSXjLD
Ri3a7gveiJinDeAdQPceWduREQI0AgqrCbtN4TVFC4D6P+MwDTigBSQR0I/M
wJXSXVxKMqciRmQSI0rmsgr94AKkwDaOuk3sLpbeEWQpupNZ2kHkpBbkRN5b
30sLvZ7JLO1xsAvF8Tqx+qXbTUcYlaC0YyAxmGojKFnXPb2blrjDpQZvGIk5
RJfYr5Jj3AI9hdyppwwOFi0ju4CGhQUH3pFoYKewGCQGMtCLzC48/LdnR03P
WxqncRNtEc0h8JhB1sQjCU25iZo46+ZmY72pB87QMG7pHPbl2GsRapJPw6do
RbK2mudh6ETk3x5j4CGtN4jLPGZ/ZBOFyzFskTpSZIqRwEBF0qkQ15Xq0VAA
MA4+JNSyC/4bHtQp7siNXeDw9HFI9njJXHEAHITDRNWBOjJrBfmaQkm4yTHq
IHLVtchFw5K2mkHS5ZUhQYJZqGXCoa/buPw9fxyBqgLEgTdpTNIfyBaj1CfF
DQEPwm6izW+hJQICwFElvJYwHYx5Xu0kiUCi5Lk5qHPUgx1EwSEXZ28PSNuR
sicrVRQpQCgJAyyCWLvS/aiByxsMhqPMjoVJUhV05FsNscmNWgcpdEyAlcM4
bL0+PyCo9fAEgjhETwxrIDWW3SVPxXagl19lsA1z4+Oj0z1lc2sDPnWuEHvY
5lYjeg3w195K2QTHM3bxfID8jRomq0wj27Bma8Cwyl11PEi2g+9EIDcoEc0E
+N2qrllhpIX/lWUKGV9iPkciOO6+TaPittDkhqnQ27PXSo1+Y0UBircZih62
/ohE/M3b/VXRCwEbQAFPOiHZZqUIo1dZ8mYH4w0lR3crYxSGg9De4KGaVcwp
HRTbCDuGcbkh3uECyknUcriLTcrdQkvMwbFG+JOC3s7muhamnXFi1+RAdHpX
O8zeXZ7XT5PxMMuzKqQydSK2ivmw2VXuG2nRzgR9jTG5baAnl+GQKHDGkS0U
Swoz7ODZlVvp5hwE7GP3RzbN/PBBiVnbjQ1QHIB92ELinaGXZG56A0MPxd8I
0ndo4YT/7iG4D97DyuNz3uz4DOcMP94yn7/zXIPmnfPvnXvT+mV+wGAsgk22
r0O2gR2q/9LNs3fSNLYf9PjHMfKtxxkBUzZjfZOdXny8EUhsz4/gUI3j6UfA
iGtGcFE6gpP8CES85uMI0IoIWCJFIWlJ3MspnNqRo8V5o2aKFUS8b8nATizQ
u4C/LtIxUOdD+HUIGhP8hBHgO373JMbYIgAJ//kuDUcyfBDH9i3+F7fkKlou
0c7Jl/eXvZP9A/Hy4Puj4/PvvA/airokZZWlpvhpPmHml5ppJOzC90vBi2Br
vdv2673157369sb6i/rz7ee79e5OZ9ff2trY3djYWLK+sjYAfo7h7a8C9Fi9
SWI8aGG/y6i6RKc2A+s+irdw94NlFl5KbZWtqcVG9dVSB8gS0Gp8hAcw6usb
9c2ti/Xt5s5uc3PzH1a38HLkZ6M3UtYwX+zUN+iL7c3m1nbuC2lgw5ff/bz2
8xJMfb3d2dnure8+2+i8+Hkp10HCDBDf14etmD/j4bq16801nkC25gDYNYRX
gVu/de/dSyQ4ON4HFDCogSiMi3sgAysUElsivnp0ADwVtF7Ere9p33g5WV++
j+h4IC3j6G+QmwwlLQl8I1Cz4UW9odU9L0fPc9RcSEGLjepLI9bOx23D/KQG
tiS5ypLF28hSgzFOLCEpBLEjaiksa8maAz/VnkA7thK1ImUm4ENU1ndVehFr
RiSm8RRV3D8OetlqYNk1J5AE7ZWaJcQ8ZgmvYJbIqXqCDTdK93JAYeQmrxj+
I/ky+kO0nBd31xKMFsMIsIAjGFUIuA5wF0q5tDFHmiQ/fKUgDx3Jo0/3k1VO
uxUJHxWNhqFHKhRLjdFDGTNAi/covTVheGQB4EBAacVWbSndMMu7fsnaik4i
FUAoTXH2OR0lZsqTQ7o/aS+zjnq4gK9QSoWtlM5Ixu12ebG1Wpo3ijhqqbY0
VRh9PO91eBUAMlmmn3tRsSKW/SdwbUD2GLRNzrIBkX0iZwWsUo2txaGcANP0
ABl9QdF3licJtU9SN6RES0PHAHeW1rP/EMuMy9JPu4wNwBIua7xabuRf0Qel
8uFzrA4pBYsi3IwSaMUP2K1XNiY3HjXjbD5LS6kwhuRV8rxGXvIhCym5Iw22
Yv5IermZpTJ6+FWrSmY3snwIx/KhVUtnnYuqkG3sI7VKam256Rena81VOphQ
USdwYjvu1Hnmys5qz5VJyUVyFcQO9ur94wN6UAi3ct1Kuqz8qRKBHBrEUfgN
cUAhKfS5VBc1HEErg692+PS/9qOQ7xDPAY4ulaUIdVIJlJpR+2qij/4qjjyn
/RQn9qEDPBKkVMIws33ntTLFtxyHoGW0spA7MrMD5WV4k1wUdjpI3kTAYZjA
tDNtRchgisaGYIWB2+cQUJeFMVJsOMU9U0Ma5ssIHttd3fgstGOm5TQMm3Z+
BfdzKwbomFvCkN0WefuytvUQir7fWX9hN7WMZiOasEdbkVY4ATzaa7khwDnr
ik3dFIslPy0tojQ58VElNjraCphlRtN0EyaP/e61eGthsMLudj2IMTq4q3YC
G7dK7Cfbu9vPgcFp2OJWxGOpMJ/OpXvGRhp5kErbbyD0eE6we/CVnvuZiaEv
C7Zma6BysTM8hShaVjPJGfM7qya3lt9du0FlkkVrSe21ZcknYRllamvkmZak
rdMeKGvCe20fzzh5coWJQKPf5MaxVxl67V86Jn12oNwk9k9EEgqsF+JrNH7y
IbZxmOFpwdhGerWbZT/anG5AymqRHJwA0SLq1gr2MWe7NLaNiLyz+Xz9/v4/
BOcC+Fqw5TzOjuUgVNilr3poRZw3I1Bv2P3wWCxNB7rbzXfWoHnLwxwRbDGk
QxRUJI96qOgDOhOC1lgHgcj1LG2klpGWpHVaEoKfVJmGAR5ayUj4j66ZHPpi
//hcnRQRUZJcjYe0IZS/fYDHNlmkkIAoQp1Ra4BmN9Qm5Yu0sfgUr0QLDiiK
gh6pZ+p0qBOPksnzAxTLgQfRhdAyvSQNgJKwSZD5F8yz6CwidGqIHLMv3Tqa
sak9RFsGXfPuVnJtjPMbGCvti4ubt3Kib7WVT+QtXOU2tkcZCa76g+2Ni4/E
EqZkVxV2RwWT4ycah8tFH2wDXnwkzP4mA+PJB2GxitxILkpGUjoUaY21Fc1q
k2yJOmrbZb28YVaUG2Yn2WU99iPBPdufVAOE+hbGXGW2PU6U7CRD7myEdUUD
kr6QdmoJgWIanBhQRdYdFQcJcYkUhzRNkmGP+AJmkbDghN4r5pnSjlfjcHhz
5lD5YllW93x78BgwihO6CRFyYc/+DMWYodS/8/Km7JI81LnwVmAVJn5Kdirc
Tr2j0o4Q9kPKisJBN+aLmgrx18Yrz7UMBUryURF/dETbVj1s7esqTm484/2V
OjpxDufMB33oaACZOZFQKnPDSvWCVOa9ABY09jVHT7UGaJIn+M7BZRPpa1Ka
KHEa1UBbkNZveEqkbkx2LizgVrDtUeRbmNWrsLmxSRb1pRyvw48dY0vhLeV5
kFZrFV6PiM6OiqUc0C1PwxLTzCUB3785Onp59GvruNFoGC+DRc6wD8xDZ5n1
0TB/T104HoyC78KGCjc9o/tiHsfFzC6LWZwV1ogrPBZVi+hN81IEfs5Hofqi
JTswR7XsVKJW7tEPX5nI1CrrsfxYB8woC20hRI6oRJhaPKNGsciFIDuOiOVx
8/ZWZ5VM1GyYmRQ9rOR6hTDFmpwRRbrJMCRrchi55gQwsgCubAChovscpF7z
jlrHGMTWxyO6dFIdPTu2i0Yf5IpkOAJbw5eUXLzEyXrIh+L1kBtC8y14OShk
e3WD/pTSyJ0HSL/wqAMOqObllbCffln5SqZ4lRnPTPOrjkkeMyhgJH03GLAV
EejyJZFeSpMg8yXAiGTWlxaf5WK6e67Os3OahHNtT2eQEKEnuy+f9pITctYn
YyPKhHQ6erUAE0HuNzO5V74g6xRf1zk6KJ/QCTKl1lohMZ7MmYTaH3TFCGZQ
tsptYCz+TlTbRIKtW23CFCyHMHsucp4DP5N9oOL+VWXoGjXwxu+0WKFzTJwc
CeMadDE5FiWe5ARoSg3MZAYWeUAS7bSW2KVMlb6K1tx+Xm+D/EAdqIdG6VPR
L2FsmUoQk5QyqKMni/Ew7O7Ye9Pi0+08Y3nygE77kAKPFiR86f5eCQV6PZqK
vXr/56f1+otW/RBI6C8fNu9Xmu7fqx927v+s3vXC7AxGlQykIUsGqfUivy8z
fJDdX58aoGg1ig+rKROmObPDWFIGaPqMo9usT+jUC9nZUxqDeRtf9zkPWti7
5WQDaFnAX5hvYOXo7IdVKc+oOCYCvVpY25AvrRKkNw/T8Bp3uenJEi9zbYSE
H5wHJGEbtxxnhoS6YzUC2kTd9MJmMKcjKwWKzlXGSJc/jyDtCzSQqqBHhXqz
IJaKElOmbx0mRquI9jbMMwJDfZkmfhdQeGRtqZJYMbnHbADHGmRap2irxrI1
v3uNIlEWcEo9bdDkgagjEMq5rlQIWGBt3+/yjDNtvZYLlWnTmEsMbA+DbZKJ
RiF1atlnCMyVIWpheiVDt4uUxfWchypjX6rx9ErhqUxhJO1EkpJgOCw6Udzo
WeVrlnY0jUWMdxZy0gfSTUH+APccIYNR7W1sGTef7MXyRsnEh8zH9ElmjPek
JEHFtBojnX9KbX+YIVoUTWDATmO7scPGSEU0PG+QcNi/BKeiM5bhX6dgw6Ae
nXtGHhYoxMhKDNAmeulDs4+JUMKdfOo2HFfrNONJYgs6rtXqNsxMGhd5rvO0
vsGxl9BopgzWnCoPhs/20QElUpF3qZ/6pjm7yMHQVe3K+7Q26smm4TDlnkEd
CEp88o3Bb4dVSkn9nMmOCko270orPWN4VobcCBp9BjBHvuxlkOZb2qUJEXA8
lHPrBhDj+z//tLTd2MDDStuNTfxnp7HO/2zwP/LmFv+zvfTzL0VuaxM/Zpqs
yWfWBpYJCN9w3k3pTZt98m7+wjKzMAHHgEAmusx9hrqxHDearOq2/G+FQQPB
WMOTuXhIrJaLYNZtYt5K2v8Xds5CooYdP1LJU2FK+UGoxRmjZMMHsmQqJ0nI
+ayXEDlhPIxB64AVRzKkNJvCqYk0EFbiCF4NBCP5YQtDP3XTQlr9EY8M8DyN
lKNUZkFEQf1eueRl+6fKcSNP3nHXYMNqPIwmdgkJjznnyA8jyvRXQAj2z6NO
Z1AjJ9CGsZdp0qidQlqeMrmFVTiXBQ9Egh7oC16+Yw12hpYEVbcIKxV5Qy57
6yCYE0ZTPESFOhTftbCVI7xAxjXNFCT2lXBVQel4bGt20zUKsYhGYfXlaBb2
GLTHiU/2xrdWoASikk+D14uLQMdd7WQYk2eD1Tb2c6jQwJmbqWMSVMqB+uQa
Vb5DBwgmF2tuuAYkZkIor2AyQHjRZM9CLmkfZ2P5HV91hFNO3imP1piDJMsx
gH+5gSK7VxEqFA4cIbZ8oyJsDXBPYa+hEvCRQCu7K+itSKoREDnIyqmh3rFb
74Z94P9lkGXt3Uzh0mcntvYXUkq2wDIWASuEhpZ0QkxMS5fjhZUgFOoAslIj
4Wtn21qa4y8fdpV+iIC/1nA/OXn5sWAOXRXgDUJXPenV22SFd2Eu0U+dCTU+
V8NovbARNGoIg5qUpo/HnFFfil+9UEq6fB+wDt4tmhVq7ilOGSYnEzlbQySO
TJYek5jx+HBPsa5JDKsq8M3z7IFLYUahSSF8DfM+dEj/NJk+YEZqAKRLWHNx
CKJRLSdsyiLMckNiPKXk0qDNjNnRoOgNiCOYSLc3jmARMzwtxaIHn70t0+Bm
HJmMGjPhXZ+ehz2vr87u2Gbf4CMORauI8pp9KOxAfUxnbjC0TRDFozUfbyhh
PoVQlZ/9nTrlcxxcP80Cudqbc+DoYy+Q0sanQuXph+LqdSVQqYxB0EORjn8U
lqsd/mWitJPxI4+0IaWySNkHWmVZm/kEV+7I1ruTb+mX4MgBJwyg5iEKfouI
qJhaWSDBagOdXY/rhnUPS03+qMoVgP7bORy46ljYbAfCikfBFhyk0E5Xd1sS
sNBcIU+4LeUpPHlT95o7280XG83nz5t7L5oHm8pDqmgwvEQ+MXm7Cnuos1ar
+fIltvTsWXNzs7lBdhPrpnKc0sNNPS61hZ1TcUvubpq+8ho+updKUVn3vLDM
rfvIr4FgebgpNja3tne4st79jD7yxc73/W4O8tLTfLQvtIO89BxflW+ciF97
lHON4+Y5cJKXUgxQmxKXKzPpqGDfQpq35K6bUVLgI0ygbWJZLDMrfqOcRmTD
9pVOhXV3gIRx7LxyhJOrtuZNHgAoDtA56CXJSB/qyPdLbic0U1VrFI0vNPIL
jXwaGumqtgvSx1wjqkikyJPGJVCcYT+S5grqTBqCdNA9BFWV9omOS7LUSvho
c+v5sxe7zze2djZ2n7/4QlgXJqybNmUlh4FFpYDC6uJbOn8nnoAlIyXX6ABd
mIxCOeIklDaAQqaKjS+YiFXqNOVCVUeU6IO69H8Yq5yL4A1F/l3qq+3L1njJ
rEWzo6ozyixGiRVPXqp2PVP77Atl/UJZP5L0aaV9WIjA6s8tAfQjS7Rf+MMf
lj9s2fxBOSErKSlyjK++KiskrR2WHiarVHF/dBpgUligdB8XG/RWEhUURaHo
5FSX8YundrkwXXUJKwCfnpJ/ME3G/UsOFQkzz021ehPoRM2jIB3gNzIe02zq
p3ETdofDSYGHKk1BzrHZTYYjZdtXqXE5m8akoMUJUYvDoSylO8V6T4keZNHd
pIdwcpaQ6b4VS1XhXCMvgxONOJtjXJdM/aHMBWIGyiUuxUEUYZKzTn1vnILs
sh/2YO3qr4IowtPzKwd7+69WZVCgjHNghxQfmxXq2CwfD2en92l9c2e3Bv9s
Pd9ma9ZpfWdzA4GNTTxfr4kXu/xgY3PdOmc+6Sh+LZeKoGZFQk1yP5YHm9px
pBkwe1lykQA1JXDUGaKMC1NnvKetWrl/T4fHydZ4C2FKfHL9+LqmR34uyttt
HJNeFqShHzkuHT8agiw6HsCTjuDnsjBGrTD3GsW7kOjZDmSqefI2ZblSvFZ0
2aScdxVxtbO4jSeFRTljYeEDJ8sliWX8mwoLwmAmGfrtTkHHgVz7YaRCPxNV
J5CSCZqEGU4axZ9/+vGshh5BDG0qTJ6aeQhCYP4HgPwerFocUBrDsnk5GxnH
3I+SNiytTCmJ2SKwFUUsOtyaSnkweUF5A/ANE1tE7a3JhgogWX6+sbaxXFve
2NhZ29pdLoLmMfbKJ+gP1GxBC5vKp3KxsF/FHsOM47DJftk4lFOl4PV65HEU
aJQZx+HC7tEFxmETwhw8Jo/jqdbFkCrl6Pqo47BJioHHxx6Hyp+IMlGl4w6f
TnTczXhUt+CBg78tH5zn+uDE4/jgpG70UFuIfc2qP0o5udiAcBRgM8hHyeP4
LgQNZO5EjguJ/ra2bYHHkGBUcIsAXCrZg7QwP57ZaS2Lr6M3pFkKzqU3+1c3
Bzd/f/VD8o+j335d32v9+Pcj+Xu/9WNn/6jf2n979tv7wajs+9E/kqOzo9N3
3yc/vvnb+vp/v3oHDRxd/nc6/tu7k9/Wj3+Nro5a35bgwizmocPNsg/t/U+T
R3aNph/m16WAsGkodrT97Nn261eb7e317W0r1aSNUl8SdPK1cIJOIpHd09Oc
fw9pouXfA9n4ANX8OIBd13ppWxFysYlsKEBtJgr6fudWpicHMrsCgLldBb3e
v8qfs/e05QAVJavGFEhjL29RLRAr0O1qTZ9cNycLsOA5huneIGn2AjVKHUVG
50FQXrV1MGiBurTyC6hjJP4tFps2BalW4OelP8QTsHAn6K7qlEgTDkF60n5u
DBFzWSDULOoDv+2YIkzuBj52qn2aGPwWhVeykjidXsEKxUGKVVWw1KE9e7bR
yUw2DcsIAeuvpd3Cyl5y/fhCvGSzXOm9sLIRaNxRI+AzcvYhpCSWcYe69PIR
Z1Dzr5xjU6im0qERMqOMY13NwI36/wQF94UD+fJhSLgBq6UZfDpBmllQmEGt
rphK5FPwzuT3iqZ4j+uvOcfQVHmkU6OzNeLFPTcVm31J8Ey0eXw2T42nGOQX
4/pU4zpslRzbY95ms72yumbV3M8cB/PFdTLuYEyKVYNWcoVD3aSnmlyBe1TV
l2zkmSmdJosR0qEKlfsPg7SxXHuP6uV5wMc4c6MKT+cUhLYNTwV1Y4n2NInx
dK2VT8aTuWvofC3yRcovPErUKSw2MfN0aiprUBeoR2cU3WJm4zbVMrqRVeZC
PCWDBXExh1osaHi6Kb9Q5Q0m6pr+GzPzyV7YTeoyfYMsc+ewy4fytV43+RtP
mzmahoIxV7FtyxenB290TkeVcpSyJyZp18fgevLV2BXxPjUGZSbLG6qSQVWb
dCSDQvyuZlD49OEMymjXHOCKDMrSqJ+MPWXz8qcSHDUsym73U+dTFZvNs5lt
ZqnMSwahcGAfGo2G3j7w+/4Lq5qDVQEsc6wKt5HFqohZ/SPst4PA5k/zu3gp
ZtJ23AKHke2qQ44fPvAN6eBc/KDXrHT+N+rOIe1Ho+IxOLf0HD6yjm971rGl
aalkKryyStE5GIe727Z/LxYHb4/qu9ti5UClWZLk+UhBI11VEK/0Az7MQ2v7
L7Al7e4DSBklKpNZyQeczVb7+Fp7WjXW6hS2YmtUlR6ysrwBU1xjEqOKmQKw
UykmVfjCthrrpX6wacl1PkdnTwHd7MSZH/UUTf5skXt+Zh71VS59tYAgX3gC
k/ynq8UWKNwjiQMSlo8ZaVgc6sRgQ9iuuWBDG59xjDvrza3N5s5h8xD+d9A8
eNbcfdbcfP5FPphDPoBFeRnkayxpccBICUDCL6xaKZjZ0BTWMQnkCnVxMqzH
/H6ka+N4KGeOwgFlBojrR6daOFAHmDkNNosAaJsDIi7Ho9MIxHaRDdGHRbvx
b7mgdM9npXXgx1gcEdjBoGHnPs10MihPFTwni+go0fn9RMw1no9O65wI1USt
WDlnM5i0WyyWMh0iqyrWHJIxdKPEC7jqNUa9yXFLUSjXspJR7DwyJkKBUoLc
JGWH0GeUrLyHhbrlhluqPFfk05PpTA80IBROuVmwCmEjWAXTpH6x4KiLX1FO
K1+mey8D9DtlszcPOT6Ny9AU0t1iTB7ZkjEzAGsuFI1mFphSL4EElAm3Dgwl
tRnJ+tgoOcMfbb9zJSNUKF3cEPBDG1jKm58orVCoixtrNkMQF2KHVd6Fw4AC
DKrpGEOTgQ8gvU4yXLJklSvmW+s1dbEIJHHJknGCIl0Qo2wBP7PV01FFH2f1
BAWAOiUKmACqAjhITElcx+zTRC96YsKCm3wJcnBEidT7MnJKJ3xQ6aXYo6RT
PrNyaKo6Twqic+opyaDIcqKITSaW8lCo+5LlImB5KRXVLi2hJzihh0O43CnL
nEdEkNJbpQRRozgAhF1GpNoJBMZMIgiFJZrEEjW59Oc06C0BMOheWTmlEENX
A0POU7O/imN3zIxv3x7tS8cY+kB1UZJiViYYBkiOqmFTZy+wy7J5QifHUuVZ
ahP0zQmKE865KevWUypv6EttKiu7l53rXY/JFJWRGnFoJSxny3TDGieb+6rS
eTEJ+oz0O8TGA/yfXPqcglcoFqG0KvhGPKqCB1vBHofs7lA4I/pIY3H2rrZG
z6dtPpriSwjiXBOV8CcdDO4zMdtgKsdSrGJBkupMlSzozbxi7tlS634Rpe1M
Q5ofTBEiFXUub2eSLFNMmFFqG/AmVtYglP5WmNbLiml8qukx5nWgF3WAMh/6
lyOPH/HIo91V8czj3GGN1ecKC4v8O6TfeCie6pOLav1t9mHBywqXlfLaPPU/
5Jck3YmH1KfAa0KNCoJN7UFD3tra+jhDxo7UkOlfHdW5NIW+a/uY6SI3MG7g
nzKc4Z+wpv9UGLBmbH0TGMH0LvTHuda9L+dTZ7U7BqZGSFnVlDLbomWOvLh0
ilGPSgxo1ilLiimhMAo31RZozyYtMSgPWCZFqk1cR9Mq7p2hEVN/qmp+/Jol
8f09JaKJAsoaA4pu3Do9Em61FTvL/IxNY0P+MKy7DVEAyHnQGaeYIw12CWbk
TRlU1XXHXwYdH8/Euu7ZofpQBq1qP2OnI0MtdUbzmkemGruGlKqWAhMA7T7F
rMSYXccOwZWlr8kkozvzvBapm37nSp1JpUAaJ3aX+lYhS3avlITdG/hxOBxj
SRRB1UUSDhTWyh/WkkbTLYYqURBVJwLxQZ2Zg71+ldW8m0AoCzBNTg+R01DI
wiBvY12SvStO2LC0h/uVveT5qYT5mXDWeDydNhiOZHFIL2BzTKYich171g19
gUaWGFExAqjK9UmsHPMND72boGSPMEioljOf4eFIbOEmzC515QdtaZdAB6X3
JoiiOsdQX48jtAiRJEE52QlwIRJRrEWm0nuGqRML5gF8YWhhn4rHs3ccwFHT
qfD97iCMQyp7g4VZZTUBEO4w62y3G7I1zBsmsOOx2zToS0PaDdcI4iFT8m8d
Wi0XUoOiuA59rj6tMZlxqGQtqAyENPR7KuaNVpKqUKu3saSChQjccE0EvR5b
KBD1O2z4zDxfvEwwTO64HAayMFyQoZkAF8jaQrLluuReBi40JrbZS5NaGHeo
XCkgPmB3NqI6DkCG+uz/MIuCaXgJOLwfJRLvAxIyEp+g0aWf+jEVVwqug1jV
wDMlsNMAixJwWT1VsQ6RLEkVrnkwf2EKu8PrftRQVUG4K7VHTbMYPtfHmtPw
BN038UgFwBdqxYe4HwSSckrXhZYhJx6F8ZUxw9Ox4NL+g3Y0jDmUhcNzViJO
KA3NkY03wERdCPZbj5xCHUwPf3NJ0bY4X9xXZLy+Tq5sYkmmObfAtuzeOzvY
O3nzBrjgwT5PhqlUQLGZFh2GUfYpHTMF4vdwrZ1YQC7yhCw70huMh8pLi3qo
Q2pzN2Qydxyxz8ZKaBgNs1jBMHZhnojsNu4gWDysREMAphBPZ19ySVynIgY5
3tjwrPcknSTI7UbGAi5cgNs1B0pDrIIB7MRrLoqbIMe+DqgavVvTkPInsAsw
MDkuHJIXMquJE6+NfjDsjEZL58m54LlVt5tzJEnZTI+WpI0kI2Z/q0v7BmpT
0zec0Y7TmLKboyu9mrIVXq23Q6rReGKtl7xlrRhCp+0smjGc02zaAezXgRQL
qQ4ABvKRuwuNlgR/LggPyN81JEa1zLFbCdYNoZ8Sr6zVUjBM0qKEIN/mtRH+
dRJ2ieJw8RQ2NPPLKryY8ZVQLs1hJ2CSvVOwyhtD6lXYx80XwcpHFOssSx2o
guSIPdktCAsDgKEUV91KNVxIQxdck3NX8dFU6p6GF3EYFK2gTbUd8YKpBroF
QEbrcmZBjnymRVYjwc0mQ5Y5Fslw65CzvsrkK5K9SfnQrl7lYe4rrmMeqx3G
FiV1uAiVaTlBfWApP3JPj1zuFZ2Yn+QDi5XikjLa68hxtdSeGZVTX0vySRIH
M5UyLIzVcnHwFjXiWZVLLd6fO9MlBgGe3A+zAWyTFpZRMG9mUvD1BlhzoG1g
JnC7MpLYRIzEjCwXCAawZzA4niUJCqBxQTDUJZHs2kQUlC7ztFiwYEIg5Zog
7qS3Q1Un1foYmGdahzfro2TIOP066SPhcWUXllBQWI2L8o8t/qF7AmdETiEu
DRklfdyG+2PtlTQOmNhHfoRLkZPGa/SZJ6kXFjfiGeA2wPRAUtIC4nDFXDLm
EwQhekWoVON0HcTzjoMbGRmSeZYlm/U4akV6DbnOiJTM3HNwCg00g1iiEwh2
RUQkB/sg+lMdN8qKv2QqSTpxmnfwwTHatpFAoZ9G+Z7QVg4jE/xf/ocu/A3P
pltjhbEs3gFwUl1lUo70zhRjqVEFFGyijp+qGGlubhWGMmNvlh3mrkyJvrN6
dDRPFZVzf+eeEEQHJrDXdopHLmHJAVhadKcCmVIY9PVdoq3oSySlwHOnbNW6
KbozFCqUogFz3xwmWKVrLI+fx6Uy62clpTJtJHCqeAI0TOXVewzgVZixT6+x
S/xOI5RAE04eYXIOmPxfzu8qFBJFs6VwzdTQK+fOVdaLO4VYdzmEckp4roq5
+qw4U3bnnuI1XeeR2f5+4UFMPp2DiSBKzlZVj6mkOWtoc43MPeYPXb0L671c
orTqgdzgy3XQ1W7rkqEvvk6V8Vd39s438XpleJMfHyKONM7X+YSwXdR2rvFN
qBgE/Volg/DMNiH2xxyWm7nwTpxwqb2XlALMLdD0UcdVTC4JvZ7KDH2PNzDv
K9HqoC4H0m6fDFEyVx1pM5m0QOGpcJnYK74C2IBc9xKNDlegM9XEWXIZoj/u
Ev947acgQ4zSYNwOMgBiTexdkh8YpNfWIPt//xdtJX/1M8C+1yHWrbxJEnjp
DfZwMo6xGN3osobePZDt3mEVT2z1+yDp9dIAdxYKLDWAwDhKxF+TtB+I4wYy
1zQIfbh/GUbi1Rirh+IKHkQ3t7G371+HsjQ0m61AbwyDm4zfOQ5B0z9LZGoy
Zl4xu5ilrId8BXYSCvjvgaOhCIDmAc/bo+IxGQuCB34aYSCOzOtRaYOVktDP
P50d7omDLjoxWTWkApJc85SVmsbPvwD/TP3eSGw8a2IU89fiMHyv5NeGfrgr
H74hGePofO/t+TnX9KQ5NEHJuVKWT+LrZN4+14W9tYVRhr98LbC2hAnDQcBg
GWCpqvWD9/RSlIzY2Ho7TNayYRBFxJPTFHUxrLc5HurGemEfxc7Ib6Mi0DNS
eEav9GBaaHbws2uMHoy7gSrhBxg8oFdQDiSF1oxr5MP6kw6NL9BiC7nYvMSg
hvRhgTiJgwRXRsDED04ToD0KXJdhpzMesnrYT5PxkNId8uBPpCX/ErTUIKXb
Ju4sq39nHxHCh7jFUtBSjvbr3+nf/EguMxYqIx175cbP4mXUwzi54S3WD+2v
0rvSBGDbBNHLoM8yxKQyo2tAGobwmOqtNc/tmtjYqRF+YHtnssqrnDLG4UoE
2uIXhggQkr6w7aODi0Pxes80t17f2GyqtVCK2LvvX+9xeORlMASO31Wyn269
vv6Cv0Kvlejg8R31Sk20x4OhXfCzxpZYlybJlYiyBKO2Ov6QVBimO6opWRuR
TCs9Q3QMNNa36+vPeSCvJeLaSKo9KRJzVFxnJkFHVkyOVRz5bbq5H/iRNi+h
8YGPH+NhpXGvZ6YvoYuYBCJTjU4rU5eIzX1gBwOsvzZADZadAbwlkkhjHt2g
hem4OpbuQy6M2KM6t4DIzvYCynAdaGRBpUqSM/39hiQhYj+5/JN4R3u+n4xk
YGDqnvUL/mQ6XpcfHsWAEQAhBJ/MDWtTmTPHdzWFNrIBU8rZ+hyB8p2aAwT/
roicQW+9dLjOHT+jAxDObFetimvg8BXHa7sUy9gU925guZCV33RJR49ojcJ8
CIwYdH74oGaPHJ8vEPeTT2o0i3PXnnC2lvdM5z3XDnjcaIynBL2l4ObhX/LI
WYSS57mFMJFjltysDqPIDWBZrnRQgAkBXnTxSsY2dQUrYxIKa1lsffYF9X4p
9dz/mzZpiVHjw1eO7YL94l71Xv1gosLmxvOyrVdcU9T2Tdi0c2iXaowrG7oM
JdOPMd6F4370Gqj+7Kg0E0ciAcmR2ktWGIszoFdjzFKMBm82sqPdyUm0gUWa
w5HK7iovlJhkryGnxQDcro+zolFzWcfIWZ/LaLll0Oo7DTM0ElwofLnrRowR
fnDsY+EBRktTfHPhCR1aUPFnS6kKhbRxjkOqCYYcAmkemsMM+DhOYoWGtfJF
kEF/BfjLYu+VC9DSJR1VWXiOzw2BIXZ8fchImt0NDC1bOhpS0RU2znSpeF0n
niQSH4+KrFjFtuUllf2aVZsdl7vNhqhVfUaMScxwKA+djBKrDe5D+ijSXOHu
TFd/l9lSAqdyuhmG/FyP/7D1+vygRtWK5QToX1IzpZ272AANMVc5XPWfBr+y
n2JS73Ojop2T8ZPBxMG4+zaNipioNZUJuIhno2A3v3m7D0pQlCMFYgWVxOc7
m+urj7lrHSB+XFCxalUElTyiUzVJZ8QFGKqDO9w4Za+jcmAWIDGQJ+5ndtpE
mYRoxCUEZDIitJ20ORVSTT+SRc+5ebsJJMq3MDVMKYeeQz/qUCxSt7E0fUVg
25sjkU5MrpOKUkGOgzedvI8VHGcakpQB8aL0NBHz1eWMp95we6iaWAHdik+L
OIch9Pnmq9FuIupZ6FcJTIpnLYVlcc/K0cjbJFE5q0XPv0cALVn3fnnoarw9
O1LL0EHzFqqj5GFepr6Wnf6FOQs1Afv/QAsoZaEn2w8tcYlyWt2R02roDQZl
PcTwoYxPNeaWQY5LDMfpMMkoUuXsoLVfPzl+/fc/EPgJ0k8HezIT5gUyLZkv
Zzmgq9OkNRE0+g0QgZmWLyN9XsZW6K/HA3/HB2ghzac5lVAD7jGX03hJjWQS
mXjqdfVy3U7rsrQ7qR3+YgLcRXmEO54YYL2wEGQuVJbqJdRXZUjA2lwqoFcd
WM7qqaX3FtNRGKe30lEfTUXN69uVJoqZDBBs2ES/RQfQFVk0IOQcyqrV1oW9
bWdVWHMn10m+5xA5VqrpTDObwv/DwsNl5/gG70VtKFn+iJL/dHxeXAU1oH1s
W4CdPOCPoSVZFvKjuJfMoAPkoLXH+JaJ9zvrL2yD+zKmjOFIYgKhbZsDyShJ
RmKv5QRh+VmWdEKKDpEBgUHewOewdo24uC6fkQGlQtkQk7UNJNsItb1WCY8X
FUzeXiwhZVi74pZM9UBqxcGZvpdj5fINWC5rfaulCVHGnjXgS58a6It8iQd3
BUTpErjLIGZgwmI+6Yrgy9js0JT5VwAj8iilA8W2rewdryrwUvY+dJMdi2/z
AmycFbudC+QFmH4KEFdyz2QKRcGgF8lVED+US3YUrcK8mFdBrOPprCHLEFxi
qGPOIGOfGJLxtKBBHFByHGoGawuYFjBoW2UG4fMMO+t2dToMbOMydx/RfPSE
/PajWo/oHBXLYxbIbclMGZWmm5JsVlJqVPrDm5JKQJkD5xcz02drZirNOvTF
6PTF6PTF6PTF6PS4RifZzCdrdkK7kxudry1PTjS+a3uaIZJpBgPUlHQ+eiPB
Uz28ilCYl5GdObTnHPizo5TKLFBOzhEtc7gJdQzyVG/i/JhOVYpVk6pP5QK3
IgjdfWqKfE3KCP7TdmOjJrYbmzWx01h3d9AOPtrhR1u/2Pt5gpRZbY6ZvM+n
WgCm7sUJO7EsJYxmbfmERjMt0BDPxKe0OP/np/X6i1b90K/3fvmweb/SdP9e
/bBz/+cJa9tSlau5brdTac3P8Gh4WSSBwFO7utDlhLXJg/nTWBy7Sucsi6QT
SZUsTj7qpQzIJJnLNkQv8vtUXM1HvVKfZZRJ+62Lwj+d6joZbgWKHOGoF3X+
M5NJhf280Mg9yvVsCJX+TAXeZAzpxdYv/+hT3F2Vqb4WIYOU+VZG09ZkulpT
k7BURGyrfrM1v3uNhrWMI40bslwEL4TKh412hSxwVbUb7BUzZJz9YKewsUrB
q0p9Mqeo87UiL/9S9GUhOvo5LHWYXi20qlzlg+LPMUoft9FVcFuTShYuLNPH
/NJipaJbzdU4xwXhAJ0p4YD//P5zGqhef1pzl5tW4DEl1ghGn98GnpcC6/x6
FRR40gJznB0sC+eRVGKLFTbnwNofjxL0Vkh7kM4bz6p6hHreSLROXUnGacFq
nU81ycQB5PFondY3yLWI51EykdC5N+fzFA83CZDtMBCQchXLWyB3wdeblDJb
Rvu5m13HNhY6k/czfXvz88OZWSlBLuniIkThtRRzZVOyWGtW5r5y6X1kBROb
GkH6HPRjS7G5R08KcfpX57t0tMCpeqCrCc6uAxrgVutYWj+1z0DMpbTJVT4e
R1FZKsycEodHyORB0AodDhvKoQ5pcjBwxSk4/3hOYnBz7mDqiYSOCFI6ED/X
oj7y8HsuRQ5yj74k+vCyXpNq5Tr/ScXi0MFnSphTtURzq9iYH7WEymAmpH6Q
TiAz1lh0Phhe7PgWpRAWD4jTOGRGpYaJKQMaJ4ACIUNRJd98K5YRXZc/soYW
DmSk/x+M8kw4Uv94OC9PoM+O8fKDCnzHp4QPvzu2t0QWvgchpQ8IK9MuqVFo
Ofoix1CloQN5Mb4OeE72jl8+7N7/+bMzO3zSSF1MfPB4KC2TPUxhrObl3xmV
p4qHLYvAAgakISiDMi0Vy/Oi7YZCgQbH3jt1qPH4cO/R0fdjCoMTxG9Weo/H
6INfjFAcJzHX2tQpTxHen/d2nwAw0M16oQyQewjY6Fi7yj2hSwAJu3kRU/sO
ZoJ6eXZwftEbR7CfsgxLtgXvO5Rh4zPXET81EuvmvJn1rO/+6WnRqYXHfYfD
eb1ai5BwN99SnmbD02keLXlMuVASFKn2u7B+6OZu0vBbU+ebT+2M2fDHKOkk
kVgBsKzOTfBhuDJNzGJbTH6MFB6XhWzAKkEDO7wmGVg/bzLVTpIRHsIdDrVx
ZSHmeWHXaZRuRKdtZW1xqJR/7YecuSVR5efoKGuVY/HHM9cmBwx3MR/iJ0PN
ZlmaHxYWaDhiuE7RwQEmcIrwaae+N04xc03Y64WOZF5/FUQRBtFLvyEKRCsy
p+tpfXNntwb/bD3fpgC70/rO5sbqH1Xg+d/rwv2cPAidCGCBicPiIFpwj+iA
1ShpY04iTuGKxQGxbZEX+TvcmcgufWkIdsmcdS5CmgWdz/mhrB5IPazJFvOJ
J55vrG0su+RueWNjZ21rd5Lh5/MmeVmQhn5ULS5PX06sSjIEgI4H0FRHcINS
QGbzK5IzmG7iQBYzPMBaTFvQz24/uZLzJyM658RPS2aecPzQTpRaJjqXp0gt
kaEXPJBoFb7KJXPlOZbm0lGvvvHbrkg9j0BNtN9J5i2h+vIWsZbRcg55+Xdn
bROYmcPAPjepu5R9eQ8Ospx/t01A1mmBl7TZDvdPSvdYr5s87dYqySksd5cZ
euZuMRjr4lurLOMxd7gC7a7Ou7UAPn9LxtD8guxLXPPXnCKNShyoXNyc59Bc
TgzZl43y8I0yOTt2NnnD/CPst4OgdM/8Ro8WserMt3W4n8qsbvx48Z3C30/Y
EIXzZRVByrOeAZwQoMxjKYtRnjFCeauxbhkOJh1w+9TPgfP8Dsbh7naenVcC
eh5W/sxi5WVGn4O3R/XdbbFCiIVGBlmT+0ifWVu1lkeFvefDFj+Po/i/M4Eq
bvAqklSWs4OKN5aco5itFuMj0qmpZWNdAdp9u5RsmVkhoYLeR1gmp+wYHYfg
SNhiDSBJ6GsqUUFNqFx945jPDecyGsxDAJ2yt4VdOS1BwxFHE2UmRTeXaLlJ
MEc4RhnaEYaFum4qxpHGD3tRlc0OG0GjVtiSe1YJoUIC1k+eQupncydmqDq8
O09ehurjua1h/vztI579n3im8HdMt1BxTJdHNMs5XXzTJlzTV6Dq2K0jMAux
bLW6bA7fclA4xd6adCUiaWPKgVwLWAA1X6nqISv8CAk1JhwvfMrsDtPKSRfI
3fT0nbySr80m0mVXNSmnpSrKE1YC1Uwlf0ip+KzViCrAZ77GOp5Y0O/xxJCn
SuZgADxZGpxUffvjrIiT22fqYiy+BB8/oUZhDX5ncbC6VNHUQ7W6BodbBJur
1ZiCYLJyiltGkWQsyyjuR+akfFUac9WdW7egkN28ojS355UPl4pO5KspUAkW
pyZdleQqe2uKrcYGiKA4JTzOTEXTm1zPz5kFPJMKZ1PAB/CJhyIc0M54lOGX
StSltaJ8D+p4NO64pixS6inKpXdaUyyadFdf82bfLWtjeu4U+RUWUMFTb0HW
1O2QHNW06QBNmUUoh2Bb08bJSS+nK0P5PJjSqcrG5eh88fbt0X7DelHtcSYE
1oMbFIX4CREP/UgmfJh39L7OFCFzBqnU3Zx35UFDQhlqhvHwJmyKcRpWjdKq
75OY0bm4OOsY9RPeF80yVJ69QkD13ihDMKtIwLwLtWCRAPeauWRAVQumkkCu
fkDpIrjoMAFTOG9/ESTyBHMVTBZN2+9cM+bwr/q8kNq/NKF/1dez5Pmf3Psc
Sf+rGpFGRrsCQHUJgElwsCsDTKgHUNVERZkAe2APQzNOyv84JGmONP25+R7l
E17pS5+VQXj1xlTSCjZnQ+yNQR8EOXVMMbBcnq2qEeVxuQ1GDwQX89IiuPw0
dVLOOXDJyQAu23erVoRYCLvpzINYhlj+as0IJWtSIlmTyac8NR+Wos33dUlG
5A1TkOzUUGJnhsB7T3r295N657yJxi7DWbDydyfISmX8wBG2JoG4BFQVqAti
VDweNHPYUZ+hNrERvavW1o6PlJ/K04CEc4T+Sm8wuBd2H2fHXZQKWrhV/JJe
FxFYTGG+eblzK86PyYaFrPidTxcld+oUsjy0g4w5P+RDySBoesUJzi5MlWEy
f2BUxjwCVmJrySLboo0BIdZW5puV4o01hjzRrZzMREjhpTTdOWZUjsylc7WM
fnqq7QCXWin1jzcTrpfdXWAiWHSyPgoH+e4K0+HqlGh+h5fdWd34krtNWj5d
mz4ltiHV9fQRV9PPRm+SLu7TJwXEAOtmgv6KXDsPlELW18LVhR0aRlxJ9ZLK
nisgBigSUBHQrvArZQCazZPCURkRHrDNr82JhXLG8bAxTuL/ExK1lRQIqDT8
lNQNqLL+VBt/LAvYNOPP/LYf230oW//dLEAV6V55saan0C377IuJ6IuJ6ClN
RBYx0HuAd5f1pGwnlFbtUBRuPh0hV6tj3tVbsFSHc02p27GYNFo2wUUMYzMW
zPj9VeFSYmjwp3CpZMlPqjG7yFX+BFdFNVLOVa2tBEOYXam2susvz/qJWzJE
z+6Byjx9aA3HZXkOBrpm2VmT/MvGSxd7arr/ymz/NrbMnvdfI0QJKSzfpzmo
zyoQLFqfxVzzVWopbcIKh8jVbJlAdbnWydxG+ooKJz5CGIiBH3cuC6m6rZEa
+NRAAIRBCbQibu9uP8di9DT57UVt7fqZVUlk7vm1oiwRV3Fyg6vAZVly9UQm
GsvFuVxzeh03jgBRKNLh4f/dADSZBTzSoqKEqUxaSjApevn2oKkkA2R4gAdH
p/rkBgozmizP1DXmyMqyMZZheNBK5Olx3V4ZfumPZl4sSk20Lv+bbIxfjG9z
mWu+GN++GN++GN/+8Ma3CUUSyq1vEwxq2Erh8M/jmdRegqo8AunwsjBUby7L
2ssocCNQpgnTOK99O0hskp3qU2H9hdyoxV2TdzouVM/CHtYkzU9DXS+eXc5I
i2QG3YsfzCmEuQfIHnNBHOxYpBKGdc105Kzq41ytjHx9jAfqK/mT3vMqLZzW
lhSE+bKQWJeTkESlVGc5EXSzdjhS+VDzWSKtKw36wXudNrLgDdbXDAfTHwpS
VfFh/ogrBhsKmROqRVBAayWmlZeNkJFGVgRNNYS4pERxNcvqT0xuw88nwn+o
bl2RDX9uRXuBig72NUd1h0liDGb+r+7DVASYWgWishGrOkRZRYiH4nl6NTe1
WLDognXNXn+hqoVFsdER0lRhgrk3+bxlCeyBz1GhoBJ86oDz1GIFk1B3Qqii
Xd5gSkmDCT3UNyv5oSmCMKHwwaTBq5oIVe+YUgmLbRD1wK1H8GSyyaI1C6xr
avmChwHiYen48ZpTDj02qfrLBdCHjM/JAv6AQZ7mmnv8kVqpnR8+TtnY448y
lyR68RFCQ9NHV+anc5UI60FeOLYeWbKaddfd8vLBJHWdXrHQtVT9oXt5dJlV
sZ1a92CCdgW8uUi2ZLbUKnK0aG0D65q9zEFVC7L6wUPIVhmiQL/OYqgNNuNS
TMlj/sgLMUPa/SrwoQ1rYgb+B4hOs8AVScKMMD0Zj+pJr45518vAaqrrzQzW
aREfgYDhWYngq2G6AKu0k6jPveLl+dMfJOYWc5TPPaqK9OT+1ATl1iU9mJX5
yp8AH81f9ppU2Fer0nXPbV7FVp7QvDoxtfbDLK77w+F8FtdiDnBO7q20kjwY
JuzjT88eK9NXFvF5QXusmw5zVsFIr8ms9tjiB3PaY02i9bnpxCw51h9GXEsy
mT+ZVrZYtnPrminx+VQtH/Ohcw70RwLdD/OzzFZcnlZcyFTiVZNYOdjbf7Vq
JRonA7ATAQSMjsOuqtroURZyOy05CgqUlxzJ6vP1mnixW5tmMdjYLNnJfJkY
sIfZkx5qh0fIzJozdaLc9/sb0jVorczdT7ZPZ8nurTJ6V4FiwUTf1jVrzu9K
fYdTgZv03w+DvJ1ke4HdvlB+bZGvampdsyTefmxdz3Ay66ZNBmfQ7iuFxcmZ
queWGp3mnlB8RALTcrJMy/zSD5Qd1fhh+PPJkNbEnZEBsvDAPiuh0c7DXCI5
lhwhflA2ctnsfCJlYalmFS2rP5xXxPzisX5URltK/MoNnw4cJ2UCVotdh9Wu
poKlKcTnJn7YyhPSvMOwm+TSfyPreRjBgzHPR+hKkpA7o/is6JyVRruI9GWJ
teeld5Up4vmym56V7ukVm5XeFT+Yk86ZRPFzi2ClOespW72QTT42wTCDnUAq
3CS8fvUoq0lGVRL1uamGzA/+hISjYqjzEQpuZD5aITv+jKMZTRrrEjFoMRGo
kBl71o1vr8Cse7/0m88usvEflSn0nWuefPoPU0uLiewXsZLMl47e9Fs1fx0e
t7D1ZGMRl9oDndo2FOeV7hgxGhPU22k55WdJ+lCean7xFBACR1P0KjwewdfH
0ks8F3mSP1EbzmVtnY9u2BnlZ6Vx9jfL+djgygTOcx0KiyZtyTkTCJuxVW2v
BbM9O5fKO1y6MacdSNPPJqRb/l3hZ3qeKRtz1dd4fQQ4TjldnxXIWyXScotl
m6TIVnMsdaHsJNOz/z+MJz5aio9JSfLdtPgVCz1TsnxKjz8BmTDQveKxJVos
hErq/RJW6YQS1RGmQKEruFu1QYAkHXEIfCSfJbsb+n0UTilLdshFOyhEoxsM
AAMxO2ogLpMbsmVgzZE2paakMO+YPaG9MAXpTDZUMxly4ZHUcKFFjLWi9CMy
+kO6T5MbLHYiU5XWKBwXze/qrVarRcfp5FncMA5HaLFP9NwaNB1Vd8xKwqBy
6xeOjsuQbCkQUge3GewmVvwcC3KDWK7w/ewaMLZWp6uRW/vJt+uAEHfEgsVd
7o2q2ycEErpfkw3sUQqJYgMEmdLbMHe8fwfzu/PEv6Cdb+r15dybk2/T/X/B
r2VPTabi+lN+8sKeFvzy7gor5L78z5+nNQCYR0kCaEXR6wUbtvz18gb+NXkK
RSjkG+AfG+L05PxC/AS7YUXOafWXks4rG1h7dXFxOuHNqQ2UDv67ORqY9uai
DZTtgrlHcCc2QfLuJLjjeb3naOAvtIx5BJkbBnSiSSHsIg1U3376BrYw/FdS
P42h8zQwDUFnwoNJCPqRgLgtNtfXxVJytTR/A38pncPvhQc7qMdLSW10O2MD
U6jddx8blXfzy7HoKjjr8ahTeFaNMVMbmIYxs43gwVNYrAGSHlu9EQVBoEAH
siGfvOJgd+d0JsqAKCRJsU9nKaaDX7ogHSVewLcwsWJKORkwQ7ebD0nnbARu
upyJi5NNJQmq04rwv+wSkw5hTrSbUnmshOfoq0I2sy/PEbis7+yP7lodHJUN
zHzTniN36e9A/LLbOSWl17nF4vqdaccWv+RFUpiw/y4IbvlbFVgxQUwqEfJA
sJu/HTkjjqHujzH8COS7BdqhExU3QRTVOfEU3VygnbO9kyNCSMpfSfi3UDuJ
wnk0RKib87dTKokuT2snvzq2zG1/Na2du3evW8fW2tii91ztFFbnrvjSLO3Q
6pQ+mqudIlSXiy/N0I51Z0MctE7rF6/P1+Dfk9eLtlNkDQuOZ+KtqnY29STO
/G44zhZtpzCLBduZ+NGC7UxQT/U2maUdRbmyq3BYpaHO1I40WbjWBPfNWdqZ
qLMuT25nC9SobByNvj0fE+9aFM75bss0zY+07lXLXDA/TGnn7nU4CCmglSGj
7+etENPaQX4CtG/yRKa3U73MOZvEYnDezmPCgu0URvfdR1p3fWOHjJAoJs7c
zjQdovR6knlNsaFNuQwduzs8P3pTE2fjmBKbnZ8f7deKXVddho7d7QH3R+rk
RxkZfidJyWUtqXYwVV/kyvWLtDPVQDflmkIPS/rdxSQNmS9TEYhF98Xvy9+L
Hz1THF/crInX53t/lHnN0k4Bh/WNYNQR5a+4t0jF9P4/Q2sQgByqAQA=
--> -->
</rfc> <!-- [rfced] Abbreviations:
a) Per Section 3.6 of RFC 7322 ("RFC Style Guide"), abbreviations should be
expanded upon first use. Please review the items below and let us know if/how
they should be expanded:
i) How may we expand "TO2" below?
After this flow is complete, the device can then first provisionally
onboard, and then later receive a trust anchor through FDO's TO2 process.
ii) Should "AP" be expanded as "Access Point", "Authenticating Party", or
something else?
If set to TRUE, the device could be expected to move within a network of
APs.
b) May we expand "RESTful" by providing a definition as follows?
Original:
confirmationNumber: An integer which some solutions require in
RESTful message exchange.
Perhaps:
confirmationNumber: An integer that some solutions require in
a RESTful message exchange (where RESTful refers to the Representational
State Transfer (REST) architecture).
c) FYI - We have added expansions for the following abbreviations. Please review
each expansion in the document carefully to ensure correctness.
Certificate Authority (CA)
Near Field Communication (NFC)
Non-IP Device Control (NIPC)
Universally Unique Identifier (UUID)
-->
<!-- [rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed. Updates of this nature typically
result in more precise language, which is helpful for readers.
For example, please consider whether "native" should be updated:
SCIM clients MUST NOT specify this to describe native IP-based devices.
-->
 End of changes. 352 change blocks. 
2524 lines changed or deleted 2507 lines changed or added

This html diff was produced by rfcdiff 1.48.