This specification defines the Secure Physical Binding sub-protocol of UORA (Universal Object & Resource Attestation), governing how a Decentralized Identifier (DID) is cryptographically bound to a physical object, how that binding is verified by third parties, and how it is lifecycle-managed through upgrade, transfer, and revocation. The protocol operates under a formally specified attacker model, requires no trusted transport channel, and is stratified across four Binding Assurance Levels (BAL-1 through BAL-4) that scale from passive tamper-evident labels to continuous, autonomous environmental attestation with hardware-rooted keys derived from Physically Unclonable Functions (PUFs).
Cryptographic foundations follow [[RFC8032]] (Ed25519), [[FIPS186-5]] (P-256/ECDSA), [[RFC7517]] (JWK), and [[RFC8785]] (JCS canonicalization). PUF constructions are analyzed under the [[Armknecht2011]] security framework. The threat model is drawn from [[NIST-SP800-98]] and ETSI GR QSC 006.
This document is a Working Draft. It has been released for review and comment. Working Drafts are works in progress and subject to change based on implementation experience and community review. Implementors are cautioned against deploying Working Draft material in production systems. Please report issues at the feedback URI above.
A UORA attestation chain proves, with cryptographic certainty, the provenance and integrity of claims made about an object identified by a DID. It does not prove that any particular physical artifact is the referent of that DID. This gap — between digital identity and physical matter — is the binding problem.
Consider a high-value pharmaceutical supply chain: every attestation in the chain may be validly signed, the DID document may be intact, and the governance rules may be satisfied — yet the capsules inside the bottle may have been replaced with counterfeits. No purely digital protocol can eliminate this risk; only a protocol that ties an unforgeable physical secret to the DID can address it.
This section specifies the mechanisms — passive, active, and continuous — by which such ties are established and verified. It draws on foundational work in physical unclonable functions [[Pappu2002]], [[Ruhrmair2013]], hardware security models [[FIDO-CTAP2]], and DID-based key management [[[DID-CORE]]], [[[VC-DATA-INTEGRITY]]].
This section specifies the threat model against which the binding protocol is designed. Implementations SHALL document which attacker classes they claim to resist.
| Class | Capabilities | BAL Resisting |
|---|---|---|
| A0 | Network-only attacker. Can intercept, replay, and modify messages in transit. Cannot access the physical object. | BAL-1 through BAL-4 (all) |
| A1 | A0 plus physical access to the object. Can photograph, scan, or optically clone identifiers. Cannot remove the binding device from its carrier without destruction. | BAL-2 through BAL-4 |
| A2 | A1 plus ability to remove the binding device from the carrier. Can attempt side-channel analysis (power, timing, EM). Cannot access the secure element's key store. | BAL-2 through BAL-4 |
| A3 | A2 plus access to semiconductor fabrication equipment. Can attempt non-invasive attacks on PUF responses. Cannot reproduce PUF manufacturing variations. | BAL-3 and BAL-4 |
| A4 | A3 plus full access to one enrolled device (logical break). Can extract helper data. Cannot derive the PUF response on a different device. | BAL-3 and BAL-4 (partial; see §8.6) |
| A5 | A4 plus access to a dedicated high-speed, low-latency RF relay system. Can relay NFC/BLE challenges between a counterfeit object and a genuine device over distances. | BAL-4 with PBAC (see Appendix C) |
The following attacks are explicitly outside the scope of this protocol:
The protocol's transport-independence property (Section 1.1, Principle 5) is the primary mitigation for Class A0. All BAL levels address A0 by design.
The four BAL tiers form a strict partial order of assurance: a verifier requiring BAL-n MUST NOT accept a binding at BAL-m where m < n, unless explicitly and verifiably authorized by the applicable Trust Framework policy. This constraint is enforced in the protocol via the BAL selection rules of Section 4.3.5.
Security objective. Demonstrate that a visual or machine-readable identifier has not been physically altered or transferred from the object it was applied to.
Mechanism. A machine-readable representation of the object's DID (QR code, Data Matrix, NFC NDEF record, or equivalent) is applied to a tamper-evident carrier. The carrier MUST exhibit an irreversible, visible change upon removal or attempted transfer. Suitable carrier classes include void-pattern adhesives, destructible polyester labels, and security holographic laminates. The carrier engineering MUST be documented at enrollment.
Assurance boundaries. BAL-1 does not provide cryptographic challenge-response. A BAL-1 binding is defeated by A1 attackers who succeed in carrier replication or who access the object before any carrier damage is detected. BAL-1 is appropriate for consumer-facing authentication where visual inspection at point-of-verification is feasible, and for batch-level supply chain tracking where individual object verification is not required.
No device certificate required. BAL-1 bindings do not require a device certificate or a binding device in the sense of this specification. The DID document need not contain a UORABindingVerification method.
Security objective. Cryptographically prove possession of a device-bound private key that cannot be extracted by A0 or A1 attackers, and resist A2 attackers via tamper detection and key zeroization.
Mechanism. The binding device contains a hardware secure element (compliant with Common Criteria EAL 4+ or equivalent) with an asymmetric keypair generated on-device. The private key MUST NOT leave the secure element boundary at any time. The public key is registered in the DID document as a verification method with type UORABindingVerification and relationship assertionMethod.
Key generation requirement. The keypair MUST be generated on-device after personalization, not pre-generated and loaded. Vendors claiming BAL-2 compliance SHALL provide attestation of on-device generation, auditable by the Enrollment Authority.
Replay protection. Replay protection is the responsibility of the verifier, not the binding device. This design accommodates constrained devices (NFC tags, RFID tokens) that cannot maintain reliable persistent state. The verifier enforces replay protection by: (a) generating a cryptographically random nonce (≥ 256 bits) per challenge; (b) enforcing a response timestamp skew tolerance; and (c) maintaining a short-lived nonce cache for the duration of the skew window. The binding device SHALL NOT be required to maintain nonce history. This is consistent with the FIDO2 authenticator model [[FIDO-CTAP2]].
Tamper response. The secure element MUST implement a hardware tamper detection mechanism (active shield, mesh, or equivalent). On tamper detection, the device SHOULD zeroize the private key. Key zeroization SHALL be documented in the device's security policy.
Minimum algorithm requirements. Implementations SHALL support at least one of the cryptographic profiles in Section 6.
Conformance. Passing the UORA BAL-2 Conformance Test Suite (CTS-BAL2) is REQUIRED. The CTS is available at w3id.org/uora/conformance/binding/v1.
Security objective. Prove possession of a key that is physically unclonable and never persisted, eliminating the vendor key-retention threat present in BAL-2.
Mechanism. The binding device derives its private key from a Physically Unclonable Function using a fuzzy extractor [[Dodis2008]]. At enrollment, the PUF is queried with a defined challenge set, and the fuzzy extractor produces: (a) a stable derived key (the binding private key) and (b) public helper data required for re-derivation. The helper data is stored in the DID document or in a publicly accessible endpoint. The private key is never stored in non-volatile memory; it exists only transiently during device power-on and is recomputed on each challenge-response cycle.
Unclonability guarantee. The security of a PUF-based binding under the [[Armknecht2011]] framework requires that the PUF satisfy: (1) uniqueness — the inter-device Hamming distance between responses to the same challenge is approximately 50%; (2) reliability — the intra-device Hamming distance across conditions is below the fuzzy extractor's error-correction bound; and (3) unpredictability — an adversary observing polynomially many challenge-response pairs gains negligible advantage in predicting responses to unseen challenges. Implementations SHALL publish these statistics via the PUF Interface Descriptor (PID) as defined in Appendix A.
PUF Interface Descriptor (PID). BAL-3 and BAL-4 devices MUST include a PID in the DID document's binding verification method. The PID is a machine-readable JSON object that fully describes the PUF construction, the fuzzy extractor algorithm and parameters, the challenge construction mechanism, the helper data location and content hash, and the measured inter- and intra-device statistics. The PID schema is defined in Appendix A. A verifier SHALL use the PID to construct a challenge and to interpret the helper data. Conformance test C-07a requires that a clean-room verifier can construct a valid challenge from the PID alone, without vendor-proprietary knowledge.
Vendor cannot retain key. Because the private key is derived at power-on from silicon manufacturing variations, no manufacturing process can produce the key without the physical device. This property distinguishes BAL-3 from BAL-2 in the supply chain trust model.
Conformance. Passing CTS-BAL3 plus a valid and complete PID are REQUIRED.
Security objective. Continuously prove that the bound physical object has not been tampered with, relocated without authorization, or subjected to conditions outside its permitted environmental envelope, even in the absence of an active verifier.
Mechanism. All BAL-3 requirements apply, including the PID. In addition, the binding device: (a) continuously monitors the object's physical state via onboard sensors (motion, temperature, tamper switches, or other sensors specified at enrollment); (b) generates signed attestations autonomously when monitored parameters cross defined thresholds or on a configured periodic interval; (c) maintains a trusted time source with documented drift bounds; and (d) SHALL implement the Proximity-Bound Authenticated Channel (PBAC) extension defined in Appendix C as its mandatory proximity verification mechanism. The response-time bounding of Section 4.3.6 serves as a fallback when PBAC is not available.
Maximum attestation interval. The maximum permitted interval between autonomous attestations MUST be declared at enrollment and recorded in the BEA. Verifiers SHALL treat a gap exceeding the declared interval (plus the documented clock drift) as a verification_inconclusive result requiring investigation.
Conformance. Passing CTS-BAL3 plus CTS-BAL4 (continuous attestation test vectors) are REQUIRED.
| BAL | Key Type | Possession Proof | Anti-Cloning | Autonomous Attestation | Attacker Resisted |
|---|---|---|---|---|---|
| 1 | None | Visual / carrier integrity | Carrier engineering | No | A0 |
| 2 | SE-generated asymmetric | Challenge-response | Secure element | No | A0, A1, A2 |
| 3 | PUF-derived, ephemeral | Challenge-response | PUF + fuzzy extractor | No | A0, A1, A2, A3 |
| 4 | PUF-derived, ephemeral | Challenge-response + continuous + PBAC | PUF + environmental monitor | Yes | A0, A1, A2, A3, A5 |
The binding protocol is transport-agnostic. The ChallengeRequest and ChallengeResponse messages MAY be carried over any transport, including NFC (ISO/IEC 14443, ISO/IEC 15693), Bluetooth LE, USB, HTTP/S, or proprietary RF protocols. Implementations SHOULD use transport-layer security where available as defense-in-depth. Implementations MUST NOT assume transport-layer integrity or authenticity. All security properties derive from the application-layer message signatures.
Proximity enforcement. Some transports provide inherent proximity enforcement (NFC, RFID). For transports without inherent proximity enforcement, verifiers SHOULD apply maximum round-trip time thresholds calibrated to the expected transport medium (see Section 4.3.6). This does not eliminate relay attacks but raises the practical cost; see Section 8.2. BAL-4 devices and any deployment requiring strong relay-attack resistance SHALL implement the PBAC extension defined in Appendix C.
CertificationCredential, issued by the applicable Trust Framework Governance Authority, authorizing the EA to issue BEAs at the declared BAL. An EA that has had its CertificationCredential revoked MUST NOT issue new BEAs.UORABindingVerification. The method MUST be listed under assertionMethod in the DID document.urn:uora:trust-framework:profile-1); PUF Interface Descriptor (PID) as defined in Appendix A (BAL-3/4 only); tamper-evidence carrier class and engineering specification (all BALs).If an EA's CertificationCredential is compromised or revoked, all BEAs issued by that EA SHOULD be treated as untrusted by default. Trust frameworks MUST specify: (a) the mechanism for revoking an EA's CertificationCredential; (b) the notification obligation of the EA and the Trust Framework Governance Authority; and (c) the procedure for verifying or re-enrolling affected bindings. An EA operating under a revoked CertificationCredential has no standing to issue BEAs or to attest to previously issued BEAs.
TFP-1 default. Under TFP-1 (Appendix B), the revocation mechanism SHALL be StatusList2021. When an EA credential is revoked, all BEAs issued by that EA are invalid until the object owner completes re-enrollment with a valid EA. The object owner has 30 calendar days to complete re-enrollment. Failure to re-enroll within this window SHALL cause the binding to be marked as revoked with reason code authority_revoked.
| Field | Type | Required? | Description |
|---|---|---|---|
did | string (DID) | REQUIRED | The DID of the object whose binding is being verified. |
didVersion | string | OPTIONAL | Version identifier of the DID document the verifier resolved. If present, verification SHALL be performed against that version. If the version is unavailable, the verification SHALL fail with error version_unavailable. If absent, the current DID document version is used. |
nonce | string (base64url) | REQUIRED | Cryptographically random value, ≥ 256 bits (≥ 32 bytes). Generated by the verifier using a CSPRNG [[NIST-SP800-90A]]. MUST NOT be reused. |
timestamp | string (ISO 8601) | REQUIRED | Verifier's current time in UTC, expressed as a full ISO 8601 datetime with timezone offset Z. Used for skew tolerance enforcement. |
verifier | string (DID) | REQUIRED | The verifier's DID, providing accountability for challenge issuance. |
minBal | string | OPTIONAL | Minimum BAL the verifier will accept. If omitted, any BAL is accepted. Values: "BAL-1", "BAL-2", "BAL-3", "BAL-4". |
requestPbac | boolean | OPTIONAL | If true and the binding method advertises PBAC support (see Appendix C), the verifier requests that the challenge-response be bound to the transport channel using PBAC. If true and the device does not support PBAC, the device SHALL proceed with standard challenge-response and set pbacApplied to false. Default: true for verifiers that support PBAC. |
The didVersion field enables time-consistent verification. A verifier that resolved a DID document and cached its binding verification methods SHOULD include the cached version identifier in subsequent challenges. This prevents a scenario where the DID document has been updated (e.g., a binding upgraded or revoked) between the verifier's resolution and the challenge.
| Field | Type | Required? | Description |
|---|---|---|---|
did | string (DID) | REQUIRED | Must match the did in the corresponding ChallengeRequest. |
nonce | string (base64url) | REQUIRED | Must be the nonce from the corresponding ChallengeRequest, reproduced without modification. When PBAC is applied, this field carries the PBAC-encrypted payload as a base64url-encoded binary blob. See Appendix C for the transformation. |
signature | string (base64url) | REQUIRED | The binding device's signature over the JCS-canonicalized ChallengeRequest, as received, without modification. |
bindingMethod | string (URI) | REQUIRED | The verification method ID from the DID document corresponding to the keypair used to produce the signature. |
timestamp | string (ISO 8601) | CONDITIONAL | Device-generated timestamp in UTC. REQUIRED for BAL-4. OPTIONAL for BAL-2 (constrained devices without reliable clocks MAY omit). If present, used to bound response time and detect relay attacks. |
bal | string | REQUIRED | The device's actual BAL. Values: "BAL-2", "BAL-3", "BAL-4". If this value is lower than the minBal in the ChallengeRequest, the verifier SHALL return insufficient_bal. |
deviceStatus | string | OPTIONAL | Device self-reported operational status. Values: operational, degraded, tampered. Absence implies operational. A tampered status SHALL cause the verifier to return verification_inconclusive regardless of signature validity. |
continuousAttestation | object | CONDITIONAL | Required for BAL-4. Contains the latest signed autonomous attestation payload, including sensor readings, event log, and timestamp. Schema specified in Appendix A. |
pbacApplied | boolean | REQUIRED for BAL-4. OPTIONAL for BAL-2/3. | true if the response was generated using the Proximity-Bound Authenticated Channel (PBAC) extension. false otherwise. If the ChallengeRequest had requestPbac = true and this field is false, the verifier SHALL return verification_inconclusive unless a Trust Framework exception applies. |
pbacSignature | object | CONDITIONAL | Required when pbacApplied is true. Contains a signed attestation from the Proximity Verifier Service (PVS) confirming that the PBAC challenge was correctly decrypted and the response latency is within the physical limit of the transport. Schema: { pvsDid: string, decryptedNonce: string, latencyMs: number, timestamp: string, signature: string }. |
The signature MUST be computed over the JCS-canonicalized form of the ChallengeRequest, exactly as received by the binding device, without modification, including all fields present in the received message and no additional fields. The canonicalization algorithm is the JSON Canonicalization Scheme specified in [[RFC8785]]. This algorithm: (a) sorts object keys lexicographically by Unicode code point; (b) applies IEEE 754 serialization for numeric values; and (c) removes insignificant whitespace. The binding device MUST apply JCS to the received bytes; it MUST NOT re-parse or reconstruct the ChallengeRequest.
Implementations MUST validate that the JCS output is byte-for-byte reproducible before verifying or producing signatures. A reference implementation with test vectors is provided at the conformance URI.
didVersion was specified, resolve that specific version. If the version is unavailable, abort with version_unavailable.UORABindingVerification. If none are found, abort with no_binding_method.minBal requirement, abort with insufficient_bal.unsupported_trust_framework.verification_inconclusive with detail invalid_pid.requestPbac = true.requestPbac was true, verify that pbacApplied is true. If false, return verification_inconclusive with detail pbac_not_applied.pbacApplied is true, validate the pbacSignature against the PVS's public key and verify the attestation contents per Appendix C. If PVS validation fails, return verification_inconclusive with detail pbac_validation_failed.invalid_nonce. Note: if PBAC was applied, the nonce comparison is performed against the decryptedNonce in the validated PVS attestation, not the raw nonce field.expired_challenge.verification_inconclusive.tampered, return verification_inconclusive.invalid_signature.revoked_binding.valid. Record the verification event in the UORA audit log.If a DID document contains multiple binding verification methods, the verifier SHALL select a method according to the following rules:
minBal specified in the ChallengeRequest.BAL downgrade attacks exploit a multi-method DID document by presenting a lower-assurance binding for an object that also has a higher-assurance binding. The rule above, combined with the verification result states in Section 4.5, ensures that a verifier receives an accurate picture of the highest available assurance.
A relay attack occurs when an attacker intercepts a ChallengeRequest, relays it to the genuine binding device at a different location, and returns the response — thereby making a fraudulent object appear to be the genuine article. The protocol provides a tiered set of mitigations:
verification_inconclusive. This raises the cost of relay attacks but does not eliminate them against a sophisticated A5 attacker.verification_inconclusive.continuousAttestation object. Verifiers SHOULD validate that declared proximity is consistent with the verification context.Binding devices SHOULD implement rate limiting on challenge-response operations to mitigate denial-of-service attacks and resource exhaustion. Rate limiting is especially critical for:
Recommended rate limits: no more than 10 challenge-response operations per 60-second window per verifier DID, with exponential backoff on excess. Implementations SHALL document their rate limiting policy in the device's security policy.
Verifiers operating in environments with intermittent connectivity MAY cache resolved DID documents and associated binding verification methods subject to the following constraints:
StatusList2021, bitstring status list, or method-specific revocation endpoint).| Code | Meaning |
|---|---|
tamper_detected | Hardware tamper indicator activated. The physical security of the binding device has been compromised. |
device_failure | The binding device has failed and can no longer produce valid challenge responses. |
device_replacement | The binding device is being replaced as part of scheduled maintenance. Use with rebinding (Section 4.5). |
object_decommissioned | The physical object has reached end-of-life and is being decommissioned. No rebinding will follow. |
binding_upgraded | The binding has been upgraded to a higher BAL. Use with rebinding (Section 4.5). |
authority_revoked | The Enrollment Authority that issued this binding's BEA has had its CertificationCredential revoked. The binding should be re-evaluated. |
key_compromise | There is evidence that the binding private key has been or may have been compromised. |
Rebinding replaces one binding device with another while maintaining the object's DID and attestation chain continuity.
binding_upgraded. A downgrade in BAL MUST be explicitly authorized by the Trust Framework and logged.| Result Code | Meaning | Recommended Action |
|---|---|---|
| valid | Challenge-response succeeded. Binding is intact and verified at the returned BAL. | Accept. Log event with BAL and timestamp. |
| invalid_signature | Signature verification failed. The response does not correspond to the registered public key. | Reject. Investigate possible key mismatch or device substitution. |
| expired_challenge | Challenge timestamp exceeds skew tolerance or response time threshold exceeded. | Reject. Retry with fresh challenge. If persistent, investigate relay attack. |
| revoked_binding | Binding verification method is marked revoked in the DID document. | Reject. Do not accept the object without re-enrollment. |
| insufficient_bal | Device's actual BAL is below the verifier's minBal requirement. | Reject. Do not downgrade without Trust Framework authorization. |
| device_unreachable | Binding device did not respond within the transport timeout. | Inconclusive. Retry. If persistent, escalate to object owner. |
| verification_inconclusive | Transient error, tampered device status, relay attack suspicion, PBAC not applied when requested, or PVS validation failure. Binding cannot be confirmed or denied. | Inconclusive. Retry. Do not accept. Investigate if persistent. |
| version_unavailable | The didVersion specified in the ChallengeRequest is not available from the DID resolver. | Inconclusive. Retry without didVersion or with a later version. |
| no_binding_method | No UORABindingVerification method found in the resolved DID document. | Reject. The object may not have been enrolled or the DID document may be malformed. |
| invalid_nonce | Nonce in the ChallengeResponse does not match the ChallengeRequest. | Reject. Possible replay or device malfunction. |
| unsupported_trust_framework | The TFP declared in the BEA is not supported by the verifier. | Reject. Cannot verify binding under an unknown governance framework. |
| profile_c_risk_not_accepted | The binding uses Profile C (symmetric-key) but the required risk acceptance acknowledgment is missing or invalid. | Reject. The verifier cannot trust a symmetric-key binding without explicit, signed risk acceptance per Section 6.3. |
| invalid_pid | The PUF Interface Descriptor (PID) for a BAL-3/4 binding is missing or malformed. | Inconclusive. Cannot construct a valid PUF challenge without a valid PID. |
This section formally characterizes the trust assumptions at each boundary of the binding protocol. An implementation that does not document its trust assumptions provides no verifiable security guarantees.
| Actor | Trust Assumption | Failure Scenario | Mitigation |
|---|---|---|---|
| Binding Device Vendor (BAL-2) | Vendor manufactured the secure element correctly and did not retain a copy of the private key. | Vendor retains key; can impersonate any bound object without physical access. | Independent Enrollment Authorities. Vendor audits and Common Criteria certification. BAL-3 preferred for high-value deployments. |
| Binding Device Vendor (BAL-3/4) | Vendor's PUF construction satisfies uniqueness, reliability, and unpredictability per the [[Armknecht2011]] framework. | PUF modeling attack succeeds; attacker can predict responses from published helper data. | Documented PUF statistics from production samples via PID. Controlled challenge sets. Vendor SHALL provide attack mitigation disclosure. |
| Enrollment Authority | EA correctly verified device authenticity before issuing the BEA. | EA compromise: attacker can issue fraudulent BEAs for non-genuine devices. | EA must hold valid CertificationCredential. EA revocation and binding revalidation mechanisms per §4.2.3. |
| Verifier | None. Protocol is designed such that verifiers cannot learn the private key. | Malicious verifier mounts repeated challenges to perform side-channel analysis. | Rate limiting per §4.3.7. BAL-3/4 key non-existence between power cycles. |
| Proximity Verifier Service (PVS) | PVS holds Channel Key shadows and correctly attests to PBAC decryption results. PVS is trusted not to collude with a relay attacker. | PVS compromise: attacker with PVS keys can forge PBAC attestations and defeat relay protection. | PVS SHALL be operated by an independent, audited third party. PVS Channel Key shadow storage SHALL be HSMed. PVS attestation signing key SHALL be rotated per the Trust Framework schedule. Verifiers MAY query multiple independent PVS instances for mutual corroboration. |
| Transport | None. Transport is fully untrusted. | Man-in-the-middle intercepts and replays challenge-response pairs. | Application-layer signatures. Nonce freshness. Timestamp skew. Response time bounding. PBAC for BAL-4. |
This specification defines the cryptographic binding protocol. It does not define the governance framework that determines which EAs are trusted, which BALs are required for specific use cases, or how disputes are resolved. These questions are addressed by the applicable Trust Framework, which MUST:
Baseline Profile. Appendix B defines TFP-1, the minimal Trust Framework Profile. TFP-1 provides a fully specified, normative governance model suitable for closed supply chains and single-provider deployments. Conformant implementations that do not operate under a community-specific Trust Framework SHALL support TFP-1 as the default interoperability profile.
Implementations SHALL support at least one of the following profiles. The profile used for a given binding SHALL be recorded in the BEA. Verifiers MUST support all profiles they may encounter in their deployment context.
| Algorithm | Ed25519 (Twisted Edwards curve, cofactor 8) [[RFC8032]] |
| JWK key type | OKP, curve: Ed25519 |
| Signature format | 64-byte raw (r || s), base64url-encoded |
| Signature input | JCS-canonicalized ChallengeRequest bytes |
| Security level | ~128-bit classical; secure under DL assumption on the Ed25519 curve [[Bernstein2011]] |
| Recommended for | BAL-2, BAL-3, BAL-4 (general purpose, high-performance constrained devices) |
| Algorithm | ECDSA with SHA-256 on NIST P-256 [[FIPS186-5]] |
| JWK key type | EC, crv: P-256 |
| Signature format | DER-encoded (r, s), base64url-encoded |
| Signature input | JCS-canonicalized ChallengeRequest bytes |
| Security level | ~128-bit classical; secure under ECDLP assumption on P-256 |
| Recommended for | BAL-2, BAL-3, BAL-4 (FIPS-regulated environments, HSM-backed deployments) |
Security Warning: Profile C is DEPRECATED as of this Working Draft. New implementations SHOULD use Profile A or B. Profile C is included only for backward compatibility with existing deployments. Profile C fundamentally breaks the non-repudiation property of UORA because the Enrollment Authority shares the symmetric key and can impersonate any bound device at will.
| Algorithm | AES-128 CMAC per ISO/IEC 29192-6 and NIST SP 800-38B |
| Key material | 128-bit symmetric key, provisioned at enrollment via secure channel |
| Signature format | 16-byte MAC, base64url-encoded |
| Security level | ~128-bit classical under AES assumption |
| Constraints | SHALL be used only in closed ecosystems with a single trusted EA. SHALL NOT be used in multi-party trust frameworks. Key diversification per device MUST be implemented per [[NIST-SP800-108]]. Non-repudiation properties are absent: the EA and the device share the key. |
| Mandatory Risk Acceptance (NEW). | Any BEA using Profile C MUST include a signed profileCRiskAcceptance object. A verifier that encounters a Profile C BEA without this object, or with an invalid signature, SHALL return profile_c_risk_not_accepted. The risk acceptance object SHALL contain: the DID of the accepting party, a statement acknowledging the non-repudiation break, the acceptance timestamp (ISO 8601 UTC), and a signature from the accepting party's DID key over the JCS-canonicalized acceptance object. |
| Recommended for | Legacy NFC-constrained BAL-2 deployments in closed supply chains. For all new deployments, prefer Profile A (Ed25519) on hardware capable of it. |
Post-quantum algorithm profiles (e.g., ML-DSA per FIPS 204, SLH-DSA per FIPS 205) are reserved for a future version of this specification. Implementors planning for long-term binding validity (>10 years) SHOULD monitor NIST PQC standardization progress and plan migration paths.
The following states define the normative lifecycle of a physical binding. State transitions MUST be recorded as signed UORA attestations.
| State | Entry Condition | Exit Conditions | Attestation Required |
|---|---|---|---|
| Manufactured | Device produced; keypair generated or PUF characterized; device certificate issued. | → Enrolled: successful BEA issuance. | Device certificate (BDV-issued). |
| Enrolled | BEA issued and anchored to VDR; binding verification method registered in DID document. | → Active: first successful challenge-response. → Revoked: pre-operational compromise. | BEA (EA-issued). |
| Active | Binding operational; challenge-response succeeds. | → Degraded: device reports degraded status. → Revoked: authorized revocation event. | Periodic verification events (logged by verifier). |
| Degraded | Device reports deviceStatus = degraded. Challenge-response may succeed with reduced reliability. | → Active: device recovers. → Revoked: degradation progresses to failure or tamper detection. | Degradation event attestation. |
| Revoked | Binding verification method removed or marked revoked in DID document. | → Enrolled (new device): rebinding per §4.5. | Binding Revocation Attestation. |
| Decommissioned | Object at end-of-life; all bindings revoked; DID document updated with decommission claim. | Terminal state. | Disposition attestation (Object Owner-issued). |
This section analyzes the security properties of the protocol against the attacker classes defined in Section 2. Implementations claiming a specific BAL MUST demonstrate, with reference to this section, that the identified mitigations are in place.
A cloning attack involves replicating the binding identifier on a counterfeit object such that the counterfeit passes verification.
A relay attack intercepts a legitimate challenge and relays it to the genuine device from a remote location. The protocol provides tiered mitigations:
Verifiers requiring strong relay prevention SHALL use PBAC or supplement with UWB distance bounding.
Replay attacks are mitigated by nonce freshness and timestamp skew enforcement. The verifier's short-lived nonce cache (maintained for the skew window) ensures that a captured challenge-response pair cannot be replayed within the skew window. After the skew window expires, the nonce is no longer valid and the response cannot be replayed, because a fresh nonce is required for each new challenge.
A BAL downgrade attack presents a lower-assurance binding for an object that also has a higher-assurance binding. The BAL selection rules in Section 4.3.5 prevent this by requiring the verifier to select the highest available BAL that meets or exceeds minBal. Any permitted downgrade event MUST be logged and justified.
Compromise of an EA's CertificationCredential key allows an attacker to issue fraudulent BEAs for non-genuine devices. Trust frameworks MUST implement EA revocation and binding revalidation per Section 4.2.3. The use of independent EAs (multiple CertificationCredential holders) limits the blast radius of a single EA compromise. Verifiers SHOULD validate that the EA's CertificationCredential is non-revoked as part of every binding verification.
PUF modeling attacks use machine learning classifiers trained on challenge-response pairs to predict unseen responses [[Ruhrmair2013]]. Arbiter PUFs with large challenge spaces are particularly vulnerable. Mitigations: (a) use of XOR-Arbiter PUFs or Ring Oscillator PUFs with controlled challenge sets; (b) challenge set restriction (the verifier's challenge set MUST be kept confidential and rotated); (c) fuzzy extractors that operate on a fixed enrollment challenge, limiting the exposed challenge-response space; (d) preferring SRAM PUFs for BAL-3 implementations where manufacturing access risks are high; and (e) PUF Interface Descriptors (Appendix A) that allow verifiers to evaluate the PUF's published susceptibility profile before issuing challenges. Vendors SHALL document their PUF construction's susceptibility to modeling attacks and the implemented mitigations in the PID.
Evidence of binding private key compromise SHOULD trigger immediate revocation (reason code key_compromise) and rebinding. For BAL-3/4, key compromise in the cryptographic sense (not a physical break) is infeasible without device access, due to the non-persistence of the derived key. For BAL-2, compromise of the SE vendor's manufacturing process could theoretically enable key extraction; independent EA verification and BAL-3 preference for high-value bindings mitigate this.
Repeated challenge requests can exhaust processing capacity or battery reserves of constrained devices. Rate limiting per Section 4.3.7 is the primary mitigation. Trust frameworks SHOULD also define verifier authentication requirements so that only authorized verifiers can submit challenges to binding devices in high-value deployments.
A compromise of the Proximity Verifier Service (PVS) or its Channel Key shadow store would allow an attacker to forge PBAC attestations, defeating the relay-attack protection at BAL-4. Mitigations:
verification_inconclusive.An implementation claiming conformance to this specification SHALL satisfy all of the following requirements. Claims of conformance at a specific BAL MUST be accompanied by a completed Conformance Declaration referencing the test suite results.
| Req. ID | Requirement | BAL Scope |
|---|---|---|
| C-01 | Specify the supported BAL(s) and document any BAL combinations. | All |
| C-02 | Implement the enrollment protocol per Section 4.2 for each supported BAL. | All |
| C-03 | Implement the challenge-response protocol per Section 4.3, including JCS canonicalization, nonce generation, and skew tolerance enforcement. | BAL-2+ |
| C-04 | Implement the revocation procedure per Section 4.4, including all reason codes. | All |
| C-05 | Support at least one cryptographic profile from Section 6. | BAL-2+ |
| C-06 | Pass the UORA Binding Conformance Test Suite (CTS) for all claimed BALs. Test vectors: w3id.org/uora/conformance/binding/v1. | All |
| C-07 | Publish a valid and complete PUF Interface Descriptor (PID) per Appendix A, including measured inter/intra-device statistics from ≥ 1000 devices. | BAL-3+ |
| C-07a | NEW: Demonstrate that a clean-room verifier implementation can parse the PID and construct a valid PUF challenge without vendor-proprietary knowledge. | BAL-3+ |
| C-08 | Return all verification result states defined in Section 4.6 with the correct semantics. | BAL-2+ |
| C-09 | Support the didVersion field in ChallengeRequest and implement time-consistent verification per Section 4.3.1. | BAL-2+ |
| C-10 | Enforce BAL selection rules per Section 4.3.5, including downgrade prevention. | BAL-2+ |
| C-11 | Implement rate limiting per Section 4.3.7 and document the rate limiting policy. | BAL-2+ |
| C-12 | Implement the lifecycle model per Section 7, recording each state transition as a signed UORA attestation. | All |
| C-13 | Document trust model assumptions per Section 5 for each claimed BAL. | All |
| C-14 | Document the tamper-evidence carrier class and engineering specification in the BEA. | All |
| C-15 | Implement continuous attestation, including trusted time source and autonomous attestation per Section 3.4. | BAL-4 |
| C-16 | NEW: Support the mandatory risk acceptance mechanism for Profile C per Section 6.3, and return profile_c_risk_not_accepted when the mechanism is violated. | BAL-2 (Profile C only) |
| C-17 | NEW: Implement PBAC per Appendix C, including Channel Key generation, PBAC response generation, and PVS integration. | BAL-4 |
| C-18 | NEW: Support TFP-1 per Appendix B as the default Trust Framework Profile, including StatusList2021 EA credential revocation and 30-day re-enrollment window. | All |
| C-19 | NEW: Include the TFP identifier in every BEA per Section 4.2.2, Step 6. | All |
The PUF Interface Descriptor (PID) is REQUIRED for all BAL-3 and BAL-4 bindings. The PID SHALL be embedded in the UORABindingVerification verification method in the DID document, or included directly in the BEA and referenced by URL from the DID document. The PID provides all information a verifier needs to construct a challenge the binding device can process, without requiring vendor-proprietary knowledge.
{
"pidVersion": "1.0",
"pufConstruction": "SRAM-PUF",
"pufVendor": "PUFvendor Corp",
"pufPartNumber": "PV-SRAM-256A",
"challengeConstruction": {
"algorithm": "sha256",
"inputFormat": "utf8-string",
"maxChallengeLength": 64,
"minChallengeLength": 8,
"description": "The binding device hashes the UTF-8 bytes of the nonce field from the ChallengeRequest. The resulting 256-bit hash is the PUF challenge."
},
"helperData": {
"uri": "https://vendor.example/helper-data/device123.bin",
"hash": {
"algorithm": "sha256",
"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
},
"format": "bch-params",
"formatVersion": "1",
"description": "BCH error-correcting code parameters for the fuzzy extractor. The binary helper data file contains the BCH codeword."
},
"fuzzyExtractor": {
"algorithm": "BCH",
"parameters": {
"codewordLength": 2047,
"messageLength": 1023,
"errorCorrectionCapability": 50
},
"implementation": "Standard binary BCH per Lin & Costello",
"derivedKeyLength": 256
},
"pufStatistics": {
"interDeviceHD": { "mean": 0.49, "stddev": 0.02, "min": 0.44, "max": 0.54 },
"intraDeviceHD": { "mean": 0.04, "stddev": 0.01, "min": 0.01, "max": 0.08 },
"sampleSize": 5000,
"temperatureRange": "-20C to +85C",
"voltageRange": "1.62V to 1.98V",
"measurementMethod": "NIST NVLAP-accredited lab, report #2025-PUF-001",
"reportUri": "https://pufvendor.example/audit/2025-puf-001.pdf",
"measuredBy": "Independent Testing Lab Inc."
},
"modelingAttackResistance": {
"classifierTested": ["Support Vector Machine", "Deep Neural Network", "Logistic Regression"],
"challengeResponsePairsExposed": 1000000,
"predictionAccuracy": { "maxObserved": 0.52, "atPairCount": 1000000 },
"reportUri": "https://pufvendor.example/security/puf-modeling-2025.pdf"
}
}
Required fields: pidVersion, pufConstruction, challengeConstruction, helperData, fuzzyExtractor, pufStatistics (with interDeviceHD, intraDeviceHD, and sampleSize).
Verifier usage: A verifier SHALL parse the PID, validate that pidVersion is supported, verify that the helperData.hash.value matches the actual helper data retrieved from helperData.uri, and construct challenges according to challengeConstruction. If any PID field is missing or invalid, the verifier SHALL return invalid_pid.
TFP-1 is the baseline Trust Framework Profile. Conformant implementations that do not operate under a community-specific Trust Framework SHALL support TFP-1 as the default interoperability profile. BEA issuers SHALL record the TFP identifier urn:uora:trust-framework:profile-1 in the BEA when operating under TFP-1.
Under TFP-1, an EA's CertificationCredential SHALL be a W3C Verifiable Credential conforming to the following minimum schema:
{
"@context": [
"https://www.w3.org/ns/credentials/v2",
"https://w3id.org/uora/contexts/v1"
],
"type": ["VerifiableCredential", "UORACertificationCredential"],
"issuer": "did:example:governance-authority",
"validFrom": "2026-01-01T00:00:00Z",
"validUntil": "2027-01-01T00:00:00Z",
"credentialSubject": {
"id": "did:example:ea-123",
"authorizedBALs": ["BAL-1", "BAL-2", "BAL-3", "BAL-4"],
"jurisdiction": "Global",
"contactEmail": "compliance@ea-123.example"
},
"credentialStatus": {
"id": "https://ea-123.example/status/1",
"type": "StatusList2021Entry",
"statusPurpose": "revocation",
"statusListIndex": "0",
"statusListCredential": "https://governance.example/status/lists/1"
}
}
EA CertificationCredentials under TFP-1 SHALL be revocable via StatusList2021. When an EA credential index is set to revoked:
Revoked state with reason code authority_revoked.Verification events under TFP-1 SHALL be logged with the following minimum structure:
{
"eventType": "UORABindingVerification",
"eventId": "uuid",
"timestamp": "ISO8601 UTC",
"verifierDid": "did:example:verifier",
"objectDid": "did:example:object",
"bindingMethodId": "did:example:object#key-1",
"result": "valid | invalid_signature | ...",
"bal": "BAL-3",
"pbacApplied": true,
"pvsAttestation": { "..." },
"tfp": "urn:uora:trust-framework:profile-1"
}
Audit logs SHALL be retained for a minimum of 7 years from the verification date, or as required by the applicable regulatory regime, whichever is longer.
TFP-1 defines a default two-step dispute process:
The Proximity-Bound Authenticated Channel (PBAC) is a normative extension to the challenge-response protocol that provides cryptographic relay-attack protection. PBAC is REQUIRED for BAL-4 devices and OPTIONAL for BAL-2 and BAL-3 devices. BAL-4 devices SHALL implement PBAC as their primary proximity verification mechanism.
The core idea: the verifier's challenge nonce is encrypted under a symmetric Channel Key (CK) that exists only inside the binding device and in a trusted Proximity Verifier Service (PVS). The binding device decrypts and re-encrypts the nonce within the same transport session. A relay attacker who intercepts the encrypted nonce and sends it to a distant device cannot produce a valid response because the distant device's decrypted response can never return fast enough to satisfy the transport's physical timing constraints, and the verifier cannot decrypt the response itself. The PVS acts as a trusted third party that verifies the decryption was correct and the latency was within expected bounds.
CKHash = SHA-256(CK).CKHash and the DID of the designated Proximity Verifier Service responsible for this device.CKHash and registers the PVS binding in the DID document.When a verifier sets requestPbac = true in the ChallengeRequest and the binding device supports PBAC:
requestPbac: true.nonce field.pbacBlindedNonce = AES-256-CTR(CK, nonce) using the internally stored CK. The ciphertext is a deterministic encryption of the nonce under the Channel Key.nonce = base64url(pbacBlindedNonce), pbacApplied = true, and computes the standard signature over the JCS-canonicalized original ChallengeRequest (not over pbacBlindedNonce).pbacApplied = true, the verifier cannot directly compare the nonce. Instead, the verifier submits a PBAC Verification Request to the PVS:
{
"deviceJwkThumbprint": "urn:ietf:params:oauth:jwk-thumbprint:sha-256:...",
"originalNonce": "base64url(original nonce)",
"pbacBlindedNonce": "base64url(pbacBlindedNonce from response)",
"challengeTimestamp": "ISO 8601",
"responseTimestamp": "ISO 8601",
"transportType": "NFC",
"verifierDid": "did:example:verifier"
}
deviceJwkThumbprint.decryptedNonce = AES-256-CTR-DECRYPT(CK, pbacBlindedNonce).decryptedNonce == originalNonce. If not, the PVS returns a failure attestation.(responseTimestamp - challengeTimestamp) is within the expected transport latency bound (e.g., ≤ 10 ms for NFC).
{
"pvsDid": "did:example:pvs",
"deviceJwkThumbprint": "urn:ietf:params:oauth:jwk-thumbprint:sha-256:...",
"decryptedNonce": "base64url(decrypted nonce, matching originalNonce)",
"latencyMs": 4.2,
"latencyBoundMs": 10,
"latencyValid": true,
"verifiedAt": "ISO 8601",
"signature": "base64url(PVS_sign(JCS_canonicalize(payload)))"
}
ChallengeResponse.pbacSignature field and proceeds with standard verification.pbacBlindedNonce without access to CK. The attacker cannot replay the response because the original nonce is fresh and verifier-generated.pbacBlindedNonce, will fail the PVS latency check because the round-trip time to the distant device violates the transport's physical latency bound.Channel Keys SHALL be rotatable. The rotation procedure:
The continuousAttestation object in a BAL-4 ChallengeResponse SHALL conform to the following structure:
{
"did": "<object DID>",
"bindingMethod": "<method ID>",
"generatedAt": "<ISO 8601 UTC>",
"nextExpectedBy": "<ISO 8601 UTC>",
"sensors": {
"<sensorId>": {
"value": <number>,
"unit": "<SI unit>",
"withinLimits": <bool>
}
},
"events": [
{
"eventType": "<string>",
"timestamp": "<ISO 8601 UTC>",
"details": "<string>"
}
],
"signature": "<base64url(device_sign(JCS(this_object_without_signature_field)))>"
}
The signature field SHALL be computed over the JCS-canonicalized attestation object with the signature field absent, using the binding device's private key. Verifiers MUST verify this signature against the public key in the DID document's binding verification method before trusting any sensor readings or event records.
| Section | Change |
|---|---|
| 2 (Attacker Model) | New. Formally specifies five attacker classes (A0–A4) with defined capabilities and BAL resistance mapping. Added A5 class for dedicated RF relay attackers. |
| 3.2 (BAL-2) | Added key generation on-device requirement and vendor attestation obligation. Clarified replay protection is verifier-side. Added reference to FIDO-CTAP2. |
| 3.3 (BAL-3) | Grounded PUF unclonability in Armknecht et al. (2011) framework. Added PUF Interface Descriptor (PID) as normative mechanism for PUF interoperability. Added inter/intra-device statistics requirement from ≥ 1000 devices via PID. Added Dodis et al. (2008) theorem citation for helper data security. |
| 3.4 (BAL-4) | Added PBAC as mandatory proximity verification mechanism for BAL-4. |
| 4.1 (Transport) | Explicitly stated transport-agnostic model. Added proximity enforcement guidance and PBAC reference. |
| 4.2 (Enrollment) | Added EA revocation and binding revalidation requirements (§4.2.3). Added TFP identifier requirement in BEA. Added PID requirement in BEA for BAL-3/4. |
| 4.3.1 (ChallengeRequest) | didVersion field fully specified. Added version_unavailable error state. Added minBal and requestPbac fields. |
| 4.3.2 (ChallengeResponse) | Added continuousAttestation conditional field for BAL-4. Added deviceStatus tampered handling. Added pbacApplied and pbacSignature fields. |
| 4.3.5 (BAL Selection) | Added explicit downgrade logging requirement. Clarified conditions for permitted downgrade. |
| 4.3.6 (Relay Attack) | Added PBAC as primary mitigation for A5 attackers. Added quantitative response time thresholds per transport. Added UWB distance bounding as optional supplement. |
| 4.3.7 (Rate Limiting) | New dedicated section with recommended rate limit parameters and PUF modeling attack connection. |
| 4.6 (Verification States) | Added version_unavailable, no_binding_method, invalid_nonce, unsupported_trust_framework, profile_c_risk_not_accepted, and invalid_pid result codes. |
| 6 (Cryptographic Profiles) | Profile C deprecated and marked with a security warning. Added mandatory risk acceptance mechanism for Profile C. Added post-quantum migration note. Added key diversification requirement for Profile C per NIST SP 800-108. |
| 8 (Security Considerations) | New sections: 8.3 (Replay), 8.4 (BAL Downgrade), 8.6 (PUF Modeling Attacks), 8.9 (PBAC Channel Key Compromise). Updated Section 8.2 (Relay Attacks) with PBAC cryptographic mitigation. Added Rührmair et al. (2013) citation. |
| 9 (Conformance) | Added C-07a (PID interoperability), C-16 (Profile C risk acceptance), C-17 (PBAC), C-18 (TFP-1 support), C-19 (TFP identifier in BEA). |
| Appendix A | Formal PID schema with mandatory and optional fields, verifier usage instructions, and conformance requirement. |
| Appendix B (NEW) | Trust Framework Profile 1 (TFP-1) with CertificationCredential schema, EA revocation, audit log structure, and dispute resolution. |
| Appendix C (NEW) | Proximity-Bound Authenticated Channel (PBAC) with Channel Key generation, PBAC challenge-response protocol, PVS integration, and key rotation. |
| 10 (References) | Added NIST SP 800-108 and ISO/IEC 29192-6 references. |
| Terminology | Added PUF Interface Descriptor (PID), Trust Framework Profile (TFP), Proximity-Bound Authenticated Channel (PBAC), and Proximity Verifier Service (PVS) definitions. |