]> JHU/APL

rahel.fainchtein@jhuapl.edu

linkerfelix@gmail.com

Veridigo

alexr@veridigo.com

Brigham Young University

casey@byu.edu

Packet Clearing House

allison@pch.net

Applications and Real-Time Digital Emblems Digital emblems are a means for an asset to signal to validating entities that it should be protected or treated in a specific way, using some normative framework. This document lists the requirements and use cases that an architecture for digital emblems must accommodate. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Digital Emblems Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction Digital emblems are a means for an asset to signal to validating entities that it should be protected or treated in a specific way, using some normative framework. The DIEM WG will define a set of standards for an architecture that enables discovery and validation of digital emblems. This document lists the requirements that the architecture must accommodate. These requirements were identified across different use cases. Not all use cases share all requirements. We envision an architecture system comprising multiple standards, which can be flexibly profiled for different use cases. We use the terms "(digital) emblem" and "validation" in accordance with the DIEM charter as of this writing . These definitions have been reproduced in section Conventions and Definitions.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The definitions for terms "(digital) emblem" and "validation" are reproduced from the charter as of this writing.

(Digital) Emblem:

Emblems such as the Red Cross, Red Crescent, Red Crystal, and Blue Shield can be symbols of protection governed by International Humanitarian Law (IHL). Emblems can also be identified by other laws, agreements, or standards. There is a need to present emblems through digital communication channels. Emblems presented in such ways are called digital emblems. Digital emblems extend the range of identifying marks from the physical (visual and tactile) to the digital realm.

Asset:

A physical resource -- such as place or thing; or a digital resource, system, or service - such as a server, data repository, or networked device - that can present a digital emblem.

Emblem issuer:

The entity that operates or controls an asset that bears a digital emblem. Depending on the applicable emblem, the issuer may have received authorization to issue emblems, and in such cases, emblem issuers are also called authorized entities. For example, emblem issuers could be a medical or humanitarian organization, a cultural institution, or an operator of installations containing dangerous forces, among others.

Authorizing entity:

An entity competent to grant authorization for the use, by an authorized entity, of a digital emblem. The authorizing entity ensures that such authorization is issued and recorded in accordance with applicable legal requirements, enabling technical and operational verification. In certain specific cases, the authorizing entity is also the authorized entity.

Validator:

An entity that queries, inspects, or otherwise interacts with assets to determine whether they are marked with a valid digital emblem. Validators may include technical systems, network operators, or other actors implementing protective or non-interference measures consistent with the emblem's purpose.

Validation:

"To validate an emblem" means to confirm the authenticity or legitimacy of a particular symbol or design, often by checking its details against a known standard or reference point. Validation may include ensuring that the emblem has not been forged, stolen, or tampered with.

Requirements The DIEM architecture will allow validators to discover and validate digital emblems that are associated with assets. This section contains the requirements that this architecture will address. They are based on use cases identified thus far (see Section Use Cases), but note that not all use cases share all requirements. We categorize these requirements into: requirements on digital emblems and their format, on their discovery, on their validation, and other requirements.

Digital Emblem Requirements

Digital Emblem Format Digital emblems MUST identify the marked asset and their kind of digital emblem. Beyond that, digital emblems MAY include other data, for example, an issuer or a validity window. To accommodate use cases requiring extensible data, a digital emblem architecture SHOULD introduce minimal overhead size except for fields required to fulfil other requirements in this document. Each emblem type will make use of a subset of the requirements set out in this document. The requirements for individual digital emblem types are independent and the requirements for an individual emblem type MUST NOT constrain, override, or otherwise affect the requirements, design, or use of any other digital emblem. Where a use case specifies a limited domain of application (e.g. only digital or physical assets, a narrow scope of valid issuers or validators, or specific discovery mechanism) for a particular emblem, such a limitation SHOULD be understood as reflecting current use case constraints only. It SHOULD NOT be interpreted as precluding future use cases from applying that emblem under a different or expanded domain of application, provided that the emblem’s core semantics remain intact. As of this writing, the DIEM charter requires that digital emblems MUST explicitly identify the marked asset by a Fully Qualified Domain Name (FQDN).

Emblem Semantics Individual use cases MUST specify the semantics of the emblem. It must be clearly stated how discovery and validation of a digital emblem should inform validator behavior.

Discovery Requirements

Discovery Digital emblems MUST specify how validators can check for the presence of a digital emblem. That is, given an asset a validator must be able to determine whether it has an associated emblem. For example, verifying whether a FQDN has an emblem associated with it could be realized by fetching digital emblem-associated records for said FQDN.

Query Response Specifications for each use case MUST each determine how servers must respond to queries for Digital Emblems of their specified type. Specifically, they must determine the responsiveness and consistency requirements for emblems of their given type and provide explanations of how the chosen requirements apply and the rationales for their selection. For responsiveness, an instance of a specific type of digital emblem can either be required to respond to all queries for it (Assured Response), or allowed to selectively respond to a specific subset of incoming queries (Selective Response). For consistency of response, specifications for a given type of Digital Emblem T must denote whether all queries for an asset's records (as denoted by its FQDN) must return all Digital Emblems of type T associated with the asset (Consistent Content), or whether the inclusion of emblems of type T in a response may vary based on specific requester attributes (Selective Content). Note that as of this writing, neither the baseline definition for the minimum set of attributes that constitute a unique Digital Emblem, nor the attributes needed to attain Consistent Content have been defined. Given the limited scope of this document, that definition as well as the mechanism to ensure its extensibility across newly defined emblem types will be outlined in the architecture document.

Removable Digital emblems MAY require to be removable in that checking for the presence of an asset's emblems results in no emblem. Note that checking for emblem presence is independent of its validation. That is, emblems do not count as removed when they become invalid.

Undetectable Validation A digital emblem MAY require that its discovery and validation is undetectable. This requirement is motivated by emblems that mark its asset as protected and ask validators to not disrupt the marked asset. If emblem discovery were detectable, malicious parties could misuse the digital emblem as an intrusion detection system. For specific use cases and designs, it may be acceptable that certain parties can detect emblem discovery and validation, for example, when the validator can hide in a sufficiently large anonymity set, or it is acceptable that the given party could detect the discovery or validation. Concrete designs MUST specify a threat model for undetectable validation. This threat model must detail which parties can detect emblem discovery and validation, under which conditions, and to what extent.

Validation Requirements

Validation Digital emblems MAY require validation. The digital emblem architecture MUST allow individual standards to support verification of all the digital emblem's data or a defined subset without restriction. This ensures digital emblems can support static or dynamic data without having to account for the pain of frequent re-signing of dynamic data if its validation is not required by a given digital emblem type. In particular, when validation is defined, it MUST ensure that the emblem was issued for the respective asset. Some use cases MAY use unverified digital emblems.

Authorization Digital emblems MAY require authorization by third-parties. When they do, they MUST define a trust model that describes how validators can discover authorities and how the system selects authorities. The generalized digital emblem architecture MUST NOT assume that Internet access is available or required so that individual digital emblems standards can choose to take a dependency on Internet access or not. For example, a given digital emblem MAY use PKI or the DNS as a root of trust if they want, but the generalized digital emblem architecture cannot mandate this or other options and MUST make this a point of extensibility. Any authorization mechanism MUST account for the possibility of compromise of cryptographic key material, for example, by specifying revocation mechanisms or using short-lived credentials.

Other Requirements

Extensibility The digital emblem architecture should be extensible. The initial work should not preclude future extensions and individual standards should be designed as general as possible.

Extensions In this section, we sketch how the digital emblem architecture could be extended by future standards to accommodate more use cases, but it is not a comprehensive list.

Data Formats Emblems for additional use cases may be defined via new profiles in future standards, potentially including new types of atomic data elements requiring additional specification.

Asset Identifier Discovery It may be non-obvious for some use cases to learn the identifier associated with an asset, and thus impossible to discover emblems associated with that asset. To accommodate for such use cases, one could specify means to discover identifiers for different types of assets.

Implicit Discovery An alternative approach to the above problem would be to bind emblems implicitly to the marked asset. Implicit binding could identify the marked asset by the emblem's location. For example, if emblems were distributed via NFC, the marked asset could be the asset to which the NFC chip was attached. As of this writing, the current charter scope requires that digital emblems explicitly identify their asset, but such discovery mechanisms could be investigated in future WG work.

Confidentiality Some use cases may contain confidential or sensitive data, and may require mechanisms to protect such data. For example, this could be realized with encryption of the general emblem data format that will be part of the architecture or by only serving emblems over channels with access control mechanisms.

Proof of Presence Since emblems themselves are unable to directly protect assets against attack, emblems indicating assets are entitled to protections may require a mechanism through which violations of their laws or provisions can be verified forensically. This would be particularly relevant in cases where emblems can be applied and removed dynamically. These protections are defined in three different levels, listed from weakest to strongest. Level 1 - presence and verifiability: Establishing that an actor or querying party was able to obtain the emblem at the time of violation. That is forensically demonstrating/proving that the emblem was discoverable and verifiable at the time of an alleged violation. Level 2 - presence, verifiability and access: Establishing the emblem’s presence and verifiability and that the querying party accessed the digital emblem. Level 3 - presence, verifiability access and verification: Demonstrating presence verifiability and access and that the querying party verified the emblem upon accessing it. This level of proof can only be made by the querying party. Note that Levels 2 and 3 are intended to be mutually exclusive requirements with Undetectable Validation . An example from the Diplomatic Pouch use case, described in Section , illustrates the Level 3 Proof of Presence requirement, and how it in some cases may need to be part of a chain of custody and/or accompanied by additional security measures to provide adequate security guarantees.

Use Cases Different use cases have different requirements. The purpose of this document is to list the requirements that will be addressed with the initial architecture. The use cases overlap and would benefit from a DIEM architecture developed to provide the requirements listed above, though some may require additional extensions. We alphabetically list use cases here so that relevant stakeholders can provide input whether their use case would indeed benefit from a DIEM architecture, and invite participants to provide use cases or details that we have missed. We provide auxiliary material under Informative References.

Basel Convention Regulates the trans-boundary movement of hazardous wastes. Use cases are functionally identical to OPCW and IAEA.

Diplomatic Pouches (1961 Vienna Convention on Diplomatic Relations) Digital emblems can protect diplomatic pouch shipments, diplomatic couriers, and diplomatic envoys. All three of these are protected under the 1961 Vienna Convention on Diplomatic Relations , which states that they may not be stopped, delayed, or inspected. This creates the paradox that the validity of their credentials must be evaluated, yet doing so has historically compromised the very rights that are intended to be signaled. Diplomatic markings have also been misappropriated as cover for the smuggling of drugs and other contraband. Digital emblems, which can be validated instantaneously, at a distance, and without interrupting the subject, address both of these problems, while streamlining and automating customs and immigrations processes. The use case for diplomatic pouches involves the following entities: - Point of Entry Country/Customs Agent(s): Validator - Origin Country or Accredited Organization: Issuer and Authorizing entity - Diplomat: Agent of Country or Accredited Organization - Pouch: Asset As noted in Section , a Level 3 Proof of presence record could help demonstrate, for the benefit of the customs service, that a customs agent(s) in a Point of Entry country validated the diplomatic pouch. To that end, the Proof of Presence record of processing a diplomatic pouch's digital emblem could include the following information.

• Specific point of entry
• Time/Date of arrival at point of entry
• identifier(s) of customs agent(s) validating the pouch
• A baseline record establishing the Emblem's existence and accessibility (or a pointer thereto)
• Record of the customs agent's attempt to validate the Digital Emblem and its result signed by the customs agent(s)

Limitations of proof of presence: As indicated in Section , Level 3 Proof of Presence alone does not provide proof that no tampering with the diplomatic pouch or inspection of its contents has occured. This is because a proof of presence neither provides a chain of custody nor any mechanisms to detect tampering should it occur. For this reason, Level 3 validation may be used along side or as part of an attested chain of custody and/or accompanied by the use of physical mechanisms for tamper-proofing a physical asset. Any such chain of custody specification or anti-tampering mechanism is out of the scope of the DIEM WG.

International Atomic Energy Agency (IAEA) IAEA administers several treaties, especially related to the controlled shipment of atomic fuels and wastes across borders. Similar use case as OPCW.

International Civil Aviation Organization (ICAO) Requires protection of civil aviation flights and the ability to assert that they are not dual-use (i.e., not carrying military cargo). Digital emblem would carry a geographic description of the flight plan, its current location, and an indicator of its identity (i.e., tail number). Potential need for the emblem to reference a limited or partially redacted flight manifest.

Protective Emblems under The Geneva Conventions, its Additional Protocols, and the 1954 Hague Convention

Background The Geneva Conventions and their Additional Protocols constitute the core of International Humanitarian Law (IHL). Some assets enjoy certain specific protections under IHL, including that they must not be attacked. In addition to recognizing other signs, IHL codifies four types of protective emblems for armed conflict, which inform other parties that marked assets benefit from one or several of these specific or special protections. In other words, protective emblems under IHL signal the applicability of a specific or special protection under IHL. Namely, these emblems are:

• The emblems of the Red Cross, Red Crescent, and Red Crystal, defined in the Geneva Conventions and Additional Protocol III of the Geneva Conventions
• The Blue Shield emblem, defined in the 1954 Hague Convention
• The international distinctive sign of civil defence, defined in Additional Protocol I of the Geneva Conventions
• The dangerous forces special sign, defined in Additional Protocol I of the Geneva Conventions

However, these emblems can currently only be used to mark physical assets, and there is no way to mark digital, network-connected infrastructure that enjoys the same protections. A digital emblem using the DIEM architecture could address this gap, and resolutions from UNESCO and the International Conference of the Red Cross and Red Crescent have expressed the support for such a digital emblem .

Domain Model and Stakeholders In context of digital, protective emblems under IHL, emblems will mark assets that are digital services and that solely serve protected purposes (for example, a medical unit, a cultural site, or an installation containing dangerous forces). Such emblems will be issued by the party controlling the marked service, and they signal that these assets must be respected and protected. Emblems must only be issued by entities that have been authorized to bear a digital emblem or other distinctive sign under international law. Such authorizations must be issued by a state, other party to an armed conflict, or other entity competent under international law. For digital, protective emblems under IHL, validators will typically be armed forces under the command of either state or non-state actors. In situations of armed conflict, all such actors are under an obligation to check whether assets subject to military activities bear an emblem. Similarly, other malicious ICT actors, whilst not necessarily obligated under IHL, may choose to respect assets bearing the emblem. Concretely, we can assume that they will typically first identify an asset that they plan to engage with and then check whether that asset bears an emblem.

Requirements The purpose of a digital emblem is to prevent disruptions of assets by informing verifiers that marked assets enjoy protection under IHL. Digital emblems will only be able to do so when verifiers are willing to pay attention to them. As verifiers intend to attack assets that are not protected under IHL, this will only be the case they are confident that their targets cannot fake protection and that they do not alert their target about an imminent attack. Therefore, digital, protective emblems under IHL require validation for authenticity () that is undetectable (). At the same time, digital, protective emblems under IHL should fit well into the existing framework of IHL and not put emblem issuers at increased risk. First, IHL requires that, emblem issuers must seek authorization from a competent authority prior to applying them (see and ). The authorization must be decentralized, i.e., there must be no central authorities that govern the use or distribution of digital emblems. Second, bearing an emblem can increase the risk for targeted attacks. We require that emblem issuers must be able to individually assess that risk and remove emblems whenever they see the risks to outweigh the benefits, i.e., we require that digital emblems are removable (). Beyond the DIEM architecture as described in this document, digital, protective emblems under IHL would benefit from other discovery mechanisms than the DNS, as not all assets may have domain names associated with them.

Organization for the Prohibition of Chemical Weapons (OPCW) Requires protection of Schedule 1 chemicals in transit between signatory countries for research, medical, pharmaceutical, or protective purposes. Emblem would identify place, date, and volume of production, and the emblem can contain confidential data.

Other IHL-related use cases Many organizations use recognizable insignia or logos to mark staff, vehicles, buildings, and materials that derive protection from IHL and Customary IHL . Most humanitarian medical international non-governmental organizations (NGOs) use their own logos rather than using the Red Cross or Red Crescent emblem, even when they would have authorization to do so. As humanitarian NGOs have a "right of initiative" established by IHL, and many NGOs have been operating for years in a location before conflict breaks out, their presence is natural and they are often first to provide medical care. Customary IHL requires combatants to provide the same protection to a marked hospital or identified medical staff as they would to one marked with a Red Cross or Red Crescent, provided the combatant reasonably understand that the mark is associated with a humanitarian medical function. Community acceptance of unarmed humanitarian staff requires awareness of their presence and identity, whether in time of conflict or in time of peace. IHL generally requires combatants to limit impact on civilians and infrastructure that civilians rely on. For example, destroying an electrical substation that serves a hospital and serves no military function, is usually prohibited by IHL. Other types of infrastructure important to civilians include drinking water reservoirs, water towers, and gas lines. Likewise schools and elder care facilities usually contain a high concentration of civilians. Digital emblems could be defined to identify such civilian infrastructure. The Whiteflag Protocol specifically identifies several categories of infrastructure.

Press Journalists in conflict zones use protective markings that indicate their status as a non-combatant. Assets belonging to the press could be digitally marked, and protective markings in conflict zones could be digitized.

Ramsar Convention on the Wetlands The Convention on Wetlands of International Importance especially as Waterfowl Habitat "providees the single most global framework for intergovernmental cooperation on wetland issues" and it features a list of geographic areas designated by Member States. A digital emblem for the geographic areas potentially requires

• Indication of location
• Access to presence or absence of Ramsar designation of a specified location
• Textual description
• Ability to validate the presence or absence of Ramsar designation

United Nations Economic and Social Council (ECOSOC) UN Model Regulations includes "Recommendations on the Transport of Dangerous Goods." This includes labeling of items with a four digit "UN Number" that indicates the comounds contained within, such as chemicals, explosives, flammable liquids, etc. For example, items containing lithium-based batteries are labeled with 3480 or 3481 and accompanied by a specific "battery mark" emblem.

United Nations Food and Agriculture Organization (FAO) Among other things is responsible for the International Plant Protection Convention (IPPC) and International Standards for Phytosanitary Measures standards including ISPM 15 that requires wood packaging materials (pallets, crates, dunnages) to be debarked, heat-treated or fumigated with methyl-bromide, and stamped or branded with a compliance mark known as a "wheat stamp."

United Nations Peacekeepers UN Peacekeepers use protective markings in theater as well as facilities associated with the mission.

World Customs Organization (WCO) Specifies "Harmonized Systems" codes that classify items such as livestock, arms and ammunition, chemicals, plastics, machinery, foodstuffs, etc. They also provide a system for labeling origin of items and valuation of items, all enforced by numerous international trade agreements between individual nations and groups of nations.

World Health Organization (WHO) Similar to the use case of the Red Cross, Red Crystal, and Red Crescent.

World Intellectual Property Organization (WIPO) WIPO administers 26+ treaties with different protections for different things. Brands that are protected under international law (e.g., Madrid Protocol) can mark their shipments with an emblem allowing customs agents to positively identify legitimate products.

Security Considerations Because this is a requirements document, it does not directly have security considerations. However, multiple of the defined requirements include security properties. The architecture and standards developed need to detail the security properties of validation and authorization especially. Use cases have threat models and discussion of mitigating specific threats is needed. For example, in a use case where removability () is needed, there are security considerations such as the potential for replay of removed emblems.

IANA Considerations This document has no IANA actions.

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References International Committee of the Red Cross International Committee of the Red Cross Doctors Without Borders n.d. United Nations Educational, Scientific and Cultural Organization n.d. International Committee of the Red Cross n.d. 34th International Conference of the Red Cross and Red Crescent United Nations Educational, Scientific and Cultural Organization Reporters Without Borders n.d. Cornell Law School - Legal Information Institute n.d. International Committee of the Red Cross United Nations Educational, Scientific and Cultural Organization Convention on Wetlands Secretariat n.d. International Plant Protection Convention, Food and Agriculture Organization of the United Nations n.d. United Nations Economic and Social Council n.d. World Customs Organization n.d. United Nations n.d. International Committe of the Red Cross n.d. Whiteflag Foundation n.d.

Acknowledgments Brian Haberman and Bill Woodcock created an early version of a use cases and requirements document, from which this draws ideas. We also thank Eric Vynke, Suresh Krishan, Antonio DeSimone, Nick Doty, Tommy Jensen, and Michael Christie for their valuable input.

Contributors Packet Clearing House

woody@pch.net

RTFM llp

jim@rfc1035.com

International Committee of the Red Cross

sdcunha@icrc.org

Australian Red Cross

nchabbra@redcross.org.au