ISO/IEC 29341-13-11:2008

ISO/IEC 29341-13-11
Edition 1.0 2008-11
INTERNATIONAL
STANDARD


Information technology – UPnP Device Architecture –
Part 13-11: Device Security Device Control Protocol – Security Console Service


ISO/IEC 29341-13-11:2008(E)

---------------------- Page: 1 ----------------------
THIS PUBLICATION IS COPYRIGHT PROTECTED
Copyright © 2008 ISO/IEC, Geneva, Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about ISO/IEC copyright or have an enquiry about obtaining additional rights to this
publication, please contact the address below or your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch

About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
ƒ Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
ƒ IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
ƒ Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
ƒ Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00

---------------------- Page: 2 ----------------------
ISO/IEC 29341-13-11
Edition 1.0 2008-11
INTERNATIONAL
STANDARD


Information technology – UPnP Device Architecture –
Part 13-11: Device Security Device Control Protocol – Security Console Service
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
PRICE CODE
J
ICS 35.200 ISBN 2-8318-1012-9

---------------------- Page: 3 ----------------------
– 2 – 29341-13-11 © ISO/IEC:2008(E)
CONTENTS
FOREWORD .3
ORIGINAL UPNP DOCUMENTS (informative) .5
1. Overview and Scope.7
1.1. Security Console Actions .7
1.1.1. Control Point Discovery.8
1.1.2. Local Dictionary Communication .8
1.1.3. Certificate Processing.8
2. Service Modeling Definitions .10
2.1. Service Type .10
2.2. Namespaces .10
2.3. State Variables.10
2.3.1. PendingCPList .10
2.3.2. NameListVersion.11
2.3.3. A_ARG_TYPE_string.11
2.3.4. A_ARG_TYPE_base64.11
2.4. Eventing and Moderation .11
2.5. Actions.11
2.5.1. PresentKey.11
2.5.2. GetNameList.12
2.5.3. GetMyCertificates .14
2.5.4. RenewCertificate.15
2.6. Relationships between Actions .17
2.7. Common Error Codes .17
3. Theory of Operation .18
3.1. Control Point Discovery.18
3.2. “My Domain” and Component Naming.18
3.2.1. Hardware alternatives .18
3.3. Certificates .19
3.4. Certificate Delivery .19
3.5. Certificate Renewal .19
3.6. BASE32 Encoding.20
3.7. XML Strings as UPnP Arguments.21
4. XML Service Description.22

LIST OF TABLES
Table 1: State variable.10
Table 2: Event Moderation.11
Table 3: Actions.11

---------------------- Page: 4 ----------------------
29341-13-11 © ISO/IEC:2008(E) – 3 –
INFORMATION TECHNOLOGY –
UPNP DEVICE ARCHITECTURE –

Part 13-10: Device Security Device Control Protocol –
Security Console Service
FOREWORD
1) ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) form
the specialized system for worldwide standardization. National bodies that are members of ISO or IEC
participate in the development of International Standards. Their preparation is entrusted to technical
committees; any ISO and IEC member body interested in the subject dealt with may participate in this
preparatory work. International governmental and non-governmental organizations liaising with ISO and IEC
also participate in this preparation.
2) In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC
1. Draft International Standards adopted by the joint technical committee are circulated to national bodies for
voting. Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
3) The formal decisions or agreements of IEC and ISO on technical matters express, as nearly as possible, an
international consensus of opinion on the relevant subjects since each technical committee has representation
from all interested IEC and ISO member bodies.
4) IEC, ISO and ISO/IEC publications have the form of recommendations for international use and are accepted
by IEC and ISO member bodies in that sense. While all reasonable efforts are made to ensure that the
technical content of IEC, ISO and ISO/IEC publications is accurate, IEC or ISO cannot be held responsible for
the way in which they are used or for any misinterpretation by any end user.
5) In order to promote international uniformity, IEC and ISO member bodies undertake to apply IEC, ISO and
ISO/IEC publications transparently to the maximum extent possible in their national and regional publications.
Any divergence between any ISO/IEC publication and the corresponding national or regional publication should
be clearly indicated in the latter.
6) ISO and IEC provide no marking procedure to indicate their approval and cannot be rendered responsible for
any equipment declared to be in conformity with an ISO/IEC publication.
7) All users should ensure that they have the latest edition of this publication.
8) No liability shall attach to IEC or ISO or its directors, employees, servants or agents including individual
experts and members of their technical committees and IEC or ISO member bodies for any personal injury,
property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including
legal fees) and expenses arising out of the publication of, use of, or reliance upon, this ISO/IEC publication or
any other IEC, ISO or ISO/IEC publications.
9) Attention is drawn to the normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
IEC and ISO draw attention to the fact that it is claimed that compliance with this document may involve the use of
patents as indicated below.
ISO and IEC take no position concerning the evidence, validity and scope of the putative patent rights. The holders
of the putative patent rights have assured IEC and ISO that they are willing to negotiate free licences or licences
under reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect,
the statements of the holders of the putative patent rights are registered with IEC and ISO.
Intel Corporation has informed IEC and ISO that it has patent applications or granted patents.
Information may be obtained from:
Intel Corporation
Standards Licensing Department
5200 NE Elam Young Parkway
MS: JFS-98
USA – Hillsboro, Oregon 97124
Microsoft Corporation has informed IEC and ISO that it has patent applications or granted patents as listed below:

---------------------- Page: 5 ----------------------
– 4 – 29341-13-11 © ISO/IEC:2008(E)
6101499 / US; 6687755 / US; 6910068 / US; 7130895 / US; 6725281 / US; 7089307 / US; 7069312 / US;
10/783 524 /US
Information may be obtained from:
Microsoft Corporation
One Microsoft Way
USA – Redmond WA 98052
Philips International B.V. has informed IEC and ISO that it has patent applications or granted patents.
Information may be obtained from:
Philips International B.V. – IP&S
High Tech campus, building 44 3A21
NL – 5656 Eindhoven
NXP B.V. (NL) has informed IEC and ISO that it has patent applications or granted patents.
Information may be obtained from:
NXP B.V. (NL)
High Tech campus 60
NL – 5656 AG Eindhoven
Matsushita Electric Industrial Co. Ltd. has informed IEC and ISO that it has patent applications or granted patents.
Information may be obtained from:
Matsushita Electric Industrial Co. Ltd.
1-3-7 Shiromi, Chuoh-ku
JP – Osaka 540-6139
Hewlett Packard Company has informed IEC and ISO that it has patent applications or granted patents as listed
below:
5 956 487 / US; 6 170 007 / US; 6 139 177 / US; 6 529 936 / US; 6 470 339 / US; 6 571 388 / US; 6 205
466 / US
Information may be obtained from:
Hewlett Packard Company
1501 Page Mill Road
USA – Palo Alto, CA 94304
Samsung Electronics Co. Ltd. has informed IEC and ISO that it has patent applications or granted patents.
Information may be obtained from:
Digital Media Business, Samsung Electronics Co. Ltd.
416 Maetan-3 Dong, Yeongtang-Gu,
KR – Suwon City 443-742
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights
other than those identified above. IEC and ISO shall not be held responsible for identifying any or all such patent
rights.
ISO/IEC 29341-13-11 was prepared by UPnP Implementers Corporation and adopted, under the PAS procedure, by
joint technical committee ISO/IEC JTC 1, Information technology, in parallel with its approval by national bodies of
ISO and IEC.
The list of all currently available parts of the ISO/IEC 29341 series, under the general title Universal plug and play
(UPnP) architecture, can be found on the IEC web site.
This International Standard has been approved by vote of the member bodies, and the voting results may be
obtained from the address given on the second title page.

---------------------- Page: 6 ----------------------
29341-13-11 © ISO/IEC:2008(E) – 5 –
ORIGINAL UPNP DOCUMENTS
(informative)
Reference may be made in this document to original UPnP documents. These references are retained in order to
maintain consistency between the specifications as published by ISO/IEC and by UPnP Implementers Corporation.
The following table indicates the original UPnP document titles and the corresponding part of ISO/IEC 29341:
UPnP Document Title ISO/IEC 29341 Part
UPnP Device Architecture 1.0 ISO/IEC 29341-1
UPnP Basic:1 Device ISO/IEC 29341-2
UPnP AV Architecture:1 ISO/IEC 29341-3-1
UPnP MediaRenderer:1 Device ISO/IEC 29341-3-2
UPnP MediaServer:1 Device ISO/IEC 29341-3-3
UPnP AVTransport:1 Service ISO/IEC 29341-3-10
UPnP ConnectionManager:1 Service ISO/IEC 29341-3-11
UPnP ContentDirectory:1 Service ISO/IEC 29341-3-12
UPnP RenderingControl:1 Service ISO/IEC 29341-3-13
UPnP MediaRenderer:2 Device ISO/IEC 29341-4-2
UPnP MediaServer:2 Device ISO/IEC 29341-4-3
UPnP AV Datastructure Template:1 ISO/IEC 29341-4-4
UPnP AVTransport:2 Service ISO/IEC 29341-4-10
UPnP ConnectionManager:2 Service ISO/IEC 29341-4-11
UPnP ContentDirectory:2 Service ISO/IEC 29341-4-12
UPnP RenderingControl:2 Service ISO/IEC 29341-4-13
UPnP ScheduledRecording:1 ISO/IEC 29341-4-14
UPnP DigitalSecurityCamera:1 Device ISO/IEC 29341-5-1
UPnP DigitalSecurityCameraMotionImage:1 Service ISO/IEC 29341-5-10
UPnP DigitalSecurityCameraSettings:1 Service ISO/IEC 29341-5-11
UPnP DigitalSecurityCameraStillImage:1 Service ISO/IEC 29341-5-12
UPnP HVAC_System:1 Device ISO/IEC 29341-6-1
UPnP HVAC_ZoneThermostat:1 Device ISO/IEC 29341-6-2
UPnP ControlValve:1 Service ISO/IEC 29341-6-10
UPnP HVAC_FanOperatingMode:1 Service ISO/IEC 29341-6-11
UPnP FanSpeed:1 Service ISO/IEC 29341-6-12
UPnP HouseStatus:1 Service ISO/IEC 29341-6-13
UPnP HVAC_SetpointSchedule:1 Service ISO/IEC 29341-6-14
UPnP TemperatureSensor:1 Service ISO/IEC 29341-6-15
UPnP TemperatureSetpoint:1 Service ISO/IEC 29341-6-16
UPnP HVAC_UserOperatingMode:1 Service ISO/IEC 29341-6-17
UPnP BinaryLight:1 Device ISO/IEC 29341-7-1
UPnP DimmableLight:1 Device ISO/IEC 29341-7-2
UPnP Dimming:1 Service ISO/IEC 29341-7-10
UPnP SwitchPower:1 Service ISO/IEC 29341-7-11
UPnP InternetGatewayDevice:1 Device ISO/IEC 29341-8-1
UPnP LANDevice:1 Device ISO/IEC 29341-8-2
UPnP WANDevice:1 Device ISO/IEC 29341-8-3
UPnP WANConnectionDevice:1 Device ISO/IEC 29341-8-4
UPnP WLANAccessPointDevice:1 Device ISO/IEC 29341-8-5
UPnP LANHostConfigManagement:1 Service ISO/IEC 29341-8-10
UPnP Layer3Forwarding:1 Service ISO/IEC 29341-8-11
UPnP LinkAuthentication:1 Service ISO/IEC 29341-8-12
UPnP RadiusClient:1 Service ISO/IEC 29341-8-13
UPnP WANCableLinkConfig:1 Service ISO/IEC 29341-8-14
UPnP WANCommonInterfaceConfig:1 Service ISO/IEC 29341-8-15
UPnP WANDSLLinkConfig:1 Service ISO/IEC 29341-8-16
UPnP WANEthernetLinkConfig:1 Service ISO/IEC 29341-8-17
UPnP WANIPConnection:1 Service ISO/IEC 29341-8-18
UPnP WANPOTSLinkConfig:1 Service ISO/IEC 29341-8-19
UPnP WANPPPConnection:1 Service ISO/IEC 29341-8-20
UPnP WLANConfiguration:1 Service ISO/IEC 29341-8-21
UPnP Printer:1 Device ISO/IEC 29341-9-1
UPnP Scanner:1.0 Device ISO/IEC 29341-9-2
UPnP ExternalActivity:1 Service ISO/IEC 29341-9-10
UPnP Feeder:1.0 Service ISO/IEC 29341-9-11
UPnP PrintBasic:1 Service ISO/IEC 29341-9-12
UPnP Scan:1 Service ISO/IEC 29341-9-13
UPnP QoS Architecture:1.0 ISO/IEC 29341-10-1
UPnP QosDevice:1 Service ISO/IEC 29341-10-10
UPnP QosManager:1 Service ISO/IEC 29341-10-11
UPnP QosPolicyHolder:1 Service ISO/IEC 29341-10-12
UPnP QoS Architecture:2 ISO/IEC 29341-11-1
UPnP QOS v2 Schema Files ISO/IEC 29341-11-2

---------------------- Page: 7 ----------------------
– 6 – 29341-13-11 © ISO/IEC:2008(E)
UPnP Document Title ISO/IEC 29341 Part
UPnP QosDevice:2 Service ISO/IEC 29341-11-10
UPnP QosManager:2 Service ISO/IEC 29341-11-11
UPnP QosPolicyHolder:2 Service ISO/IEC 29341-11-12
UPnP RemoteUIClientDevice:1 Device ISO/IEC 29341-12-1
UPnP RemoteUIServerDevice:1 Device ISO/IEC 29341-12-2
UPnP RemoteUIClient:1 Service ISO/IEC 29341-12-10
UPnP RemoteUIServer:1 Service ISO/IEC 29341-12-11
UPnP DeviceSecurity:1 Service ISO/IEC 29341-13-10
UPnP SecurityConsole:1 Service ISO/IEC 29341-13-11

---------------------- Page: 8 ----------------------
29341-13-11 © ISO/IEC:2008(E) – 7 –
1. Overview and Scope
This service is offered by a Security Console (SC). The Security Console offers a user interface for
administration of access control on security-aware UPnP devices. [See DeviceSecurity:1 for a description of the
actions used in the creation and editing of Access Control Lists (ACLs) and in taking security ownership of
Devices.] As a device the Security Console is self-owned. If it has any access controlled actions, then those are
to be administered by the human user and not by some other Security Console. Therefore, a Security Console
does not need to include a DeviceSecurity service. It does have a certificate cache, but it is an outgoing cache,
rather than an incoming cache.
A network built of the user’s own components with no connection to anything outside the user’s personal domain
and with no control points belonging to anyone other than the user ever attached to the network would not require
the features of UPnP Security. Network isolation would already have achieved a level of physical security. We
are concerned in UPnP Security with networks in which more than the user’s own Control Points are present on
the physical network and able to reach the user’s Devices with control messages. These situations can include:
1. use of wireless, power-line networking or cable modem without a firewall, allowing an attacker to join
the network without the user’s knowledge or permission
2. shared infrastructure networks, such as a college dorm or a condominium building wired for Ethernet as
one network segment serving more than one person’s residence
3. households of multiple adults or teens, in which each individual wants to establish a private security
domain, in addition to any domain of devices or control points shared among them, while using a shared
network domain
4. connections to the Internet via devices or services that create single network segments of multiple
subscribers as a side effect of offering network connectivity (such as some cable modems and some ISP
connections)
5. households in which guests might bring mobile devices or control points into the network temporarily
In such networks of intentional or accidental sharing, one cannot rely on physical network security to protect
devices or on discovery methods (e.g., multicast SSDP) to compile a list of “My Devices” or “My Control
Points”. This leaves it up to the user manually to select from physically accessible devices and control points,
choosing those of interest to that user. One primary function of the SC is to enable the user to make that
selection. This process requires two operations that were not anticipated in the original design of UPnP:
1. discovery of control points; and
2. naming of devices and control points on a per-user basis.
The actions provided in this service allow the SC to perform those two functions.
In addition, the sharing of devices across security domains sometimes calls for the use of authorization
certificates, as described in sections 1.1.3 and 3 .3. This service provides actions for the delivery of such
certificates (or certificate chains) (see 2.5.3) and for the revocation (via renewal) of certificates (see 2.5.4).
1.1. Security Console Actions
When the Security Console interacts with a security-aware device, it does so through actions offered by that
device. However, the Security Console must also interact with control points (CPs). Instead of forcing CPs to
become devices as well, in order to support these interactions, we define actions that a SC offers. The actions of
this service fall in three functional categories:
1. discovery of control points
2. communication of dictionaries of local names
3. processing of certificates

---------------------- Page: 9 ----------------------
– 8 – 29341-13-11 © ISO/IEC:2008(E)
1.1.1. Control Point Discovery
UPnP Device Architecture 1.0 includes a protocol, SSDP, for discovery of devices by control points. However,
there is no protocol for discovery of control points by other control points or devices.
The Security Console needs to discover control points so that it can identify those that should receive access
rights on devices in the local security domain. We achieve this discovery by reversing the logic of UPnP
discovery. A security-aware control point will discover a SC that offers the PresentKey action and will then
invoke that action to announce itself to the SC. Since a CP might act within multiple security domains, it should
announce itself to every SC it detects. The mere act of announcing itself does not imply that it will receive any
rights, since the assignment of rights is an expression of a user’s decision. However, a CP cannot know ahead of
time whether a particular SC will choose to grant it some rights and must therefore announce itself to all SCs.
1.1.2. Local Dictionary Communication
One primary function of the SC is to identify devices and control points in the user’s local network. In at least
one implementation of the SC, this process includes permitting the user to assign names of the user’s own
choosing (local names) to those devices and control points. Since devices and control points might be visible to
(and therefore named within) different security domains operated by different users, a single device or control
point could have different local names. Therefore, these names remain the property of the user (specifically the
SC) rather than the named device or control point itself. Normally, they would reside within and not be released
from the SC.
For example, consider two roommates, Joe and Sue, sharing a network in their Cambridge apartment. Each has a
personal domain of UPnP devices and control points, but some components are shared between them. One
shared device is Joe’s archive of digital photos. Joe refers to it by the name “pix”, while Sue names it “Joe’s
Snapshot Archive”. Neither name fits the preferences of the other user; therefore, neither name is appropriate as
the sole friendly name for the shared device. Meanwhile, the archive device is known on the network by a unique
name such as DE7Z-GVGK-QTYR-TWPO-YF54-GB4M-OGFH-XJYM that neither user wants to deal with.
The mapping from friendly name to unique name is the function of each user’s user interface (the Security
Console, in this case). That mapping is referred to here as a “local dictionary”.
It is possible that this local dictionary of “My Devices and Control Points” might be useful to other components
within the user’s domain. For example, Joe might have two computers on the network, on one of which he
named his personal devices, but on the second computer he would prefer just to import all names from the first
computer, rather than go to all the work of manually assigning names again to each of his devices. To support
such cases, we provide for access to that dictionary, via the GetNameList action, and we also provide for an event
notification whenever that name list changes.
1.1.3. Certificate Processing
The Security Console is responsible for granting access rights to devices under its control. If a device is shared
among multiple domains, there will be multiple Security Consoles that need to grant rights on that device. This
sharing of the right to grant access can be achieved through co-ownership (see GrantOwnership, in
DeviceSecurity:1), but a co-owner has total access to a device and is, among other things, capable of removing
all access rights of the first owner including its ownership status. If that is too much power to share with some
other SC, that other SC can be granted permissions via the device’s Access Control List, just like any control
point. In that case, that SC will grant rights to CPs (or still other SCs) not by adding ACL entries, since it does
not have the right to edit the ACL, but rather via authorization certificates. (See DeviceSecurity:1 for a definition
of authorization certificates.)
It is possible that a Security Console that does have ownership of a device might also grant rights by certificate,
for example if that device has too little storage for a detailed ACL or if the device is offline at the time the access
right needs to be granted.
The authorization certificate is like an ACL entry, but it is digitally signed and includes an issuer and
specification of the device(s) to which it applies. It will probably also include at least an expiration date and
time.
There are two actions provided here to facilitate the processing of certificates:

---------------------- Page: 10 ----------------------
29341-13-11 © ISO/IEC:2008(E) – 9 –
1. GetMyCertificates: which serves as a post office mechanism to allow a control point or other security
console to fetch certificates that have been issued to it by this SC (This action is backed up by an
evented variable, PendingCPList, by which the CP or other SC can learn that there are certificates
waiting.); and
2. RenewCertificate: by which a control point can request an updated copy of an expired (or soon to
expire) certificate. For more details about renewal, see section 3, Theory of Operation.
Although GetMyCertificates provides a communication mechanism for certificates, that does not preclude other
communication mechanisms to be implemented by Security Console applications. For example, one might use e-
mail, sneaker-net, some directory service or HTTP for this communication function. In a truly complex network
with a large number of certificates, one might have an intelligent directory service that returns to a CP precisely
the certificate chain it needs to access a particular action on a particular device. These are application design
issues and out of scope of this protocol specification. GetMyCertificates stands as a common denominator, to
insure interoperability (assuming components that share a network at least occasionally).

---------------------- Page: 11 ----------------------
– 10 – 29341-13-11 © ISO/IEC:2008(E)
2. Service Modeling Definitions
2.1. Service Type
The following service type identifies a service that is compliant with this template:
urn:schemas-upnp-org:service:SecurityConsole:1
The shorthand SecurityConsole:1 is used herein to refer to this service type.
2.2. Namespaces
The XML in this document should be read as if the following namespace definitions were in effect.
xmlns=“urn:schemas-upnp-org:service:DeviceSecurity:1”
xmlns:us=“urn:schemas-upnp-org:service:DeviceSecurity:1”
xmlns:sc=“urn:schemas-upnp-org:service:SecurityConsole:1”
xmlns:ds=“ http://www.w3.org/2000/09/xmldsig#”
2.3. State Variables
SecurityConsole:1 defines two state variables: PendingCPList and NameListVersion.

Table 1: State variable
Variable Name Req. or Data Type Default Value
1
Opt.
PendingCPList O string
NameListVersion O string
A_ARG_TYPE_string R string
A_ARG_TYPE_base64 R bin.base64
1
R = Required, O = Optional, X = Non-standard.
2.3.1. PendingCPList
The PendingCPList is the string encoding of an XML document giving the list of Control Points (specifically the
hashes of those Control Point keys) that have certificates waiting to be fetched via GetMyCertificates. This
variable is optional: not needed if there is no
...