All Tickets (see 8.2.3 and 8.2.4) are encoded as JSON documents. These JSON documents are secured with a digital signature applied using the general JWS serialization described in RFC 7515. The structure of an RFC 7515 document is as follows.

    {
      "payload":"BASE64URL(UTF8(JSON encoded Ticket))",
      "signatures":[
        {"protected":"BASE64URL(UTF8(JSON encoded protected header))",
         "header": JSON encoded header,
         "signature":"BASE64URL(JWS Signature)"},
        ...
        {"protected":"BASE64URL(UTF8(JSON encoded protected header))",
         "header": JSON encoded header,
         "signature":"BASE64URL(JWS Signature)"}]
    }

Appendix A.6 in RFC 7515 provides an example of a document encoding using this structure.

BASE64URL is the transform, defined in RFC 7515, that allows binary data (e.g., UTF-8 encoded text) to be represented as ASCII.

The Ticket is encoded as a JSON object using the reversible JSON encoding defined in OPC 10000-6. This JSON object is converted to a UTF-8 byte array and then BASE64URL encoded before being added to the document as the payload.

The protected header specifies the signing Certificate and other information needed to verify the Signature. The required fields are defined in Table 5.

The unprotected header is generally not used; however, it could be used for additional vendor specific information such as a RFC 3161 timestamp or other anti-forgery or validation metadata.

A Signature is computed on the following byte array:

<protected header>.<payload>

Tickets may have additional signatures added by any actor in the supply chain. For example, a CompositeBuilder shall add Signatures to all Tickets for Devices incorporated into the Composite. The protected header shall have the CompositeInstanceUri.

The Certificate and algorithms used to create the payload Signature are the same as the Certificate and algorithms used to create the RFC 7515 Signature. The RFC 7515 header provides the information needed to calculate the size of the payload Signature.

Table 5 – RFC 7515 Header Fields

| Header Field | Type | Description |
|---|---|---|
| alg | String | The cryptographic algorithm used to sign the Ticket. The possible values are defined by RFC 7518. The default when using RSA public keys is "RS256". |
| x5c | String [] | The signing Certificate and all of its issuers. Each array element is the base64 encoded (see RFC 4648) DER encoding. The first element is the signing Certificate. |
| cty | String | The type of Ticket contained in the payload. This is a media type defined by RFC 2045 with the leading "application/" omitted. The subtype is "opc-ticket+json". The type parameter is the name from the BrowseName of the Structure. For example, the value for a DeviceIdentityTicketType is: opc-ticket+json;type=DeviceIdentityTicketType |
| opc-uri | String | The CompositeInstanceUri if the Signature was created by a CompositeBuilder who has incorporated the Device into a Composite. |

The EncodedTicket is a simple DataType representing a JSON encoded Ticket.

Its representation in the AddressSpace is defined in Table 8.

Table 6 – EncodedTicket Definition

| Attribute | Value |
|---|---|
| BrowseName | 0:EncodedTicket |
| IsAbstract | False |

| References | NodeClass | BrowseName | DataType | TypeDefinition | Other |
|---|---|---|---|---|---|
| Subtype of the 0:String DataType defined in OPC 10000-5. | | | | | |

| Conformance Units |
|---|
| Onboarding Ticket Reader |

The BaseTicketType is an abstract base class for a Ticket.

The fields of this DataType are defined in Table 7.

Table 7 – BaseTicketType Structure

| Name | Type | Description |
|---|---|---|
| BaseTicketType | 0:Structure | Subtype of the Structure DataType defined in OPC 10000-5. |
| manufacturerName | 0:String | The name of the Manufacturer for the Device. |
| modelName | 0:String | The model name assigned by the Manufacturer. Not specified if no model name was assigned or known. |
| modelVersion | 0:String | The model version assigned by the Manufacturer. Not specified if no model version was assigned or known. |
| hardwareRevision | 0:String | The hardware revision assigned by the Manufacturer. Not specified if no hardware revision was assigned or known. |
| softwareRevision | 0:String | The software revision assigned by the Manufacturer. May not be the same as the current version of software installed on the Device. Not specified if no software revision was assigned or known. |
| serialNumber | 0:String | The serial number assigned by the Manufacturer. Not specified if no serial number was assigned or known. |
| manufactureDate | 0:DateTime | When the Device was manufactured. DateTime.MinValue if the date is not known. |
| authorities | 2:CertificateAuthorityType [] | A list of the CAs needed to validate the DeviceIdentity Certificates on the Device that were installed when the Ticket was created. |

Its representation in the AddressSpace is defined in Table 8.

Table 8 – BaseTicketType Definition

| Attribute | Value |
|---|---|
| BrowseName | 2:BaseTicketType |
| IsAbstract | True |

| References | NodeClass | BrowseName | DataType | TypeDefinition | Other |
|---|---|---|---|---|---|
| Subtype of the Structure DataType defined in OPC 10000-5. | | | | | |

| Conformance Units |
|---|
| Onboarding Ticket Reader |

The DeviceIdentityTicketType describes a single Device produced by a Manufacturer.

The fields of this DataType are defined in Table 9.

Table 9 – DeviceIdentityTicketType Structure

| Name | Type | Description |
|---|---|---|
| DeviceIdentityTicketType | 0:Structure | Subtype of the 2:BaseTicketType DataType defined in 8.2.1. |
| productInstanceUri | 0:UriString | The ProductInstanceUri for the Device. |

Its representation in the AddressSpace is defined in Table 10.

Table 10 – DeviceIdentityTicketType Definition

| Attribute | Value |
|---|---|
| BrowseName | 2:DeviceIdentityTicketType |
| IsAbstract | False |

| References | NodeClass | BrowseName | DataType | TypeDefinition | Other |
|---|---|---|---|---|---|
| Subtype of the BaseTicketType DataType defined in 8.2.1. | | | | | |

| Conformance Units |
|---|
| Onboarding Ticket Reader |

The CompositeIdentityTicketType describes a single Composite produced by a CompositeBuilder.

The fields of this DataType are defined in Table 11.

Table 11 – CompositeIdentityTicketType Structure

| Name | Type | Description |
|---|---|---|
| CompositeIdentityTicketType | 0:Structure | Subtype of the 2:BaseTicketType DataType defined in 8.2.2. |
| compositeInstanceUri | 0:UriString | The ProductInstanceUri assigned to the Composite. This value appears in LDevID Certificates assigned to Devices by the CompositeBuilder (see 5.3). |
| devices | 0:UriString [] | A list of ProductInstanceUris for the Devices in the Composite that are externally visible. |
| composites | 0:UriString [] | A list of CompositeInstanceUris for the sub-components in the Composite that are externally visible. |

Its representation in the AddressSpace is defined in Table 12.

Table 12 – CompositeIdentityTicketType Definition

| Attribute | Value |
|---|---|
| BrowseName | 2:CompositeIdentityTicketType |
| IsAbstract | False |

| References | NodeClass | BrowseName | DataType | TypeDefinition | Other |
|---|---|---|---|---|---|
| Subtype of the BaseTicketType DataType defined in 8.2.2. | | | | | |

| Conformance Units |
|---|
| Onboarding Ticket Reader |

The TicketListType describes a list of Devices and Composites which are part of a shipment from one organization to another.

The fields of this DataType are defined in Table 13.

Table 13 – TicketListType Structure

| Name | Type | Description |
|---|---|---|
| TicketListType | 0:Structure | Subtype of the 0:Structure DataType defined in OPC 10000-5. |
| devices | 0:EncodedTicket [] | A list of signed DeviceIdentityTickets. The format is described in 8.1. |
| composites | 0:EncodedTicket [] | A list of signed CompositeIdentityTickets. The format is described in 8.1. |

Its representation in the AddressSpace is defined in Table 14.

Table 14 – TicketListType Definition

| Attribute | Value |
|---|---|
| BrowseName | 2:TicketListType |
| IsAbstract | False |

| References | NodeClass | BrowseName | DataType | TypeDefinition | Other |
|---|---|---|---|---|---|
| Subtype of the Structure DataType defined in OPC 10000-5. | | | | | |

| Conformance Units |
|---|
| Onboarding Ticket Reader |

The CertificateAuthorityType describes a Certificate Authority (CA) used to issue Certificates to Devices, Composites or to organizations that create Tickets.

The fields of this DataType are defined in Table 15.

Table 15 – CertificateAuthorityType Structure

| Name | Type | Description |
|---|---|---|
| CertificateAuthorityType | 0:Structure | Subtype of the 0:Structure DataType defined in OPC 10000-5. |
| authorityCertificate | 0:ByteString | The DER encoded Certificate used to issue Certificates. |
| issuerCertificates | 0:ByteString [] | The DER encoded form of the Issuer for the authorityCertificate. It should include the entire chain. |

Its representation in the AddressSpace is defined in Table 16.

Table 16 – CertificateAuthorityType Definition

| Attribute | Value |
|---|---|
| BrowseName | 2:CertificateAuthorityType |
| IsAbstract | False |

| References | NodeClass | BrowseName | DataType | TypeDefinition | Other |
|---|---|---|---|---|---|
| Subtype of the 0:Structure DataType defined in OPC 10000-5. | | | | | |

| Conformance Units |
|---|
| Onboarding Ticket Reader |