Zero-touch IoT device provisioning

What is claimed is: 1. A method, comprising: receiving, at an authorized signing authority server, an authenticity request from a security registrar to vouch for authenticity of a particular device; determining, by the authorized signing authority server based on receiving the authenticity request, an authenticity state of the particular device; requesting, by the authorized signing authority server based on receiving the authenticity request, a device provisioning file for the particular device from a device provisioning server, the device provisioning file defining one or more network security policies for the particular device; receiving, at the authorized signing authority server from the device provisioning server, the device provisioning file; and returning, from the authorized signing authority server to the security registrar, the authenticity state and the device provisioning file for the particular device, causing the security registrar to complete authentication of the particular device based on the authenticity state and the device provisioning file. 2. The method as in claim 1 , wherein the authorized signing authority server is a Manufacturer Authorized Signing Authority (MASA) server. 3. The method as in claim 1 , wherein the security registrar is a Bootstrapping Remote Secure Key Infrastructures (BRSKI) registrar, and wherein the authenticity request is a BRSKI-based request. 4. The method as in claim 1 , wherein the security registrar is an authentication, authorization, and accounting (AAA) server. 5. The method as in claim 1 , wherein the particular device is an Internet of Things (IoT) device. 6. The method as in claim 1 , wherein the device provisioning file is a Manufacturer Usage Description (MUD) file. 7. The method as in claim 1 , wherein the authenticity request contains a Manufacturer Usage Description (MUD) uniform resource identifier (URI) for the particular device. 8. The method as in claim 1 , wherein the authenticity request does not contain a Manufacturer Usage Description (MUD) uniform resource identifier (URI) for the particular device, the method further comprising: determining a proper device provisioning file for the particular device to request from the device provisioning server based on other information within the authenticity request from the security registrar. 9. The method as in claim 1 , wherein the device provisioning file is based on a class of device associated with the particular device. 10. The method as in claim 1 , wherein the authorized signing authority server and the device provisioning server are co-located processes on a same server. 11. A method, comprising: receiving, at a security registrar, a security key request for a particular device; transmitting, from the security registrar, an authenticity request to an authorized signing authority server for the authorized signing authority server to vouch for authenticity of the particular device; causing, by the authenticity request, the authorized signing authority server to request a device provisioning file for the particular device from a device provisioning server, the device provisioning file defining one or more network security policies for the particular device; receiving, at the security registrar from the authorized signing authority server, an authenticity state and the device provisioning file for the particular device; and completing, by the security registrar, authentication of the particular device based on the authenticity state and the device provisioning file. 12. The method as in claim 11 , wherein the authorized signing authority server is a Manufacturer Authorized Signing Authority (MASA) server. 13. The method as in claim 11 , wherein the security registrar is a Bootstrapping Remote Secure Key Infrastructures (BRSKI) registrar, and wherein the authenticity request is a BRSKI-based request. 14. The method as in claim 13 , wherein the security key request is a BRSKI-based request that is encapsulated within a Tunnel Extensible Authentication Protocol (TEAP) message. 15. The method as in claim 11 , wherein the security registrar is an authentication, authorization, and accounting (AAA) server. 16. The method as in claim 11 , wherein the particular device is an Internet of Things (IoT) device. 17. The method as in claim 11 , wherein the device provisioning file is a Manufacturer Usage Description (MUD) file. 18. The method as in claim 11 , wherein the authenticity request contains a Manufacturer Usage Description (MUD) uniform resource identifier (URI) for the particular device. 19. The method as in claim 11 , further comprising: provisionally authenticating the particular device prior to receiving the security key request. 20. An apparatus, comprising: one or more network interfaces configured to communicate in a computer network; a processor coupled to the network interfaces and adapted to execute one or more processes; and a memory configured to store an authorized signing authority server process executable by the processor, the process when executed operable to: receive an authenticity request from a security registrar to vouch for authenticity of a particular device; determine, based on receiving the authenticity request, an authenticity state of the particular device; request, based on receiving the authenticity request, a device provisioning file for the particular device from a device provisioning server, the device provisioning file defining one or more network security policies for the particular device; receive, from the device provisioning server, the device provisioning file; and return, to the security registrar, the authenticity state and the device provisioning file for the particular device, causing the security registrar to complete authentication of the particular device based on the authenticity state and the device provisioning file.