| draft-ietf-ace-extend-dtls-authorize-01.txt | draft-ietf-ace-extend-dtls-authorize-02.txt | |||
|---|---|---|---|---|
| Network Working Group O. Bergmann | ACE Working Group O. Bergmann | |||
| Internet-Draft TZI | Internet-Draft TZI | |||
| Updates: draft-ietf-ace-dtls-authorize (if J. Preuß Mattsson | Updates: draft-ietf-ace-dtls-authorize (if J. Preuß Mattsson | |||
| approved) G. Selander | approved) G. Selander | |||
| Intended status: Standards Track Ericsson | Intended status: Standards Track Ericsson | |||
| Expires: 8 August 2022 4 February 2022 | Expires: 8 September 2022 7 March 2022 | |||
| Extension of the ACE CoAP-DTLS Profile to TLS | Extension of the CoAP-DTLS Profile for ACE to TLS | |||
| draft-ietf-ace-extend-dtls-authorize-01 | draft-ietf-ace-extend-dtls-authorize-02 | |||
| Abstract | Abstract | |||
| This document updates the ACE CoAP-DTLS profile by specifying that | This document updates the CoAP-DTLS profile for ACE | |||
| the profile applies to TLS as well as DTLS. | [I-D.ietf-ace-dtls-authorize] by specifying that the profile applies | |||
| to TLS as well as DTLS. | ||||
| Discussion Venues | Discussion Venues | |||
| This note is to be removed before publishing as an RFC. | This note is to be removed before publishing as an RFC. | |||
| Discussion of this document takes place on the Authentication and | Discussion of this document takes place on the Authentication and | |||
| Authorization for Constrained Environments Working Group mailing list | Authorization for Constrained Environments Working Group mailing list | |||
| (ace@ietf.org), which is archived at | (ace@ietf.org), which is archived at | |||
| https://mailarchive.ietf.org/arch/browse/ace/. | https://mailarchive.ietf.org/arch/browse/ace/. | |||
| skipping to change at page 1, line 45 ¶ | skipping to change at page 1, line 46 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 8 August 2022. | This Internet-Draft will expire on 8 September 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Revised BSD License text as | extracted from this document must include Revised BSD License text as | |||
| described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Revised BSD License. | provided without warranty as described in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 2 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Security Considerations . . . . . . . . . . . . . . . . . . . 3 | 3. Connection Establishment . . . . . . . . . . . . . . . . . . 3 | |||
| 4. References . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4.1. Normative References . . . . . . . . . . . . . . . . . . 3 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | |||
| 4.2. Informative References . . . . . . . . . . . . . . . . . 3 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 4 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4 | 6.2. Informative References . . . . . . . . . . . . . . . . . 5 | |||
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 6 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | ||||
| 1. Introduction | 1. Introduction | |||
| [I-D.ietf-ace-dtls-authorize] only specifies use of DTLS | [I-D.ietf-ace-dtls-authorize] only specifies the use of DTLS | |||
| [I-D.ietf-tls-dtls13] but works equally well for TLS. For many | [RFC6347] but works equally well for TLS [RFC8446]. For many | |||
| constrained implementations, CoAP over UDP [RFC7252] is the first | constrained implementations, CoAP over UDP [RFC7252] is the first | |||
| choice, but when deploying ACE in networks controlled by other | choice, but when deploying ACE in networks controlled by other | |||
| entities (such as the Internet), UDP might be blocked on the path | entities (such as the Internet), UDP might be blocked on the path | |||
| between the client and the RS, and the client might have to fall back | between the client and the RS, and the client might have to fall back | |||
| to CoAP over TCP [RFC8323] for NAT or firewall traversal. This | to CoAP over TCP [RFC8323] for NAT or firewall traversal. This | |||
| feature is supported by the OSCORE profile | feature is supported by the OSCORE profile | |||
| [I-D.ietf-ace-oscore-profile] but is lacking from the DTLS profile. | [I-D.ietf-ace-oscore-profile] but is lacking in the DTLS profile. | |||
| This document updates [I-D.ietf-ace-dtls-authorize] by specifying | This document updates [I-D.ietf-ace-dtls-authorize] by specifying | |||
| that the profile applies to TLS as well as DTLS. The same access | that the profile applies to TLS as well as DTLS. The same access | |||
| rights are valid in case transport layer security is either DTLS or | rights are valid in case transport layer security is provided by | |||
| TLS, and the same access token can be used. | either DTLS or TLS, and the same access token can be used. | |||
| Therefore, the value coap_dtls in the ace_profile parameter of an AS- | ||||
| to-Client response or in the ace_profile claim of an access token | ||||
| indicates that either DTLS or TLS can be used for transport layer | ||||
| security. | ||||
| 2. IANA Considerations | 2. Terminology | |||
| No IANA Considerations. | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | ||||
| "OPTIONAL" in this document are to be interpreted as described in | ||||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | ||||
| capitals, as shown here. | ||||
| 3. Security Considerations | Readers are expected to be familiar with the terms and concepts | |||
| described in [I-D.ietf-ace-oauth-authz] and | ||||
| [I-D.ietf-ace-dtls-authorize]. | ||||
| 3. Connection Establishment | ||||
| Following the procedures defined in [I-D.ietf-ace-dtls-authorize], a | ||||
| Client can retrieve an Access Token from an Authorization Server (AS) | ||||
| in order to establish a security association with a specific Resource | ||||
| Server. The ace_profile parameter in the Client-to-AS request and | ||||
| AS-to-client response is used to determine the ACE profile that the | ||||
| Client uses towards the Resource Server (RS). | ||||
| In case the ace_profile parameter indicates the use of the DTLS | ||||
| profile for ACE as defined in [I-D.ietf-ace-dtls-authorize], the | ||||
| Client MAY try to connect to the Resource Server via TLS, or try TLS | ||||
| and DTLS in parallel to accelerate the session setup. | ||||
| As resource-constrained devices are not expected to support both | ||||
| transport layer security mechanisms, a Client that implements either | ||||
| TLS or DTLS but not both might fail in establishing a secure | ||||
| communication channel with the Resource Server altogether. This | ||||
| error SHOULD be handled by the Client in the same way as unsupported | ||||
| ACE profiles. If the Client is modified accordingly or it learns | ||||
| that the Resource Server has been, the Client may try to connect to | ||||
| the Resource Server using the transport layer security mechanism that | ||||
| was previously not mutually supported. | ||||
| Note that a communication setup with an a priori unknown Resource | ||||
| Server typically employs an initial unauthorized resource request as | ||||
| illustrated in Section 2 of [I-D.ietf-ace-dtls-authorize]. If this | ||||
| message exchange succeeds, the Client SHOULD first use the same | ||||
| underlying transport protocol for the establishment of the security | ||||
| association as well (i.e., DTLS for UDP, and TLS for TCP). | ||||
| As a consequence, the selection of the transport protocol used for | ||||
| the initial unauthorized resource request also depends on the | ||||
| transport layer security mechanism supported by the Client. Clients | ||||
| that support either DTLS or TLS but not both SHOULD use the transport | ||||
| protocol underlying the supported transport layer security mechanism | ||||
| also for an initial unauthorized resource request. | ||||
| 4. IANA Considerations | ||||
| The following updates have been done for the "ACE Profiles" registry | ||||
| for the profile with Profile ID 1 and Profile name coap_dtls: | ||||
| Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" | ||||
| with the RFC number of this specification and delete this paragraph. | ||||
| Description: Profile for delegating client Authentication and | ||||
| Authorization for Constrained Environments by establishing a Datagram | ||||
| Transport Layer Security (DTLS) or Transport Layer Security (TLS) | ||||
| channel between resource-constrained nodes. | ||||
| Change Controller: IESG | ||||
| Reference: [RFC-XXXX] | ||||
| 5. Security Considerations | ||||
| The security consideration and requirements in TLS 1.3 [RFC8446] and | The security consideration and requirements in TLS 1.3 [RFC8446] and | |||
| BCP 195 [RFC7525] [RFC8996] also apply to this document. | BCP 195 [RFC7525] [RFC8996] also apply to this document. | |||
| 4. References | 6. References | |||
| 4.1. Normative References | 6.1. Normative References | |||
| [I-D.ietf-ace-dtls-authorize] | [I-D.ietf-ace-dtls-authorize] | |||
| Gerdes, S., Bergmann, O., Bormann, C., Selander, G., and | Gerdes, S., Bergmann, O., Bormann, C., Selander, G., and | |||
| L. Seitz, "Datagram Transport Layer Security (DTLS) | L. Seitz, "Datagram Transport Layer Security (DTLS) | |||
| Profile for Authentication and Authorization for | Profile for Authentication and Authorization for | |||
| Constrained Environments (ACE)", Work in Progress, | Constrained Environments (ACE)", Work in Progress, | |||
| Internet-Draft, draft-ietf-ace-dtls-authorize-18, 4 June | Internet-Draft, draft-ietf-ace-dtls-authorize-18, 4 June | |||
| 2021, <https://www.ietf.org/archive/id/draft-ietf-ace- | 2021, <https://www.ietf.org/archive/id/draft-ietf-ace- | |||
| dtls-authorize-18.txt>. | dtls-authorize-18.txt>. | |||
| [I-D.ietf-tls-dtls13] | [I-D.ietf-ace-oauth-authz] | |||
| Rescorla, E., Tschofenig, H., and N. Modadugu, "The | Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and | |||
| Datagram Transport Layer Security (DTLS) Protocol Version | H. Tschofenig, "Authentication and Authorization for | |||
| 1.3", Work in Progress, Internet-Draft, draft-ietf-tls- | Constrained Environments (ACE) using the OAuth 2.0 | |||
| dtls13-43, 30 April 2021, <https://www.ietf.org/internet- | Framework (ACE-OAuth)", Work in Progress, Internet-Draft, | |||
| drafts/draft-ietf-tls-dtls13-43.txt>. | draft-ietf-ace-oauth-authz-46, 8 November 2021, | |||
| <https://www.ietf.org/archive/id/draft-ietf-ace-oauth- | ||||
| authz-46.txt>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | ||||
| Requirement Levels", BCP 14, RFC 2119, | ||||
| DOI 10.17487/RFC2119, March 1997, | ||||
| <https://www.rfc-editor.org/info/rfc2119>. | ||||
| [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | ||||
| Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, | ||||
| January 2012, <https://www.rfc-editor.org/info/rfc6347>. | ||||
| [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained | [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained | |||
| Application Protocol (CoAP)", RFC 7252, | Application Protocol (CoAP)", RFC 7252, | |||
| DOI 10.17487/RFC7252, June 2014, | DOI 10.17487/RFC7252, June 2014, | |||
| <https://www.rfc-editor.org/info/rfc7252>. | <https://www.rfc-editor.org/info/rfc7252>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | ||||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | ||||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||||
| [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., | [RFC8323] Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., | |||
| Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained | Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained | |||
| Application Protocol) over TCP, TLS, and WebSockets", | Application Protocol) over TCP, TLS, and WebSockets", | |||
| RFC 8323, DOI 10.17487/RFC8323, February 2018, | RFC 8323, DOI 10.17487/RFC8323, February 2018, | |||
| <https://www.rfc-editor.org/info/rfc8323>. | <https://www.rfc-editor.org/info/rfc8323>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| 4.2. Informative References | 6.2. Informative References | |||
| [I-D.ietf-ace-oscore-profile] | [I-D.ietf-ace-oscore-profile] | |||
| Palombini, F., Seitz, L., Selander, G., and M. Gunnarsson, | Palombini, F., Seitz, L., Selander, G., and M. Gunnarsson, | |||
| "OSCORE Profile of the Authentication and Authorization | "OSCORE Profile of the Authentication and Authorization | |||
| for Constrained Environments Framework", Work in Progress, | for Constrained Environments Framework", Work in Progress, | |||
| Internet-Draft, draft-ietf-ace-oscore-profile-19, 6 May | Internet-Draft, draft-ietf-ace-oscore-profile-19, 6 May | |||
| 2021, <https://www.ietf.org/archive/id/draft-ietf-ace- | 2021, <https://www.ietf.org/archive/id/draft-ietf-ace- | |||
| oscore-profile-19.txt>. | oscore-profile-19.txt>. | |||
| [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, | [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, | |||
| skipping to change at page 4, line 25 ¶ | skipping to change at page 6, line 17 ¶ | |||
| Security (TLS) and Datagram Transport Layer Security | Security (TLS) and Datagram Transport Layer Security | |||
| (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May | (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May | |||
| 2015, <https://www.rfc-editor.org/info/rfc7525>. | 2015, <https://www.rfc-editor.org/info/rfc7525>. | |||
| [RFC8996] Moriarty, K. and S. Farrell, "Deprecating TLS 1.0 and TLS | [RFC8996] Moriarty, K. and S. Farrell, "Deprecating TLS 1.0 and TLS | |||
| 1.1", BCP 195, RFC 8996, DOI 10.17487/RFC8996, March 2021, | 1.1", BCP 195, RFC 8996, DOI 10.17487/RFC8996, March 2021, | |||
| <https://www.rfc-editor.org/info/rfc8996>. | <https://www.rfc-editor.org/info/rfc8996>. | |||
| Acknowledgments | Acknowledgments | |||
| The authors would like to thank Marco Tiloca for reviewing this | ||||
| specification. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Olaf Bergmann | Olaf Bergmann | |||
| Universität Bremen TZI | Universität Bremen TZI | |||
| Bremen, D-28359 | Bremen, D-28359 | |||
| Germany | Germany | |||
| Email: bergmann@tzi.org | Email: bergmann@tzi.org | |||
| John Preuß Mattsson | John Preuß Mattsson | |||
| Ericsson AB | Ericsson AB | |||
| SE-164 80 Stockholm | SE-164 80 Stockholm | |||
| Sweden | Sweden | |||
| Email: john.mattsson@ericsson.com | Email: john.mattsson@ericsson.com | |||
| Göran Selander | Göran Selander | |||
| Ericsson AB | Ericsson AB | |||
| SE-164 80 Stockholm | SE-164 80 Stockholm | |||
| Sweden | Sweden | |||
| Email: goran.selander@ericsson.com | Email: goran.selander@ericsson.com | |||
| End of changes. 21 change blocks. | ||||
| 34 lines changed or deleted | 119 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||