draft-ietf-ace-oscore-profile-15.txt | draft-ietf-ace-oscore-profile-16.txt | |||
---|---|---|---|---|
ACE Working Group F. Palombini | ACE Working Group F. Palombini | |||
Internet-Draft Ericsson AB | Internet-Draft Ericsson AB | |||
Intended status: Standards Track L. Seitz | Intended status: Standards Track L. Seitz | |||
Expires: July 30, 2021 Combitech | Expires: August 1, 2021 Combitech | |||
G. Selander | G. Selander | |||
Ericsson AB | Ericsson AB | |||
M. Gunnarsson | M. Gunnarsson | |||
RISE | RISE | |||
January 26, 2021 | January 28, 2021 | |||
OSCORE Profile of the Authentication and Authorization for Constrained | OSCORE Profile of the Authentication and Authorization for Constrained | |||
Environments Framework | Environments Framework | |||
draft-ietf-ace-oscore-profile-15 | draft-ietf-ace-oscore-profile-16 | |||
Abstract | Abstract | |||
This memo specifies a profile for the Authentication and | This memo specifies a profile for the Authentication and | |||
Authorization for Constrained Environments (ACE) framework. It | Authorization for Constrained Environments (ACE) framework. It | |||
utilizes Object Security for Constrained RESTful Environments | utilizes Object Security for Constrained RESTful Environments | |||
(OSCORE) to provide communication security and proof-of-possession | (OSCORE) to provide communication security and proof-of-possession | |||
for a key owned by the client and bound to an OAuth 2.0 access token. | for a key owned by the client and bound to an OAuth 2.0 access token. | |||
Status of This Memo | Status of This Memo | |||
skipping to change at page 1, line 40 | skipping to change at page 1, line 40 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on July 30, 2021. | This Internet-Draft will expire on August 1, 2021. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 39 | skipping to change at page 2, line 39 | |||
5. Secure Communication with AS . . . . . . . . . . . . . . . . 23 | 5. Secure Communication with AS . . . . . . . . . . . . . . . . 23 | |||
6. Discarding the Security Context . . . . . . . . . . . . . . . 23 | 6. Discarding the Security Context . . . . . . . . . . . . . . . 23 | |||
7. Security Considerations . . . . . . . . . . . . . . . . . . . 24 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 24 | |||
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 25 | 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 25 | |||
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 | |||
9.1. ACE Profile Registry . . . . . . . . . . . . . . . . . . 26 | 9.1. ACE Profile Registry . . . . . . . . . . . . . . . . . . 26 | |||
9.2. OAuth Parameters Registry . . . . . . . . . . . . . . . . 26 | 9.2. OAuth Parameters Registry . . . . . . . . . . . . . . . . 26 | |||
9.3. OAuth Parameters CBOR Mappings Registry . . . . . . . . . 27 | 9.3. OAuth Parameters CBOR Mappings Registry . . . . . . . . . 27 | |||
9.4. OSCORE Security Context Parameters Registry . . . . . . . 27 | 9.4. OSCORE Security Context Parameters Registry . . . . . . . 27 | |||
9.5. CWT Confirmation Methods Registry . . . . . . . . . . . . 28 | 9.5. CWT Confirmation Methods Registry . . . . . . . . . . . . 28 | |||
9.6. JWT Confirmation Methods Registry . . . . . . . . . . . . 28 | 9.6. JWT Confirmation Methods Registry . . . . . . . . . . . . 29 | |||
9.7. Expert Review Instructions . . . . . . . . . . . . . . . 29 | 9.7. Expert Review Instructions . . . . . . . . . . . . . . . 29 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 29 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 | |||
10.1. Normative References . . . . . . . . . . . . . . . . . . 30 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 30 | |||
10.2. Informative References . . . . . . . . . . . . . . . . . 31 | 10.2. Informative References . . . . . . . . . . . . . . . . . 31 | |||
Appendix A. Profile Requirements . . . . . . . . . . . . . . . . 31 | Appendix A. Profile Requirements . . . . . . . . . . . . . . . . 31 | |||
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 32 | Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 32 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32 | |||
1. Introduction | 1. Introduction | |||
This memo specifies a profile of the ACE framework | This memo specifies a profile of the ACE framework | |||
[I-D.ietf-ace-oauth-authz]. In this profile, a client and a resource | [I-D.ietf-ace-oauth-authz]. In this profile, a client and a resource | |||
skipping to change at page 4, line 36 | skipping to change at page 4, line 36 | |||
policy that is used as input to processing requests from those | policy that is used as input to processing requests from those | |||
clients. | clients. | |||
This profile requires a client to retrieve an access token from the | This profile requires a client to retrieve an access token from the | |||
AS for the resource it wants to access on an RS, by sending an access | AS for the resource it wants to access on an RS, by sending an access | |||
token request to the token endpoint, as specified in section 5.8 of | token request to the token endpoint, as specified in section 5.8 of | |||
[I-D.ietf-ace-oauth-authz]. The access token request and response | [I-D.ietf-ace-oauth-authz]. The access token request and response | |||
MUST be confidentiality-protected and ensure authenticity. This | MUST be confidentiality-protected and ensure authenticity. This | |||
profile RECOMMENDS the use of OSCORE between client and AS, to reduce | profile RECOMMENDS the use of OSCORE between client and AS, to reduce | |||
the number of libraries the client has to support, but other | the number of libraries the client has to support, but other | |||
protocols (such as TLS or DTLS) can be used as well. | protocols fulfilling the security requirements defined in section 5 | |||
of [I-D.ietf-ace-oauth-authz] (such as TLS or DTLS) MAY be used as | ||||
well. | ||||
Once the client has retrieved the access token, it generates a nonce | Once the client has retrieved the access token, it generates a nonce | |||
N1, defined in this specification (see Section 4.1.1). The client | N1, defined in this specification (see Section 4.1.1). The client | |||
also generates its own OSCORE Recipient ID ID1 (see Section 3.1 of | also generates its own OSCORE Recipient ID ID1 (see Section 3.1 of | |||
[RFC8613]), for use with the keying material associated to the RS. | [RFC8613]), for use with the keying material associated to the RS. | |||
The client posts the token, N1 and its Recipient ID to the RS using | The client posts the token, N1 and its Recipient ID to the RS using | |||
the authz-info endpoint and mechanisms specified in section 5.8 of | the authz-info endpoint and mechanisms specified in section 5.8 of | |||
[I-D.ietf-ace-oauth-authz] and Content-Format = application/ace+cbor. | [I-D.ietf-ace-oauth-authz] and Content-Format = application/ace+cbor. | |||
When using this profile, the communication with the authz-info | When using this profile, the communication with the authz-info | |||
endpoint is not protected, except for update of access rights. | endpoint is not protected, except for update of access rights. | |||
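Review bot: In the changed sentence about alternative client-AS protocols, the requirement is now delegated to "the security requirements defined in section 5 of [I-D.ietf-ace-oauth-authz]", while the sentence immediately before it still carries its own absolute rule ("MUST be confidentiality-protected and ensure authenticity"); expressing these as a single requirement, for example "The access token request and response MUST be protected as required by section 5 of [I-D.ietf-ace-oauth-authz]; this profile RECOMMENDS OSCORE between client and AS ..., but other protocols meeting those requirements (such as TLS or DTLS) MAY be used as well", avoids two sources of truth if the framework's section 5 is revised. The identical new wording is also introduced in Section 5 (Secure Communication with AS) of this revision, so the two sentences should be kept in lockstep in future updates. Separately, the unchanged paragraph that follows states that the authz-info exchange "is not protected, except for update of access rights"; a forward pointer from that sentence to the Security Considerations (Section 7 in the table of contents) would help a reader see what the unprotected posting of the token, N1 and ID1 relies on.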
skipping to change at page 23, line 11 | skipping to change at page 23, line 11 | |||
information using the access token associated to the Security | information using the access token associated to the Security | |||
Context. The RS then must verify that the authorization information | Context. The RS then must verify that the authorization information | |||
covers the resource and the action requested. | covers the resource and the action requested. | |||
5. Secure Communication with AS | 5. Secure Communication with AS | |||
As specified in the ACE framework (section 5.9 of | As specified in the ACE framework (section 5.9 of | |||
[I-D.ietf-ace-oauth-authz]), the requesting entity (RS and/or client) | [I-D.ietf-ace-oauth-authz]), the requesting entity (RS and/or client) | |||
and the AS communicates via the introspection or token endpoint. The | and the AS communicates via the introspection or token endpoint. The | |||
use of CoAP and OSCORE ([RFC8613]) for this communication is | use of CoAP and OSCORE ([RFC8613]) for this communication is | |||
RECOMMENDED in this profile; other protocols (such as HTTP and DTLS | RECOMMENDED in this profile; other protocols fulfilling the security | |||
or TLS) MAY be used instead. | requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] (such | |||
as HTTP and DTLS or TLS) MAY be used instead. | ||||
If OSCORE is used, the requesting entity and the AS are expected to | If OSCORE is used, the requesting entity and the AS are expected to | |||
have pre-established security contexts in place. How these security | have pre-established security contexts in place. How these security | |||
contexts are established is out of scope for this profile. | contexts are established is out of scope for this profile. | |||
Furthermore the requesting entity and the AS communicate through the | Furthermore the requesting entity and the AS communicate through the | |||
introspection endpoint as specified in section 5.9 of | introspection endpoint as specified in section 5.9 of | |||
[I-D.ietf-ace-oauth-authz] and through the token endpoint as | [I-D.ietf-ace-oauth-authz] and through the token endpoint as | |||
specified in section 5.8 of [I-D.ietf-ace-oauth-authz]. | specified in section 5.8 of [I-D.ietf-ace-oauth-authz]. | |||
6. Discarding the Security Context | 6. Discarding the Security Context | |||
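Review bot: The closing paragraph of Section 5 ("Furthermore the requesting entity and the AS communicate through the introspection endpoint as specified in section 5.9 ... and through the token endpoint as specified in section 5.8 ...") restates the section's opening sentence, which already says that the requesting entity and the AS communicate via the introspection or token endpoint per section 5.9; folding the two into one sentence that cites both 5.8 and 5.9 would shorten the section without losing anything. In the new text, the parenthetical "such as HTTP and DTLS or TLS" mixes the transport with the security protocol, so it is not clear which pairings are intended; spelling them out (for example which of HTTP or CoAP is meant to run over TLS or DTLS) would read unambiguously and would mirror the "CoAP and OSCORE" pairing in the preceding clause. Minor grammar in the unchanged context: "the requesting entity (RS and/or client) and the AS communicates" has a plural subject, so "communicate".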
End of changes. 8 change blocks. | ||||
9 lines changed or deleted | 12 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |