draft-ietf-ace-oscore-profile-15.txt   draft-ietf-ace-oscore-profile-16.txt 
ACE Working Group F. Palombini ACE Working Group F. Palombini
Internet-Draft Ericsson AB Internet-Draft Ericsson AB
Intended status: Standards Track L. Seitz Intended status: Standards Track L. Seitz
Expires: July 30, 2021 Combitech Expires: August 1, 2021 Combitech
G. Selander G. Selander
Ericsson AB Ericsson AB
M. Gunnarsson M. Gunnarsson
RISE RISE
January 26, 2021 January 28, 2021
OSCORE Profile of the Authentication and Authorization for Constrained OSCORE Profile of the Authentication and Authorization for Constrained
Environments Framework Environments Framework
draft-ietf-ace-oscore-profile-15 draft-ietf-ace-oscore-profile-16
Abstract Abstract
This memo specifies a profile for the Authentication and This memo specifies a profile for the Authentication and
Authorization for Constrained Environments (ACE) framework. It Authorization for Constrained Environments (ACE) framework. It
utilizes Object Security for Constrained RESTful Environments utilizes Object Security for Constrained RESTful Environments
(OSCORE) to provide communication security and proof-of-possession (OSCORE) to provide communication security and proof-of-possession
for a key owned by the client and bound to an OAuth 2.0 access token. for a key owned by the client and bound to an OAuth 2.0 access token.
Status of This Memo Status of This Memo
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 30, 2021. This Internet-Draft will expire on August 1, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 39 skipping to change at page 2, line 39
5. Secure Communication with AS . . . . . . . . . . . . . . . . 23 5. Secure Communication with AS . . . . . . . . . . . . . . . . 23
6. Discarding the Security Context . . . . . . . . . . . . . . . 23 6. Discarding the Security Context . . . . . . . . . . . . . . . 23
7. Security Considerations . . . . . . . . . . . . . . . . . . . 24 7. Security Considerations . . . . . . . . . . . . . . . . . . . 24
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 25 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 25
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
9.1. ACE Profile Registry . . . . . . . . . . . . . . . . . . 26 9.1. ACE Profile Registry . . . . . . . . . . . . . . . . . . 26
9.2. OAuth Parameters Registry . . . . . . . . . . . . . . . . 26 9.2. OAuth Parameters Registry . . . . . . . . . . . . . . . . 26
9.3. OAuth Parameters CBOR Mappings Registry . . . . . . . . . 27 9.3. OAuth Parameters CBOR Mappings Registry . . . . . . . . . 27
9.4. OSCORE Security Context Parameters Registry . . . . . . . 27 9.4. OSCORE Security Context Parameters Registry . . . . . . . 27
9.5. CWT Confirmation Methods Registry . . . . . . . . . . . . 28 9.5. CWT Confirmation Methods Registry . . . . . . . . . . . . 28
9.6. JWT Confirmation Methods Registry . . . . . . . . . . . . 28 9.6. JWT Confirmation Methods Registry . . . . . . . . . . . . 29
9.7. Expert Review Instructions . . . . . . . . . . . . . . . 29 9.7. Expert Review Instructions . . . . . . . . . . . . . . . 29
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 29 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 30
10.1. Normative References . . . . . . . . . . . . . . . . . . 30 10.1. Normative References . . . . . . . . . . . . . . . . . . 30
10.2. Informative References . . . . . . . . . . . . . . . . . 31 10.2. Informative References . . . . . . . . . . . . . . . . . 31
Appendix A. Profile Requirements . . . . . . . . . . . . . . . . 31 Appendix A. Profile Requirements . . . . . . . . . . . . . . . . 31
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 32 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32
1. Introduction 1. Introduction
This memo specifies a profile of the ACE framework This memo specifies a profile of the ACE framework
[I-D.ietf-ace-oauth-authz]. In this profile, a client and a resource [I-D.ietf-ace-oauth-authz]. In this profile, a client and a resource
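Review bot: the only differences in this block are the page numbers for 9.6 and 10 moving from 28/29 to 29/30, which is what a regenerated table of contents looks like after lines are added further down in the text; the one thing to confirm is that the TOC was regenerated from the final -16 text rather than adjusted by hand, since a stale page number is the usual leftover when only part of a draft is rebuilt.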
skipping to change at page 4, line 36 skipping to change at page 4, line 36
policy that is used as input to processing requests from those policy that is used as input to processing requests from those
clients. clients.
This profile requires a client to retrieve an access token from the This profile requires a client to retrieve an access token from the
AS for the resource it wants to access on an RS, by sending an access AS for the resource it wants to access on an RS, by sending an access
token request to the token endpoint, as specified in section 5.8 of token request to the token endpoint, as specified in section 5.8 of
[I-D.ietf-ace-oauth-authz]. The access token request and response [I-D.ietf-ace-oauth-authz]. The access token request and response
MUST be confidentiality-protected and ensure authenticity. This MUST be confidentiality-protected and ensure authenticity. This
profile RECOMMENDS the use of OSCORE between client and AS, to reduce profile RECOMMENDS the use of OSCORE between client and AS, to reduce
the number of libraries the client has to support, but other the number of libraries the client has to support, but other
protocols (such as TLS or DTLS) can be used as well. protocols fulfilling the security requirements defined in section 5
of [I-D.ietf-ace-oauth-authz] (such as TLS or DTLS) MAY be used as
well.
Once the client has retrieved the access token, it generates a nonce Once the client has retrieved the access token, it generates a nonce
N1, defined in this specification (see Section 4.1.1). The client N1, defined in this specification (see Section 4.1.1). The client
also generates its own OSCORE Recipient ID ID1 (see Section 3.1 of also generates its own OSCORE Recipient ID ID1 (see Section 3.1 of
[RFC8613]), for use with the keying material associated to the RS. [RFC8613]), for use with the keying material associated to the RS.
The client posts the token, N1 and its Recipient ID to the RS using The client posts the token, N1 and its Recipient ID to the RS using
the authz-info endpoint and mechanisms specified in section 5.8 of the authz-info endpoint and mechanisms specified in section 5.8 of
[I-D.ietf-ace-oauth-authz] and Content-Format = application/ace+cbor. [I-D.ietf-ace-oauth-authz] and Content-Format = application/ace+cbor.
When using this profile, the communication with the authz-info When using this profile, the communication with the authz-info
endpoint is not protected, except for update of access rights. endpoint is not protected, except for update of access rights.
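Review bot: the rewritten sentence in this block ("other protocols fulfilling the security requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] (such as TLS or DTLS) MAY be used as well") rightly turns a loose "can be used" into a normative MAY that is conditioned on the framework's requirements, but its ending should match the equivalent sentence in Section 5 of this same diff, which closes with "MAY be used instead": the paragraph already RECOMMENDS OSCORE for the client-to-AS exchange, so the alternatives replace OSCORE rather than supplement it, and "as well" reads as if both could be required. It is also worth checking that "section 5" is the intended anchor; the same paragraph cites "section 5.8" for the token endpoint, and pointing at the specific subsection that states the confidentiality and authenticity requirements would let an implementer verify the MUST in the preceding sentence directly against the framework text.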
skipping to change at page 23, line 11 skipping to change at page 23, line 11
information using the access token associated to the Security information using the access token associated to the Security
Context. The RS then must verify that the authorization information Context. The RS then must verify that the authorization information
covers the resource and the action requested. covers the resource and the action requested.
5. Secure Communication with AS 5. Secure Communication with AS
As specified in the ACE framework (section 5.9 of As specified in the ACE framework (section 5.9 of
[I-D.ietf-ace-oauth-authz]), the requesting entity (RS and/or client) [I-D.ietf-ace-oauth-authz]), the requesting entity (RS and/or client)
and the AS communicates via the introspection or token endpoint. The and the AS communicates via the introspection or token endpoint. The
use of CoAP and OSCORE ([RFC8613]) for this communication is use of CoAP and OSCORE ([RFC8613]) for this communication is
RECOMMENDED in this profile; other protocols (such as HTTP and DTLS RECOMMENDED in this profile; other protocols fulfilling the security
or TLS) MAY be used instead. requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] (such
as HTTP and DTLS or TLS) MAY be used instead.
If OSCORE is used, the requesting entity and the AS are expected to If OSCORE is used, the requesting entity and the AS are expected to
have pre-established security contexts in place. How these security have pre-established security contexts in place. How these security
contexts are established is out of scope for this profile. contexts are established is out of scope for this profile.
Furthermore the requesting entity and the AS communicate through the Furthermore the requesting entity and the AS communicate through the
introspection endpoint as specified in section 5.9 of introspection endpoint as specified in section 5.9 of
[I-D.ietf-ace-oauth-authz] and through the token endpoint as [I-D.ietf-ace-oauth-authz] and through the token endpoint as
specified in section 5.8 of [I-D.ietf-ace-oauth-authz]. specified in section 5.8 of [I-D.ietf-ace-oauth-authz].
6. Discarding the Security Context 6. Discarding the Security Context
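Review bot: the rewritten sentence ("other protocols fulfilling the security requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] (such as HTTP and DTLS or TLS) MAY be used instead") now uses the same formulation as the Introduction, which is the point of the change; two pre-existing problems in the unchanged lines of this block could be fixed in the same revision. "the requesting entity (RS and/or client) and the AS communicates" should read "communicate" (plural subject), and the last paragraph (the requesting entity and the AS communicate through the introspection endpoint as specified in section 5.9 and through the token endpoint as specified in section 5.8) repeats the opening sentence of the section almost verbatim and could be folded into it while keeping both section references.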
End of changes. 8 change blocks. 9 lines changed or deleted, 12 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/