[Ace] WG Review: Authentication and Authorization for Constrained Environments (ace)

2021-01-28 Thread The IESG
The Authentication and Authorization for Constrained Environments (ace) WG in
the Security Area of the IETF is undergoing rechartering. The IESG has not
made any determination yet. The following draft charter was submitted, and is
provided for informational purposes only. Please send your comments to the
IESG mailing list (i...@ietf.org) by 2021-02-07.

Authentication and Authorization for Constrained Environments (ace)
---
Current status: Active WG

Chairs:
  Daniel Migault 

Assigned Area Director:
  Benjamin Kaduk 

Security Area Directors:
  Benjamin Kaduk 
  Roman Danyliw 

Mailing list:
  Address: ace@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/ace
  Archive: https://mailarchive.ietf.org/arch/browse/ace/

Group page: https://datatracker.ietf.org/group/ace/

Charter: https://datatracker.ietf.org/doc/charter-ietf-ace/

The Authentication and Authorization for Constrained Environments (ace) WG
has defined a standardized solution framework for authentication and
authorization to enable authorized access to resources identified by a URI
and hosted on a resource server in constrained environments.

The access to the resource is mediated by an authorization server, which is
not considered to be constrained.

Profiles of this framework for application to security protocols commonly
used in constrained environments, including CoAP+DTLS and CoAP+OSCORE, have
also been standardized.  The Working Group is charged with maintenance of
the framework and existing profiles thereof, and may undertake work to
specify profiles of the framework for additional secure communications
protocols and for additional support services providing authorized access
to crypto keys (that are not necessarily limited to constrained endpoints,
though the focus remains on deployment in ecosystems with a substantial
portion of constrained devices).

In addition to the ongoing maintenance work, the Working Group will extend
the framework (originally designed to protect the exchange between single
client and single RS) as needed for applicability to group communications.
The initial focus will be on using (D)TLS and (Group) OSCORE as the underlying
communication security protocols. The Working Group will standardize
procedures for requesting and distributing group keying material using the ACE
framework as well as appropriate management interfaces.

The Working Group will standardize a format for expressing authorization
information for a given authenticated principal as received from an
authorization manager.

The Working Group will examine how to use Constrained Application Protocol
(CoAP) as a transport medium for certificate enrollment protocols, such as
EST and CMPv2, as well as a transport for authentication protocols such as
EAP (in coordination with the EMU WG), and standardize as needed.

Milestones:

TBD

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace


Re: [Ace] draft-ietf-ace-dtls-authorize

2021-01-28 Thread Olaf Bergmann
Hi Daniel,

On 2021-01-28, Daniel Migault  
wrote:

> Apparently, the change on the DTLS profile has not been noticed by
> everyone in the WG, so I am bringing the discussion here.
>
> The change has been made as a response to a comment from the security
> directorate. Please provide your feedback by Feb 4 (but preferably
> before), and potentially propose the text you would like to see if you
> disagree with the change.

I agree with the change (although I do not care very much but the new
text makes more sense than the old) because the change suggested in the
secdir review is not about mandating one protocol or the other. It is
about which protocol you need to implement if you want to use that
protocol between C and AS. In short:

* the OSCORE profile mandates that "if you want to use CoAP over OSCORE
  between the C and the AS, you need to follow the steps in the
  OSCORE specification and look somewhere else if you want to use
  another protocol", and
* the DTLS profile mandates that "if you want to use CoAP over DTLS
  between the C and the AS, you need to follow the steps in the
  DTLS specification  and look somewhere else if you want to use
  another protocol"

Grüße
Olaf

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace


[Ace] draft-ietf-ace-dtls-authorize

2021-01-28 Thread Daniel Migault
Apparently, the change on the DTLS profile has not been noticed by everyone in 
the WG, so I am bringing the discussion here.

The change has been made as a response to a comment from the security 
directorate. Please provide your feedback by Feb 4 (but preferably before), 
and potentially propose the text you would like to see if you disagree with the 
change.



This is how it has just been updated:

Old text:

   The use of CoAP and DTLS for this communication is RECOMMENDED in
   this profile, other protocols (such as HTTP and TLS, or CoAP and
   OSCORE [RFC8613]) MAY be used instead.

New text:

   The use of CoAP and DTLS for this communication is REQUIRED in this
   profile.  Other protocols (such as HTTP and TLS, or CoAP and OSCORE
   [RFC8613]) will require specification of additional profile(s).

Yours,
Daniel
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace


Re: [Ace] I-D Action: draft-ietf-ace-oscore-profile-16.txt

2021-01-28 Thread Francesca Palombini
This is a minor update, which implements a minor clarification described here: 
https://mailarchive.ietf.org/arch/msg/ace/IxrbGjbAPH7RSB5IUMEF1UI5gQc/

Francesca

On 28/01/2021, 17:38, "Ace on behalf of internet-dra...@ietf.org" 
 wrote:


A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the Authentication and Authorization for 
Constrained Environments WG of the IETF.

Title   : OSCORE Profile of the Authentication and 
Authorization for Constrained Environments Framework
Authors : Francesca Palombini
  Ludwig Seitz
  Göran Selander
  Martin Gunnarsson
Filename: draft-ietf-ace-oscore-profile-16.txt
Pages   : 33
Date: 2021-01-28

Abstract:
   This memo specifies a profile for the Authentication and
   Authorization for Constrained Environments (ACE) framework.  It
   utilizes Object Security for Constrained RESTful Environments
   (OSCORE) to provide communication security and proof-of-possession
   for a key owned by the client and bound to an OAuth 2.0 access token.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-profile/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-ace-oscore-profile-16
https://datatracker.ietf.org/doc/html/draft-ietf-ace-oscore-profile-16

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-oscore-profile-16


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace


[Ace] I-D Action: draft-ietf-ace-oscore-profile-16.txt

2021-01-28 Thread internet-drafts

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Authentication and Authorization for 
Constrained Environments WG of the IETF.

Title   : OSCORE Profile of the Authentication and 
Authorization for Constrained Environments Framework
Authors : Francesca Palombini
  Ludwig Seitz
  Göran Selander
  Martin Gunnarsson
Filename: draft-ietf-ace-oscore-profile-16.txt
Pages   : 33
Date: 2021-01-28

Abstract:
   This memo specifies a profile for the Authentication and
   Authorization for Constrained Environments (ACE) framework.  It
   utilizes Object Security for Constrained RESTful Environments
   (OSCORE) to provide communication security and proof-of-possession
   for a key owned by the client and bound to an OAuth 2.0 access token.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-profile/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-ace-oscore-profile-16
https://datatracker.ietf.org/doc/html/draft-ietf-ace-oscore-profile-16

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-oscore-profile-16


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace


Re: [Ace] draft-ietf-ace-oauth-authz issue #179 / PR #180

2021-01-28 Thread Daniel Migault
As we have not heard anyone opposed to the rewording I propose we proceed
to the merge and publish a new version.

Yours,
Daniel

On Fri, Jan 15, 2021 at 3:35 AM Göran Selander  wrote:

> Hi,
>
> In the interim meeting yesterday I was requested to notify the ACE mailing
> list on this point:
>
> Marco has commented that the term "overwrite" used once in
> draft-ietf-ace-oauth-authz should not be interpreted literally and it is
> proposed to be replaced with "supersede". More details in issue #179 / PR
> #180.
>
> https://github.com/ace-wg/ace-oauth/issues/179
> https://github.com/ace-wg/ace-oauth/pull/180
>
> Unless there are any objections the PR will be merged soon.
>
> Göran
>
>
>
>
> ___
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
>


-- 
Daniel Migault
Ericsson
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace