[Ace] Last Call: (EAP-based Authentication Service for CoAP) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:
- 'EAP-based Authentication Service for CoAP' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2024-09-19. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This document specifies an authentication service that uses the Extensible Authentication Protocol (EAP) transported employing Constrained Application Protocol (CoAP) messages. As such, it defines an EAP lower layer based on CoAP called CoAP-EAP. One of the main goals is to authenticate a CoAP-enabled IoT device (EAP peer) that intends to join a security domain managed by a Controller (EAP authenticator). Secondly, it allows deriving key material to protect CoAP messages exchanged between them based on Object Security for Constrained RESTful Environments (OSCORE), enabling the establishment of a security association between them.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-wg-coap-eap/

No IPR declarations have been submitted directly on this I-D.

___ Ace mailing list -- ace@ietf.org To unsubscribe send an email to ace-le...@ietf.org
[Ace] Last Call: (Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments (ACE) Framework) to Prop
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:
- 'Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments (ACE) Framework' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2024-04-05. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This document specifies a method of the Authentication and Authorization for Constrained Environments (ACE) framework, which allows an Authorization Server to notify Clients and Resource Servers (i.e., registered devices) about revoked access tokens. As specified in this document, the method allows Clients and Resource Servers to access a Token Revocation List on the Authorization Server by using the Constrained Application Protocol (CoAP), with the possible additional use of resource observation. Resulting (unsolicited) notifications of revoked access tokens complement alternative approaches such as token introspection, while not requiring additional endpoints on Clients and Resource Servers.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-revoked-token-notification/

No IPR declarations have been submitted directly on this I-D.

___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
[Ace] Protocol Action: 'Key Provisioning for Group Communication using ACE' to Proposed Standard (draft-ietf-ace-key-groupcomm-18.txt)
The IESG has approved the following document:
- 'Key Provisioning for Group Communication using ACE' (draft-ietf-ace-key-groupcomm-18.txt) as Proposed Standard

This document is the product of the Authentication and Authorization for Constrained Environments Working Group.

The IESG contact persons are Paul Wouters and Roman Danyliw.

A URL of this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-ace-key-groupcomm/

Technical Summary

This document defines how to use the Authentication and Authorization for Constrained Environments (ACE) framework to distribute keying material and configuration parameters for secure group communication. Candidate group members acting as Clients and authorized to join a group can do so by interacting with a Key Distribution Center (KDC) acting as Resource Server, from which they obtain the keying material to communicate with other group members. While defining general message formats as well as the interface and operations available at the KDC, this document supports different approaches and protocols for secure group communication. Therefore, details are delegated to separate application profiles of this document, as specialized instances that target a particular group communication approach and define how communications in the group are protected. Compliance requirements for such application profiles are also specified.

Working Group Summary

No controversies.

Document Quality

This draft in itself cannot be implemented. The API and message template formats that it defines have to be instantiated by its profiles (such as key-groupcomm-oscore), which can rather be implemented. The latter has been implemented in the Java ACE implementation for Californium: https://bitbucket.org/marco-tiloca-sics/ace-java/

Personnel

The Document Shepherd for this document is Daniel Migault. The Responsible Area Director is Paul Wouters.
[Ace] Last Call: (EAP-based Authentication Service for CoAP) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:
- 'EAP-based Authentication Service for CoAP' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2024-01-25. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This document specifies an authentication service that uses the Extensible Authentication Protocol (EAP) transported employing Constrained Application Protocol (CoAP) messages. As such, it defines an EAP lower layer based on CoAP called CoAP-EAP. One of the main goals is to authenticate a CoAP-enabled IoT device (EAP peer) that intends to join a security domain managed by a Controller (EAP authenticator). Secondly, it allows deriving key material to protect CoAP messages exchanged between them based on Object Security for Constrained RESTful Environments (OSCORE), enabling the establishment of a security association between them.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-wg-coap-eap/

No IPR declarations have been submitted directly on this I-D.
[Ace] Last Call: (Key Provisioning for Group Communication using ACE) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:
- 'Key Provisioning for Group Communication using ACE' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2023-10-20. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This document defines how to use the Authentication and Authorization for Constrained Environments (ACE) framework to distribute keying material and configuration parameters for secure group communication. Candidate group members acting as Clients and authorized to join a group can do so by interacting with a Key Distribution Center (KDC) acting as Resource Server, from which they obtain the keying material to communicate with other group members. While defining general message formats as well as the interface and operations available at the KDC, this document supports different approaches and protocols for secure group communication. Therefore, details are delegated to separate application profiles of this document, as specialized instances that target a particular group communication approach and define how communications in the group are protected. Compliance requirements for such application profiles are also specified.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-key-groupcomm/

No IPR declarations have been submitted directly on this I-D.

The document contains these normative downward references. See RFC 3967 for additional information:
- rfc7967: Constrained Application Protocol (CoAP) Option for No Server Response (Informational - Independent Submission)
- rfc9053: CBOR Object Signing and Encryption (COSE): Initial Algorithms (Informational - Internet Engineering Task Force (IETF))
[Ace] Protocol Action: 'CoAP Transfer for the Certificate Management Protocol' to Proposed Standard (draft-ietf-ace-cmpv2-coap-transport-10.txt)
The IESG has approved the following document:
- 'CoAP Transfer for the Certificate Management Protocol' (draft-ietf-ace-cmpv2-coap-transport-10.txt) as Proposed Standard

This document is the product of the Authentication and Authorization for Constrained Environments Working Group.

The IESG contact persons are Paul Wouters and Roman Danyliw.

A URL of this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-ace-cmpv2-coap-transport/

Technical Summary

This document specifies an authentication service that uses the Extensible Authentication Protocol (EAP) transported employing Constrained Application Protocol (CoAP) messages. As such, it defines an EAP lower layer based on CoAP called CoAP-EAP. One of the main goals is to authenticate a CoAP-enabled IoT device (EAP peer) that intends to join a security domain managed by a Controller (EAP authenticator). Secondly, it allows deriving key material to protect CoAP messages exchanged between them based on Object Security for Constrained RESTful Environments (OSCORE), enabling the establishment of a security association between them.

Working Group Summary

No issues, broad consensus.

Document Quality

No issues with the document. There is an open source implementation to support CMP over CoAP maintained by @David von Oheimb. The Shepherd believes these do not follow the draft exactly but are based on this draft.
https://github.com/siemens/LightweightCmpRa
https://github.com/siemens/embeddedCMP

Personnel

Document Shepherd: Loganaden Velvindron and Paul Wouters
Responsible Area Director: Paul Wouters

The IANA Expert(s) for the registries in this document are Klaus Hartke (primary), Carsten Bormann (secondary), Jaime Jimenez (secondary), Alexander Pelov (secondary), Hendrik Brockhaus, David von Oheimb, John Gray, Mark Nottingham
[Ace] Last Call: (CoAP Transfer for the Certificate Management Protocol) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:
- 'CoAP Transfer for the Certificate Management Protocol' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2023-04-14. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This document specifies the use of Constrained Application Protocol (CoAP) as a transfer mechanism for the Certificate Management Protocol (CMP). CMP defines the interaction between various PKI entities for the purpose of certificate creation and management. CoAP is an HTTP-like client-server protocol used by various constrained devices in the IoT space.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-cmpv2-coap-transport/

No IPR declarations have been submitted directly on this I-D.
[Ace] Last Call: (Extension of the CoAP-DTLS Profile for ACE to TLS) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:
- 'Extension of the CoAP-DTLS Profile for ACE to TLS' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2023-01-24. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This document updates the CoAP-DTLS profile for ACE described in RFC 9202 by specifying that the profile applies to TLS as well as DTLS.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-extend-dtls-authorize/

The following IPR Declarations may be related to this I-D:
https://datatracker.ietf.org/ipr/5576/
https://datatracker.ietf.org/ipr/5575/
[Ace] Last Call: (CoAP Transfer for the Certificate Management Protocol) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:
- 'CoAP Transfer for the Certificate Management Protocol' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2022-10-27. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This document specifies the use of Constrained Application Protocol (CoAP) as a transfer mechanism for the Certificate Management Protocol (CMP). CMP defines the interaction between various PKI entities for the purpose of certificate creation and management. CoAP is an HTTP-like client-server protocol used by various constrained devices in the IoT space.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-cmpv2-coap-transport/

No IPR declarations have been submitted directly on this I-D.
[Ace] Protocol Action: 'Message Queuing Telemetry Transport (MQTT)-TLS profile of Authentication and Authorization for Constrained Environments (ACE) Framework' to Proposed Standard (draft-ietf-ace-mq
The IESG has approved the following document:
- 'Message Queuing Telemetry Transport (MQTT)-TLS profile of Authentication and Authorization for Constrained Environments (ACE) Framework' (draft-ietf-ace-mqtt-tls-profile-17.txt) as Proposed Standard

This document is the product of the Authentication and Authorization for Constrained Environments Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-ace-mqtt-tls-profile/

Technical Summary

This document specifies a profile for the ACE (Authentication and Authorization for Constrained Environments) framework to enable authorization in a Message Queuing Telemetry Transport (MQTT)-based publish-subscribe messaging system. Proof-of-possession keys, bound to OAuth2.0 access tokens, are used to authenticate and authorize MQTT Clients. The protocol relies on TLS for confidentiality and MQTT server (broker) authentication.

Working Group Summary

This document had an uneventful journey through the WG, gathering feedback over multiple review cycles, with progress being driven by understanding and resolving potential issues and no major points of controversy.

Document Quality

There are at least two known implementations:
* An implementation using HiveMQ CE, a Java-based open source MQTT broker that fully supports MQTT 3.x and MQTT 5: https://github.com/michaelg9/HiveACEclient

The Media-Type registration was sent to the media-types list for review at https://mailarchive.ietf.org/arch/msg/media-types/85kGXBBKaWqIoCSU5k7GrE5FRWw/ though no comments were received.

Personnel

Daniel Migault is the Document Shepherd. Benjamin Kaduk is the Responsible AD.
[Ace] Protocol Action: 'An Authorization Information Format (AIF) for ACE' to Proposed Standard (draft-ietf-ace-aif-07.txt)
The IESG has approved the following document:
- 'An Authorization Information Format (AIF) for ACE' (draft-ietf-ace-aif-07.txt) as Proposed Standard

This document is the product of the Authentication and Authorization for Constrained Environments Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-ace-aif/

Technical Summary

This specification provides a generic information model and format for representing such authorization information (information about which entities are authorized to perform what operations), as well as two variants of a specific instantiation of that format for use with REST resources identified by URI path.

Working Group Summary

The WG was supportive of this work, which is already a normative dependency of a couple other documents.

Document Quality

The technical mechanisms in this document are fairly straightforward and have received ample review. It is deemed to be sufficiently well specified that other ACE documents (group-communication-related) are using it to convey their authorization information. A media type review request was posted just over a year ago for an earlier revision, https://mailarchive.ietf.org/arch/msg/media-types/sl2NFBvcaKtPH4LL7cCpTkwjy5E/ , which resulted in a (DE) reviewer saying it is mostly fine and just in need of correction in terms of a few details of the registration template.

Personnel

The Document Shepherd is Loganaden Velvindron. The Responsible Area Director is Benjamin Kaduk.
[Ace] Last Call: (Message Queuing Telemetry Transport (MQTT)-TLS profile of Authentication and Authorization for Constrained Environments (ACE) Framework) to P
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:
- 'Message Queuing Telemetry Transport (MQTT)-TLS profile of Authentication and Authorization for Constrained Environments (ACE) Framework' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2022-03-03. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This document specifies a profile for the ACE (Authentication and Authorization for Constrained Environments) framework to enable authorization in a Message Queuing Telemetry Transport (MQTT)-based publish-subscribe messaging system. Proof-of-possession keys, bound to OAuth2.0 access tokens, are used to authenticate and authorize MQTT Clients. The protocol relies on TLS for confidentiality and MQTT server (broker) authentication.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-mqtt-tls-profile/

No IPR declarations have been submitted directly on this I-D.
[Ace] Last Call: (An Authorization Information Format (AIF) for ACE) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:
- 'An Authorization Information Format (AIF) for ACE' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2022-02-28. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

Information about which entities are authorized to perform what operations on which constituents of other entities is a crucial component of producing an overall system that is secure. Conveying precise authorization information is especially critical in highly automated systems with large numbers of entities, such as the "Internet of Things". This specification provides a generic information model and format for representing such authorization information, as well as two variants of a specific instantiation of that format for use with REST resources identified by URI path.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-aif/

No IPR declarations have been submitted directly on this I-D.
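The AIF abstract above (and the Protocol Action for the same document earlier on this page) describe the format only in outline. The Python below is an added illustration of the REST instantiation; it is not code from the draft, from the IESG, or from any ACE implementation. What it takes from the published spec (RFC 9237) is the data model and the Tperm bit assignment: an AIF is a CBOR array of [Toid, Tperm] pairs, Toid is a URI path, and bit i of Tperm stands for the CoAP method with code i+1 (GET=1, POST=2, PUT=4, DELETE=8, FETCH=16, PATCH=32, iPATCH=64). Everything else is an assumption of the example: exact-match comparison of paths, the hand-rolled CBOR encoder and decoder (only the definite-length array, text string and unsigned integer items AIF-REST needs, written so that malformed input is rejected rather than silently accepted), and the constructed sample AIF. The dynamic variant's additional bits are not modelled.

```python
"""AIF-REST permissions: model, authorization check, and a strict minimal CBOR codec.

Added example; not code from draft-ietf-ace-aif or any ACE implementation.
"""
from enum import IntFlag


# Tperm bit positions as published in RFC 9237: bit i <=> CoAP method code i+1.
class Method(IntFlag):
    GET = 1 << 0      # CoAP code 1
    POST = 1 << 1     # CoAP code 2
    PUT = 1 << 2      # CoAP code 3
    DELETE = 1 << 3   # CoAP code 4
    FETCH = 1 << 4    # CoAP code 5
    PATCH = 1 << 5    # CoAP code 6
    iPATCH = 1 << 6   # CoAP code 7


# An AIF is a list of [Toid, Tperm] pairs; in AIF-REST, Toid is a URI path.
AIF = list[tuple[str, int]]


def permitted(aif: AIF, path: str, method: Method) -> bool:
    """True if `method` is allowed on `path`.

    Assumption: Toid is compared for exact equality (no prefix or template
    matching). Several entries for the same Toid are OR-ed together, so the
    whole array is evaluated rather than stopping at the first match.
    """
    perm = 0
    for toid, tperm in aif:
        if toid == path:
            perm |= tperm
    return bool(perm & method)


# --- minimal CBOR, covering only the item types AIF-REST uses ----------------

def _head(major: int, n: int) -> bytes:
    """Encode a CBOR data-item head for major type `major` with argument `n`."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("argument too large for CBOR")


def _read_head(buf: bytes, i: int) -> tuple[int, int, int]:
    """Decode the head at buf[i]; return (major, argument, index after head)."""
    if i >= len(buf):
        raise ValueError("truncated CBOR")
    major, info = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if info < 24:
        return major, info, i
    size = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if size is None or i + size > len(buf):
        raise ValueError("indefinite-length/reserved head or truncated argument")
    return major, int.from_bytes(buf[i:i + size], "big"), i + size


def encode_aif(aif: AIF) -> bytes:
    """Serialize an AIF as a CBOR array of [tstr Toid, uint Tperm] pairs."""
    out = bytearray(_head(4, len(aif)))
    for toid, tperm in aif:
        if not isinstance(toid, str) or int(tperm) < 0:
            raise ValueError("AIF-REST needs a text Toid and a non-negative Tperm")
        path = toid.encode("utf-8")
        out += _head(4, 2) + _head(3, len(path)) + path + _head(0, int(tperm))
    return bytes(out)


def decode_aif(data: bytes) -> AIF:
    """Parse a CBOR AIF strictly: wrong types, wrong nesting and trailing bytes are rejected."""
    major, count, i = _read_head(data, 0)
    if major != 4:
        raise ValueError("AIF must be a CBOR array")
    aif: AIF = []
    for _ in range(count):
        major, pair_len, i = _read_head(data, i)
        if major != 4 or pair_len != 2:
            raise ValueError("each AIF entry must be a two-element array")
        major, slen, i = _read_head(data, i)
        if major != 3 or i + slen > len(data):
            raise ValueError("Toid must be a complete text string")
        toid = data[i:i + slen].decode("utf-8")
        i += slen
        major, tperm, i = _read_head(data, i)
        if major != 0:
            raise ValueError("Tperm must be an unsigned integer")
        aif.append((toid, tperm))
    if i != len(data):
        raise ValueError("trailing bytes after AIF")
    return aif


# Constructed sample (not from the draft): read a sensor, read/set an LED, POST to /dtls.
SAMPLE_AIF: AIF = [
    ("/s/temp", int(Method.GET)),
    ("/a/led", int(Method.GET | Method.PUT)),
    ("/dtls", int(Method.POST)),
]

if __name__ == "__main__":
    wire = encode_aif(SAMPLE_AIF)
    print(wire.hex())
    assert decode_aif(wire) == SAMPLE_AIF
    print(permitted(SAMPLE_AIF, "/a/led", Method.PUT), permitted(SAMPLE_AIF, "/a/led", Method.DELETE))
```

The strict decoder matters more than the encoder on a constrained resource server: an AIF arrives inside an access token, so a parser that tolerates trailing bytes, nested arrays or a negative Tperm is a parser that can be fed a permission set its author never wrote.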
[Ace] Protocol Action: 'OSCORE Profile of the Authentication and Authorization for Constrained Environments Framework' to Proposed Standard (draft-ietf-ace-oscore-profile-19.txt)
The IESG has approved the following document:
- 'OSCORE Profile of the Authentication and Authorization for Constrained Environments Framework' (draft-ietf-ace-oscore-profile-19.txt) as Proposed Standard

This document is the product of the Authentication and Authorization for Constrained Environments Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-profile/

Technical Summary

The OAuth Authentication and Authorization for Constrained Devices provides a message format and framework for moving keys and tokens between authority servers, clients, and resource servers. This document provides a set of security services with OSCORE so that the communication and authorizations can be performed.

Working Group Summary

Once the CoRE document dealing with OSCORE was finalized there was only one issue of significance. That issue was how to deal with re-use of tokens in order to make sure that the same transport key was not going to be regenerated. This has been addressed.

Document Quality

The document has been fairly extensively vetted. There are at least two implementations of a version of the document prior to the WGLC being done.

Personnel

Jim Schaad was the document shepherd. Ben Kaduk is the responsible AD.

RFC Editor Note

This document uses the non-BCP-14 keyword "RECOMMENDS" in a handful of locations; please help rephrase them to use the "RECOMMENDED" keyword.
[Ace] Protocol Action: 'Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)' to Proposed Standard (draft-ietf-ace-dtls-authorize-18
The IESG has approved the following document:
- 'Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)' (draft-ietf-ace-dtls-authorize-18.txt) as Proposed Standard

This document is the product of the Authentication and Authorization for Constrained Environments Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-ace-dtls-authorize/

Technical Summary

The ACE WG has created a framework for constrained servers to do authentication and authorization using OAuth. This document provides the details for how to use DTLS as the security for protecting and authenticating the messages defined in the framework as well as the final client to resource server messages.

Working Group Summary

The document did not raise any issues during development. Most of the issues were focused on the framework document. Late-stage reviews revealed some issues that affected the framework and all profiles, and thus required changes in this document, but there was nothing particularly specific to this document.

Document Quality

At least two implementations of prior versions of this document exist. The process of doing these implementations and making sure that they were interoperable was influential in some of the content in the document.

Personnel

Jim Schaad was the document shepherd. Ben Kaduk is the responsible AD.
[Ace] Protocol Action: 'Additional OAuth Parameters for Authorization in Constrained Environments (ACE)' to Proposed Standard (draft-ietf-ace-oauth-params-15.txt)
The IESG has approved the following document:
- 'Additional OAuth Parameters for Authorization in Constrained Environments (ACE)' (draft-ietf-ace-oauth-params-15.txt) as Proposed Standard

This document is the product of the Authentication and Authorization for Constrained Environments Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-params/

Technical Summary

This specification defines new parameters for the OAuth 2.0 token and introspection endpoints. These parameters are targeted for use with the OAuth protocol adapted for constrained devices.

Working Group Summary

This document was created and modified in response to issues raised by the OAuth working group. They deal with a case which the ACE OAuth protocol does not currently support, but which may be introduced in OAuth. This document represents a consensus between the two groups.

Document Quality

There exist at least two implementations which are using these fields as part of the overall work. As noted above there was an issue with the OAuth working group but it has been resolved.

Personnel

Jim Schaad was the document shepherd. Ben Kaduk is the responsible AD.
[Ace] Protocol Action: 'Authentication and Authorization for Constrained Environments (ACE) using the OAuth 2.0 Framework (ACE-OAuth)' to Proposed Standard (draft-ietf-ace-oauth-authz-43.txt)
The IESG has approved the following document:
- 'Authentication and Authorization for Constrained Environments (ACE) using the OAuth 2.0 Framework (ACE-OAuth)' (draft-ietf-ace-oauth-authz-43.txt) as Proposed Standard

This document is the product of the Authentication and Authorization for Constrained Environments Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/

Technical Summary

This document describes a framework for the use of OAuth 2.0 in a constrained environment. The document is mainly targeted at the protocols defined for CoAP, but other protocols can be used as well. The framework defines the fields and semantics needed for doing authorization and authentication of a client.

Working Group Summary

The consensus on the document was generally very solid. There were some issues that arose between the ACE and OAuth working groups over a couple of issues. These issues appear to have been resolved. The WG remained fairly active at resolving issues that arose during reviews of other documents that provide "profiles" of this framework.

Document Quality

There have been at least four different groups who have announced an implementation at some level of the specification. While two of those implementations share a certain amount of common code, there are two implementations which have done interop tests at various times which do not share any code based on this document. The scope and issues of trying to deal with some of the OAuth 2.0 documents can be challenging at times. While it is believed that a good job has been done, there are some potential areas where different people might end up doing new things.

Personnel

Jim Schaad was the shepherd. Ben Kaduk is the responsible AD.
[Ace] WG Action: Rechartered Authentication and Authorization for Constrained Environments (ace)
The Authentication and Authorization for Constrained Environments (ace) WG in the Security Area of the IETF has been rechartered. For additional information, please contact the Area Directors or the WG Chairs.

Authentication and Authorization for Constrained Environments (ace)
---
Current status: Active WG
Chairs: Daniel Migault, Loganaden Velvindron
Assigned Area Director: Benjamin Kaduk
Security Area Directors: Benjamin Kaduk, Roman Danyliw
Mailing list: Address: ace@ietf.org
To subscribe: https://www.ietf.org/mailman/listinfo/ace
Archive: https://mailarchive.ietf.org/arch/browse/ace/
Group page: https://datatracker.ietf.org/group/ace/
Charter: https://datatracker.ietf.org/doc/charter-ietf-ace/

The Authentication and Authorization for Constrained Environments (ace) WG has defined a standardized solution framework for authentication and authorization to enable authorized access to resources identified by a URI and hosted on a resource server in constrained environments. The access to the resource is mediated by an authorization server, which is not considered to be constrained. Profiles of this framework for application to security protocols commonly used in constrained environments, including CoAP+DTLS and CoAP+OSCORE, have also been standardized.

The Working Group is charged with maintenance of the framework and existing profiles thereof, and may undertake work to specify profiles of the framework for additional secure communications protocols and for additional support services providing authorized access to crypto keys (that are not necessarily limited to constrained endpoints, though the focus remains on deployment in ecosystems with a substantial portion of constrained devices).

In addition to the ongoing maintenance work, the Working Group will extend the framework (originally designed to protect the exchange between single client and single RS) as needed for applicability to group communications. The initial focus will be on using (D)TLS and (Group) OSCORE as the underlying communication security protocols. The Working Group will standardize procedures for requesting and distributing group keying material using the ACE framework as well as appropriate management interfaces.

The Working Group will standardize a format for expressing authorization information for a given authenticated principal as received from an authorization manager.

The Working Group will examine how to use Constrained Application Protocol (CoAP) as a transport medium for certificate enrollment protocols, such as EST and CMPv2, as well as a transport for authentication protocols such as EAP (in coordination with the EMU WG), and standardize as needed.

Milestones:
Nov 2018 - Submit DTLS Profile for ACE to the IESG for publication as a proposed standard
Sep 2020 - WGLC for Group Communications
Jan 2021 - Adoption call for "CoAP Transport for CMPV2"
Feb 2021 - Adoption call of "EAP-based Authentication Service for CoAP"
Feb 2021 - Submission to the IESG of "OSCORE Profile of the Authentication and Authorization for Constrained Environments Framework"
Feb 2021 - Call for adoption of "Protecting EST Payloads with OSCORE"
Jun 2021 - Submission to IESG of "CoAP Transport for CMPV2" (if adopted)
Jul 2021 - Submission to the IESG of Pub-Sub Profile for Authentication and Authorization for Constrained Environments (ACE)
Jul 2021 - Submission to the IESG of "An Authorization Information Format (AIF) for ACE"
Jul 2021 - Submission to the IESG of "Key Provisioning for Group Communication using ACE"
Jul 2021 - Submission to the IESG of "Protecting EST Payloads with OSCORE"
Aug 2021 - Submission to the IESG of "EAP-based Authentication Service for CoAP"
Sep 2021 - Submission to the IESG of "Key Management for OSCORE Groups in ACE"
Dec 2021 - Submission to the IESG of "Admin Interface for the OSCORE Group Manager"
[Ace] WG Review: Authentication and Authorization for Constrained Environments (ace)
The Authentication and Authorization for Constrained Environments (ace) WG in the Security Area of the IETF is undergoing rechartering. The IESG has not made any determination yet. The following draft charter was submitted, and is provided for informational purposes only. Please send your comments to the IESG mailing list (i...@ietf.org) by 2021-02-07.

Authentication and Authorization for Constrained Environments (ace)
---
Current status: Active WG

Chairs:
  Daniel Migault

Assigned Area Director:
  Benjamin Kaduk

Security Area Directors:
  Benjamin Kaduk
  Roman Danyliw

Mailing list:
  Address: ace@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/ace
  Archive: https://mailarchive.ietf.org/arch/browse/ace/

Group page: https://datatracker.ietf.org/group/ace/

Charter: https://datatracker.ietf.org/doc/charter-ietf-ace/

The Authentication and Authorization for Constrained Environments (ace) WG has defined a standardized solution framework for authentication and authorization to enable authorized access to resources identified by a URI and hosted on a resource server in constrained environments. The access to the resource is mediated by an authorization server, which is not considered to be constrained. Profiles of this framework for application to security protocols commonly used in constrained environments, including CoAP+DTLS and CoAP+OSCORE, have also been standardized.

The Working Group is charged with maintenance of the framework and existing profiles thereof, and may undertake work to specify profiles of the framework for additional secure communications protocols and for additional support services providing authorized access to crypto keys (that are not necessarily limited to constrained endpoints, though the focus remains on deployment in ecosystems with a substantial portion of constrained devices).

In addition to the ongoing maintenance work, the Working Group will extend the framework (originally designed to protect the exchange between single client and single RS) as needed for applicability to group communications. The initial focus will be on using (D)TLS and (Group) OSCORE as the underlying communication security protocols. The Working Group will standardize procedures for requesting and distributing group keying material using the ACE framework as well as appropriate management interfaces.

The Working Group will standardize a format for expressing authorization information for a given authenticated principal as received from an authorization manager.

The Working Group will examine how to use Constrained Application Protocol (CoAP) as a transport medium for certificate enrollment protocols, such as EST and CMPv2, as well as a transport for authentication protocols such as EAP (in coordination with the EMU WG), and standardize as needed.

Milestones: TBD
[Ace] Last Call: (OSCORE profile of the Authentication and Authorization for Constrained Environments Framework) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:

- 'OSCORE profile of the Authentication and Authorization for Constrained Environments Framework' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2020-07-20. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This memo specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework. It utilizes Object Security for Constrained RESTful Environments (OSCORE) to provide communication security, server authentication, and proof-of-possession for a key owned by the client and bound to an OAuth 2.0 access token.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-profile/

No IPR declarations have been submitted directly on this I-D.
[Ace] Last Call: (Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:

- 'Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2020-07-20. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This specification defines a profile of the ACE framework that allows constrained servers to delegate client authentication and authorization. The protocol relies on DTLS version 1.2 for communication security between entities in a constrained network using either raw public keys or pre-shared keys. A resource-constrained server can use this protocol to delegate management of authorization information to a trusted host with less severe limitations regarding processing power and memory.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-dtls-authorize/

The following IPR Declarations may be related to this I-D:
  https://datatracker.ietf.org/ipr/3112/
[Ace] Protocol Action: 'EST over secure CoAP (EST-coaps)' to Proposed Standard (draft-ietf-ace-coap-est-18.txt)
The IESG has approved the following document:

- 'EST over secure CoAP (EST-coaps)' (draft-ietf-ace-coap-est-18.txt) as Proposed Standard

This document is the product of the Authentication and Authorization for Constrained Environments Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-ace-coap-est/

Technical Summary

Enrollment over Secure Transport [RFC 7030] provides a REST style interface for doing X.509 certificate enrollment as well as other operations to support the enrollments. This document provides a set of procedures to run this REST API using DTLS and CoAP rather than TLS and HTTP.

Working Group Summary

Following adoption of the document, progress in the WG was smooth. The major issues in terms of formatting and structure were worked out prior to WG adoption.

Document Quality

The document has been reviewed and is built directly on RFC 7030. Prior to the document going into last call, three different groups of implementers got together and had a series of virtual inter-op events. These led to several changes and clarifications in the document as problems were identified. The document mirrors EST in using the tls-unique value for channel binding, even though it is now preferred to use TLS exporters instead of tls-unique. The intent is that CoAP-EST will gain support for TLS exporters when it is defined for traditional EST, and that the ACE WG is not the correct place to do that work.

Personnel

The Document Shepherd is Jim Schaad. The responsible Area Director is Benjamin Kaduk.
[Ace] Last Call: (Additional OAuth Parameters for Authorization in Constrained Environments (ACE)) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:

- 'Additional OAuth Parameters for Authorization in Constrained Environments (ACE)' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2019-12-13. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This specification defines new parameters for the OAuth 2.0 token and introspection endpoints when used with the framework for authentication and authorization for constrained environments (ACE). These are used to express the proof-of-possession key the client wishes to use, the proof-of-possession key that the AS has selected, and the key the RS should use to authenticate to the client.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-params/

IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-params/ballot/

No IPR declarations have been submitted directly on this I-D.
[Ace] Last Call: (Authentication and Authorization for Constrained Environments (ACE) using the OAuth 2.0 Framework (ACE-OAuth)) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:

- 'Authentication and Authorization for Constrained Environments (ACE) using the OAuth 2.0 Framework (ACE-OAuth)' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-c...@ietf.org mailing lists by 2019-12-13. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This specification defines a framework for authentication and authorization in Internet of Things (IoT) environments called ACE-OAuth. The framework is based on a set of building blocks including OAuth 2.0 and CoAP, thus transforming a well-known and widely used authorization solution into a form suitable for IoT devices. Existing specifications are used where possible, but extensions are added and profiles are defined to better serve the IoT use cases.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/

IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/ballot/

The following IPR Declarations may be related to this I-D:
  https://datatracker.ietf.org/ipr/3123/

The document contains these normative downward references. See RFC 3967 for additional information:
  rfc4949: Internet Security Glossary, Version 2 (Informational - Independent Submission Editor stream)
[Ace] Protocol Action: 'Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)' to Proposed Standard (draft-ietf-ace-cwt-proof-of-possession-11.txt)
The IESG has approved the following document:

- 'Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)' (draft-ietf-ace-cwt-proof-of-possession-11.txt) as Proposed Standard

This document is the product of the Authentication and Authorization for Constrained Environments Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-ace-cwt-proof-of-possession/

Technical Summary

This document describes how to declare in a CBOR Web Token (CWT) that the presenter of the CWT possesses a particular proof-of-possession key. It is a functional equivalent to the proof-of-possession key semantics in JSON Web Tokens (JWTs) (RFC 7800) but using CBOR/CWT instead of JSON/JWT.

Working Group Summary

The WG has reached consensus to publish this protocol specification as a Proposed Standard so that it tracks the equivalent work with JWTs (RFC 7800). It has been subjected to review from the community of interest and the details have been tested through various CWT implementations.

Document Quality

This document went through the usual level of review for the WG. WGLC and AD evaluation revealed some issues to address with respect to clarity, but no major flaws were found.

Personnel

Roman Danyliw is the document shepherd. Benjamin Kaduk is the responsible AD.
[Ace] Last Call: (EST over secure CoAP (EST-coaps)) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:

- 'EST over secure CoAP (EST-coaps)' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the i...@ietf.org mailing lists by 2019-10-18. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

Enrollment over Secure Transport (EST) is used as a certificate provisioning protocol over HTTPS. Low-resource devices often use the lightweight Constrained Application Protocol (CoAP) for message exchanges. This document defines how to transport EST payloads over secure CoAP (EST-coaps), which allows constrained devices to use existing EST functionality for provisioning certificates.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-coap-est/

IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-ace-coap-est/ballot/

No IPR declarations have been submitted directly on this I-D.
[Ace] Last Call: (Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:

- 'Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the i...@ietf.org mailing lists by 2019-10-09. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

This specification describes how to declare in a CBOR Web Token (CWT) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as being the holder-of-key. This specification provides equivalent functionality to "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)" (RFC 7800) but using CBOR and CWTs rather than JSON and JWTs.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-cwt-proof-of-possession/

IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-ace-cwt-proof-of-possession/ballot/

No IPR declarations have been submitted directly on this I-D.
[Ace] Protocol Action: 'CBOR Web Token (CWT)' to Proposed Standard (draft-ietf-ace-cbor-web-token-14.txt)
The IESG has approved the following document:

- 'CBOR Web Token (CWT)' (draft-ietf-ace-cbor-web-token-14.txt) as Proposed Standard

This document is the product of the Authentication and Authorization for Constrained Environments Working Group.

The IESG contact persons are Kathleen Moriarty and Eric Rescorla.

A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-ace-cbor-web-token/

Technical Summary

CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.

Working Group Summary

The document was not controversial, and received a great deal of review from many participants. A first WGLC revealed a few issues that required enough changes that a second WGLC was made. The second WGLC attracted fewer comments, but the document is largely unchanged from the first WGLC, and we believe it to be in good shape.

Document Quality

There are multiple implementations of this document, and the examples have been validated by at least two implementations. This document is an important part of the ecosystem, with several specifications both inside and outside the IETF already referring to it. This document requests a new media type assignment from IANA that requires expert review; this request has already been sent to media-ty...@iana.org.

Personnel

Benjamin Kaduk is the document shepherd; Kathleen Moriarty is the responsible Area Director.

IANA Note

This document requests the creation of the CBOR Web Token (CWT) Claims registry and, depending on the values requested, they will be evaluated on a Standards Track Required, Specification Required, Expert Review, or Private Use basis [RFC8126] after a three-week review period on the cwt-reg-rev...@ietf.org mailing list, on the advice of one or more Designated Experts.

This document requests a new media type assignment from IANA that requires expert review; this request has already been sent to media-ty...@iana.org.

This document requests a new CoAP Content-Formats assignment from IANA with a suggested value in the "Expert Review" space; this request has not yet been sent to IANA for review.

This document requests a new CBOR Tag assignment from IANA; this value has already been assigned with this document as the reference.
[Ace] Last Call: (CBOR Web Token (CWT)) to Proposed Standard
The IESG has received a request from the Authentication and Authorization for Constrained Environments WG (ace) to consider the following document:

- 'CBOR Web Token (CWT)' as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the i...@ietf.org mailing lists by 2018-03-06. Exceptionally, comments may be sent to i...@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.

The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-ace-cbor-web-token/

IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-ace-cbor-web-token/ballot/

No IPR declarations have been submitted directly on this I-D.