[Ace] Re: AIF extending models vs. composite scopes

On Tue, Jul 02, 2024 at 02:10:17PM +0200, Christian Amsüss wrote: > 1. Wrap the AIF and some indicators for the extra data in some kind of >"bag" structure. With how tokens spanning groups was described in today's session, there might be overlap for these items: let

[Ace] AIF extending models vs. composite scopes

Hello AIF experts and ACE group, looking into AIF (in particular the REST-specific model) for use on embedded (RIOT OS based) systems, there are properties I'd like to express additional properties in a token, eg: a. "When responses are sent to a client authorized with this token, the server m

[Ace] Re: PoA based Device Registration (draft-vattaparambil-ace-wg-poa-device-reg): Support, suggestions

Hello Sree, On Fri, May 17, 2024 at 02:57:24PM +0200, sree lakshmi wrote: > In this draft, we have assumed a pre-established mutual authentication > step between the DO and the AS. We haven’t explained it in detail > because it is an assumption. The assumption I've been working on is that DO is e

[Ace] PoA based Device Registration (draft-vattaparambil-ace-wg-poa-device-reg): Support, suggestions

Hello Sreelakshmi, authors, ACE, I've read draft-vattaparambil-ace-wg-poa-device-reg-00 and think it provides a valuable contribution to ACE, especially if it grows to actually propose an interface to the client registration problem. I am not sure that the proposed solution has the ideal work flow

Re: [Ace] [Anima] Proposing document draft-amsuess-ace-brski-ace-00

Hi Carsten, On Sun, Jul 23, 2023 at 03:10:43PM +0200, Carsten Bormann wrote: > Whether anyone whose statements you are willing to base your > authorization on is willing to endorse the manufacturer’s claims is > one of the authorization questions hidden in attestation… As I understand there can a

Re: [Ace] Proposing document draft-amsuess-ace-brski-ace-00

Hello Michael, (Group(s): See especially PS at the bottom) thanks for your feedback, that's the very kind I was hoping for. On Wed, Jul 12, 2023 at 05:52:30PM -0400, Michael Richardson wrote: > IN section 1.1, without having given a picture of what you are doing > you start to say: > "The

Re: [Ace] Proposed document: draft-amsuess-t2trg-raytime-01

Hello Michael, On Wed, Jul 12, 2023 at 06:57:38PM -0400, Michael Richardson wrote: > I don't think this belongs in t2trg, but I don't object. > maybe it goes into ACE or IOTOPS. I'll appreciate if any of those wanted it; first people I've talked to about it pointed me to T2TRG. I'll try to get a

[Ace] Proposed document: draft-amsuess-t2trg-raytime-01

Hello T2TRG (because of its researchy character), hello ACE (because this is applied to your ecosystem), motivated by project requirements, I've written a draft[1] on how devices without reliable Internet connectivity (and thus time source) can deal with time limited tokens. > Abstract: >When

[Ace] Proposing document draft-amsuess-ace-brski-ace-00

Hello ACE and ANIMA groups, hello Ben, Michael and Russ, taking input from the "ANIMA and ACE, IDevID terminology" thread[1], where the discussion was lacking a concrete proposal, I've written up things at [2]. I'd appreciate the one or other pair of eyes, and feedback both on the direction and t

Re: [Ace] [Anima] ANIMA and ACE, IDevID terminology (was: Re: cBRSKI)

Hi Ben, On Mon, May 01, 2023 at 10:41:32PM -0700, Benjamin Kaduk wrote: > > * Does pinned-domain-pubk work also for COSE keys as used for signed > > CWTs? (If so, is there a key identifier to go with it?) > > COSE key identifiers ('kid') are not exactly what you would typically call > a "key id

[Ace] ANIMA and ACE, IDevID terminology (was: Re: cBRSKI)

Hi Michael, (CC'ing ACE list because what I think will be the larger part of the thread is hopefully relevant) > > there a generalization of the IEEE identifiers that also makes > > sense for constrained but more general-purpose-oriented devices, > > for which the ANIMA products can st

Re: [Ace] Call for adoption: draft-selander-ace-edhoc-oscore-profile-00

Hello group, On Mon, Sep 12, 2022 at 06:04:18PM +0200, Christian Amsüss wrote: > I've read this document and can review it in its working group phase. as I was asked off-list to clarify: I very much do support this document for adoption into this working group. BR c signature.asc Des

Re: [Ace] Call for adoption: draft-selander-ace-edhoc-oscore-profile-00

Hello chairs, group, On Mon, Sep 12, 2022 at 11:26:21AM -0400, Daniel Migault wrote: > This work stats a Call for adoption of the following document: > Ephemeral Diffie-Hellman Over COSE (EDHOC) and Object Security for > Constrained Environments (OSCORE) Profile for Authentication and > Authorizat

Re: [Ace] About securing last exchange CoAP-EAP

Hi, sorry for spreading this out over the sub-threads[1], just to get the pointers right and everything addressed: On Fri, Sep 03, 2021 at 08:32:59PM +0200, Rafa Marin-Lopez wrote: > 2) When the CoAP message contains the OSCORE ID that hits the OSCORE > context without any key material, we woul

Re: [Ace] About securing last exchange CoAP-EAP ( and EAP state machine - RFC 4137)

Hello Rafa, that's the mail I missed in our previous discussion -- and yes, it largely describes already just what I think can work, see comments below. On Sat, Sep 04, 2021 at 09:19:35PM +0200, Rafa Marin-Lopez wrote: > I think that is not possible because that would move the EAP peer > state ma

Re: [Ace] CoAP-EAP draft

Hello Dan & Rafa, On Fri, Sep 10, 2021 at 10:42:56AM +0200, Dan Garcia Carrillo wrote: > > * OSCORE ID derivation: > > > >    * Randomly assigned full-length ideas look like an odd choice. > > [...] > > > > Any chance something like that can still make it in? > > [Authors] Did not see

Re: [Ace] CoAP-EAP draft

Hello, (picking some easy targets to advance, not touching parallel or earlier discussion), On Fri, Sep 10, 2021 at 10:42:56AM +0200, Dan Garcia Carrillo wrote: > >     IoT device    Controller > >   ++    ++ > >   | EAP peer/  |   

Re: [Ace] About securing last exchange CoAP-EAP

Hello, On Sat, Aug 14, 2021 at 01:37:06PM +0200, Dan Garcia Carrillo wrote: > As such, CoAP server (left side) could not see the content of the CoAP > message (message 7) without deciphering it. Moreover, as the URI-path is > also ciphered we cannot point to the right application to process the >

Re: [Ace] CoAP-EAP draft

Hello CoAP-EAP authors and involved groups, (CC'ing core@ as this is a review on CoAP usage), I've read the -03 draft and accumulated a few comments; largely in sequence of occurrence. Over all, the protocol has improved a lot since I've last had my eyes on it. Several comments below are about h

Re: [Ace] Proposed charter for ACE (EAP over CoAP?)

Hello ACE, On Thu, Dec 03, 2020 at 01:20:08PM +, Daniel Migault wrote: > It seems ACE to me that ACE could be home for such a document. I am > wondering if emu core or any other WG believe there is a better place > for it. If nothing else, I'd be curious to see EAP-over-CoAP this sketched out

[Ace] oauth-authz: Introspection endpoint method

Hello ACE-OAuth authors, authors of revoked-token-notifcation, and ACE group in general, while trying to understand the necessity for revoked-token-notification, I was looking into the introspection parts of ACE (draft-ietf-ace-oauth-authz-35 Section 5.7.1) and was confused at the method used ther

Re: [Ace] OSCORE Profile status update and way forward

Hello Francesca, hello ACE group, On Mon, Sep 21, 2020 at 01:48:33PM +, Francesca Palombini wrote: > - clarified that Appendix B.2 of OSCORE can be used with this profile, > and what implementers need to think about if they do. I understand B.2 to be something that the involved parties need t

Re: [Ace] Assignment of OSCORE Sender and Recipient IDS - was RE: Review of draft-ietf-ace-oscore-profile

Hello John, Jim, and ACE in general, I agree with Jim that namespacing is the obvious solution to this problem; we've had a brief discussion in a WG meeting shared with OCF earlier this year. However, the namespacing of KIDs is a difficult matter[1] and moreover little understood so far. I'm unaw

[Ace] 4.01 Get A Token From There, discovery-/form-driven applications and tokens opaque to the client

Hello ACE, piecing together parts of the big picture of Resource Directory, CoRAL forms and ACE, I was wondering where in the whole story the client should tie its intention to the key material it uses to authorize an action. Take this -- admittedly contrived, but hopefully illustrative example:

Re: [Ace] Call for adoption draft-tiloca-ace-oscore-gm-admin (with some review items)

Hello ACE, I've read through draft-tiloca-ace-oscore-gm-admin. Its value is in that it fixes a gap in the set of current drafts on the topic: Without (something like) this, group deployment applications need application specific group managers, and as the GM is not trivial to implement, I'd expec