| rfc9594v6.txt | rfc9594.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) F. Palombini | Internet Engineering Task Force (IETF) F. Palombini | |||
| Request for Comments: 9594 Ericsson AB | Request for Comments: 9594 Ericsson AB | |||
| Category: Standards Track M. Tiloca | Category: Standards Track M. Tiloca | |||
| ISSN: 2070-1721 RISE AB | ISSN: 2070-1721 RISE AB | |||
| August 2024 | September 2024 | |||
| Key Provisioning for Group Communication Using Authentication and | Key Provisioning for Group Communication Using Authentication and | |||
| Authorization for Constrained Environments (ACE) | Authorization for Constrained Environments (ACE) | |||
| Abstract | Abstract | |||
| This document defines how to use the Authentication and Authorization | This document defines how to use the Authentication and Authorization | |||
| for Constrained Environments (ACE) framework to distribute keying | for Constrained Environments (ACE) framework to distribute keying | |||
| material and configuration parameters for secure group communication. | material and configuration parameters for secure group communication. | |||
| Candidate group members that act as Clients and are authorized to | Candidate group members that act as Clients and are authorized to | |||
| skipping to change at line 646 | skipping to change at line 646 | |||
| scope_entries = AIF-Generic<gname, permissions> | scope_entries = AIF-Generic<gname, permissions> | |||
| scope = bstr .cbor scope_entries | scope = bstr .cbor scope_entries | |||
| Figure 4: Example of scope Using AIF | Figure 4: Example of scope Using AIF | |||
| gname = tstr | gname = tstr | |||
| role = tstr | role = tstr | |||
| scope_entry = [gname , ? ( role / [2* role] )] | scope_entry = [gname, ? ( role / [2* role] )] | |||
| scope_entries = [* scope_entry] | scope_entries = [* scope_entry] | |||
| scope = bstr .cbor scope_entries | scope = bstr .cbor scope_entries | |||
| Figure 5: Example of scope Using the Textual Format, with the | Figure 5: Example of scope Using the Textual Format, with the | |||
| Role Identifiers Encoded as Text Strings | Role Identifiers Encoded as Text Strings | |||
| 3.2. Authorization Response | 3.2. Authorization Response | |||
| skipping to change at line 3867 | skipping to change at line 3867 | |||
| * A Base IV is also included with the same size of the AEAD nonce | * A Base IV is also included with the same size of the AEAD nonce | |||
| considered by the encryption algorithm to use. | considered by the encryption algorithm to use. | |||
| First, the KDC computes a COSE_Encrypt0 object as follows. | First, the KDC computes a COSE_Encrypt0 object as follows. | |||
| * The encryption key to use is selected from the administrative | * The encryption key to use is selected from the administrative | |||
| keying material, as defined by the rekeying scheme used in the | keying material, as defined by the rekeying scheme used in the | |||
| group. | group. | |||
| * The plaintext is the actual data content of the present rekeying | * The plaintext is the actual data content of the current rekeying | |||
| message. | message. | |||
| * The Additional Authenticated Data (AAD) is empty unless otherwise | * The Additional Authenticated Data (AAD) is empty unless otherwise | |||
| specified by separate documents profiling the use of the group | specified by separate documents profiling the use of the group | |||
| rekeying scheme. | rekeying scheme. | |||
| * Since the KDC is the only sender of rekeying messages, the AEAD | * Since the KDC is the only sender of rekeying messages, the AEAD | |||
| nonce can be computed as follows, where NONCE_SIZE is the size in | nonce can be computed as follows, where NONCE_SIZE is the size in | |||
| bytes of the AEAD nonce. Separate documents profiling the use of | bytes of the AEAD nonce. Separate documents profiling the use of | |||
| the group rekeying scheme may define alternative ways to compute | the group rekeying scheme may define alternative ways to compute | |||
| skipping to change at line 3908 | skipping to change at line 3908 | |||
| encryption key, AEAD nonce). For example, this includes not using | encryption key, AEAD nonce). For example, this includes not using | |||
| the same encryption key from the administrative keying material | the same encryption key from the administrative keying material | |||
| more than 2^16 times during the same rekeying instance. | more than 2^16 times during the same rekeying instance. | |||
| * The protected header of the COSE_Encrypt0 object MUST include the | * The protected header of the COSE_Encrypt0 object MUST include the | |||
| following parameters. | following parameters. | |||
| - 'alg': specifying the used encryption algorithm. | - 'alg': specifying the used encryption algorithm. | |||
| - 'kid': specifying the identifier of the encryption key from the | - 'kid': specifying the identifier of the encryption key from the | |||
| administrative keying material used to protect the present | administrative keying material used to protect the current | |||
| rekeying message. | rekeying message. | |||
| * The unprotected header of the COSE_Encrypt0 object MUST include | * The unprotected header of the COSE_Encrypt0 object MUST include | |||
| the 'Partial IV' parameter with the value of the Partial IV | the 'Partial IV' parameter with the value of the Partial IV | |||
| computed above. | computed above. | |||
| In order to ensure source authentication, each rekeying message | In order to ensure source authentication, each rekeying message | |||
| protected with the administrative keying material MUST be signed by | protected with the administrative keying material MUST be signed by | |||
| the KDC. To this end, the KDC computes a countersignature of the | the KDC. To this end, the KDC computes a countersignature of the | |||
| COSE_Encrypt0 object, as described in Sections 3.2 and 3.3 of | COSE_Encrypt0 object, as described in Sections 3.2 and 3.3 of | |||
| skipping to change at line 4615 | skipping to change at line 4615 | |||
| Content Coding: - | Content Coding: - | |||
| ID: 261 | ID: 261 | |||
| Reference: RFC 9594 | Reference: RFC 9594 | |||
| 11.3. OAuth Parameters | 11.3. OAuth Parameters | |||
| IANA has registered the following entries in the "OAuth Parameters" | IANA has registered the following entries in the "OAuth Parameters" | |||
| registry, following the procedure specified in Section 11.2 of | registry, following the procedure specified in Section 11.2 of | |||
| [RFC6749]. | [RFC6749]. | |||
| Parameter name: sign_info | Name: sign_info | |||
| Parameter usage location: client-rs request, rs-client response | Parameter Usage Location: client-rs request, rs-client response | |||
| Change controller: IETF | Change Controller: IETF | |||
| Specification document(s): RFC 9594 | Reference: RFC 9594 | |||
| Parameter name: kdcchallenge | Name: kdcchallenge | |||
| Parameter usage location: rs-client response | Parameter Usage Location: rs-client response | |||
| Change controller: IETF | Change Controller: IETF | |||
| Specification document(s): RFC 9594 | Reference: RFC 9594 | |||
| 11.4. OAuth Parameters CBOR Mappings | 11.4. OAuth Parameters CBOR Mappings | |||
| IANA has registered the following entries in the "OAuth Parameters | IANA has registered the following entries in the "OAuth Parameters | |||
| CBOR Mappings" registry, following the procedure specified in | CBOR Mappings" registry, following the procedure specified in | |||
| Section 8.10 of [RFC9200]. | Section 8.10 of [RFC9200]. | |||
| Name: sign_info | Name: sign_info | |||
| CBOR Key: 45 | CBOR Key: 45 | |||
| Value Type: Null or array | Value Type: Null or array | |||
| Reference: RFC 9594 | Reference: RFC 9594 | |||
| Name: kdcchallenge | Name: kdcchallenge | |||
| CBOR Key: 46 | CBOR Key: 46 | |||
| Value Type: byte string | Value Type: byte string | |||
| Reference: RFC 9594 | Reference: RFC 9594 | |||
| 11.5. Interface Description (if=) Link Target Attribute Values | 11.5. Interface Description (if=) Link Target Attribute Values | |||
| IANA has registered the following entry in the "Interface Description | IANA has registered the following entry in the "Interface Description | |||
| (if=) Link Target Attribute Values" registry within the "CoRE | (if=) Link Target Attribute Values" registry within the "Constrained | |||
| Parameters" registry group. | RESTful Environments (CoRE) Parameters" registry group. | |||
| Value: ace.groups | Value: ace.groups | |||
| Description: The KDC interface at the parent resource of group- | Description: The KDC interface at the parent resource of group- | |||
| membership resources is used to retrieve names of security groups | membership resources is used to retrieve names of security groups | |||
| using the ACE framework. | using the ACE framework. | |||
| Reference: Section 4.1 of RFC 9594 | Reference: Section 4.1 of RFC 9594 | |||
| Value: ace.group | Value: ace.group | |||
| Description: The KDC interface at a group-membership resource is | Description: The KDC interface at a group-membership resource is | |||
| used to provision keying material and related information and | used to provision keying material and related information and | |||
| policies to members of the corresponding security group using the | policies to members of the corresponding security group using the | |||
| ACE framework. | ACE framework. | |||
| Reference: Section 4.1 of RFC 9594 | Reference: Section 4.1 of RFC 9594 | |||
| 11.6. Custom Problem Detail Keys Registry | 11.6. Custom Problem Detail Keys Registry | |||
| IANA has registered the following entry in the "Custom Problem Detail | IANA has registered the following entry in the "Custom Problem Detail | |||
| Keys" registry within the "CoRE Parameters" registry group. | Keys" registry within the "Constrained RESTful Environments (CoRE) | |||
| Parameters" registry group. | ||||
| Key Value: 0 | Key Value: 0 | |||
| Name: ace-groupcomm-error | Name: ace-groupcomm-error | |||
| Brief Description: Carry RFC 9594 problem details in a Concise | Brief Description: Carry RFC 9594 problem details in a Concise | |||
| Problem Details data item. | Problem Details data item. | |||
| Change Controller: IETF | Change Controller: IETF | |||
| Reference: RFC 9594, Section 4.1.2 | Reference: RFC 9594, Section 4.1.2 | |||
| 11.7. ACE Groupcomm Parameters | 11.7. ACE Groupcomm Parameters | |||
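| Review bot: the relabelling of the four OAuth Parameters fields in 11.3 from 'Parameter name' / 'Parameter usage location' / 'Change controller' / 'Specification document(s)' to 'Name' / 'Parameter Usage Location' / 'Change Controller' / 'Reference' is a style change that makes 11.3 consistent with the 'Name' and 'Reference' labels already used in 11.4 and 11.6, but it departs from the template wording of the RFC 6749 Section 11.2 procedure cited just above it; if the intent is to mirror the registry's own column headings rather than the template, a brief note to that effect in the editor's instructions would keep a later revision from reverting it. The expansion of 'CoRE' to 'Constrained RESTful Environments (CoRE)' is applied to both registry group names in 11.5 and 11.6, so no inconsistency remains there. | | |||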
| skipping to change at line 5093 | skipping to change at line 5094 | |||
| Dijk, E., Wang, C., and M. Tiloca, "Group Communication | Dijk, E., Wang, C., and M. Tiloca, "Group Communication | |||
| for the Constrained Application Protocol (CoAP)", Work in | for the Constrained Application Protocol (CoAP)", Work in | |||
| Progress, Internet-Draft, draft-ietf-core-groupcomm-bis- | Progress, Internet-Draft, draft-ietf-core-groupcomm-bis- | |||
| 11, 24 April 2024, <https://datatracker.ietf.org/doc/html/ | 11, 24 April 2024, <https://datatracker.ietf.org/doc/html/ | |||
| draft-ietf-core-groupcomm-bis-11>. | draft-ietf-core-groupcomm-bis-11>. | |||
| [GROUP-OSCORE] | [GROUP-OSCORE] | |||
| Tiloca, M., Selander, G., Palombini, F., Preuß Mattsson, | Tiloca, M., Selander, G., Palombini, F., Preuß Mattsson, | |||
| J., and R. Höglund, "Group Object Security for Constrained | J., and R. Höglund, "Group Object Security for Constrained | |||
| RESTful Environments (Group OSCORE)", Work in Progress, | RESTful Environments (Group OSCORE)", Work in Progress, | |||
| Internet-Draft, draft-ietf-core-oscore-groupcomm-21, 4 | Internet-Draft, draft-ietf-core-oscore-groupcomm-22, 28 | |||
| March 2024, <https://datatracker.ietf.org/doc/html/draft- | August 2024, <https://datatracker.ietf.org/doc/html/draft- | |||
| ietf-core-oscore-groupcomm-21>. | ietf-core-oscore-groupcomm-21>. | |||
| [OSCORE-DISCOVERY] | [OSCORE-DISCOVERY] | |||
| Tiloca, M., Amsüss, C., and P. Van der Stok, "Discovery of | Tiloca, M., Amsüss, C., and P. Van der Stok, "Discovery of | |||
| OSCORE Groups with the CoRE Resource Directory", Work in | OSCORE Groups with the CoRE Resource Directory", Work in | |||
| Progress, Internet-Draft, draft-tiloca-core-oscore- | Progress, Internet-Draft, draft-tiloca-core-oscore- | |||
| discovery-15, 4 March 2024, | discovery-16, 4 September 2024, | |||
| <https://datatracker.ietf.org/doc/html/draft-tiloca-core- | <https://datatracker.ietf.org/doc/html/draft-tiloca-core- | |||
| oscore-discovery-15>. | oscore-discovery-16>. | |||
| [RFC2093] Harney, H. and C. Muckenhirn, "Group Key Management | [RFC2093] Harney, H. and C. Muckenhirn, "Group Key Management | |||
| Protocol (GKMP) Specification", RFC 2093, | Protocol (GKMP) Specification", RFC 2093, | |||
| DOI 10.17487/RFC2093, July 1997, | DOI 10.17487/RFC2093, July 1997, | |||
| <https://www.rfc-editor.org/info/rfc2093>. | <https://www.rfc-editor.org/info/rfc2093>. | |||
| [RFC2094] Harney, H. and C. Muckenhirn, "Group Key Management | [RFC2094] Harney, H. and C. Muckenhirn, "Group Key Management | |||
| Protocol (GKMP) Architecture", RFC 2094, | Protocol (GKMP) Architecture", RFC 2094, | |||
| DOI 10.17487/RFC2094, July 1997, | DOI 10.17487/RFC2094, July 1997, | |||
| <https://www.rfc-editor.org/info/rfc2094>. | <https://www.rfc-editor.org/info/rfc2094>. | |||
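| Review bot: in the [GROUP-OSCORE] entry the draft name and date are updated to draft-ietf-core-oscore-groupcomm-22, 28 August 2024, but the URL on the following line still ends in draft-ietf-core-oscore-groupcomm-21, so the reference now names one revision and links to another; update the URL to match the -22 draft name. The [OSCORE-DISCOVERY] entry below is a good model, since both its draft name and its URL move together to -16. | | |||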
| skipping to change at line 5202 | skipping to change at line 5203 | |||
| REQ1: Specify the format and encoding of scope. This includes | REQ1: Specify the format and encoding of scope. This includes | |||
| defining the set of possible roles and their identifiers, as | defining the set of possible roles and their identifiers, as | |||
| well as the corresponding encoding to use in the scope | well as the corresponding encoding to use in the scope | |||
| entries according to the used scope format (see Section 3.1). | entries according to the used scope format (see Section 3.1). | |||
| REQ2: If scope uses AIF, register its specific instance of "Toid" | REQ2: If scope uses AIF, register its specific instance of "Toid" | |||
| and "Tperm" as media type parameters and a corresponding | and "Tperm" as media type parameters and a corresponding | |||
| Content-Format, as per the guidelines in [RFC9237]. | Content-Format, as per the guidelines in [RFC9237]. | |||
| REQ3: If used, specify the acceptable values for the 'sign_alg' | REQ3: If used, specify the acceptable values for the 'sign_alg' | |||
| parameter (see Section 3.3). | parameter (see Section 3.3.1). | |||
| REQ4: If used, specify the acceptable values and structure for the | REQ4: If used, specify the acceptable values and structure for the | |||
| 'sign_parameters' parameter (see Section 3.3). | 'sign_parameters' parameter (see Section 3.3.1). | |||
| REQ5: If used, specify the acceptable values and structure for the | REQ5: If used, specify the acceptable values and structure for the | |||
| 'sign_key_parameters' parameter (see Section 3.3). | 'sign_key_parameters' parameter (see Section 3.3.1). | |||
| REQ6: Specify the acceptable formats for authentication credentials | REQ6: Specify the acceptable formats for authentication credentials | |||
| and, if applicable, the acceptable values for the 'cred_fmt' | and, if applicable, the acceptable values for the 'cred_fmt' | |||
| parameter (see Section 3.3). | parameter (see Section 3.3.1). | |||
| REQ7: If the value of the GROUPNAME URI path and the group name in | REQ7: If the value of the GROUPNAME URI path and the group name in | |||
| the access token scope ('gname' in Section 3.1) are not | the access token scope ('gname' in Section 3.1) are not | |||
| required to coincide, specify the mechanism to map the | required to coincide, specify the mechanism to map the | |||
| GROUPNAME value in the URI to the group name (see | GROUPNAME value in the URI to the group name (see | |||
| Section 4.1). | Section 4.1). | |||
| REQ8: Define whether the KDC has an authentication credential as | REQ8: Define whether the KDC has an authentication credential as | |||
| required for the correct group operation and if this has to | required for the correct group operation and if this has to | |||
| be provided through the 'kdc_cred' parameter (see | be provided through the 'kdc_cred' parameter (see Sections | |||
| Section 4.3.1). | 4.1 and 4.3.1). | |||
| REQ9: Specify if any part of the KDC interface as defined in this | REQ9: Specify if any part of the KDC interface as defined in this | |||
| document is not supported by the KDC (see Section 4.1). | document is not supported by the KDC (see Section 4.1). | |||
| REQ10: Register a Resource Type for the group-membership resources, | REQ10: Register a Resource Type for the group-membership resources, | |||
| which is used to discover the correct URL for sending a Join | which is used to discover the correct URL for sending a Join | |||
| Request to the KDC (see Section 4.1). | Request to the KDC (see Section 4.1). | |||
| REQ11: Define what specific actions (e.g., CoAP methods) are allowed | REQ11: Define what specific actions (e.g., CoAP methods) are allowed | |||
| on each resource that are accessible through the KDC | on each resource that are accessible through the KDC | |||
| skipping to change at line 5431 | skipping to change at line 5432 | |||
| In particular, each 'sign_capab' array has the same format and | In particular, each 'sign_capab' array has the same format and | |||
| value of the COSE capabilities array for the algorithm capability | value of the COSE capabilities array for the algorithm capability | |||
| specified in 'sign_parameters'[i]. | specified in 'sign_parameters'[i]. | |||
| Such a COSE capabilities array is currently defined for the | Such a COSE capabilities array is currently defined for the | |||
| algorithm capability COSE key type in the "Capabilities" column of | algorithm capability COSE key type in the "Capabilities" column of | |||
| the "COSE Key Types" registry [COSE.Key.Types]. | the "COSE Key Types" registry [COSE.Key.Types]. | |||
| sign_info_entry = | sign_info_entry = | |||
| [ | [ | |||
| id : gname / [ + gname ], | id : gname / [+ gname], | |||
| sign_alg : int / tstr, | sign_alg : int / tstr, | |||
| sign_parameters : [ * alg_capab : any ], | sign_parameters : [* alg_capab : any], | |||
| * sign_capab : [ * capab : any ], | * sign_capab : [* capab : any], | |||
| cred_fmt : int / null | cred_fmt : int / null | |||
| ] | ] | |||
| gname = tstr | gname = tstr | |||
| Figure 38: 'sign_info_entry' with a General Format | Figure 38: 'sign_info_entry' with a General Format | |||
| Acknowledgments | Acknowledgments | |||
| The following individuals were helpful in shaping this document: | The following individuals were helpful in shaping this document: | |||
| End of changes. 18 change blocks. | ||||
| 28 lines changed or deleted | 29 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||