rfc9668.original.xml | rfc9668.xml | |||
---|---|---|---|---|
<?xml version='1.0' encoding='utf-8'?> | <?xml version='1.0' encoding='UTF-8'?> | |||
<!DOCTYPE rfc [ | <!DOCTYPE rfc [ | |||
<!ENTITY nbsp " "> | <!ENTITY nbsp " "> | |||
<!ENTITY zwsp "​"> | <!ENTITY zwsp "​"> | |||
<!ENTITY nbhy "‑"> | <!ENTITY nbhy "‑"> | |||
<!ENTITY wj "⁠"> | <!ENTITY wj "⁠"> | |||
]> | ]> | |||
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> | ||||
<!-- generated by https://github.com/cabo/kramdown-rfc version (Ruby 3.1.2) --> | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft | |||
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft | -ietf-core-oscore-edhoc-11" number="9668" updates="" obsoletes="" category="std" | |||
-ietf-core-oscore-edhoc-11" category="std" consensus="true" submissionType="IETF | consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRef | |||
" tocInclude="true" sortRefs="true" symRefs="true" version="3"> | s="true" version="3" xml:lang="en"> | |||
<!-- xml2rfc v2v3 conversion 3.18.0 --> | ||||
<front> | <front> | |||
<title abbrev="Using EDHOC with CoAP and OSCORE">Using Ephemeral Diffie-Hell man Over COSE (EDHOC) with the Constrained Application Protocol (CoAP) and Objec t Security for Constrained RESTful Environments (OSCORE)</title> | <title abbrev="Using EDHOC with CoAP and OSCORE">Using Ephemeral Diffie-Hell man Over COSE (EDHOC) with the Constrained Application Protocol (CoAP) and Objec t Security for Constrained RESTful Environments (OSCORE)</title> | |||
<seriesInfo name="Internet-Draft" value="draft-ietf-core-oscore-edhoc-11"/> | <seriesInfo name="RFC" value="9668"/> | |||
<author initials="F." surname="Palombini" fullname="Francesca Palombini"> | <author initials="F." surname="Palombini" fullname="Francesca Palombini"> | |||
<organization>Ericsson</organization> | <organization>Ericsson AB</organization> | |||
<address> | <address> | |||
<postal> | ||||
<street>Torshamnsgatan 23</street> | ||||
<city>Kista</city> | ||||
<code>164 40</code> | ||||
<country>Sweden</country> | ||||
</postal> | ||||
<email>francesca.palombini@ericsson.com</email> | <email>francesca.palombini@ericsson.com</email> | |||
</address> | </address> | |||
</author> | </author> | |||
<author initials="M." surname="Tiloca" fullname="Marco Tiloca"> | <author initials="M." surname="Tiloca" fullname="Marco Tiloca"> | |||
<organization>RISE AB</organization> | <organization>RISE AB</organization> | |||
<address> | <address> | |||
<postal> | <postal> | |||
<street>Isafjordsgatan 22</street> | <street>Isafjordsgatan 22</street> | |||
<city>Kista</city> | <city>Kista</city> | |||
<code>16440 Stockholm</code> | <code>164 40</code> | |||
<country>Sweden</country> | <country>Sweden</country> | |||
</postal> | </postal> | |||
<email>marco.tiloca@ri.se</email> | <email>marco.tiloca@ri.se</email> | |||
</address> | </address> | |||
</author> | </author> | |||
<author initials="R." surname="Höglund" fullname="Rikard Höglund"> | <author initials="R." surname="Höglund" fullname="Rikard Höglund"> | |||
<organization>RISE AB</organization> | <organization>RISE AB</organization> | |||
<address> | <address> | |||
<postal> | <postal> | |||
<street>Isafjordsgatan 22</street> | <street>Isafjordsgatan 22</street> | |||
<city>Kista</city> | <city>Kista</city> | |||
<code>16440 Stockholm</code> | <code>164 40</code> | |||
<country>Sweden</country> | <country>Sweden</country> | |||
</postal> | </postal> | |||
<email>rikard.hoglund@ri.se</email> | <email>rikard.hoglund@ri.se</email> | |||
</address> | </address> | |||
</author> | </author> | |||
<author initials="S." surname="Hristozov" fullname="Stefan Hristozov"> | <author initials="S." surname="Hristozov" fullname="Stefan Hristozov"> | |||
<organization>Fraunhofer AISEC</organization> | <organization>Eriptic</organization> | |||
<address> | <address> | |||
<email>stefan.hristozov@eriptic.com</email> | <email>stefan.hristozov@eriptic.com</email> | |||
</address> | </address> | |||
</author> | </author> | |||
<author initials="G." surname="Selander" fullname="Göran Selander"> | <author initials="G." surname="Selander" fullname="Göran Selander"> | |||
<organization>Ericsson</organization> | <organization>Ericsson</organization> | |||
<address> | <address> | |||
<email>goran.selander@ericsson.com</email> | <email>goran.selander@ericsson.com</email> | |||
</address> | </address> | |||
</author> | </author> | |||
<date year="2024" month="April" day="09"/> | <date year="2024" month="November"/> | |||
<area>Internet</area> | <area>WIT</area> | |||
<workgroup>CoRE Working Group</workgroup> | <workgroup>core</workgroup> | |||
<keyword>Internet-Draft</keyword> | <keyword>Security</keyword> | |||
<keyword>Key agreement; Secure communication</keyword> | ||||
<keyword>Constrained enviornments</keyword> | ||||
<keyword>AKE</keyword> | ||||
<keyword>lightweight authenticated key exchange</keyword> | ||||
<keyword>IoT security</keyword> | ||||
<abstract> | <abstract> | |||
<t>The lightweight authenticated key exchange protocol Ephemeral Diffie-He llman Over COSE (EDHOC) can be run over the Constrained Application Protocol (Co AP) and used by two peers to establish a Security Context for the security proto col Object Security for Constrained RESTful Environments (OSCORE). This document details this use of the EDHOC protocol, by specifying a number of additional an d optional mechanisms. These especially include an optimization approach for com bining the execution of EDHOC with the first OSCORE transaction. This combinatio n reduces the number of round trips required to set up an OSCORE Security Contex t and to complete an OSCORE transaction using that Security Context.</t> | <t>The lightweight authenticated key exchange protocol Ephemeral Diffie-He llman Over COSE (EDHOC) can be run over the Constrained Application Protocol (Co AP) and used by two peers to establish a Security Context for the security proto col Object Security for Constrained RESTful Environments (OSCORE). This document details this use of the EDHOC protocol by specifying a number of additional and optional mechanisms, including an optimization approach for combining the execu tion of EDHOC with the first OSCORE transaction. This combination reduces the nu mber of round trips required to set up an OSCORE Security Context and to complet e an OSCORE transaction using that Security Context.</t> | |||
</abstract> | </abstract> | |||
<note removeInRFC="true"> | ||||
<name>Discussion Venues</name> | ||||
<t>Discussion of this document takes place on the | ||||
Constrained RESTful Environments Working Group mailing list (core@ietf.org), | ||||
which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/co | ||||
re/"/>.</t> | ||||
<t>Source for this draft and an issue tracker can be found at | ||||
<eref target="https://github.com/core-wg/oscore-edhoc"/>.</t> | ||||
</note> | ||||
</front> | </front> | |||
<middle> | <middle> | |||
<section anchor="introduction"> | <section anchor="introduction"> | |||
<name>Introduction</name> | <name>Introduction</name> | |||
<t>Ephemeral Diffie-Hellman Over COSE (EDHOC) <xref target="RFC9528"/> is | <t>Ephemeral Diffie-Hellman Over COSE (EDHOC) <xref target="RFC9528"/> is | |||
a lightweight authenticated key exchange protocol, especially intended for use i | a lightweight authenticated key exchange protocol that is specifically intended | |||
n constrained scenarios. In particular, EDHOC messages can be transported over t | for use in constrained scenarios. In particular, EDHOC messages can be transport | |||
he Constrained Application Protocol (CoAP) <xref target="RFC7252"/> and used for | ed over the Constrained Application Protocol (CoAP) <xref target="RFC7252"/> and | |||
establishing a Security Context for Object Security for Constrained RESTful Env | used for establishing a Security Context for Object Security for Constrained RE | |||
ironments (OSCORE) <xref target="RFC8613"/>.</t> | STful Environments (OSCORE) <xref target="RFC8613"/>.</t> | |||
<t>This document details the use of the EDHOC protocol with CoAP and OSCOR | <t>This document details the use of the EDHOC protocol with CoAP and OSCOR | |||
E, and specifies a number of additional and optional mechanisms. These especiall | E and specifies a number of additional and optional mechanisms. These include an | |||
y include an optimization approach that combines the EDHOC execution with the fi | optimization approach that combines the EDHOC execution with the first OSCORE t | |||
rst OSCORE transaction (see <xref target="edhoc-in-oscore"/>). This allows for a | ransaction (see <xref target="edhoc-in-oscore"/>). This allows for a minimum num | |||
minimum number of two round trips necessary to setup the OSCORE Security Contex | ber of two round trips necessary to set up the OSCORE Security Context and compl | |||
t and complete an OSCORE transaction, e.g., when an IoT device gets configured i | ete an OSCORE transaction, e.g., when an Internet of Things (IoT) device gets co | |||
n a network for the first time.</t> | nfigured in a network for the first time.</t> | |||
<t>This optimization is desirable, since the number of message exchanges c | <t>This optimization is desirable since the number of message exchanges ca | |||
an have a substantial impact on the latency of conveying the first OSCORE reques | n have a substantial impact on the latency of conveying the first OSCORE request | |||
t, when using certain radio technologies.</t> | when using certain radio technologies.</t> | |||
<t>Without this optimization, it is not possible to achieve the minimum nu | <t>Without this optimization, it is not possible to achieve the minimum nu | |||
mber of two round trips. This optimization makes it possible, since the message_ | mber of two round trips. This optimization makes it possible since the message_3 | |||
3 of the EDHOC protocol can be made relatively small (see <xref section="1.2" se | of the EDHOC protocol can be made relatively small (see <xref section="1.2" sec | |||
ctionFormat="of" target="RFC9528"/>), thus allowing additional OSCORE-protected | tionFormat="of" target="RFC9528"/>), thus allowing additional OSCORE-protected C | |||
CoAP data within target MTU sizes.</t> | oAP data within target MTU sizes.</t> | |||
<t>The minimum number of two round trips can be achieved only if the defau | ||||
lt, forward message flow of EDHOC is used, i.e., when a CoAP client acts as EDHO | <t>The minimum number of two round trips can be achieved only if the default for | |||
C Initiator and a CoAP server acts as EDHOC Responder. The performance advantage | ward message flow of EDHOC is used, i.e., when a CoAP client acts as EDHOC Initi | |||
of using this optimization can be lost when used in combination with Block-wise | ator and a CoAP server acts as EDHOC Responder. The performance advantage of usi | |||
transfers <xref target="RFC7959"/> that rely on specific parameter values and b | ng this optimization can be lost when used in combination with Block-wise transf | |||
lock sizes.</t> | ers <xref target="RFC7959"/> that rely on specific parameter values and block si | |||
<t>Furthermore, this document defines a number of parameters corresponding | zes.</t> | |||
to different information elements of an EDHOC application profile (see <xref ta | <t>Furthermore, this document defines a number of parameters corresponding to | |||
rget="web-linking"/>). These can be specified as target attributes in the link t | different information elements of an EDHOC application profile (see <xref target | |||
o an EDHOC resource associated with that application profile, thus enabling an e | ="web-linking"/>). These parameters can be specified as target attributes in the | |||
nhanced discovery of such a resource for CoAP clients.</t> | link to an | |||
EDHOC resource associated with that application profile, thus enabling an | ||||
enhanced discovery of such a resource for CoAP clients. | ||||
</t> | ||||
<section anchor="terminology"> | <section anchor="terminology"> | |||
<name>Terminology</name> | <name>Terminology</name> | |||
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp | <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", | |||
14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL | "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL | |||
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECO | NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", | |||
MMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | |||
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be i | "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document | |||
nterpreted as | are to be interpreted as described in BCP 14 <xref target="RFC2119"/> | |||
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and | <xref target="RFC8174"/> when, and only when, they appear in all | |||
only when, they | capitals, as shown here.</t> | |||
appear in all capitals, as shown here.</t> | <t>The reader is expected to be familiar with terms and concepts defined | |||
<t>The reader is expected to be familiar with terms and concepts defined | in CoAP <xref target="RFC7252"/>, Concise Binary Object Representation (CBOR) < | |||
in CoAP <xref target="RFC7252"/>, CBOR <xref target="RFC8949"/>, OSCORE <xref t | xref target="RFC8949"/>, OSCORE <xref target="RFC8613"/>, and EDHOC <xref target | |||
arget="RFC8613"/>, and EDHOC <xref target="RFC9528"/>.</t> | ="RFC9528"/>.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="overview"> | <section anchor="overview"> | |||
<name>EDHOC Overview</name> | <name>EDHOC Overview</name> | |||
<t>This section is not normative and summarizes what is specified in <xref | <t>This section is not normative and summarizes what is specified in <xref | |||
target="RFC9528"/>, in particular its Appendix A.2. Thus, it provides a baselin | target="RFC9528"/> (specifically <xref target="RFC9528" sectionFormat="of" sect | |||
e for the enhancements in the subsequent sections.</t> | ion="A.2"></xref>). Thus, it provides a baseline for the enhancements in the sub | |||
<t>The EDHOC protocol specified in <xref target="RFC9528"/> allows two pee | sequent sections.</t> | |||
rs to agree on a cryptographic secret, in a mutually-authenticated way and by us | <t>The EDHOC protocol specified in <xref target="RFC9528"/> allows two pee | |||
ing Diffie-Hellman ephemeral keys to achieve forward secrecy. The two peers are | rs to agree on a cryptographic secret in a mutually-authenticated way and achiev | |||
denoted as Initiator and Responder, as the one sending or receiving the initial | es forward secrecy by using Diffie-Hellman ephemeral keys. The two peers are den | |||
EDHOC message_1, respectively.</t> | oted as the "Initiator" and "Responder", as the one sending or receiving the ini | |||
<t>After successful processing of EDHOC message_3, both peers agree on a c | tial EDHOC message_1, respectively.</t> | |||
ryptographic secret that can be used to derive further security material, and es | <t>After successful processing of EDHOC message_3, both peers agree on a c | |||
pecially to establish an OSCORE Security Context <xref target="RFC8613"/>. The R | ryptographic secret that can be used to derive further security material and est | |||
esponder can also send an optional EDHOC message_4 to achieve key confirmation, | ablish an OSCORE Security Context <xref target="RFC8613"/>. The Responder can al | |||
e.g., in deployments where no protected application message is sent from the Res | so send an optional EDHOC message_4 in order for the Initiator to achieve key co | |||
ponder to the Initiator.</t> | nfirmation, e.g., in deployments where no protected application message is sent | |||
<t><xref section="A.2" sectionFormat="of" target="RFC9528"/> specifies how | from the Responder to the Initiator.</t> | |||
to transfer EDHOC over CoAP. That is, the EDHOC data (i.e., the EDHOC message p | <t><xref section="A.2" sectionFormat="of" target="RFC9528"/> specifies how | |||
ossibly with a prepended connection identifier) are transported in the payload o | to transfer EDHOC over CoAP. That is, the EDHOC data (i.e., the EDHOC message | |||
f CoAP requests and responses. The default, forward message flow of EDHOC consis | possibly with a prepended connection identifier) is transported in the payload o | |||
ts in the CoAP client acting as Initiator and the CoAP server acting as Responde | f CoAP requests and responses. The default forward message flow of EDHOC consist | |||
r (see <xref section="A.2.1" sectionFormat="of" target="RFC9528"/>). Alternative | s in the CoAP client acting as Initiator and the CoAP server acting as Responder | |||
ly, the two roles can be reversed, as per the reverse message flow of EDHOC (see | (see <xref section="A.2.1" sectionFormat="of" target="RFC9528"/>). Alternativel | |||
<xref section="A.2.2" sectionFormat="of" target="RFC9528"/>). In the rest of th | y, the two roles can be reversed as per the reverse message flow of EDHOC (see < | |||
is document, EDHOC messages are considered to be transferred over CoAP.</t> | xref section="A.2.2" sectionFormat="of" target="RFC9528"/>). In the rest of this | |||
<t><xref target="fig-non-combined"/> shows a successful execution of EDHOC | document, EDHOC messages are considered to be transferred over CoAP.</t> | |||
, with a CoAP client and a CoAP server running EDHOC as Initiator and Responder, | <t><xref target="fig-non-combined"/> shows a successful execution of EDHOC | |||
respectively. In particular, it extends Figure 10 from <xref section="A.2.1" se | , with a CoAP client and a CoAP server running EDHOC as Initiator and Responder, | |||
ctionFormat="of" target="RFC9528"/>, by highlighting when the two peers perform | respectively. In particular, it extends Figure 10 from <xref section="A.2.1" se | |||
EDHOC verification and establish the OSCORE Security Context, and by adding an e | ctionFormat="of" target="RFC9528"/> by highlighting when the two peers perform E | |||
xchange of OSCORE-protected CoAP messages after completing the EDHOC execution.< | DHOC verification and establish the OSCORE Security Context, and by adding an ex | |||
/t> | change of OSCORE-protected CoAP messages after completing the EDHOC execution.</ | |||
<t>That is, the client sends a POST request to a reserved <em>EDHOC resour | t> | |||
ce</em> at the server, by default at the Uri-Path "/.well-known/edhoc". The requ | <t>That is, the client sends a POST request to a reserved EDHOC resource a | |||
est payload consists of the CBOR simple value <tt>true</tt> (0xf5) concatenated | t the server, by default at the Uri-Path "/.well-known/edhoc". The request paylo | |||
with EDHOC message_1, which also includes the EDHOC connection identifier C_I of | ad consists of the CBOR simple value <tt>true</tt> (0xf5) concatenated with EDHO | |||
the client encoded as per <xref section="3.3" sectionFormat="of" target="RFC952 | C message_1, which also includes the EDHOC connection identifier C_I of the clie | |||
8"/>. The request has Content-Format application/cid-edhoc+cbor-seq.</t> | nt encoded as per <xref section="3.3" sectionFormat="of" target="RFC9528"/>. The | |||
request has Content-Format application/cid-edhoc+cbor-seq.</t> | ||||
<t>This triggers the EDHOC execution at the server, which replies with a 2 .04 (Changed) response. The response payload consists of EDHOC message_2, which also includes the EDHOC connection identifier C_R of the server encoded as per < xref section="3.3" sectionFormat="of" target="RFC9528"/>. The response has Conte nt-Format application/edhoc+cbor-seq.</t> | <t>This triggers the EDHOC execution at the server, which replies with a 2 .04 (Changed) response. The response payload consists of EDHOC message_2, which also includes the EDHOC connection identifier C_R of the server encoded as per < xref section="3.3" sectionFormat="of" target="RFC9528"/>. The response has Conte nt-Format application/edhoc+cbor-seq.</t> | |||
<t>Finally, the client sends a POST request to the same EDHOC resource use | <t>Finally, the client sends a POST request to the same EDHOC resource use | |||
d earlier when it sent EDHOC message_1. The request payload consists of the EDHO | d earlier when it sent EDHOC message_1. The request payload consists of the EDHO | |||
C connection identifier C_R encoded as per <xref section="3.3" sectionFormat="of | C connection identifier C_R encoded as per <xref section="3.3" sectionFormat="of | |||
" target="RFC9528"/>, concatenated with EDHOC message_3. The request has Content | " target="RFC9528"/> concatenated with EDHOC message_3. The request has Content- | |||
-Format application/cid-edhoc+cbor-seq.</t> | Format application/cid-edhoc+cbor-seq.</t> | |||
<t>After this exchange takes place, and after successful verifications as | <t>After this exchange takes place, and after successful verifications as | |||
specified in the EDHOC protocol, the client and server can derive an OSCORE Secu | specified in the EDHOC protocol, the client and server can derive an OSCORE Secu | |||
rity Context, as defined in <xref section="A.1" sectionFormat="of" target="RFC95 | rity Context as defined in <xref section="A.1" sectionFormat="of" target="RFC952 | |||
28"/>. After that, they can use OSCORE to protect their communications as per <x | 8"/>. After that, the client and server can use OSCORE to protect their communic | |||
ref target="RFC8613"/>. Note that the EDHOC Connection Identifier C_R is used as | ations as per <xref target="RFC8613"/>. Note that the EDHOC connection identifie | |||
the OSCORE Sender ID of the client (see <xref section="A.1" sectionFormat="of" | r C_R is used as the OSCORE Sender ID of the client (see <xref section="A.1" sec | |||
target="RFC9528"/>). Therefore, C_R is transported in the 'kid' field of the OSC | tionFormat="of" target="RFC9528"/>). Therefore, C_R is transported in the 'kid' | |||
ORE Option of the OSCORE Request (see <xref section="6.1" sectionFormat="of" tar | field of the OSCORE option of the OSCORE Request (see <xref section="6.1" sectio | |||
get="RFC8613"/>).</t> | nFormat="of" target="RFC8613"/>).</t> | |||
<t>The client and server are required to agree in advance on certain infor | <t>The client and server are required to agree in advance on certain infor | |||
mation and parameters describing how they should use EDHOC. These are specified | mation and parameters describing how they should use EDHOC. These are specified | |||
in an application profile associated with the EDHOC resource addressed (see <xre | in an application profile associated with the EDHOC resource addressed (see <xre | |||
f section="3.9" sectionFormat="of" target="RFC9528"/>.</t> | f section="3.9" sectionFormat="of" target="RFC9528"/>).</t> | |||
<figure anchor="fig-non-combined"> | <figure anchor="fig-non-combined"> | |||
<name>EDHOC and OSCORE run sequentially. The optional message_4 is inclu | <name>Sequential Flow of EDHOC and OSCORE with the Optional message_4 | |||
ded in this example.</name> | Included</name> | |||
<artset> | <artset> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="768" width="544" viewBox="0 0 544 768" class="diagram " text-anchor="middle" font-family="monospace" font-size="13px"> | <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="768" width="544" viewBox="0 0 544 768" class="diagram " text-anchor="middle" font-family="monospace" font-size="13px"> | |||
<path d="M 64,64 L 64,256" fill="none" stroke="black"/> | <path d="M 64,64 L 64,256" fill="none" stroke="black"/> | |||
<path d="M 64,288 L 64,544" fill="none" stroke="black"/> | <path d="M 64,288 L 64,544" fill="none" stroke="black"/> | |||
<path d="M 64,592 L 64,752" fill="none" stroke="black"/> | <path d="M 64,592 L 64,752" fill="none" stroke="black"/> | |||
<path d="M 488,64 L 488,384" fill="none" stroke="black"/> | <path d="M 488,64 L 488,384" fill="none" stroke="black"/> | |||
<path d="M 488,464 L 488,752" fill="none" stroke="black"/> | <path d="M 488,464 L 488,752" fill="none" stroke="black"/> | |||
<path d="M 80,96 L 208,96" fill="none" stroke="black"/> | <path d="M 80,96 L 208,96" fill="none" stroke="black"/> | |||
<path d="M 336,96 L 472,96" fill="none" stroke="black"/> | <path d="M 336,96 L 472,96" fill="none" stroke="black"/> | |||
<path d="M 80,192 L 208,192" fill="none" stroke="black"/> | <path d="M 80,192 L 208,192" fill="none" stroke="black"/> | |||
skipping to change at line 279 ¶ | skipping to change at line 291 ¶ | |||
| Payload: OSCORE-protected data | | | Payload: OSCORE-protected data | | |||
| | | | | | |||
| <--------------- OSCORE Response ----------------- | | | <--------------- OSCORE Response ----------------- | | |||
| Header: 2.04 (Changed) | | | Header: 2.04 (Changed) | | |||
| OSCORE: { ... } | | | OSCORE: { ... } | | |||
| Payload: OSCORE-protected data | | | Payload: OSCORE-protected data | | |||
| | | | | | |||
]]></artwork> | ]]></artwork> | |||
</artset> | </artset> | |||
</figure> | </figure> | |||
<t>As shown in <xref target="fig-non-combined"/>, this sequential flow whe | <t> The sequential flow of EDHOC and OSCORE (where EDHOC runs first and | |||
re EDHOC is run first and then OSCORE is used takes three round trips to complet | OSCORE is used after) takes three round trips to complete, as shown in <xref t | |||
e.</t> | arget="fig-non-combined"/>.</t> | |||
<t><xref target="edhoc-in-oscore"/> defines an optimization for combining | <t><xref target="edhoc-in-oscore"/> defines an optimization for combining | |||
EDHOC with the first OSCORE transaction. This reduces the number of round trips | EDHOC with the first OSCORE transaction. This reduces the number of round trips | |||
required to set up an OSCORE Security Context and to complete an OSCORE transact | required to set up an OSCORE Security Context and complete an OSCORE transaction | |||
ion using that Security Context.</t> | using that Security Context.</t> | |||
</section> | </section> | |||
<section anchor="edhoc-in-oscore"> | <section anchor="edhoc-in-oscore"> | |||
<name>EDHOC Combined with OSCORE</name> | <name>EDHOC Combined with OSCORE</name> | |||
<t>This section defines an optimization for combining the EDHOC message ex change with the first OSCORE transaction, thus minimizing the number of round tr ips between the two peers to the absolute possible minimum of two round trips.</ t> | <t>This section defines an optimization for combining the EDHOC message ex change with the first OSCORE transaction, thus minimizing the number of round tr ips between the two peers to the absolute possible minimum of two round trips.</ t> | |||
<t>To this end, this approach can be used only if the default, forward mes sage flow of EDHOC is used, i.e., when the client acts as Initiator and the serv er acts as Responder. The same is not possible in the case with reversed roles a s per the reverse message flow of EDHOC.</t> | <t>To this end, this approach can be used only if the default forward mess age flow of EDHOC is used, i.e., when the client acts as Initiator and the serve r acts as Responder. The same is not possible in the case with reversed roles as per the reverse message flow of EDHOC.</t> | |||
<t>When running the sequential flow of <xref target="overview"/>, the clie nt has all the information to derive the OSCORE Security Context already after r eceiving EDHOC message_2 and before sending EDHOC message_3.</t> | <t>When running the sequential flow of <xref target="overview"/>, the clie nt has all the information to derive the OSCORE Security Context already after r eceiving EDHOC message_2 and before sending EDHOC message_3.</t> | |||
<t>Hence, the client can potentially send both EDHOC message_3 and the sub sequent OSCORE Request at the same time. On a semantic level, this requires send ing two REST requests at once, as in <xref target="fig-combined"/>.</t> | <t>Hence, the client can potentially send both EDHOC message_3 and the sub sequent OSCORE Request at the same time. On a semantic level, this requires send ing two REST requests at once as shown in <xref target="fig-combined"/>.</t> | |||
<figure anchor="fig-combined"> | <figure anchor="fig-combined"> | |||
<name>EDHOC and OSCORE combined.</name> | <name>EDHOC and OSCORE Combined</name> | |||
<artset> | <artset> | |||
<artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="576" width="552" viewBox="0 0 552 576" class="diagram " text-anchor="middle" font-family="monospace" font-size="13px"> | <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/ svg" version="1.1" height="576" width="552" viewBox="0 0 552 576" class="diagram " text-anchor="middle" font-family="monospace" font-size="13px"> | |||
<path d="M 64,64 L 64,240" fill="none" stroke="black"/> | <path d="M 64,64 L 64,240" fill="none" stroke="black"/> | |||
<path d="M 64,320 L 64,560" fill="none" stroke="black"/> | <path d="M 64,320 L 64,560" fill="none" stroke="black"/> | |||
<path d="M 496,64 L 496,400" fill="none" stroke="black"/> | <path d="M 496,64 L 496,400" fill="none" stroke="black"/> | |||
<path d="M 496,480 L 496,560" fill="none" stroke="black"/> | <path d="M 496,480 L 496,560" fill="none" stroke="black"/> | |||
<path d="M 80,80 L 216,80" fill="none" stroke="black"/> | <path d="M 80,80 L 216,80" fill="none" stroke="black"/> | |||
<path d="M 344,80 L 480,80" fill="none" stroke="black"/> | <path d="M 344,80 L 480,80" fill="none" stroke="black"/> | |||
<path d="M 80,176 L 216,176" fill="none" stroke="black"/> | <path d="M 80,176 L 216,176" fill="none" stroke="black"/> | |||
<path d="M 344,176 L 480,176" fill="none" stroke="black"/> | <path d="M 344,176 L 480,176" fill="none" stroke="black"/> | |||
skipping to change at line 333 ¶ | skipping to change at line 346 ¶ | |||
<text x="252" y="116">"/.well-known/edhoc"</text> | <text x="252" y="116">"/.well-known/edhoc"</text> | |||
<text x="152" y="132">Content-Format:</text> | <text x="152" y="132">Content-Format:</text> | |||
<text x="340" y="132">application/cid-edhoc+cbor-seq</text> | <text x="340" y="132">application/cid-edhoc+cbor-seq</text> | |||
<text x="124" y="148">Payload:</text> | <text x="124" y="148">Payload:</text> | |||
<text x="184" y="148">true,</text> | <text x="184" y="148">true,</text> | |||
<text x="232" y="148">EDHOC</text> | <text x="232" y="148">EDHOC</text> | |||
<text x="296" y="148">message_1</text> | <text x="296" y="148">message_1</text> | |||
<text x="248" y="180">EDHOC</text> | <text x="248" y="180">EDHOC</text> | |||
<text x="308" y="180">Response</text> | <text x="308" y="180">Response</text> | |||
<text x="160" y="196">Header:</text> | <text x="160" y="196">Header:</text> | |||
<text x="224" y="196">Changed</text> | <text x="224" y="196">2.04</text> | |||
<text x="284" y="196">(2.04)</text> | <text x="284" y="196">(Changed)</text> | |||
<text x="192" y="212">Content-Format:</text> | <text x="192" y="212">Content-Format:</text> | |||
<text x="364" y="212">application/edhoc+cbor-seq</text> | <text x="364" y="212">application/edhoc+cbor-seq</text> | |||
<text x="164" y="228">Payload:</text> | <text x="164" y="228">Payload:</text> | |||
<text x="224" y="228">EDHOC</text> | <text x="224" y="228">EDHOC</text> | |||
<text x="288" y="228">message_2</text> | <text x="288" y="228">message_2</text> | |||
<text x="24" y="260">EDHOC</text> | <text x="24" y="260">EDHOC</text> | |||
<text x="100" y="260">verification</text> | <text x="100" y="260">verification</text> | |||
<text x="64" y="276">+</text> | <text x="64" y="276">+</text> | |||
<text x="36" y="292">OSCORE</text> | <text x="36" y="292">OSCORE</text> | |||
<text x="80" y="292">Sec</text> | <text x="80" y="292">Sec</text> | |||
skipping to change at line 400 ¶ | skipping to change at line 413 ¶ | |||
CoAP client CoAP server | CoAP client CoAP server | |||
(EDHOC Initiator) (EDHOC Responder) | (EDHOC Initiator) (EDHOC Responder) | |||
| | | | | | |||
| ------------------ EDHOC Request -----------------> | | | ------------------ EDHOC Request -----------------> | | |||
| Header: 0.02 (POST) | | | Header: 0.02 (POST) | | |||
| Uri-Path: "/.well-known/edhoc" | | | Uri-Path: "/.well-known/edhoc" | | |||
| Content-Format: application/cid-edhoc+cbor-seq | | | Content-Format: application/cid-edhoc+cbor-seq | | |||
| Payload: true, EDHOC message_1 | | | Payload: true, EDHOC message_1 | | |||
| | | | | | |||
| <----------------- EDHOC Response------------------ | | | <----------------- EDHOC Response------------------ | | |||
| Header: Changed (2.04) | | | Header: 2.04 (Changed) | | |||
| Content-Format: application/edhoc+cbor-seq | | | Content-Format: application/edhoc+cbor-seq | | |||
| Payload: EDHOC message_2 | | | Payload: EDHOC message_2 | | |||
| | | | | | |||
EDHOC verification | | EDHOC verification | | |||
+ | | + | | |||
OSCORE Sec Ctx | | OSCORE Sec Ctx | | |||
Derivation | | Derivation | | |||
| | | | | | |||
| -------------- EDHOC + OSCORE Request ------------> | | | -------------- EDHOC + OSCORE Request ------------> | | |||
| Header: 0.02 (POST) | | | Header: 0.02 (POST) | | |||
skipping to change at line 428 ¶ | skipping to change at line 441 ¶ | |||
| | | | | | |||
| <--------------- OSCORE Response ------------------ | | | <--------------- OSCORE Response ------------------ | | |||
| Header: 2.04 (Changed) | | | Header: 2.04 (Changed) | | |||
| OSCORE: { ... } | | | OSCORE: { ... } | | |||
| Payload: OSCORE-protected data | | | Payload: OSCORE-protected data | | |||
| | | | | | |||
]]></artwork> | ]]></artwork> | |||
</artset> | </artset> | |||
</figure> | </figure> | |||
<t>To this end, the specific approach defined in this section consists of sending a single EDHOC + OSCORE request, which conveys the pair (C_R, EDHOC mess age_3) within an OSCORE-protected CoAP message.</t> | <t>To this end, the specific approach defined in this section consists of sending a single EDHOC + OSCORE request, which conveys the pair (C_R, EDHOC mess age_3) within an OSCORE-protected CoAP message.</t> | |||
<t>That is, the EDHOC + OSCORE request is composed of the following two pa | <t>That is, the EDHOC + OSCORE request is composed of the following two | |||
rts combined together in a single CoAP message. The steps for processing the EDH | parts combined together in a single CoAP message. The steps for | |||
OC + OSCORE request and the two parts combined in there are defined in <xref tar | processing the EDHOC + OSCORE request and the two parts combined in the | |||
get="client-processing"/> and <xref target="server-processing"/>.</t> | request itself are defined in Sections <xref target="client-processing" | |||
format="counter"/> and <xref target="server-processing" | ||||
format="counter"/>.</t> | ||||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>The OSCORE Request from <xref target="fig-non-combined"/>, which is also in this case sent to a protected resource, with the correct CoAP method and options intended for accessing that resource.</li> | <li>The OSCORE Request from <xref target="fig-non-combined"/>, which, in this case, is also sent to a protected resource with the correct CoAP method an d options intended for accessing that resource.</li> | |||
<li> | <li> | |||
<t>EDHOC data consisting of the pair (C_R, EDHOC message_3) required f or completing the EDHOC session, transported as follows: </t> | <t>EDHOC data consisting of the pair (C_R, EDHOC message_3) required f or completing the EDHOC session transported as follows: </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>C_R is the OSCORE Sender ID of the client and hence transported | <li>C_R is the OSCORE Sender ID of the client; hence, it is transpor | |||
in the 'kid' field of the OSCORE Option (see <xref section="6.1" sectionFormat=" | ted in the 'kid' field of the OSCORE option (see <xref section="6.1" sectionForm | |||
of" target="RFC8613"/>). Unlike in the sequential workflow shown in <xref target | at="of" target="RFC8613"/>). Unlike the sequential workflow shown in <xref targe | |||
="fig-non-combined"/>, C_R is thus not transported in the payload of the EDHOC + | t="fig-non-combined"/>, C_R is not transported in the payload of the EDHOC + OSC | |||
OSCORE request.</li> | ORE request.</li> | |||
<li>EDHOC message_3 is transported in the payload of the EDHOC + OSC | <li>EDHOC message_3 is transported in the payload of the EDHOC + OSC | |||
ORE request, prepended to the payload of the OSCORE Request. This is because EDH | ORE request and prepended to the payload of the OSCORE Request. This is because | |||
OC message_3 may be too large to be included in a CoAP Option, e.g., when convey | EDHOC message_3 may be too large to be included in a CoAP option, e.g., when con | |||
ing a large public key certificate chain as ID_CRED_I (see <xref section="3.5.3" | veying a large public key certificate chain in the ID_CRED_I field (see <xref se | |||
sectionFormat="of" target="RFC9528"/>) or when conveying large External Authori | ction="3.5.3" sectionFormat="of" target="RFC9528"/>), or when conveying large Ex | |||
zation Data as EAD_3 (see <xref section="3.8" sectionFormat="of" target="RFC9528 | ternal Authorization Data in the EAD_3 field (see <xref section="3.8" sectionFor | |||
"/>).</li> | mat="of" target="RFC9528"/>).</li> | |||
</ul> | </ul> | |||
</li> | </li> | |||
</ul> | </ul> | |||
<t>The rest of this section specifies how to transport the data in the EDH OC + OSCORE request and their processing order. In particular, the use of this a pproach is explicitly signalled by including an EDHOC Option (see <xref target=" edhoc-option"/>) in the EDHOC + OSCORE request. The processing of the EDHOC + OS CORE request is specified in <xref target="client-processing-intro"/> for the cl ient side and in <xref target="server-processing-intro"/> for the server side.</ t> | <t>The rest of this section specifies how to transport the data in the EDH OC + OSCORE request and their processing order. In particular, the use of this a pproach is explicitly signalled by including an EDHOC option (<xref target="edho c-option"/>) in the EDHOC + OSCORE request. The processing of the EDHOC + OSCORE request is specified in <xref target="client-processing-intro"/> for the client side and in <xref target="server-processing-intro"/> for the server side.</t> | |||
<section anchor="edhoc-option"> | <section anchor="edhoc-option"> | |||
<name>EDHOC Option</name> | <name>EDHOC Option</name> | |||
<t>This section defines the EDHOC Option. The option is used in a CoAP r | <t>This section defines the EDHOC option. This option is used in a CoAP | |||
equest, to signal that the request payload conveys both an EDHOC message_3 and O | request to signal that the request payload conveys both an EDHOC message_3 and O | |||
SCORE-protected data, combined together.</t> | SCORE-protected data combined together.</t> | |||
<t>The EDHOC Option has the properties summarized in <xref target="fig-e | ||||
dhoc-option"/>, which extends Table 4 of <xref target="RFC7252"/>. The option is | <t>The EDHOC option has the properties summarized in <xref target="fig-e | |||
Critical, Safe-to-Forward, and part of the Cache-Key. The option <bcp14>MUST</b | dhoc-option"/>, which extends Table 4 of <xref target="RFC7252"/>. | |||
cp14> occur at most once and <bcp14>MUST</bcp14> be empty. If any value is sent, | The option is Critical, Safe-to-Forward, and part of the Cache-Key. The option | |||
the recipient <bcp14>MUST</bcp14> ignore it. (Future documents may update the d | <bcp14>MUST</bcp14> occur at most once and <bcp14>MUST</bcp14> be empty. If any | |||
efinition of the option, by expanding its semantics and specifying admitted valu | value is sent, the recipient <bcp14>MUST</bcp14> ignore it. (Future documents ma | |||
es.) The option is intended only for CoAP requests and is of Class U for OSCORE | y update the definition of the option by expanding its semantics and specifying | |||
<xref target="RFC8613"/>.</t> | admitted values.) The option is intended only for CoAP requests and is of Class | |||
<table align="center" anchor="fig-edhoc-option"> | U for OSCORE <xref target="RFC8613"/>.</t> | |||
<name>The EDHOC Option. C=Critical, U=Unsafe, N=NoCacheKey, R=Repeata | ||||
ble</name> | <table align="center" anchor="fig-edhoc-option"> | |||
<name>The EDHOC Option. C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatab | ||||
le</name> | ||||
<thead> | <thead> | |||
<tr> | <tr> | |||
<th align="left">No.</th> | <th align="left">No.</th> | |||
<th align="left">C</th> | <th align="left">C</th> | |||
<th align="left">U</th> | <th align="left">U</th> | |||
<th align="left">N</th> | <th align="left">N</th> | |||
<th align="left">R</th> | <th align="left">R</th> | |||
<th align="left">Name</th> | <th align="left">Name</th> | |||
<th align="left">Format</th> | <th align="left">Format</th> | |||
<th align="left">Length</th> | <th align="left">Length</th> | |||
<th align="left">Default</th> | <th align="left">Default</th> | |||
</tr> | </tr> | |||
</thead> | </thead> | |||
<tbody> | <tbody> | |||
<tr> | <tr> | |||
<td align="left">21</td> | <td align="left">21</td> | |||
<td align="left">x</td> | <td align="left">x</td> | |||
<td align="left"> </td> | <td align="left"> </td> | |||
<td align="left"> </td> | <td align="left"> </td> | |||
<td align="left"> </td> | <td align="left"> </td> | |||
<td align="left">EDHOC</td> | <td align="left">EDHOC</td> | |||
<td align="left">Empty</td> | <td align="left">Empty</td> | |||
<td align="left">0</td> | <td align="left">0</td> | |||
<td align="left">(none)</td> | <td align="left">(none)</td> | |||
</tr> | </tr> | |||
</tbody> | </tbody> | |||
</table> | </table> | |||
<t>The presence of this option means that the message payload also conta | <t>The presence of this option means that the message payload also conta | |||
ins EDHOC data, which must be extracted and processed as defined in <xref target | ins EDHOC data that must be extracted and processed as defined in <xref target=" | |||
="server-processing-intro"/>, before the rest of the message can be processed.</ | server-processing-intro"/> before the rest of the message can be processed.</t> | |||
t> | <t><xref target="fig-edhoc-opt"/> shows an example of a CoAP message tha | |||
<t><xref target="fig-edhoc-opt"/> shows an example of a CoAP message tra | t is transported over UDP and that contains both the EDHOC data and the OSCORE c | |||
nsported over UDP and containing both the EDHOC data and the OSCORE ciphertext, | iphertext using the newly defined EDHOC option for signalling.</t> | |||
using the newly defined EDHOC option for signalling.</t> | ||||
<figure anchor="fig-edhoc-opt"> | <figure anchor="fig-edhoc-opt"> | |||
<name>Example of CoAP message transported over UDP, combining EDHOC da ta and OSCORE data as signalled with the EDHOC Option.</name> | <name>Example of a CoAP Message Containing the Combined EDHOC and OSCO RE Data, Signalled by the EDHOC Option and Transported over UDP</name> | |||
<artwork align="center"><![CDATA[ | <artwork align="center"><![CDATA[ | |||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
|Ver| T | TKL | Code | Message ID | | |Ver| T | TKL | Code | Message ID | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Token (if any, TKL bytes) ... | | Token (if any, TKL bytes) ... | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Observe Option| OSCORE Option ... | | Observe Option| OSCORE Option ... | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
skipping to change at line 500 ¶ | skipping to change at line 521 ¶ | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
]]></artwork> | ]]></artwork> | |||
</figure> | </figure> | |||
</section> | </section> | |||
<section anchor="client-processing-intro"> | <section anchor="client-processing-intro"> | |||
<name>Client Processing</name> | <name>Client Processing</name> | |||
<t>This section describes the processing on the client side.</t> | <t>This section describes the processing on the client side.</t> | |||
<section anchor="client-processing"> | <section anchor="client-processing"> | |||
<name>Processing of the EDHOC + OSCORE Request</name> | <name>Processing of the EDHOC + OSCORE Request</name> | |||
<t>The client prepares an EDHOC + OSCORE request as follows.</t> | <t>The client prepares an EDHOC + OSCORE request as follows.</t> | |||
<ol spacing="normal" type="1"><li>Compose EDHOC message_3 into EDHOC_M | <ol spacing="normal" type="Step %d." indent="9"> | |||
SG_3, as per <xref section="5.4.2" sectionFormat="of" target="RFC9528"/>.</li> | <li anchor="L1S1">Compose EDHOC message_3 into EDHOC_MSG_3 as per <xref section= | |||
<li> | "5.4.2" sectionFormat="of" target="RFC9528"/>.</li> | |||
<li anchor="L1S2"> | ||||
<t>Establish the new OSCORE Security Context and use it to encrypt the original CoAP request as per <xref section="8.1" sectionFormat="of" target= "RFC8613"/>. </t> | <t>Establish the new OSCORE Security Context and use it to encrypt the original CoAP request as per <xref section="8.1" sectionFormat="of" target= "RFC8613"/>. </t> | |||
<t> | <t> | |||
Note that the OSCORE ciphertext is not computed over EDHOC message_3, which is n ot protected by OSCORE. That is, the result of this step is the OSCORE Request a s in <xref target="fig-non-combined"/>.</t> | Note that the OSCORE ciphertext is not computed over EDHOC message_3, which is n ot protected by OSCORE. That is, the result of this step is the OSCORE Request a s in <xref target="fig-non-combined"/>.</t> | |||
</li> | </li> | |||
<li> | <li anchor="L1S3"> | |||
<t>Build COMB_PAYLOAD as the concatenation of EDHOC_MSG_3 and OSCO | ||||
RE_PAYLOAD in this order: COMB_PAYLOAD = EDHOC_MSG_3 | OSCORE_PAYLOAD, where | d | <t>Build COMB_PAYLOAD as the concatenation of EDHOC_MSG_3 and OSCO | |||
enotes byte string concatenation and: </t> | RE_PAYLOAD in the order of COMB_PAYLOAD = EDHOC_MSG_3 | OSCORE_PAYLOAD, where | | |||
denotes byte string concatenation and: </t> | ||||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>EDHOC_MSG_3 is the binary encoding of EDHOC message_3 result | <li>EDHOC_MSG_3 is the binary encoding of EDHOC message_3 result | |||
ing from step 1. As per <xref section="5.4.1" sectionFormat="of" target="RFC9528 | ing from <xref target="L1S1" format="none">Step 1</xref>. As per <xref section=" | |||
"/>, EDHOC message_3 consists of one CBOR data item CIPHERTEXT_3, which is a CBO | 5.4.1" sectionFormat="of" target="RFC9528"/>, EDHOC message_3 consists of one CB | |||
R byte string. Therefore, EDHOC_MSG_3 is the binary encoding of CIPHERTEXT_3.</l | OR data item CIPHERTEXT_3, which is a CBOR byte string. Therefore, EDHOC_MSG_3 i | |||
i> | s the binary encoding of CIPHERTEXT_3.</li> | |||
<li>OSCORE_PAYLOAD is the OSCORE ciphertext of the OSCORE-protec | <li>OSCORE_PAYLOAD is the OSCORE ciphertext of the OSCORE-protec | |||
ted CoAP request resulting from step 2.</li> | ted CoAP request resulting from <xref target="L1S2" format="none">Step 2</xref>. | |||
</li> | ||||
</ul> | </ul> | |||
</li> | </li> | |||
<li> | <li anchor="L1S4"> | |||
<t>Compose the EDHOC + OSCORE request, as the OSCORE-protected CoA | ||||
P request resulting from step 2, where the payload is replaced with COMB_PAYLOAD | <t>Compose the EDHOC + OSCORE request, as the OSCORE-protected CoA | |||
built at step 3. </t> | P request resulting from <xref target="L1S2" format="none">Step 2</xref>, where | |||
the payload is replaced with COMB_PAYLOAD built at <xref target="L1S3" format="n | ||||
one">Step 3</xref>.</t> | ||||
<t> | <t> | |||
Note that the new payload includes EDHOC message_3, but it does not include the | Note that the new payload includes EDHOC message_3, but it does n | |||
EDHOC connection identifier C_R. As the client is the EDHOC Initiator, C_R is th | ot include the EDHOC connection identifier C_R. | |||
e OSCORE Sender ID of the client, which is already specified as 'kid' in the OSC | As the client is the EDHOC Initiator, C_R is the OSCORE Sender ID of | |||
ORE Option of the request from step 2, hence of the EDHOC + OSCORE request.</t> | the client, which is already specified as the value of the 'kid' field in the | |||
OSCORE option of the | ||||
request from <xref target="L1S2" format="none">Step 2</xref>; hence, C_R is s | ||||
pecified as the value of the 'kid' field of the EDHOC + OSCORE request.</t> | ||||
</li> | </li> | |||
<li> | <li anchor="L1S5"> | |||
<t>Include the new EDHOC Option defined in <xref target="edhoc-opt | <t>Include the new EDHOC option defined in <xref target="edhoc-opt | |||
ion"/> into the EDHOC + OSCORE request. </t> | ion"/> into the EDHOC + OSCORE request. </t> | |||
<t> | <t> | |||
The application/cid-edhoc+cbor-seq media type does not apply to this message, wh ose media type is unnamed.</t> | The application/cid-edhoc+cbor-seq media type does not apply to this message, wh ose media type is unnamed.</t> | |||
</li> | </li> | |||
<li>Send the EDHOC + OSCORE request to the server.</li> | <li anchor="L1S6">Send the EDHOC + OSCORE request to the server.</li > | |||
</ol> | </ol> | |||
<t>With the same server, the client <bcp14>SHOULD NOT</bcp14> have mul | <t>With the same server, the client <bcp14>SHOULD NOT</bcp14> have mul | |||
tiple simultaneous outstanding interactions (see <xref section="4.7" sectionForm | tiple simultaneous outstanding interactions (see <xref section="4.7" sectionForm | |||
at="of" target="RFC7252"/>) such that: they consist of an EDHOC + OSCORE request | at="of" target="RFC7252"/>), such that they consist of an EDHOC + OSCORE request | |||
; and their EDHOC data pertain to the EDHOC session with the same connection ide | and their EDHOC data pertains to the EDHOC session with the same connection ide | |||
ntifier C_R.</t> | ntifier C_R.</t> | |||
<t>(An exception might apply for clients that operate under particular | <t>An exception might apply for clients that operate under particular | |||
time constraints over particularly unreliable networks, thus raising the chance | time constraints over particularly unreliable networks, thus raising the chances | |||
s to promptly complete the EDHOC execution with the server through multiple, sim | to promptly complete the EDHOC execution with the server through multiple simul | |||
ultaneous EDHOC + OSCORE requests. As discussed in <xref target="security-consid | taneous EDHOC + OSCORE requests. As discussed in <xref target="security-consider | |||
erations"/>, this does not have any impact in terms of security.)</t> | ations"/>, this does not have any impact in terms of security.</t> | |||
</section> | </section> | |||
<section anchor="client-blockwise"> | <section anchor="client-blockwise"> | |||
<name>Supporting Block-wise</name> | <name>Supporting Block-Wise Transfers</name> | |||
<t>If Block-wise <xref target="RFC7959"/> is supported, the client may | <t>If Block-wise transfers <xref target="RFC7959"/> are supported, the | |||
fragment the first application CoAP request before protecting it as an original | client may fragment the first CoAP application request before protecting it as | |||
message with OSCORE, as defined in <xref section="4.1.3.4.1" sectionFormat="of" | an original message with OSCORE as defined in <xref section="4.1.3.4.1" sectionF | |||
target="RFC8613"/>.</t> | ormat="of" target="RFC8613"/>.</t> | |||
<t>In such a case, the OSCORE processing in step 2 of <xref target="cl | <t>In such a case, the OSCORE processing in <xref target="L1S2" format | |||
ient-processing"/> is performed on each inner block of the first application CoA | ="none">Step 2</xref> of <xref target="client-processing"/> is performed on each | |||
P request, and the following also applies.</t> | inner block of the first CoAP application request. The following also applies.< | |||
/t> | ||||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li> | <li> | |||
<t>The client takes the additional following step between steps 2 | <t>The client takes the following additional step between Steps <x | |||
and 3 of <xref target="client-processing"/>. </t> | ref target="L1S2" format="none">2</xref> and <xref target="L1S3" format="none">3 | |||
<t> | </xref> of <xref target="client-processing"/>. </t> | |||
A. If the OSCORE-protected request from step 2 conveys a non-first inner block o | <ol spacing='normal' type='Step 2.%d.' indent="10"> | |||
f the first application CoAP request (i.e., the Block1 Option processed at step | <li>If the OSCORE-protected request from <xref target="L1S2" format="none">Step | |||
2 had NUM different than 0), then the client skips the following steps and sends | 2</xref> conveys a non-first inner block of the first CoAP application request ( | |||
the OSCORE-protected request to the server. In particular, the client <bcp14>MU | i.e., the Block1 option processed at Step 2 had NUM different than 0), then the | |||
ST NOT</bcp14> include the EDHOC Option in the OSCORE-protected request.</t> | client skips the following steps and sends the OSCORE-protected request to the s | |||
erver. In particular, the client <bcp14>MUST NOT</bcp14> include the EDHOC optio | ||||
n in the OSCORE-protected request.</li></ol> | ||||
</li> | </li> | |||
<li> | <li> | |||
<t>The client takes the additional following step between steps 3 | <t>The client takes the following additional step between Steps <x | |||
and 4 of <xref target="client-processing"/>. </t> | ref target="L1S3" format="none">3</xref> and <xref target="L1S4" format="none">4 | |||
<t> | </xref> of <xref target="client-processing"/>. </t> | |||
B. If the size of COMB_PAYLOAD exceeds MAX_UNFRAGMENTED_SIZE (see <xref section= | <ol spacing='normal' type='Step 3.%d.' indent="10"><li> | |||
"4.1.3.4.2" sectionFormat="of" target="RFC8613"/>), the client <bcp14>MUST</bcp1 | If the size of COMB_PAYLOAD exceeds MAX_UNFRAGMENTED_SIZE (see <xref section="4. | |||
4> stop processing the request and <bcp14>MUST</bcp14> abandon the Block-wise tr | 1.3.4.2" sectionFormat="of" target="RFC8613"/>), the client <bcp14>MUST</bcp14> | |||
ansfer. Then, the client can continue by switching to the sequential workflow sh | stop processing the request and <bcp14>MUST</bcp14> abandon the Block-wise trans | |||
own in <xref target="fig-non-combined"/>. That is, the client first sends EDHOC | fer. Then, the client can continue by switching to the sequential workflow shown | |||
message_3 prepended by the EDHOC Connection Identifier C_R encoded as per <xref | in <xref target="fig-non-combined"/>. That is, the client first sends EDHOC mes | |||
section="3.3" sectionFormat="of" target="RFC9528"/>, and then sends the OSCORE-p | sage_3 prepended by the EDHOC connection identifier C_R encoded as per <xref sec | |||
rotected CoAP request once the EDHOC execution is completed.</t> | tion="3.3" sectionFormat="of" target="RFC9528"/>. Then, the client sends the OSC | |||
ORE-protected CoAP request once the EDHOC execution is completed. | ||||
</li> | </li> | |||
</ul> | </ol> | |||
<t>The performance advantage of using the EDHOC + OSCORE request can b | </li> | |||
e lost when used in combination with Block-wise transfers that rely on specific | </ul> | |||
parameter values and block sizes. Application policies at the CoAP client can de | <t>The performance advantage of using the EDHOC + OSCORE request can b | |||
fine when and how to detect whether the performance advantage is lost, and, if t | e lost when used in combination with Block-wise transfers that rely on specific | |||
hat is the case, whether to appropriately adjust the parameter values and block | parameter values and block sizes. Application policies at the CoAP client can de | |||
sizes, or instead to fall back on the sequential workflow of EDHOC.</t> | fine when and how to detect whether the performance advantage is lost. If that i | |||
s the case, they can also define whether to appropriately adjust the parameter v | ||||
alues and block sizes or to fall back on the sequential workflow of EDHOC.</t> | ||||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="server-processing-intro"> | <section anchor="server-processing-intro"> | |||
<name>Server Processing</name> | <name>Server Processing</name> | |||
<t>This section describes the processing on the server side.</t> | <t>This section describes the processing on the server side.</t> | |||
<section anchor="server-processing"> | <section anchor="server-processing"> | |||
<name>Processing of the EDHOC + OSCORE Request</name> | <name>Processing of the EDHOC + OSCORE Request</name> | |||
<t>In order to process a request containing the EDHOC option, i.e., an EDHOC + OSCORE request, the server <bcp14>MUST</bcp14> perform the following st eps.</t> | <t>In order to process a request containing the EDHOC option, i.e., an EDHOC + OSCORE request, the server <bcp14>MUST</bcp14> perform the following st eps.</t> | |||
<ol spacing="normal" type="1"><li>Check that the EDHOC + OSCORE reques | <ol spacing="normal" type="Step %d." indent="9"> | |||
t includes the OSCORE option and that the request payload has the format defined | <li anchor="L2S1">Check that the EDHOC + OSCORE request includes the OSCORE opti | |||
at step 3 of <xref target="client-processing"/> for COMB_PAYLOAD. If this is no | on and that the request payload has the format defined at <xref target="L1S3" fo | |||
t the case, the server <bcp14>MUST</bcp14> stop processing the request and <bcp1 | rmat="none">Step 3</xref> of <xref target="client-processing"/> for COMB_PAYLOAD | |||
4>MUST</bcp14> reply with a 4.00 (Bad Request) error response.</li> | . If this is not the case, the server <bcp14>MUST</bcp14> stop processing the re | |||
<li>Extract EDHOC message_3 from the payload COMB_PAYLOAD of the EDH | quest and <bcp14>MUST</bcp14> reply with a 4.00 (Bad Request) error response.</l | |||
OC + OSCORE request, as the first element EDHOC_MSG_3 (see step 3 of <xref targe | i> | |||
t="client-processing"/>).</li> | <li anchor="L2S2">Extract EDHOC message_3 from the payload COMB_PAYL | |||
<li>Take the value of 'kid' from the OSCORE option of the EDHOC + OS | OAD of the EDHOC + OSCORE request as the first element EDHOC_MSG_3 (see <xref ta | |||
CORE request (i.e., the OSCORE Sender ID of the client), and use it as the EDHOC | rget="L1S3" format="none">Step 3</xref> of <xref target="client-processing"/>).< | |||
connection identifier C_R.</li> | /li> | |||
<li> | <li anchor="L2S3">Take the value of the 'kid' field from the OSCORE | |||
<t>Retrieve the correct EDHOC session by using the connection iden | option of the EDHOC + OSCORE request (i.e., the OSCORE Sender ID of the client), | |||
tifier C_R from step 3. </t> | and use it as the EDHOC connection identifier C_R.</li> | |||
<li anchor="L2S4"> | ||||
<t>Retrieve the correct EDHOC session by using the connection iden | ||||
tifier C_R from <xref target="L2S3" format="none">Step 3</xref>. </t> | ||||
<t> | <t> | |||
If the application profile used in the EDHOC session specifies that EDHOC messag e_4 shall be sent, the server <bcp14>MUST</bcp14> stop the EDHOC processing and consider it failed, as due to a client error. </t> | If the application profile used in the EDHOC session specifies that EDHOC messag e_4 shall be sent, the server <bcp14>MUST</bcp14> stop the EDHOC processing and consider it failed due to a client error. </t> | |||
<t> | <t> | |||
Otherwise, perform the EDHOC processing on the EDHOC message_3 extracted at step 2 as per <xref section="5.4.3" sectionFormat="of" target="RFC9528"/>, based on the protocol state of the retrieved EDHOC session. </t> | Otherwise, perform the EDHOC processing on the EDHOC message_3 extracted at <xre f target="L2S2" format="none">Step 2</xref> as per <xref section="5.4.3" section Format="of" target="RFC9528"/> based on the protocol state of the retrieved EDHO C session. </t> | |||
<t> | <t> | |||
The application profile used in the EDHOC session is the same one associated wit h the EDHOC resource where the server received the request conveying EDHOC messa ge_1 that started the session. This is relevant in case the server provides mult iple EDHOC resources, which may generally refer to different application profile s.</t> | The application profile used in the EDHOC session is the same one associated wit h the EDHOC resource where the server received the request conveying EDHOC messa ge_1 that started the session. This is relevant in case the server provides mult iple EDHOC resources that may generally refer to different application profiles .</t> | |||
</li> | </li> | |||
<li>Establish a new OSCORE Security Context associated with the clie | <li anchor="L2S5">Establish a new OSCORE Security Context associated | |||
nt as per <xref section="A.1" sectionFormat="of" target="RFC9528"/>, using the E | with the client as per <xref section="A.1" sectionFormat="of" target="RFC9528"/ | |||
DHOC output from step 4.</li> | > using the EDHOC output from <xref target="L2S4" format="none">Step 4</xref>.</ | |||
<li>Extract the OSCORE ciphertext from the payload COMB_PAYLOAD of t | li> | |||
he EDHOC + OSCORE request, as the second element OSCORE_PAYLOAD (see step 3 of < | <li anchor="L2S6">Extract the OSCORE ciphertext from the payload COM | |||
xref target="client-processing"/>).</li> | B_PAYLOAD of the EDHOC + OSCORE request as the second element OSCORE_PAYLOAD (se | |||
<li>Rebuild the OSCORE-protected CoAP request, as the EDHOC + OSCORE | e <xref target="L1S3" format="none">Step 3</xref> of <xref target="client-proces | |||
request where the payload is replaced with the OSCORE ciphertext extracted at s | sing"/>).</li> | |||
tep 6. Then, remove the EDHOC option.</li> | <li anchor="L2S7">Rebuild the OSCORE-protected CoAP request as the E | |||
<li> | DHOC + OSCORE request, where the payload is replaced with the OSCORE ciphertext | |||
<t>Decrypt and verify the OSCORE-protected CoAP request rebuilt at | extracted at <xref target="L2S6" format="none">Step 6</xref>. Then, remove the E | |||
step 7, as per <xref section="8.2" sectionFormat="of" target="RFC8613"/>, by us | DHOC option.</li> | |||
ing the OSCORE Security Context established at step 5. </t> | <li anchor="L2S8"> | |||
<t>Decrypt and verify the OSCORE-protected CoAP request rebuilt at | ||||
<xref target="L2S7" format="none">Step 7</xref> as per <xref section="8.2" sect | ||||
ionFormat="of" target="RFC8613"/> by using the OSCORE Security Context establish | ||||
ed at <xref target="L2S5" format="none">Step 5.</xref></t> | ||||
<t> | <t> | |||
When the decrypted request is checked for any critical CoAP options (as it is du ring regular CoAP processing), the presence of an EDHOC option <bcp14>MUST</bcp1 4> be regarded as an unprocessed critical option, unless it is processed by some further mechanism.</t> | When the decrypted request is checked for any critical CoAP options (as it is du ring regular CoAP processing), the presence of an EDHOC option <bcp14>MUST</bcp1 4> be regarded as an unprocessed critical option unless it is processed by some further mechanism.</t> | |||
</li> | </li> | |||
<li>Deliver the CoAP request resulting from step 8 to the applicatio n.</li> | <li anchor="L2S9">Deliver the CoAP request resulting from <xref targ et="L2S8" format="none">Step 8</xref> to the application.</li> | |||
</ol> | </ol> | |||
<t>If steps 4 (EDHOC processing) and 8 (OSCORE processing) are both su | <t>If Steps <xref target="L2S4" format="none">4</xref> (EDHOC processi | |||
ccessfully completed, the server <bcp14>MUST</bcp14> reply with an OSCORE-protec | ng) and <xref target="L2S8" format="none">8</xref> (OSCORE processing) are both | |||
ted response (see <xref section="5.4.3" sectionFormat="of" target="RFC9528"/>). | successfully completed, the server <bcp14>MUST</bcp14> reply with an OSCORE-prot | |||
The usage of EDHOC message_4 as defined in <xref section="5.5" sectionFormat="of | ected response (see <xref section="5.4.3" sectionFormat="of" target="RFC9528"/>) | |||
" target="RFC9528"/> is not applicable to the approach defined in this document. | . The usage of EDHOC message_4 as defined in <xref section="5.5" sectionFormat=" | |||
</t> | of" target="RFC9528"/> is not applicable to the approach defined in this documen | |||
<t>If step 4 (EDHOC processing) fails, the server aborts the session a | t.</t> | |||
s per <xref section="5.4.3" sectionFormat="of" target="RFC9528"/> and responds w | <t>If <xref target="L2S4" format="none">Step 4</xref> (EDHOC processin | |||
ith an EDHOC error message with error code 1, formatted as defined in <xref sect | g) fails, the server aborts the session as per <xref section="5.4.3" sectionForm | |||
ion="6.2" sectionFormat="of" target="RFC9528"/>. The server <bcp14>MUST NOT</bcp | at="of" target="RFC9528"/> and responds with an EDHOC error message with error c | |||
14> establish a new OSCORE Security Context from the present EDHOC session with | ode 1, which is formatted as defined in <xref section="6.2" sectionFormat="of" t | |||
the client. The CoAP response conveying the EDHOC error message is not protected | arget="RFC9528"/>. The server <bcp14>MUST NOT</bcp14> establish a new OSCORE Sec | |||
with OSCORE. As per <xref section="9.5" sectionFormat="of" target="RFC9528"/>, | urity Context from the present EDHOC session with the client. The CoAP response | |||
the server has to make sure that the error message does not reveal sensitive inf | conveying the EDHOC error message is not protected with OSCORE. As per <xref sec | |||
ormation. The CoAP response conveying the EDHOC error message <bcp14>MUST</bcp14 | tion="9.5" sectionFormat="of" target="RFC9528"/>, the server has to make sure th | |||
> have Content-Format set to application/edhoc+cbor-seq registered in <xref sect | at the error message does not reveal sensitive information. The CoAP response co | |||
ion="10.9" sectionFormat="of" target="RFC9528"/>.</t> | nveying the EDHOC error message <bcp14>MUST</bcp14> have Content-Format set to a | |||
<t>If step 4 (EDHOC processing) is successfully completed but step 8 ( | pplication/edhoc+cbor-seq registered in <xref section="10.9" sectionFormat="of" | |||
OSCORE processing) fails, the same OSCORE error handling as defined in <xref sec | target="RFC9528"/>.</t> | |||
tion="8.2" sectionFormat="of" target="RFC8613"/> applies.</t> | <t>If <xref target="L2S4" format="none">Step 4</xref> (EDHOC processin | |||
g) is successfully completed but <xref target="L2S8" format="none">Step 8</xref> | ||||
(OSCORE processing) fails, the same OSCORE error handling as defined in <xref s | ||||
ection="8.2" sectionFormat="of" target="RFC8613"/> applies.</t> | ||||
</section> | </section> | |||
<section anchor="server-blockwise"> | <section anchor="server-blockwise"> | |||
<name>Supporting Block-wise</name> | <name>Supporting Block-Wise Transfers</name> | |||
<t>If Block-wise <xref target="RFC7959"/> is supported, the server tak | <t>If Block-wise transfers <xref target="RFC7959"/> are supported, the | |||
es the additional following step before any other in <xref target="server-proces | server takes the additional following step before any other in <xref target="se | |||
sing"/>.</t> | rver-processing"/>.</t> | |||
<t>A. If Block-wise is present in the request, then process the Outer | <ol spacing='normal' type='Step %d.' start='0' indent="9"> | |||
Block options according to <xref target="RFC7959"/>, until all blocks of the req | <li>If a Block option is present in the request, then process the Oute | |||
uest have been received (see <xref section="4.1.3.4" sectionFormat="of" target=" | r Block options according to <xref target="RFC7959"/> until all blocks of the re | |||
RFC8613"/>).</t> | quest have been received (see <xref section="4.1.3.4" sectionFormat="of" target= | |||
"RFC8613"/>).</li></ol> | ||||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="example"> | <section anchor="example"> | |||
<name>Example of EDHOC + OSCORE Request</name> | <name>Example of the EDHOC + OSCORE Request</name> | |||
<t><xref target="fig-edhoc-opt-2"/> shows an example of EDHOC + OSCORE R | <t><xref target="fig-edhoc-opt-2"/> shows an example of an EDHOC + OSCOR | |||
equest transported over UDP. In particular, the example assumes that:</t> | E request transported over UDP. In particular, the example assumes that:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>The OSCORE Partial IV in use is 0, consistently with the first req uest protected with the new OSCORE Security Context.</li> | <li>The OSCORE Partial IV in use is 0 consistently with the first requ est protected with the new OSCORE Security Context.</li> | |||
<li> | <li> | |||
<t>The OSCORE Sender ID of the client is 0x01. </t> | <t>The OSCORE Sender ID of the client is 0x01. </t> | |||
<t> | <t> | |||
As per <xref section="3.3.3" sectionFormat="of" target="RFC9528"/>, this straigh tforwardly corresponds to the EDHOC connection identifier C_R 0x01. </t> | As per <xref section="3.3.3" sectionFormat="of" target="RFC9528"/>, this straigh tforwardly corresponds to the EDHOC connection identifier C_R 0x01. </t> | |||
<t> | <t> | |||
As per <xref section="3.3.2" sectionFormat="of" target="RFC9528"/>, when using t he sequential flow shown in <xref target="fig-non-combined"/>, the same C_R with value 0x01 would be encoded on the wire as the CBOR integer 1 (0x01 in CBOR enc oding), and prepended to EDHOC message_3 in the payload of the second EDHOC requ est.</t> | As per <xref section="3.3.2" sectionFormat="of" target="RFC9528"/>, when using t he sequential flow shown in <xref target="fig-non-combined"/>, the same C_R with a value of 0x01 would be encoded on the wire as the CBOR integer 1 (0x01 in CBO R encoding) and prepended to EDHOC message_3 in the payload of the second EDHOC request.</t> | |||
</li> | </li> | |||
<li>The EDHOC option is registered with CoAP option number 21.</li> | ||||
</ul> | </ul> | |||
<t>Note to RFC Editor: Please delete the last bullet point in the previo us list, since, at the time of publication, the CoAP option number will be in fa ct registered.</t> | ||||
<t>This results in the following components shown in <xref target="fig-e dhoc-opt-2"/>:</t> | <t>This results in the following components shown in <xref target="fig-e dhoc-opt-2"/>:</t> | |||
<ul spacing="normal"> | <dl spacing="normal"> | |||
<li>OSCORE option value: 0x090001 (3 bytes)</li> | <dt>OSCORE option value:</dt><dd>0x090001 (3 bytes)</dd> | |||
<li>EDHOC option value: - (0 bytes)</li> | <dt>EDHOC option value:</dt><dd>- (0 bytes)</dd> | |||
<li>EDHOC message_3: 0x52d5535f3147e85f1cfacd9e78abf9e0a81bbf (19 byte | <dt>EDHOC message_3:</dt><dd>0x52d5535f3147e85f1cfacd9e78abf9e0a81bbf | |||
s)</li> | (19 bytes)</dd> | |||
<li>OSCORE ciphertext: 0x612f1092f1776f1c1668b3825e (13 bytes)</li> | <dt>OSCORE ciphertext:</dt><dd>0x612f1092f1776f1c1668b3825e (13 bytes) | |||
</ul> | </dd></dl> | |||
<figure anchor="fig-edhoc-opt-2"> | <figure anchor="fig-edhoc-opt-2"> | |||
<name>Example of CoAP message transported over UDP, combining EDHOC da | <name>Example of a Protected CoAP Request Combining EDHOC and OSCORE D | |||
ta and OSCORE data as signalled with the EDHOC Option.</name> | ata</name> | |||
<artwork type="~" align="center"><![CDATA[ | <sourcecode type="coap"><![CDATA[ | |||
Protected CoAP request (OSCORE message): | 0x44025d1f ; CoAP 4-byte Header | |||
0x44025d1f ; CoAP 4-byte header | ||||
00003974 ; Token | 00003974 ; Token | |||
93 090001 ; OSCORE Option | 93 090001 ; OSCORE Option | |||
c0 ; EDHOC Option | c0 ; EDHOC Option | |||
ff 52d5535f3147e85f1cfacd9e78abf9e0a81bbf | ff 52d5535f3147e85f1cfacd9e78abf9e0a81bbf | |||
612f1092f1776f1c1668b3825e | 612f1092f1776f1c1668b3825e | |||
(46 bytes) | (46 bytes) | |||
]]></artwork> | ]]></sourcecode> | |||
</figure> | </figure> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="use-of-ids"> | <section anchor="use-of-ids"> | |||
<name>Use of EDHOC Connection Identifiers with OSCORE</name> | <name>Use of EDHOC Connection Identifiers with OSCORE</name> | |||
<t>The OSCORE Sender/Recipient IDs are the EDHOC connection identifiers (s ee <xref section="3.3.3" sectionFormat="of" target="RFC9528"/>). This applies al so to the optimized workflow defined in <xref target="edhoc-in-oscore"/> of this document.</t> | <t>The OSCORE Sender/Recipient IDs are the EDHOC connection identifiers (s ee <xref section="3.3.3" sectionFormat="of" target="RFC9528"/>). This applies al so to the optimized workflow defined in <xref target="edhoc-in-oscore"/> of this document.</t> | |||
<t>Note that, at step 3 of <xref target="server-processing"/>, the value o f 'kid' in the OSCORE Option of the EDHOC + OSCORE request is both the server's Recipient ID (i.e., the client's Sender ID) and the EDHOC Connection Identifier C_R of the server.</t> | <t>Note that the value of the 'kid' field in the OSCORE option of the EDHO C + OSCORE request is both the server's Recipient ID (i.e., the client's Sender ID) and the EDHOC connection identifier C_R of the server at <xref target="L2S3" format="none">Step 3</xref> of <xref target="server-processing"/>.</t> | |||
<section anchor="oscore-edhoc-message-processing"> | <section anchor="oscore-edhoc-message-processing"> | |||
<name>Additional Processing of EDHOC Messages</name> | <name>Additional Processing of EDHOC Messages</name> | |||
<t>When using EDHOC to establish an OSCORE Security Context, the client and server <bcp14>MUST</bcp14> perform the following additional steps during an EDHOC execution, thus extending <xref section="5" sectionFormat="of" target="RFC 9528"/>.</t> | <t>When using EDHOC to establish an OSCORE Security Context, the client and server <bcp14>MUST</bcp14> perform the following additional steps during an EDHOC execution, thus extending <xref section="5" sectionFormat="of" target="RFC 9528"/>.</t> | |||
<section anchor="initiator-processing-of-message-1"> | <section anchor="initiator-processing-of-message-1"> | |||
<name>Initiator Processing of Message 1</name> | <name>Initiator Processing of Message 1</name> | |||
<t>The Initiator selects an EDHOC Connection Identifier C_I as follows | <t>The Initiator selects an EDHOC connection identifier C_I as follows | |||
.</t> | .</t> | |||
<t>The Initiator <bcp14>MUST</bcp14> choose a C_I that is neither used | <t>The Initiator <bcp14>MUST</bcp14> choose a C_I that is neither used | |||
in any current EDHOC session as this peer's EDHOC Connection Identifier, nor th | in any current EDHOC session as this peer's EDHOC connection identifier nor the | |||
e Recipient ID in a current OSCORE Security Context where the ID Context is not | Recipient ID in a current OSCORE Security Context where the ID Context is not p | |||
present.</t> | resent.</t> | |||
<t>The chosen C_I <bcp14>SHOULD NOT</bcp14> be the Recipient ID of any | <t>The chosen C_I <bcp14>SHOULD NOT</bcp14> be the Recipient ID of any | |||
current OSCORE Security Context. Note that, unless the two peers concurrently u | current OSCORE Security Context. Note that, unless the two peers concurrently u | |||
se alternative methods to establish OSCORE Security Contexts, this allows the Re | se alternative methods to establish OSCORE Security Contexts, this allows the Re | |||
sponder to always omit the 'kid context' in the OSCORE Option of its messages se | sponder to always omit the 'kid context' in the OSCORE option of its messages se | |||
nt to the Initiator, when protecting those with an OSCORE Security Context where | nt to the Initiator when protecting those with an OSCORE Security Context where | |||
C_I is the Responder's OSCORE Sender ID (see <xref section="6.1" sectionFormat= | C_I is the Responder's OSCORE Sender ID (see <xref section="6.1" sectionFormat=" | |||
"of" target="RFC8613"/>).</t> | of" target="RFC8613"/>).</t> | |||
</section> | </section> | |||
<section anchor="responder-processing-of-message-2"> | <section anchor="responder-processing-of-message-2"> | |||
<name>Responder Processing of Message 2</name> | <name>Responder Processing of Message 2</name> | |||
<t>The Responder selects an EDHOC Connection Identifier C_R as follows | <t>The Responder selects an EDHOC connection identifier C_R as follows | |||
.</t> | .</t> | |||
<t>The Responder <bcp14>MUST</bcp14> choose a C_R that is neither used | <t>The Responder <bcp14>MUST</bcp14> choose a C_R that is none of the | |||
in any current EDHOC session as this peer's EDHOC Connection Identifier, nor is | following:</t> | |||
equal to the EDHOC Connection Identifier C_I specified in the EDHOC message_1 o | ||||
f the present EDHOC session, nor is the Recipient ID in a current OSCORE Securit | <ul><li>used in any current EDHOC session as this peer's EDHOC connecti | |||
y Context where the ID Context is not present.</t> | on identifier,</li> | |||
<t>The chosen C_R <bcp14>SHOULD NOT</bcp14> be the Recipient ID of any | <li>equal to the EDHOC connection identifier C_I specified in the EDHOC | |||
current OSCORE Security Context. Note that, for a reason analogous to the one g | message_1 of the present EDHOC session, or</li> | |||
iven above with C_I, this allows the Initiator to always omit the 'kid context' | <li>the Recipient ID in a current OSCORE Security Context where the ID | |||
in the OSCORE Option of its messages sent to the Responder, when protecting thos | Context is not present.</li></ul> | |||
e with an OSCORE Security Context where C_R is the Initiator's OSCORE Sender ID | <t>The chosen C_R <bcp14>SHOULD NOT</bcp14> be the Recipient ID of any | |||
(see <xref section="6.1" sectionFormat="of" target="RFC8613"/>).</t> | current OSCORE Security Context. Note that, for a reason analogous to the one g | |||
iven in <xref target="initiator-processing-of-message-1"/> with C_I, this allows | ||||
the Initiator to always omit the 'kid context' in the OSCORE option of its mess | ||||
ages sent to the Responder when protecting those with an OSCORE Security Context | ||||
where C_R is the Initiator's OSCORE Sender ID (see <xref section="6.1" sectionF | ||||
ormat="of" target="RFC8613"/>).</t> | ||||
</section> | </section> | |||
<section anchor="initiator-processing-of-message-2"> | <section anchor="initiator-processing-of-message-2"> | |||
<name>Initiator Processing of Message 2</name> | <name>Initiator Processing of Message 2</name> | |||
<t>If the EDHOC Connection Identifier C_I is equal to the EDHOC Connec tion Identifier C_R specified in EDHOC message_2, then the Initiator <bcp14>MUST </bcp14> abort the session and reply with an EDHOC error message with error code 1, formatted as defined in <xref section="6.2" sectionFormat="of" target="RFC95 28"/>.</t> | <t>If the EDHOC connection identifier C_I is equal to the EDHOC connec tion identifier C_R specified in EDHOC message_2, then the Initiator <bcp14>MUST </bcp14> abort the session and reply with an EDHOC error message with error code 1 formatted as defined in <xref section="6.2" sectionFormat="of" target="RFC952 8"/>.</t> | |||
</section> | </section> | |||
</section> | </section> | |||
</section> | </section> | |||
<section anchor="app-statements"> | <section anchor="app-statements"> | |||
<name>Extension and Consistency of Application Profiles</name> | <name>Extension and Consistency of Application Profiles</name> | |||
<t>It is possible to include the information below in the application prof ile referred by the client and server, according to the specified consistency ru les.</t> | <t>It is possible to include the information below in the application prof ile referred by the client and server according to the specified consistency rul es.</t> | |||
<t>If the server supports the EDHOC + OSCORE request within an EDHOC execu tion started at a certain EDHOC resource, then the application profile associate d with that resource <bcp14>SHOULD</bcp14> explicitly specify support for the ED HOC + OSCORE request.</t> | <t>If the server supports the EDHOC + OSCORE request within an EDHOC execu tion started at a certain EDHOC resource, then the application profile associate d with that resource <bcp14>SHOULD</bcp14> explicitly specify support for the ED HOC + OSCORE request.</t> | |||
<t>In case the application profile indicates that the server supports the | <t>In the case where the application profile indicates that the server sup | |||
optional EDHOC message_4 (see <xref section="5.5" sectionFormat="of" target="RFC | ports the optional EDHOC message_4 (see <xref section="5.5" sectionFormat="of" t | |||
9528"/>), it is still possible to use the optimized workflow based on the EDHOC | arget="RFC9528"/>), it is still possible to use the optimized workflow based on | |||
+ OSCORE request. However, this means the server is not going to send EDHOC mess | the EDHOC + OSCORE request. However, this means that the server is not going to | |||
age_4, since it is not applicable to the optimized workflow (see <xref target="s | send EDHOC message_4 since it is not applicable to the optimized workflow (see < | |||
erver-processing"/>).</t> | xref target="server-processing"/>).</t> | |||
<t>Also, in case the application profile indicates that the server shall s | <t>Also, in the case where the application profile indicates that the serv | |||
end EDHOC message_4, then the application profile <bcp14>MUST NOT</bcp14> specif | er shall send EDHOC message_4, the application profile <bcp14>MUST NOT</bcp14> s | |||
y support for the EDHOC + OSCORE request, and there is no point for the client t | pecify support for the EDHOC + OSCORE request. There is no point for the client | |||
o use the optimized workflow, which is bound to fail (see <xref target="server-p | to use the optimized workflow that is bound to fail (see <xref target="server-pr | |||
rocessing"/>).</t> | ocessing"/>).</t> | |||
</section> | </section> | |||
<section anchor="web-linking"> | <section anchor="web-linking"> | |||
<name>Web Linking</name> | <name>Web Linking</name> | |||
<t><xref section="10.10" sectionFormat="of" target="RFC9528"/> registers t | <t><xref section="10.10" sectionFormat="of" target="RFC9528"/> registers t | |||
he resource type "core.edhoc", which can be used as target attribute in a web li | he resource type "core.edhoc", which can be used as target attribute in a web li | |||
nk <xref target="RFC8288"/> to an EDHOC resource, e.g., using a link-format docu | nk <xref target="RFC8288"/> to an EDHOC resource, e.g., using a link-format docu | |||
ment <xref target="RFC6690"/>. This enables clients to discover the presence of | ment <xref target="RFC6690"/>. This enables clients to discover the presence of | |||
EDHOC resources at a server, possibly using the resource type as filter criterio | EDHOC resources at a server, possibly using the resource type as a filter criter | |||
n.</t> | ion.</t> | |||
<t>At the same time, the application profile associated with an EDHOC reso | <t>At the same time, the application profile associated with an EDHOC reso | |||
urce provides information describing how the EDHOC protocol can be used through | urce provides information describing how the EDHOC protocol can be used through | |||
that resource. A client may become aware of the application profile, e.g., by ob | that resource. A client may become aware of the application profile, e.g., by ob | |||
taining its information elements upon discovering the EDHOC resources at the ser | taining its information elements upon discovering the EDHOC resources at the ser | |||
ver. This allows the client to discover especially the EDHOC resources whose ass | ver. | |||
ociated application profile denotes a way of using EDHOC which is most suitable | This allows the client to discover the EDHOC resources whose associated applicat | |||
to the client, e.g., with EDHOC cipher suites or authentication methods that the | ion profile denotes a way of using EDHOC that is most suitable to the client, e. | |||
client also supports or prefers.</t> | g., with EDHOC cipher suites or authentication methods that the client also supp | |||
<t>That is, while discovering an EDHOC resource, a client can contextually | orts or prefers.</t> | |||
obtain relevant pieces of information from the application profile associated w | <t>That is, while discovering an EDHOC resource, a client can contextually | |||
ith that resource. The resource discovery can occur by means of a direct interac | obtain relevant pieces of information from the application profile associated w | |||
tion with the server, or instead by means of the CoRE Resource Directory <xref t | ith that resource. The resource discovery can occur by means of a direct interac | |||
arget="RFC9176"/>, where the server may have registered the links to its resourc | tion with the server or by means of the CoRE Resource Directory <xref target="RF | |||
es.</t> | C9176"/> where the server may have registered the links to its resources.</t> | |||
<t>In order to enable the above, this section defines a number of paramete | <t>In order to enable the above, this section defines a number of paramete | |||
rs, each of which can be optionally specified as a target attribute with the sam | rs, each of which can be optionally specified as a target attribute with the sam | |||
e name in the link to the respective EDHOC resource, or as filter criteria in a | e name in the link to the respective EDHOC resource or as filter criterion in a | |||
discovery request from the client. When specifying these parameters in a link to | discovery request from the client. When specifying these parameters in a link to | |||
an EDHOC resource, the target attribute rt="core.edhoc" <bcp14>MUST</bcp14> be | an EDHOC resource, the target attribute rt="core.edhoc" <bcp14>MUST</bcp14> be | |||
included, and the same consistency rules defined in <xref target="app-statements | included and the same consistency rules defined in <xref target="app-statements" | |||
"/> for the corresponding information elements of an application profile <bcp14> | /> for the corresponding information elements of an application profile <bcp14>M | |||
MUST</bcp14> be followed.</t> | UST</bcp14> be followed.</t> | |||
<t>The following parameters are defined.</t> | <t>The following parameters are defined.</t> | |||
<ul spacing="normal"> | <dl spacing="normal"> | |||
<li>'ed-i', specifying, if present, that the server supports the EDHOC I | <dt>'ed-i':</dt><dd>If present, specifies that the server supports the E | |||
nitiator role, hence the reverse message flow of EDHOC. A value <bcp14>MUST NOT< | DHOC Initiator role, hence the reverse message flow of EDHOC. A value <bcp14>MUS | |||
/bcp14> be given to this parameter and any present value <bcp14>MUST</bcp14> be | T NOT</bcp14> be given to this parameter and any present value <bcp14>MUST</bcp1 | |||
ignored by the recipient.</li> | 4> be ignored by the recipient.</dd> | |||
<li>'ed-r', specifying, if present, that the server supports the EDHOC R | <dt>'ed-r':</dt><dd>If present, specifies that the server supports the E | |||
esponder role, hence the forward message flow of EDHOC. A value <bcp14>MUST NOT< | DHOC Responder role, hence the forward message flow of EDHOC. A value <bcp14>MUS | |||
/bcp14> be given to this parameter and any present value <bcp14>MUST</bcp14> be | T NOT</bcp14> be given to this parameter and any present value <bcp14>MUST</bcp1 | |||
ignored by the recipient.</li> | 4> be ignored by the recipient.</dd> | |||
<li>'ed-method', specifying an authentication method supported by the se | <dt>'ed-method':</dt><dd>Specifies an authentication method supported by | |||
rver. This parameter <bcp14>MUST</bcp14> specify a single value, which is taken | the server. This parameter <bcp14>MUST</bcp14> specify a single value, which is | |||
from the 'Value' column of the "EDHOC Method Type" registry defined in <xref sec | taken from the 'Value' column of the "EDHOC Method Type" registry defined in <x | |||
tion="10.3" sectionFormat="of" target="RFC9528"/>. This parameter <bcp14>MAY</bc | ref section="10.3" sectionFormat="of" target="RFC9528"/>. This parameter <bcp14> | |||
p14> occur multiple times, with each occurrence specifying an authentication met | MAY</bcp14> occur multiple times, with each occurrence specifying an authenticat | |||
hod.</li> | ion method.</dd> | |||
<li>'ed-csuite', specifying an EDHOC cipher suite supported by the serve | <dt>'ed-csuite':</dt><dd>Specifies an EDHOC cipher suite supported by th | |||
r. This parameter <bcp14>MUST</bcp14> specify a single value, which is taken fro | e server. This parameter <bcp14>MUST</bcp14> specify a single value, which is ta | |||
m the 'Value' column of the "EDHOC Cipher Suites" registry defined in <xref sect | ken from the 'Value' column of the "EDHOC Cipher Suites" registry defined in <xr | |||
ion="10.2" sectionFormat="of" target="RFC9528"/>. This parameter <bcp14>MAY</bcp | ef section="10.2" sectionFormat="of" target="RFC9528"/>. This parameter <bcp14>M | |||
14> occur multiple times, with each occurrence specifying a cipher suite.</li> | AY</bcp14> occur multiple times, with each occurrence specifying a cipher suite. | |||
<li>'ed-cred-t', specifying a type of authentication credential supporte | </dd> | |||
d by the server. This parameter <bcp14>MUST</bcp14> specify a single value, whic | <dt>'ed-cred-t':</dt><dd>Specifies a type of authentication credential s | |||
h is taken from the 'Value' column of the "EDHOC Authentication Credential Types | upported by the server. This parameter <bcp14>MUST</bcp14> specify a single valu | |||
" Registry defined in <xref target="iana-edhoc-auth-cred-types"/> of this docume | e, which is taken from the 'Value' column of the "EDHOC Authentication Credentia | |||
nt. This parameter <bcp14>MAY</bcp14> occur multiple times, with each occurrence | l Types" Registry defined in <xref target="iana-edhoc-auth-cred-types"/> of this | |||
specifying a type of authentication credential.</li> | document. This parameter <bcp14>MAY</bcp14> occur multiple times, with each occ | |||
<li> | urrence specifying a type of authentication credential.</dd> | |||
<t>'ed-idcred-t', specifying a type of identifier supported by the ser | <dt>'ed-idcred-t':</dt><dd><t>Specifies a type of identifier supported | |||
ver for identifying authentication credentials. This parameter <bcp14>MUST</bcp1 | by the server for identifying authentication credentials. This parameter <bcp14 | |||
4> specify a single value, which is taken from the 'Label' column of the "COSE H | >MUST</bcp14> specify a single value, which is taken from the 'Label' column of | |||
eader Parameters" registry <xref target="COSE.Header.Parameters"/>. This paramet | the "COSE Header Parameters" registry <xref target="COSE.Header.Parameters"/>. T | |||
er <bcp14>MAY</bcp14> occur multiple times, with each occurrence specifying a ty | his parameter <bcp14>MAY</bcp14> occur multiple times, with each occurrence spec | |||
pe of identifier for authentication credentials. </t> | ifying a type of identifier for authentication credentials.</t> | |||
<t> | <t> | |||
Note that the values in the 'Label' column of the "COSE Header Parameters" regis | Note that the values in the 'Label' column of the "COSE Header Parameters" regis | |||
try are strongly typed. On the contrary, Link Format is weakly typed and thus do | try are strongly typed. On the contrary, CoRE Link Format is weakly typed; thus, | |||
es not distinguish between, for instance, the string value "-10" and the integer | it does not distinguish between, for instance, the string value "-10" and the i | |||
value -10. Thus, if responses in Link Format are returned, string values which | nteger value -10. Therefore, if responses in CoRE Link Format are returned, stri | |||
look like an integer are not supported. Therefore, such values <bcp14>MUST NOT</ | ng values that look like an integer are not supported. Thus, such values <bcp14> | |||
bcp14> be used in the 'ed-idcred-t' parameter.</t> | MUST NOT</bcp14> be used in the 'ed-idcred-t' parameter.</t> | |||
</li> | </dd> | |||
<li>'ed-ead', specifying the support of the server for an External Autho | <dt>'ed-ead':</dt><dd>Specifies the support of the server for an Externa | |||
rization Data (EAD) item (see <xref section="3.8" sectionFormat="of" target="RFC | l Authorization Data (EAD) item (see <xref section="3.8" sectionFormat="of" targ | |||
9528"/>). This parameter <bcp14>MUST</bcp14> specify a single value, which is ta | et="RFC9528"/>). This parameter <bcp14>MUST</bcp14> specify a single value, whic | |||
ken from the 'Label' column of the "EDHOC External Authorization Data" registry | h is taken from the 'Label' column of the "EDHOC External Authorization Data" re | |||
defined in <xref section="10.5" sectionFormat="of" target="RFC9528"/>. This para | gistry defined in <xref section="10.5" sectionFormat="of" target="RFC9528"/>. Th | |||
meter <bcp14>MAY</bcp14> occur multiple times, with each occurrence specifying t | is parameter <bcp14>MAY</bcp14> occur multiple times, with each occurrence speci | |||
he ead_label of an EAD item that the server supports.</li> | fying the ead_label of an EAD item that the server supports.</dd> | |||
<li>'ed-comb-req', specifying, if present, that the server supports the | <dt>'ed-comb-req':</dt><dd>If present, specifies that the server support | |||
EDHOC + OSCORE request defined in <xref target="edhoc-in-oscore"/>. A value <bcp | s the EDHOC + OSCORE request defined in <xref target="edhoc-in-oscore"/>. A valu | |||
14>MUST NOT</bcp14> be given to this parameter and any present value <bcp14>MUST | e <bcp14>MUST NOT</bcp14> be given to this parameter and any present value <bcp1 | |||
</bcp14> be ignored by the recipient.</li> | 4>MUST</bcp14> be ignored by the recipient.</dd> | |||
</ul> | </dl> | |||
<t>(Future documents may update the definition of the parameters 'ed-i', ' | <t>Future documents may update the definition of the parameters 'ed-i', 'e | |||
ed-r', and 'ed-comb-req', by expanding their semantics and specifying what they | d-r', and 'ed-comb-req' by expanding their semantics and specifying what they ca | |||
can take as value.)</t> | n take as value.</t> | |||
<t>The example in <xref target="fig-web-link-example"/> shows how a client | <t>The example in <xref target="fig-web-link-example"/> shows how a client | |||
discovers one EDHOC resource at a server, obtaining information elements from t | discovers one EDHOC resource at a server and obtains information elements from | |||
he respective application profile. The Link Format notation from <xref section=" | the respective application profile. The CoRE Link Format notation from <xref sec | |||
5" sectionFormat="of" target="RFC6690"/> is used.</t> | tion="5" sectionFormat="of" target="RFC6690"/> is used.</t> | |||
<figure anchor="fig-web-link-example"> | <figure anchor="fig-web-link-example"> | |||
<name>The Web Link.</name> | <name>The Web Link</name> | |||
<artwork align="center"><![CDATA[ | <artwork align="center"><![CDATA[ | |||
REQ: GET /.well-known/core | REQ: GET /.well-known/core | |||
RES: 2.05 Content | RES: 2.05 Content | |||
</sensors/temp>;osc, | </sensors/temp>;osc, | |||
</sensors/light>;if=sensor, | </sensors/light>;if=sensor, | |||
</.well-known/edhoc>;rt=core.edhoc;ed-csuite=0;ed-csuite=2; | </.well-known/edhoc>;rt=core.edhoc;ed-csuite=0;ed-csuite=2; | |||
ed-method=0;ed-cred-t=1;ed-cred-t=3;ed-idcred-t=4; | ed-method=0;ed-cred-t=0;ed-cred-t=1;ed-idcred-t=4; | |||
ed-i;ed-r;ed-comb-req | ed-i;ed-r;ed-comb-req | |||
]]></artwork> | ]]></artwork> | |||
</figure> | </figure> | |||
</section> | </section> | |||
<section anchor="security-considerations"> | <section anchor="security-considerations"> | |||
<name>Security Considerations</name> | <name>Security Considerations</name> | |||
<t>The same security considerations from OSCORE <xref target="RFC8613"/> a | <t>The same security considerations from OSCORE <xref target="RFC8613"/> a | |||
nd EDHOC <xref target="RFC9528"/> hold for this document. In addition, the follo | nd EDHOC <xref target="RFC9528"/> hold for this document. In addition, the follo | |||
wing considerations also apply.</t> | wing considerations apply.</t> | |||
<t><xref target="client-processing"/> specifies that a client <bcp14>SHOUL | <t><xref target="client-processing"/> specifies that a client <bcp14>SHOUL | |||
D NOT</bcp14> have multiple outstanding EDHOC + OSCORE requests pertaining to th | D NOT</bcp14> have multiple outstanding EDHOC + OSCORE requests pertaining to th | |||
e same EDHOC session. Even if a client did not fulfill this requirement, it woul | e same EDHOC session. Even if a client did not fulfill this requirement, it woul | |||
d not have any impact in terms of security. That is, the server would still not | d not have any impact in terms of security. That is, the server would still not | |||
process different instances of the same EDHOC message_3 more than once in the sa | process different instances of the same EDHOC message_3 more than once in the sa | |||
me EDHOC session (see <xref section="5.1" sectionFormat="of" target="RFC9528"/>) | me EDHOC session (see <xref section="5.1" sectionFormat="of" target="RFC9528"/>) | |||
, and would still enforce replay protection of the OSCORE-protected request (see | and would still enforce replay protection of the OSCORE-protected request (see | |||
Sections <xref target="RFC8613" section="7.4" sectionFormat="bare"/> and <xref | Sections <xref target="RFC8613" section="7.4" sectionFormat="bare"/> and <xref t | |||
target="RFC8613" section="8.2" sectionFormat="bare"/> of <xref target="RFC8613"/ | arget="RFC8613" section="8.2" sectionFormat="bare"/> of <xref target="RFC8613"/> | |||
>).</t> | ).</t> | |||
<t>When using the optimized workflow in <xref target="fig-combined"/>, a m | <t>When using the optimized workflow in <xref target="fig-combined"/>, a m | |||
inimum of 128-bit security against online brute force attacks is achieved after | inimum of 128-bit security against online brute-force attacks is achieved after | |||
the client receives and successfully verifies the first OSCORE-protected respons | the client receives and successfully verifies the first OSCORE-protected respons | |||
e (see Sections <xref target="RFC9528" section="9.1" sectionFormat="bare"/> and | e (see Sections <xref target="RFC9528" section="9.1" sectionFormat="bare"/> and | |||
<xref target="RFC9528" section="9.4" sectionFormat="bare"/> of <xref target="RFC | <xref target="RFC9528" section="9.4" sectionFormat="bare"/> of <xref target="RFC | |||
9528"/>). As an example, if EDHOC is used with method 3 (see <xref section="3.2" | 9528"/>). As an example, if EDHOC is used with method 3 (see <xref section="3.2" | |||
sectionFormat="of" target="RFC9528"/>) and cipher suite 2 (see <xref section="3 | sectionFormat="of" target="RFC9528"/>) and cipher suite 2 (see <xref section="3 | |||
.6" sectionFormat="of" target="RFC9528"/>), then the following holds.</t> | .6" sectionFormat="of" target="RFC9528"/>), then the following holds:</t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>The Initiator is authenticated with 128-bit security against online attacks. As per <xref section="9.1" sectionFormat="of" target="RFC9528"/>, this results from the combination of the strength of the 64-bit MAC in EDHOC message_ 3 and of the 64-bit MAC in the AEAD of the first OSCORE-protected CoAP request, as rebuilt at step 7 of <xref target="server-processing"/>.</li> | <li>The Initiator is authenticated with 128-bit security against online attacks. As per <xref section="9.1" sectionFormat="of" target="RFC9528"/>, this results from the combination of the strength of the 64-bit Message Authenticatio n Code (MAC) in EDHOC message_3 and of the 64-bit MAC in the Authenticated Encry ption with Associated Data (AEAD) of the first OSCORE-protected CoAP request as rebuilt at <xref target="L2S7" format="none">Step 7</xref> of <xref target="serv er-processing"/>.</li> | |||
<li>The Responder is authenticated with 128-bit security against online attacks. As per <xref section="9.1" sectionFormat="of" target="RFC9528"/>, this results from the combination of the strength of the 64-bit MAC in EDHOC message_ 2 and of the 64-bit MAC in the AEAD of the first OSCORE-protected CoAP response. </li> | <li>The Responder is authenticated with 128-bit security against online attacks. As per <xref section="9.1" sectionFormat="of" target="RFC9528"/>, this results from the combination of the strength of the 64-bit MAC in EDHOC message_ 2 and of the 64-bit MAC in the AEAD of the first OSCORE-protected CoAP response. </li> | |||
</ul> | </ul> | |||
<t>With reference to the sequential workflow in <xref target="fig-non-comb | <t>With reference to the sequential workflow in <xref target="fig-non-comb | |||
ined"/>, the OSCORE request might have to undergo access control checks at the s | ined"/>, the OSCORE request might have to undergo access-control checks at the s | |||
erver, before being actually executed for accessing the target protected resourc | erver before being actually executed for accessing the target protected resource | |||
e. The same <bcp14>MUST</bcp14> hold when the optimized workflow in <xref target | . The same <bcp14>MUST</bcp14> hold when the optimized workflow in <xref target= | |||
="fig-combined"/> is used, i.e., when using the EDHOC + OSCORE request.</t> | "fig-combined"/> is used, i.e., when using the EDHOC + OSCORE request.</t> | |||
<t>That is, the rebuilt OSCORE-protected application request from step 7 i | <t>That is, the rebuilt OSCORE-protected application request from <xref ta | |||
n <xref target="server-processing"/> <bcp14>MUST</bcp14> undergo the same access | rget="L2S7" format="none">Step 7</xref> in <xref target="server-processing"/> <b | |||
control checks that would be performed on a traditional OSCORE-protected applic | cp14>MUST</bcp14> undergo the same access-control checks that would be performed | |||
ation request sent individually as shown in <xref target="fig-non-combined"/>.</ | on a traditional OSCORE-protected application request sent individually as show | |||
t> | n in <xref target="fig-non-combined"/>.</t> | |||
<t>To this end, validated information to perform access control checks (e. | ||||
g., an access token issued by a trusted party) has to be available at the server | <t>To this end, validated information to perform access-control checks (e.g., an | |||
before starting to process the rebuilt OSCORE-protected application request. Su | access token issued by a trusted party) has to be available at the server befor | |||
ch information may have been provided to the server separately before starting t | e starting to process the rebuilt OSCORE-protected application request. Such inf | |||
he EDHOC execution altogether, or instead as External Authorization Data during | ormation may have been provided to the server separately before starting the EDH | |||
the EDHOC execution (see <xref section="3.8" sectionFormat="of" target="RFC9528" | OC execution altogether, or instead as External Authorization Data during the ED | |||
/>).</t> | HOC execution (see <xref section="3.8" sectionFormat="of" target="RFC9528"/>).</ | |||
t> | ||||
<t>Thus, a successful completion of the EDHOC protocol and the following d erivation of the OSCORE Security Context at the server do not play a role in det ermining whether the rebuilt OSCORE-protected request is authorized to access th e target protected resource at the server.</t> | <t>Thus, a successful completion of the EDHOC protocol and the following d erivation of the OSCORE Security Context at the server do not play a role in det ermining whether the rebuilt OSCORE-protected request is authorized to access th e target protected resource at the server.</t> | |||
</section> | </section> | |||
<section anchor="iana-considerations"> | <section anchor="iana-considerations"> | |||
<name>IANA Considerations</name> | <name>IANA Considerations</name> | |||
<t>This document has the following actions for IANA.</t> | <t>This document has the following actions for IANA.</t> | |||
<t>Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.</t> | ||||
<section anchor="iana-coap-options"> | <section anchor="iana-coap-options"> | |||
<name>CoAP Option Numbers Registry</name> | <name>CoAP Option Numbers Registry</name> | |||
<t>IANA is asked to enter the following option number to the "CoAP Optio n Numbers" registry within the "CoRE Parameters" registry group.</t> | <t>IANA has registered the following option number in the "CoAP Option N umbers" registry within the "Constrained RESTful Environments (CoRE) Parameters" registry group.</t> | |||
<table align="center"> | <table align="center"> | |||
<name>Registrations in CoAP Option Numbers Registry</name> | <name>Registration in the "CoAP Option Numbers" Registry</name> | |||
<thead> | <thead> | |||
<tr> | <tr> | |||
<th align="left">Number</th> | <th align="left">Number</th> | |||
<th align="left">Name</th> | <th align="left">Name</th> | |||
<th align="left">Reference</th> | <th align="left">Reference</th> | |||
</tr> | </tr> | |||
</thead> | </thead> | |||
<tbody> | <tbody> | |||
<tr> | <tr> | |||
<td align="left">21</td> | <td align="left">21</td> | |||
<td align="left">EDHOC</td> | <td align="left">EDHOC</td> | |||
<td align="left">[RFC-XXXX]</td> | <td align="left">RFC 9668</td> | |||
</tr> | </tr> | |||
</tbody> | </tbody> | |||
</table> | </table> | |||
<t>Note to RFC Editor: Please delete this paragraph and all the followin | ||||
g text within the present <xref target="iana-coap-options"/>.</t> | ||||
<t>[</t> | ||||
<t>The CoAP option number 21 is consistent with the properties of the ED | ||||
HOC Option defined in <xref target="edhoc-option"/>, and it allows the EDHOC Opt | ||||
ion to always result in an overall size of 1 byte. This is because:</t> | ||||
<ul spacing="normal"> | ||||
<li>The EDHOC option is always empty, i.e., with zero-length value; an | ||||
d</li> | ||||
<li>Since the OSCORE Option with option number 9 is always present in | ||||
the EDHOC + OSCORE request, the EDHOC Option is encoded with a delta equal to at | ||||
most 12.</li> | ||||
</ul> | ||||
<t>Although the currently unassigned option number 13 would also work we | ||||
ll for the same reasons in the use case in question, different use cases or prot | ||||
ocols may make a better use of the option number 13. Hence the preference for th | ||||
e option number 21, and why it is <em>not</em> necessary to register additional | ||||
option numbers than 21.</t> | ||||
<t>]</t> | ||||
</section> | </section> | |||
<section anchor="iana-target-attributes"> | <section anchor="iana-target-attributes"> | |||
<name>Target Attributes Registry</name> | <name>Target Attributes Registry</name> | |||
<t>IANA is asked to register the following entries in the "Target Attrib | <t>IANA has registered the following entries in the "Target Attributes" | |||
utes" registry <xref target="CORE.Target.Attributes"/> within the "Constrained R | registry <xref target="CORE.Target.Attributes"/> within the "Constrained RESTful | |||
ESTful Environments (CoRE) Parameters" registry group, as per <xref target="I-D. | Environments (CoRE) Parameters" registry group as per <xref target="RFC9423"/>. | |||
ietf-core-target-attr"/>. | For all entries, the Change Controller is "IETF" and the reference is "[RFC 9668 | |||
For all entries, the Change Controller is IETF, and the reference is [RFC-XXXX]. | ]".</t> | |||
</t> | ||||
<table align="center"> | <table align="center"> | |||
<name>Registrations in Target Attributes Registry</name> | <name>Registrations in the "Target Attributes" Registry</name> | |||
<thead> | <thead> | |||
<tr> | <tr> | |||
<th align="left">Attribute Name:</th> | <th align="left">Attribute Name</th> | |||
<th align="left">Brief Description:</th> | <th align="left">Brief Description</th> | |||
</tr> | </tr> | |||
</thead> | </thead> | |||
<tbody> | <tbody> | |||
<tr> | <tr> | |||
<td align="left">ed-i</td> | <td align="left">ed-i</td> | |||
<td align="left">Hint: support for the EDHOC Initiator role</td> | <td align="left">Hint: support for the EDHOC Initiator role</td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td align="left">ed-r</td> | <td align="left">ed-r</td> | |||
<td align="left">Hint: support for the EDHOC Responder role</td> | <td align="left">Hint: support for the EDHOC Responder role</td> | |||
skipping to change at line 783 ¶ | skipping to change at line 804 ¶ | |||
<tr> | <tr> | |||
<td align="left">ed-idcred-t</td> | <td align="left">ed-idcred-t</td> | |||
<td align="left">A supported type of authentication credential ide ntifier for EDHOC</td> | <td align="left">A supported type of authentication credential ide ntifier for EDHOC</td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td align="left">ed-ead</td> | <td align="left">ed-ead</td> | |||
<td align="left">A supported External Authorization Data (EAD) ite m for EDHOC</td> | <td align="left">A supported External Authorization Data (EAD) ite m for EDHOC</td> | |||
</tr> | </tr> | |||
<tr> | <tr> | |||
<td align="left">ed-comb-req</td> | <td align="left">ed-comb-req</td> | |||
<td align="left">Hint: support for the EDHOC+OSCORE request</td> | <td align="left">Hint: support for the EDHOC + OSCORE request</td> | |||
</tr> | </tr> | |||
</tbody> | </tbody> | |||
</table> | </table> | |||
</section> | </section> | |||
<section anchor="iana-edhoc-auth-cred-types"> | <section anchor="iana-edhoc-auth-cred-types"> | |||
<name>EDHOC Authentication Credential Types Registry</name> | <name>EDHOC Authentication Credential Types Registry</name> | |||
<t>IANA is requested to create a new "EDHOC Authentication Credential Ty | <t>IANA has created the "EDHOC Authentication Credential Types" registry | |||
pes" registry within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry g | within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry group defined | |||
roup defined in <xref target="RFC9528"/>.</t> | in <xref target="RFC9528"/>.</t> | |||
<t>As registration policy, the registry uses either "Standards Action wi | <t>The registration policy is either "Private Use", "Standards Action wi | |||
th Expert Review", or "Specification Required" per <xref section="4.6" sectionFo | th Expert Review", or "Specification Required" per <xref target="RFC8126"/>. "Ex | |||
rmat="of" target="RFC8126"/>. Expert Review guidelines are provided in <xref tar | pert Review" guidelines are provided in <xref target="review"/>.</t> | |||
get="review"/>.</t> | <t>All assignments according to "Standards Action with Expert Review" | |||
<t>All assignments according to "Standards Action with Expert Review" ar | are made on a "Standards Action" basis per <xref section="4.9" | |||
e made on a "Standards Action" basis per <xref section="4.9" sectionFormat="of" | sectionFormat="of" target="RFC8126"/> with "Expert Review" | |||
target="RFC8126"/>, with Expert Review additionally required per <xref section=" | additionally required per <xref section="4.5" sectionFormat="of" | |||
4.5" sectionFormat="of" target="RFC8126"/>. The procedure for early IANA allocat | target="RFC8126"/>. The procedure for early IANA allocation of | |||
ion of Standards Track code points defined in <xref target="RFC7120"/> also appl | "standards track code points" defined in <xref target="RFC7120"/> also | |||
ies. When such a procedure is used, review and approval by the designated expert | applies. When such a procedure is used, IANA will ask the designated | |||
are also required, in order for the WG chairs to determine that the conditions | expert(s) to approve the early allocation before registration. In | |||
for early allocation are met (see step 2 in <xref section="3.1" sectionFormat="o | addition, working group chairs are encouraged to consult the expert(s) | |||
f" target="RFC7120"/>).</t> | early during the process outlined in <xref section="3.1" | |||
sectionFormat="of" target="RFC7120"/>.</t> | ||||
<t>The columns of this registry are:</t> | <t>The columns of this registry are:</t> | |||
<ul spacing="normal"> | <dl spacing="normal"> | |||
<li> | <dt>Value:</dt><dd><t>This field contains the value used to identify t | |||
<t>Value: This field contains the value used to identify the type of | he type of authentication credential. These values <bcp14>MUST</bcp14> be unique | |||
authentication credential. These values <bcp14>MUST</bcp14> be unique. The valu | . The value can be an unsigned integer or a negative integer. Different ranges o | |||
e can be an unsigned integer or a negative integer, in the range from -65536 to | f values use different registration policies:</t> | |||
65535. Different ranges of values use different registration policies <xref targ | ||||
et="RFC8126"/>: </t> | ||||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>Integer values from -24 to 23 are designated as "Standards Act ion With Expert Review".</li> | <li>Integer values from -24 to 23 are designated as "Standards Act ion With Expert Review".</li> | |||
<li>Integer values from -65536 to -25 and from 24 to 65535 are des ignated as "Specification Required".</li> | <li>Integer values from -65536 to -25 and from 24 to 65535 are des ignated as "Specification Required".</li> | |||
<li>Integer values smaller than -65536 and greater than 65535 are marked as "Private Use".</li> | <li>Integer values smaller than -65536 and greater than 65535 are marked as "Private Use".</li> | |||
</ul> | </ul> | |||
</li> | </dd> | |||
<li>Description: This field contains a short description of the type o | <dt>Description:</dt><dd>This field contains a short description of th | |||
f authentication credential.</li> | e type of authentication credential.</dd> | |||
<li>Reference: This field contains a pointer to the public specificati | <dt>Reference:</dt><dd>This field contains a pointer to the public spe | |||
on for the type of authentication credential.</li> | cification for the type of authentication credential.</dd> | |||
</ul> | </dl> | |||
<t>Initial entries in this registry are as listed in <xref target="pre-r | ||||
eg"/>.</t> | ||||
<table align="center" anchor="pre-reg"> | <table align="center" anchor="pre-reg"> | |||
<name>Initial Entries in the "EDHOC Authentication Credential Types" R egistry</name> | <name>Initial Entries in the "EDHOC Authentication Credential Types" R egistry</name> | |||
<thead> | <thead> | |||
<tr> | <tr> | |||
<th align="left">Value</th> | <th align="left">Value</th> | |||
<th align="left">Description</th> | <th align="left">Description</th> | |||
<th align="left">Reference</th> | <th align="left">Reference</th> | |||
</tr> | </tr> | |||
</thead> | </thead> | |||
<tbody> | <tbody> | |||
skipping to change at line 839 ¶ | skipping to change at line 869 ¶ | |||
<tr> | <tr> | |||
<td align="left">2</td> | <td align="left">2</td> | |||
<td align="left">X.509 certificate</td> | <td align="left">X.509 certificate</td> | |||
<td align="left"> | <td align="left"> | |||
<xref target="RFC5280"/></td> | <xref target="RFC5280"/></td> | |||
</tr> | </tr> | |||
</tbody> | </tbody> | |||
</table> | </table> | |||
</section> | </section> | |||
<section anchor="review"> | <section anchor="review"> | |||
<name>Expert Review Instructions</name> | <name>Expert Review Instructions</name> | |||
<t>The IANA registry established in this document is defined as "Standar | <t>"Standards Action with Expert Review" and "Specification Required" ar | |||
ds Action with Expert Review" or "Specification Required", depending on the rang | e two of the registration policies defined for the IANA registry established in | |||
e of values for which an assignment is requested. This section gives some genera | <xref target="iana-edhoc-auth-cred-types"/>. | |||
l guidelines for what the experts should be looking for; but they are being desi | This section gives some general guidelines for what the experts should be lookin | |||
gnated as experts for a reason, so they should be given substantial latitude.</t | g for; however, they are being designated as experts for a reason, so they shoul | |||
> | d be given substantial latitude.</t> | |||
<t>Expert reviewers should take into consideration the following points: </t> | <t>Expert reviewers should take into consideration the following points: </t> | |||
<ul spacing="normal"> | <ul spacing="normal"> | |||
<li>Clarity and correctness of registrations. Experts are expected to check the clarity of purpose and use of the requested entries. Experts need to m ake sure that registered identifiers indicate a type of authentication credentia l whose format and encoding is clearly defined in the corresponding specificatio n. Identifiers of types of authentication credentials that do not meet these obj ective of clarity and completeness must not be registered.</li> | <li>Clarity and correctness of registrations. Experts are expected to check the clarity of purpose and use of the requested entries. Experts need to m ake sure that registered identifiers indicate a type of authentication credentia l whose format and encoding is clearly defined in the corresponding specificatio n. Identifiers of types of authentication credentials that do not meet these obj ectives of clarity and completeness must not be registered.</li> | |||
<li>Point squatting should be discouraged. Reviewers are encouraged to get sufficient information for registration requests to ensure that the usage i s not going to duplicate one that is already registered and that the point is li kely to be used in deployments. The zones tagged as "Private Use" are intended f or testing purposes and closed environments. Code points in other ranges should not be assigned for testing.</li> | <li>Point squatting should be discouraged. Reviewers are encouraged to get sufficient information for registration requests to ensure that the usage i s not going to duplicate one that is already registered and that the point is li kely to be used in deployments. The zones tagged as "Private Use" are intended f or testing purposes and closed environments. Code points in other ranges should not be assigned for testing.</li> | |||
<li>Specifications are required for the "Standards Action With Expert Review" range of point assignment. Specifications should exist for "Specificatio n Required" ranges, but early assignment before a specification is available is considered to be permissible. When specifications are not provided, the descript ion provided needs to have sufficient information to identify what the point is being used for.</li> | <li>Specifications are required for the "Standards Action With Expert Review" range of point assignment. Specifications should exist for "Specificatio n Required" ranges, but early assignment before a specification is available is considered to be permissible. When specifications are not provided, the descript ion provided needs to have sufficient information to identify what the point is being used for.</li> | |||
<li>Experts should take into account the expected usage of fields when | <li>Experts should take into account the expected usage of fields | |||
approving point assignment. The fact that there is a range for Standards Track | when approving point assignment. Documents published via Standards | |||
documents does not mean that a Standards Track document cannot have points assig | Action can also register points outside the Standards Action | |||
ned outside of that range. The length of the encoded value should be weighed aga | range. The length of the encoded value should be weighed against how | |||
inst how many code points of that length are left, the size of device it will be | many code points of that length are left, the size of device it will | |||
used on, and the number of code points left that encode to that size.</li> | be used on, and the number of code points left that encode to that | |||
size.</li> | ||||
</ul> | </ul> | |||
</section> | </section> | |||
</section> | </section> | |||
</middle> | </middle> | |||
<back> | <back> | |||
<references> | <references> | |||
<name>References</name> | <name>References</name> | |||
<references> | <references> | |||
<name>Normative References</name> | <name>Normative References</name> | |||
<reference anchor="RFC5280"> | ||||
<front> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.52 | |||
<title>Internet X.509 Public Key Infrastructure Certificate and Cert | 80.xml"/> | |||
ificate Revocation List (CRL) Profile</title> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.66 | |||
<author fullname="D. Cooper" initials="D." surname="Cooper"/> | 90.xml"/> | |||
<author fullname="S. Santesson" initials="S." surname="Santesson"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.71 | |||
<author fullname="S. Farrell" initials="S." surname="Farrell"/> | 20.xml"/> | |||
<author fullname="S. Boeyen" initials="S." surname="Boeyen"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.72 | |||
<author fullname="R. Housley" initials="R." surname="Housley"/> | 52.xml"/> | |||
<author fullname="W. Polk" initials="W." surname="Polk"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.79 | |||
<date month="May" year="2008"/> | 59.xml"/> | |||
<abstract> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.81 | |||
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certif | 26.xml"/> | |||
icate revocation list (CRL) for use in the Internet. An overview of this approac | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.82 | |||
h and model is provided as an introduction. The X.509 v3 certificate format is d | 88.xml"/> | |||
escribed in detail, with additional information regarding the format and semanti | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.83 | |||
cs of Internet name forms. Standard certificate extensions are described and two | 92.xml"/> | |||
Internet-specific extensions are defined. A set of required certificate extensi | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.86 | |||
ons is specified. The X.509 v2 CRL format is described in detail along with stan | 13.xml"/> | |||
dard and Internet-specific extensions. An algorithm for X.509 certification path | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.89 | |||
validation is described. An ASN.1 module and examples are provided in the appen | 49.xml"/> | |||
dices. [STANDARDS-TRACK]</t> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.91 | |||
</abstract> | 76.xml"/> | |||
</front> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.95 | |||
<seriesInfo name="RFC" value="5280"/> | 28.xml"/> | |||
<seriesInfo name="DOI" value="10.17487/RFC5280"/> | ||||
</reference> | <reference anchor="COSE.Header.Parameters" target="https://www.iana.org/ | |||
<reference anchor="RFC6690"> | assignments/cose"> | |||
<front> | ||||
<title>Constrained RESTful Environments (CoRE) Link Format</title> | ||||
<author fullname="Z. Shelby" initials="Z." surname="Shelby"/> | ||||
<date month="August" year="2012"/> | ||||
<abstract> | ||||
<t>This specification defines Web Linking using a link format for | ||||
use by constrained web servers to describe hosted resources, their attributes, a | ||||
nd other relationships between links. Based on the HTTP Link Header field define | ||||
d in RFC 5988, the Constrained RESTful Environments (CoRE) Link Format is carrie | ||||
d as a payload and is assigned an Internet media type. "RESTful" refers to the R | ||||
epresentational State Transfer (REST) architecture. A well-known URI is defined | ||||
as a default entry point for requesting the links hosted by a server. [STANDARDS | ||||
-TRACK]</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="6690"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC6690"/> | ||||
</reference> | ||||
<reference anchor="RFC7120"> | ||||
<front> | ||||
<title>Early IANA Allocation of Standards Track Code Points</title> | ||||
<author fullname="M. Cotton" initials="M." surname="Cotton"/> | ||||
<date month="January" year="2014"/> | ||||
<abstract> | ||||
<t>This memo describes the process for early allocation of code po | ||||
ints by IANA from registries for which "Specification Required", "RFC Required", | ||||
"IETF Review", or "Standards Action" policies apply. This process can be used t | ||||
o alleviate the problem where code point allocation is needed to facilitate desi | ||||
red or required implementation and deployment experience prior to publication of | ||||
an RFC, which would normally trigger code point allocation. The procedures in t | ||||
his document are intended to apply only to IETF Stream documents.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="100"/> | ||||
<seriesInfo name="RFC" value="7120"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7120"/> | ||||
</reference> | ||||
<reference anchor="RFC7252"> | ||||
<front> | ||||
<title>The Constrained Application Protocol (CoAP)</title> | ||||
<author fullname="Z. Shelby" initials="Z." surname="Shelby"/> | ||||
<author fullname="K. Hartke" initials="K." surname="Hartke"/> | ||||
<author fullname="C. Bormann" initials="C." surname="Bormann"/> | ||||
<date month="June" year="2014"/> | ||||
<abstract> | ||||
<t>The Constrained Application Protocol (CoAP) is a specialized we | ||||
b transfer protocol for use with constrained nodes and constrained (e.g., low-po | ||||
wer, lossy) networks. The nodes often have 8-bit microcontrollers with small amo | ||||
unts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wire | ||||
less Personal Area Networks (6LoWPANs) often have high packet error rates and a | ||||
typical throughput of 10s of kbit/s. The protocol is designed for machine- to-ma | ||||
chine (M2M) applications such as smart energy and building automation.</t> | ||||
<t>CoAP provides a request/response interaction model between appl | ||||
ication endpoints, supports built-in discovery of services and resources, and in | ||||
cludes key concepts of the Web such as URIs and Internet media types. CoAP is de | ||||
signed to easily interface with HTTP for integration with the Web while meeting | ||||
specialized requirements such as multicast support, very low overhead, and simpl | ||||
icity for constrained environments.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7252"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7252"/> | ||||
</reference> | ||||
<reference anchor="RFC7959"> | ||||
<front> | ||||
<title>Block-Wise Transfers in the Constrained Application Protocol | ||||
(CoAP)</title> | ||||
<author fullname="C. Bormann" initials="C." surname="Bormann"/> | ||||
<author fullname="Z. Shelby" initials="Z." role="editor" surname="Sh | ||||
elby"/> | ||||
<date month="August" year="2016"/> | ||||
<abstract> | ||||
<t>The Constrained Application Protocol (CoAP) is a RESTful transf | ||||
er protocol for constrained nodes and networks. Basic CoAP messages work well fo | ||||
r small payloads from sensors and actuators; however, applications will need to | ||||
transfer larger payloads occasionally -- for instance, for firmware updates. In | ||||
contrast to HTTP, where TCP does the grunt work of segmenting and resequencing, | ||||
CoAP is based on datagram transports such as UDP or Datagram Transport Layer Sec | ||||
urity (DTLS). These transports only offer fragmentation, which is even more prob | ||||
lematic in constrained nodes and networks, limiting the maximum size of resource | ||||
representations that can practically be transferred.</t> | ||||
<t>Instead of relying on IP fragmentation, this specification exte | ||||
nds basic CoAP with a pair of "Block" options for transferring multiple blocks o | ||||
f information from a resource representation in multiple request-response pairs. | ||||
In many important cases, the Block options enable a server to be truly stateles | ||||
s: the server can handle each block transfer separately, with no need for a conn | ||||
ection setup or other server-side memory of previous block transfers. Essentiall | ||||
y, the Block options provide a minimal way to transfer larger representations in | ||||
a block-wise fashion.</t> | ||||
<t>A CoAP implementation that does not support these options gener | ||||
ally is limited in the size of the representations that can be exchanged, so the | ||||
re is an expectation that the Block options will be widely used in CoAP implemen | ||||
tations. Therefore, this specification updates RFC 7252.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="7959"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC7959"/> | ||||
</reference> | ||||
<reference anchor="RFC8126"> | ||||
<front> | ||||
<title>Guidelines for Writing an IANA Considerations Section in RFCs | ||||
</title> | ||||
<author fullname="M. Cotton" initials="M." surname="Cotton"/> | ||||
<author fullname="B. Leiba" initials="B." surname="Leiba"/> | ||||
<author fullname="T. Narten" initials="T." surname="Narten"/> | ||||
<date month="June" year="2017"/> | ||||
<abstract> | ||||
<t>Many protocols make use of points of extensibility that use con | ||||
stants to identify various protocol parameters. To ensure that the values in the | ||||
se fields do not have conflicting uses and to promote interoperability, their al | ||||
locations are often coordinated by a central record keeper. For IETF protocols, | ||||
that role is filled by the Internet Assigned Numbers Authority (IANA).</t> | ||||
<t>To make assignments in a given registry prudently, guidance des | ||||
cribing the conditions under which new values should be assigned, as well as whe | ||||
n and how modifications to existing values can be made, is needed. This document | ||||
defines a framework for the documentation of these guidelines by specification | ||||
authors, in order to assure that the provided guidance for the IANA Consideratio | ||||
ns is clear and addresses the various issues that are likely in the operation of | ||||
a registry.</t> | ||||
<t>This is the third edition of this document; it obsoletes RFC 52 | ||||
26.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="26"/> | ||||
<seriesInfo name="RFC" value="8126"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8126"/> | ||||
</reference> | ||||
<reference anchor="RFC8288"> | ||||
<front> | ||||
<title>Web Linking</title> | ||||
<author fullname="M. Nottingham" initials="M." surname="Nottingham"/ | ||||
> | ||||
<date month="October" year="2017"/> | ||||
<abstract> | ||||
<t>This specification defines a model for the relationships betwee | ||||
n resources on the Web ("links") and the type of those relationships ("link rela | ||||
tion types").</t> | ||||
<t>It also defines the serialisation of such links in HTTP headers | ||||
with the Link header field.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8288"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8288"/> | ||||
</reference> | ||||
<reference anchor="RFC8392"> | ||||
<front> | ||||
<title>CBOR Web Token (CWT)</title> | ||||
<author fullname="M. Jones" initials="M." surname="Jones"/> | ||||
<author fullname="E. Wahlstroem" initials="E." surname="Wahlstroem"/ | ||||
> | ||||
<author fullname="S. Erdtman" initials="S." surname="Erdtman"/> | ||||
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/ | ||||
> | ||||
<date month="May" year="2018"/> | ||||
<abstract> | ||||
<t>CBOR Web Token (CWT) is a compact means of representing claims | ||||
to be transferred between two parties. The claims in a CWT are encoded in the Co | ||||
ncise Binary Object Representation (CBOR), and CBOR Object Signing and Encryptio | ||||
n (COSE) is used for added application-layer security protection. A claim is a p | ||||
iece of information asserted about a subject and is represented as a name/value | ||||
pair consisting of a claim name and a claim value. CWT is derived from JSON Web | ||||
Token (JWT) but uses CBOR rather than JSON.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8392"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8392"/> | ||||
</reference> | ||||
<reference anchor="RFC8613"> | ||||
<front> | ||||
<title>Object Security for Constrained RESTful Environments (OSCORE) | ||||
</title> | ||||
<author fullname="G. Selander" initials="G." surname="Selander"/> | ||||
<author fullname="J. Mattsson" initials="J." surname="Mattsson"/> | ||||
<author fullname="F. Palombini" initials="F." surname="Palombini"/> | ||||
<author fullname="L. Seitz" initials="L." surname="Seitz"/> | ||||
<date month="July" year="2019"/> | ||||
<abstract> | ||||
<t>This document defines Object Security for Constrained RESTful E | ||||
nvironments (OSCORE), a method for application-layer protection of the Constrain | ||||
ed Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). | ||||
OSCORE provides end-to-end protection between endpoints communicating using CoA | ||||
P or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks s | ||||
upporting a range of proxy operations, including translation between different t | ||||
ransport protocols.</t> | ||||
<t>Although an optional functionality of CoAP, OSCORE alters CoAP | ||||
options processing and IANA registration. Therefore, this document updates RFC 7 | ||||
252.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="8613"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8613"/> | ||||
</reference> | ||||
<reference anchor="RFC8949"> | ||||
<front> | ||||
<title>Concise Binary Object Representation (CBOR)</title> | ||||
<author fullname="C. Bormann" initials="C." surname="Bormann"/> | ||||
<author fullname="P. Hoffman" initials="P." surname="Hoffman"/> | ||||
<date month="December" year="2020"/> | ||||
<abstract> | ||||
<t>The Concise Binary Object Representation (CBOR) is a data forma | ||||
t whose design goals include the possibility of extremely small code size, fairl | ||||
y small message size, and extensibility without the need for version negotiation | ||||
. These design goals make it different from earlier binary serializations such a | ||||
s ASN.1 and MessagePack.</t> | ||||
<t>This document obsoletes RFC 7049, providing editorial improveme | ||||
nts, new details, and errata fixes while keeping full compatibility with the int | ||||
erchange format of RFC 7049. It does not create a new version of the format.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="STD" value="94"/> | ||||
<seriesInfo name="RFC" value="8949"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8949"/> | ||||
</reference> | ||||
<reference anchor="RFC9176"> | ||||
<front> | ||||
<title>Constrained RESTful Environments (CoRE) Resource Directory</t | ||||
itle> | ||||
<author fullname="C. Amsüss" initials="C." role="editor" surname="Am | ||||
süss"/> | ||||
<author fullname="Z. Shelby" initials="Z." surname="Shelby"/> | ||||
<author fullname="M. Koster" initials="M." surname="Koster"/> | ||||
<author fullname="C. Bormann" initials="C." surname="Bormann"/> | ||||
<author fullname="P. van der Stok" initials="P." surname="van der St | ||||
ok"/> | ||||
<date month="April" year="2022"/> | ||||
<abstract> | ||||
<t>In many Internet of Things (IoT) applications, direct discovery | ||||
of resources is not practical due to sleeping nodes or networks where multicast | ||||
traffic is inefficient. These problems can be solved by employing an entity cal | ||||
led a Resource Directory (RD), which contains information about resources held o | ||||
n other servers, allowing lookups to be performed for those resources. The input | ||||
to an RD is composed of links, and the output is composed of links constructed | ||||
from the information stored in the RD. This document specifies the web interface | ||||
s that an RD supports for web servers to discover the RD and to register, mainta | ||||
in, look up, and remove information on resources. Furthermore, new target attrib | ||||
utes useful in conjunction with an RD are defined.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9176"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9176"/> | ||||
</reference> | ||||
<reference anchor="RFC9528"> | ||||
<front> | ||||
<title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title> | ||||
<author fullname="G. Selander" initials="G." surname="Selander"/> | ||||
<author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Ma | ||||
ttsson"/> | ||||
<author fullname="F. Palombini" initials="F." surname="Palombini"/> | ||||
<date month="March" year="2024"/> | ||||
<abstract> | ||||
<t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDH | ||||
OC), a very compact and lightweight authenticated Diffie-Hellman key exchange wi | ||||
th ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and id | ||||
entity protection. EDHOC is intended for usage in constrained scenarios, and a m | ||||
ain use case is to establish an Object Security for Constrained RESTful Environm | ||||
ents (OSCORE) security context. By reusing CBOR Object Signing and Encryption (C | ||||
OSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding, | ||||
and Constrained Application Protocol (CoAP) for transport, the additional code | ||||
size can be kept very low.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9528"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9528"/> | ||||
</reference> | ||||
<reference anchor="COSE.Header.Parameters" target="https://www.iana.org/ | ||||
assignments/cose/cose.xhtml#header-parameters"> | ||||
<front> | <front> | |||
<title>COSE Header Parameters</title> | <title>COSE Header Parameters</title> | |||
<author> | <author> | |||
<organization>IANA</organization> | <organization>IANA</organization> | |||
</author> | </author> | |||
<date/> | <date/> | |||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="CORE.Target.Attributes" target="https://www.iana.org/ | ||||
assignments/core-parameters/core-parameters.xhtml#target-attributes"> | <reference anchor="CORE.Target.Attributes" target="https://www.iana.org/ | |||
assignments/core-parameters"> | ||||
<front> | <front> | |||
<title>Target Attributes</title> | <title>Target Attributes</title> | |||
<author> | <author> | |||
<organization>IANA</organization> | <organization>IANA</organization> | |||
</author> | </author> | |||
<date/> | <date/> | |||
</front> | </front> | |||
</reference> | </reference> | |||
<reference anchor="RFC2119"> | ||||
<front> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.21 | |||
<title>Key words for use in RFCs to Indicate Requirement Levels</tit | 19.xml"/> | |||
le> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.81 | |||
<author fullname="S. Bradner" initials="S." surname="Bradner"/> | 74.xml"/> | |||
<date month="March" year="1997"/> | ||||
<abstract> | ||||
<t>In many standards track documents several words are used to sig | ||||
nify the requirements in the specification. These words are often capitalized. T | ||||
his document defines these words as they should be interpreted in IETF documents | ||||
. This document specifies an Internet Best Current Practices for the Internet Co | ||||
mmunity, and requests discussion and suggestions for improvements.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="14"/> | ||||
<seriesInfo name="RFC" value="2119"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC2119"/> | ||||
</reference> | ||||
<reference anchor="RFC8174"> | ||||
<front> | ||||
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti | ||||
tle> | ||||
<author fullname="B. Leiba" initials="B." surname="Leiba"/> | ||||
<date month="May" year="2017"/> | ||||
<abstract> | ||||
<t>RFC 2119 specifies common key words that may be used in protoco | ||||
l specifications. This document aims to reduce the ambiguity by clarifying that | ||||
only UPPERCASE usage of the key words have the defined special meanings.</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="BCP" value="14"/> | ||||
<seriesInfo name="RFC" value="8174"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC8174"/> | ||||
</reference> | ||||
</references> | </references> | |||
<references> | <references> | |||
<name>Informative References</name> | <name>Informative References</name> | |||
<reference anchor="I-D.ietf-core-target-attr"> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.94 | |||
<front> | 23.xml"/> | |||
<title>CoRE Target Attributes Registry</title> | ||||
<author fullname="Carsten Bormann" initials="C." surname="Bormann"> | ||||
<organization>Universität Bremen TZI</organization> | ||||
</author> | ||||
<date day="11" month="October" year="2023"/> | ||||
<abstract> | ||||
<t> The Constrained RESTful Environments (CoRE) specifications a | ||||
pply Web | ||||
technologies to constrained environments. One important such | ||||
technology is Web Linking (RFC 8288), which CoRE specifications use | ||||
as the basis for a number of discovery protocols, such as the Link | ||||
Format (RFC 6690) in CoAP's Resource Discovery Protocol (Section 7.2 | ||||
of RFC7252) and the Resource Directory (RD, RFC 9176). | ||||
Web Links can have target attributes, the names of which are not | ||||
generally coordinated by the Web Linking specification (Section 2.2 | ||||
of RFC 8288). This document introduces an IANA registry for | ||||
coordinating names of target attributes when used in CoRE. It | ||||
updates the RD Parameters IANA Registry created by RFC 9176 to | ||||
coordinate with this registry. | ||||
</t> | ||||
</abstract> | ||||
</front> | ||||
<seriesInfo name="Internet-Draft" value="draft-ietf-core-target-attr-0 | ||||
6"/> | ||||
</reference> | ||||
</references> | </references> | |||
</references> | </references> | |||
<section anchor="sec-document-updates" removeInRFC="true"> | ||||
<name>Document Updates</name> | ||||
<section anchor="sec-10-11"> | ||||
<name>Version -10 to -11</name> | ||||
<ul spacing="normal"> | ||||
<li>Avoid using quotation marks for CBOR Simple Values.</li> | ||||
<li>Early mentioning of the optimization properties.</li> | ||||
<li>Less entries of new IANA registry; made their references normative | ||||
.</li> | ||||
<li>Clarified meaning of "Standards Action with Expert Review" policy. | ||||
</li> | ||||
<li>Clarifications, simplified phrasing, and editorial improvements.</ | ||||
li> | ||||
<li>Updated references.</li> | ||||
</ul> | ||||
</section> | ||||
<section anchor="sec-09-10"> | ||||
<name>Version -09 to -10</name> | ||||
<ul spacing="normal"> | ||||
<li>Expanded acronyms in the document title.</li> | ||||
<li>Clarified transport of EDHOC C_R and EDHOC message_3.</li> | ||||
<li>Simplified text on the use of EDHOC Connection Identifiers as OSCO | ||||
RE Identifiers.</li> | ||||
<li>Added the CoAP OSCORE Option in the figures of the EDHOC message f | ||||
lows.</li> | ||||
<li>Added more pointers to the message processing, now defined in dedi | ||||
cated subsections.</li> | ||||
<li>Detecting and preventing a loss of performance advantage when usin | ||||
g Block-wise transfers is for application policies to specifiy.</li> | ||||
<li>Clarified use of EDHOC application profiles.</li> | ||||
<li>Clarified security considerations on the achieved security level.< | ||||
/li> | ||||
<li>Fixes and editorial improvements.</li> | ||||
</ul> | ||||
</section> | ||||
<section anchor="sec-08-09"> | ||||
<name>Version -08 to -09</name> | ||||
<ul spacing="normal"> | ||||
<li>Clarified meaning of "EDHOC data".</li> | ||||
<li>Improved description of entries for the new IANA registry.</li> | ||||
<li>Change Controller changed from "IESG" to "IETF".</li> | ||||
<li>Editorial: EDHOC Option number denoted as "21" instead of "TBD21". | ||||
</li> | ||||
<li>Fixed references to sections of draft-ietf-lake-edhoc</li> | ||||
<li>Clarifications and editorial improvements.</li> | ||||
</ul> | ||||
</section> | ||||
<section anchor="sec-07-08"> | ||||
<name>Version -07 to -08</name> | ||||
<ul spacing="normal"> | ||||
<li>Fixes and clarifications from the Shepherd's review.</li> | ||||
</ul> | ||||
</section> | ||||
<section anchor="sec-06-07"> | ||||
<name>Version -06 to -07</name> | ||||
<ul spacing="normal"> | ||||
<li>Changed document title.</li> | ||||
<li>The client creates the OSCORE Security Context after creating EDHO | ||||
C message_3.</li> | ||||
<li>Revised selection of EDHOC connection identifiers.</li> | ||||
<li>Use of "forward message flow" and "reverse message flow".</li> | ||||
<li>The payload of the combined request is not a CBOR sequence anymore | ||||
.</li> | ||||
<li>EDHOC error messages from the server are not protected with OSCORE | ||||
.</li> | ||||
<li>More future-proof error handling on the server side.</li> | ||||
<li>Target attribute names prefixed by "ed-".</li> | ||||
<li>Defined new target attributes "ed-i" and "ed-r".</li> | ||||
<li>Defined single target attribute "ed-ead" signaling supported EAD i | ||||
tems.</li> | ||||
<li>Security consideration on the minimally achieved 128-bit security. | ||||
</li> | ||||
<li>Defined and used the "EDHOC Authentication Credential Types" Regis | ||||
try.</li> | ||||
<li>High-level sentence replacing the appendix on Block-wise performan | ||||
ce.</li> | ||||
<li>Revised examples.</li> | ||||
<li>Editorial improvements.</li> | ||||
</ul> | ||||
</section> | ||||
<section anchor="sec-05-06"> | ||||
<name>Version -05 to -06</name> | ||||
<ul spacing="normal"> | ||||
<li>Extended figure on EDHOC sequential workflow.</li> | ||||
<li>Revised naming of target attributes.</li> | ||||
<li>Clarified semantics of target attributes 'eadx'.</li> | ||||
<li>Registration of target attributes.</li> | ||||
</ul> | ||||
</section> | ||||
<section anchor="sec-04-05"> | ||||
<name>Version -04 to -05</name> | ||||
<ul spacing="normal"> | ||||
<li>Clarifications on Web Linking parameters.</li> | ||||
<li>Added security considerations.</li> | ||||
<li>Revised IANA considerations to focus on the CoAP option number 21. | ||||
</li> | ||||
<li>Guidelines on using Block-wise moved to an appendix.</li> | ||||
<li>Editorial improvements.</li> | ||||
</ul> | ||||
</section> | ||||
<section anchor="sec-03-04"> | ||||
<name>Version -03 to -04</name> | ||||
<ul spacing="normal"> | ||||
<li>Renamed "applicability statement" to "application profile".</li> | ||||
<li>Use the latest Content-Formats.</li> | ||||
<li>Use of <bcp14>SHOULD NOT</bcp14> for multiple simultaneous outstan | ||||
ding interactions.</li> | ||||
<li>No more special conversion from OSCORE ID to EDHOC ID.</li> | ||||
<li>Considerations on using Block-wise.</li> | ||||
<li>Wed Linking signaling of multiple supported EAD labels.</li> | ||||
<li>Added security considerations.</li> | ||||
<li>Editorial improvements.</li> | ||||
</ul> | ||||
</section> | ||||
<section anchor="sec-02-03"> | ||||
<name>Version -02 to -03</name> | ||||
<ul spacing="normal"> | ||||
<li>Clarifications on transporting EDHOC message_3 in the CoAP payload | ||||
.</li> | ||||
<li>At most one simultaneous outstanding interaction as an EDHOC + OSC | ||||
ORE request with the same server for the same session with connection identifier | ||||
C_R.</li> | ||||
<li>The EDHOC option is removed from the EDHOC + OSCORE request after | ||||
processing the EDHOC data.</li> | ||||
<li>Added explicit constraints when selecting a Recipient ID as C_X.</ | ||||
li> | ||||
<li>Added processing steps for when Block-wise is used.</li> | ||||
<li>Improved error handling on the server.</li> | ||||
<li>Improved section on Web Linking.</li> | ||||
<li>Updated figures; editorial improvements.</li> | ||||
</ul> | ||||
</section> | ||||
<section anchor="sec-01-02"> | ||||
<name>Version -01 to -02</name> | ||||
<ul spacing="normal"> | ||||
<li>New title, abstract and introduction.</li> | ||||
<li>Restructured table of content.</li> | ||||
<li>Alignment with latest format of EDHOC messages.</li> | ||||
<li>Guideline on ID conversions based on application profile.</li> | ||||
<li>Clarifications, extension and consistency on application profile.< | ||||
/li> | ||||
<li>Section on web-linking.</li> | ||||
<li>RFC8126 terminology in IANA considerations.</li> | ||||
<li>Revised Appendix "Checking CBOR Encoding of Numeric Values".</li> | ||||
</ul> | ||||
</section> | ||||
<section anchor="sec-00-01"> | ||||
<name>Version -00 to -01</name> | ||||
<ul spacing="normal"> | ||||
<li>Improved background overview of EDHOC.</li> | ||||
<li>Added explicit rules for converting OSCORE Sender/Recipient IDs to | ||||
EDHOC connection identifiers following the removal of bstr_identifier from EDHO | ||||
C.</li> | ||||
<li>Revised section organization.</li> | ||||
<li>Recommended number for EDHOC option changed to 21.</li> | ||||
<li>Editorial improvements.</li> | ||||
</ul> | ||||
</section> | ||||
</section> | ||||
<section numbered="false" anchor="acknowledgments"> | <section numbered="false" anchor="acknowledgments"> | |||
<name>Acknowledgments</name> | <name>Acknowledgments</name> | |||
<t>The authors sincerely thank <contact fullname="Christian Amsüss"/>, <co ntact fullname="Emmanuel Baccelli"/>, <contact fullname="Carsten Bormann"/>, <co ntact fullname="Roman Danyliw"/>, <contact fullname="Esko Dijk"/>, <contact full name="Joel Halpern"/>, <contact fullname="Wes Hardaker"/>, <contact fullname="Kl aus Hartke"/>, <contact fullname="John Preuß Mattsson"/>, <contact fullname="Dav id Navarro"/>, <contact fullname="Shuping Peng"/>, <contact fullname="Jim Schaad "/>, <contact fullname="Jürgen Schönwälder"/>, <contact fullname="John Scudder"/ >, <contact fullname="Orie Steele"/>, <contact fullname="Gunter Van de Velde"/>, <contact fullname="Mališa Vučinić"/>, and <contact fullname="Paul Wouters"/> fo r their feedback and comments.</t> | <t>The authors sincerely thank <contact fullname="Christian Amsüss"/>, <co ntact fullname="Emmanuel Baccelli"/>, <contact fullname="Carsten Bormann"/>, <co ntact fullname="Roman Danyliw"/>, <contact fullname="Esko Dijk"/>, <contact full name="Joel Halpern"/>, <contact fullname="Wes Hardaker"/>, <contact fullname="Kl aus Hartke"/>, <contact fullname="John Preuß Mattsson"/>, <contact fullname="Dav id Navarro"/>, <contact fullname="Shuping Peng"/>, <contact fullname="Jim Schaad "/>, <contact fullname="Jürgen Schönwälder"/>, <contact fullname="John Scudder"/ >, <contact fullname="Orie Steele"/>, <contact fullname="Gunter Van de Velde"/>, <contact fullname="Mališa Vučinić"/>, and <contact fullname="Paul Wouters"/> fo r their feedback and comments.</t> | |||
<t>The work on this document has been partly supported by VINNOVA and the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home (Grant agreeme nt 952652).</t> | <t>The work on this document has been partly supported by the Sweden's Inn ovation Agency VINNOVA and the Celtic-Next project CRITISEC, and by the H2020 pr oject SIFIS-Home (Grant agreement 952652).</t> | |||
</section> | </section> | |||
</back> | </back> | |||
<!-- ##markdown-source: | ||||
H4sIAAAAAAAAA+1923IbWZLYO76iTEVY4jSAJkBSEqnVxFIk1aKndVmS6u7x | ||||
9IS2gDoAalSowtSFFFvSvvrJ32A7wt8wT/vkXv+X83ZuVYULRc3M2mF2dDcJ | ||||
VJ1LZp68Z55er9e5Ogx2O50yLhN1GGy9LeJ0GpwuZmqu8jAJTuLJJFa9FypJ | ||||
5mEavL5SeXD8+uI0eHB68uL18XZwHZezoJyp4DhLizIP41RFwdFikcTjsIyz | ||||
NHiTZ2U2zpLgwXF29GY7CNMoeD36kxqXwYUaV3lc3gSTLPfePz+9uJxUSXCa | ||||
XsV5ls5VWhbBg9cXx6/PT7e3OuFolKsru1pcCS8Ep+AZ6NmtTpSN03AOO4vy | ||||
cFL2YlVOeuMsV72soP+paJaNe0lYqqLswIoPg6KMOkU1msdFAcsvbxbw8tnp | ||||
5fNOJ17kh0GZV0U53Nk52Bl2wlyF8GVaqjxVZec6y99P86xaHMI6zk+DH+Fv | ||||
XN93+FnnvbqBByL7fO8El9TpjLMInjoMKlja404nrMpZlh92gl4Q8NKf52E6 | ||||
VsU4DN6ESTYfxWncCeAny6dhGv9CYD4MTvN4XBRZSl+peRgnh8FEv9lf6Df/ | ||||
Uclz/XE2dyZ5GebjLLiMk2wc6tEPg/MzQPXRM/oAsKMUAOisCCd/gp0U07AE | ||||
khgO6dsx4PEw+F1clPw67ApGvTjtDR7u7e0EF0AD72dZMpcvq7TM4fmLaxUp | ||||
b8lzXEe/pHX8Yx73C+Us8jx+H+ZR8OLXv0yTKo3+nuvMaSn9WUYraaz0olQT | ||||
mPRFDhNlv2RXLQgDtFbpLJvAiTqC5R+7oxf0en+mX0esLcp4XEPad7/+BTAM | ||||
5ygBmlf5hlQxzeAlWC6/5BNEJ83yObx7pYACg/Pnx/vDxzvy68OHB/rXR4Oh | ||||
+XW4P9S/HuwfyK+PB8OH+tfh48f6190D/ezjh4Nd/evBnn7tYPBIv3YAM+Ov | ||||
yG36L1QIS+2/CXPYNxyf4pA2ZM5KYCjh7OjVEf0dwZmGExAmiBf4EQ5HzIuH | ||||
C+xw/ESYT5FwZmW5KA6//fb6+rofh2nYh4G/DYEdTJkTfTvOCkX/6X+YlfPk | ||||
3oyG6y3c4ZD99C9pxP5RWebxqAIe88XL5pECO9JtVwy8zq6v/rfsg4frhXaS | ||||
TpxOXII46530LQ91nj/sdGAiPFvw1MXp98+BO/8BsNj7CX7+uNXp9Hq9IBwh | ||||
hx8Dz7sEgZHE01l5rfC/BBF8HzgwsH9glYH6MJ6F6VQFCy0/biGUxvDpSAV5 | ||||
lQYZfnlb+VQV8NDoJiivs2ChAEBBmQUgIcJREhezILSSC0Yt1YeSJBjOUugv | ||||
zLLvJOv6weUsLgKQYhV+EUSqhCMMy8FPYZVBNqFpWQTqObu49mKhxvHkBgVQ | ||||
GKTVfARwgKfDKIpx3wBG3Gm2kD/mCuEdF/MC51QwtKIRwiS5CeJ0nFSRgjfo | ||||
hbmwlyBcwJTheEabGrOAgflwReoDbJgegkkdCY3fTeK8KEVEg0AN0wKIAh6V | ||||
3fJAPEOuogokGL1mNwECFdYOVLoo4Ik/VzE8higq4IhUC1ymDN7AE+4ZHoQp | ||||
FgmQvvOosw6ALG8jLBsj9JmU53EUJarTuYfiPM9gkfhip3MLIv34Ubjc588B | ||||
7Dq87YHo+hgqFXDziDCBhBGnsElLZcVYpWEeZ4DdszSAkw9DV0mYdwU3c1UU | ||||
4RQALUeHoLHIcpz91keIdoZyAXZmjhMuzBwhpsrWU3Sn88JTo2z5/LmPbKb9 | ||||
8KjlZ6dVj+zS73yiYlX8DQ4U0R4fBKF+XqY9VmtPU/CgUAoAwipunIrK+/mz | ||||
5iqwkuy6IACHQNBpPK/mzsaQ+bkHLVVjJJL8Rk4aHDScftVJW33MgID70343 | ||||
uAZKxyfOskvA0VU8VgGIFeQD6SSeVni2gZoB5qpEFdvwWt44QE9pVHuwRNSr | ||||
Is6B4lQ3gBMN4/psRIjeHC2m/ll4BQsOwAYAaoUjCLiM5wtYcgCD4gBoLaTj | ||||
GxwBlnilbjTP8zCBfAnoXbbHHGWsciBB4GphFGdBCRSSZkk2BZKCHfwICM2q | ||||
knm7u5NuEJe4mzQrg0UGUh02hDgAOonVFW9qLfoE5x6E5uF72HNsR3XBJMB5 | ||||
t7vknAijmIPqA3tNSEUAyi7mQFaa9IAoaKJBf4ijGH633YURK6FA4gX2EDH4 | ||||
ejgPvA24p7MIalFIJA/QY7UjeHn5Fpb7C8HuchMQ6CUL3OCspngUeXcRKNxV | ||||
AugC6rpGI0MTxwSWaGUYi90IUNJXhnR5ieMkRi4DhAIbK+T5sxT2FZZ4xGAZ | ||||
8mShcmSp/pPnwB4yVMiJXYDakZPmhegIoysgRFwMrEPLpjoyZXNJBiQoJMcH | ||||
xxWnxDSegW31vncdF8LmJ6jgMM8GBR54NjGfHLEJrwjXGwdGXQyuwqRCLgg7 | ||||
GuFYBg3Pqxxgmc+BzXR5iQ7znRArc1mnVUBhkXnOAKDdZUEE4lPl+KZRQWEx | ||||
KlHM8JHxpgK50BFFQDaTGI6HEOC1GvWSOEUzXPgeMmIBlebnESJBiMrqvgg6 | ||||
Ou3wOp02PR2sM6tyRAtYTcDPkUaFGQPYWhYjxA4CGGQfEjvsI50hZiPYJjBl | ||||
IAbiJkU1RuXSTMCiz5AWQvjeveASABwT37hhwkftAF0LRbD18u3F5VaX/x+8 | ||||
ek2/n5/+09uz89MT/P3ixdH335tfOvLExYvXb78/sb/ZN49fv3x5+uqEX4ZP | ||||
A++jztbLo99vsXDcev3m8uz1q6PvtxhwLu7DnPjVSJGaki9yVRLQO8CfxwBu | ||||
ptNnx2/+138f7AHW/gOQ4nAwQFLkPx4PHu3BH0jWPBudXP4TcHTTAairMCcx | ||||
kSBrWsQlWFBdRGwxy66BqQMtAfh+8weEzB8Pg38YjReDvd/KB7hh70MNM+9D | ||||
glnzk8bLDMSWj1qmMdD0Pq9B2l/v0e+9vzXcnQ+ZLHI2cgER6sOCWSkjYRLO | ||||
4yQGcDHVAjkVIq2BJBdlIWeVkELk5+hz3eD42etzUbPAbsdPROA5qhcjiY+L | ||||
o+Yi/cqnqA5fxeo6+Hgvk18/ixAvRGiIxDMOCdbBqvkc9FhgN4D+kMSiPcaw | ||||
Xme2Lv5tNV2QcwVqraAmxx+Co/4QuUFVkHCFg3oVR8SdRmGh4JQqo2XIUWW2 | ||||
IzwBdQMU70DbslothGpCctnatO7lGZjhNAemhVpgMM5vFmU2zcPFDDgvzAFH | ||||
psta0LwqK9Qhe76JcB3eMEO+EQlRsz+UMUyAXRSu+qAFHs0yvmHxYxeGhzdS | ||||
gAnmk75AM0KLjhqCJkvRCGY2Dg/BiCq+0gpSTC8nvs3xbtBFlockSioEQPJo | ||||
gmIG2CFqnKjsA0DxVxp0Unt9F8zdDAhZlrsaiKJYswAgCYmyRuVIXxOWXtaG | ||||
B7qDb8KEydlR331vwHJr07VGCKwGXrQEYFEZAUvbAaQA+bvbc1GFnJ60YpGH | ||||
WoMGwojUIslumEqvkdvBwQmsEuWKJa3Z0FkDEp7k2ZzQY1cHc+IHBtmAE6vN | ||||
HdW0OccwAl5L74paIXshAxI5CQKBDm3X0ShJtXvA+pT9VC9SVNMbZlYhbEkt | ||||
2NIFQKSaVUR4EGAF+TYLG8d6lSO7CG+SLIxw4cTTRD1nzseqR6HYVNtUF0T7 | ||||
Oi4sV6hpgSTq6wfGPGd1QHnOAr+mPCOrGvjqcz84SjCIIEo3w4213cTa8DmQ | ||||
TE7KKgy/EBtePlyypZaph/Wpz1IZCBRNMg0cUd9wJyA2CE6wMSOANHnk2rlA | ||||
tIEkBvZeL83Snli+ERLXDBll6HKDpm+pq8nDw0FD486rNLURo1XczGNIdZcJ | ||||
SAw43UCFRfCcDNRgsMOnaBXWyCs3i6cz8vPgMkhNLz1uK2q/rBDWjKq3+AaI | ||||
B2mus8L07mpBgFaV6JvaeQQLajewLMaI94rlrhl3zflAws45yALwgkASBm9e | ||||
g0olB4zYF4ITMRAFv/F16N+Awi1+U0QQgUhOn/7mbR733oSA3K1v+9cgzHrv | ||||
U1DoviWvxhafVz2VPuPmYIrlSipLEeOO2HYJ/rnMK/XPwYOdD5P9bVJ80Ka3 | ||||
qnxDQF2DCJkxwxbfjeuVaWVFwfG7M70CAZBKMdwU6fNoqWW3v+vRir+vGTxP | ||||
uE3L3nNSh1x+/u04jjiO+c14lOU90Ey0PwRsmemUtIsWB1IN8rxD4K4JMnI5 | ||||
TsP+zl7w4JhoJ9o2fFIvj/9qhbsPweGXQvBcQ1BO8K0hKEtcA8IG+J6DxZxo | ||||
zrqGvGl5YMjW7UNSL8AsSXArdNbjkiVujbw2o+J1gNoYNN21BL97d/pjFY6E | ||||
g2E+JfmbFkk4Vsyjwrqe5zI88o14CnRbpMPBD9kHTCYoAUWrW66ekVx0bB2X | ||||
eQ9qxKS3E5ZscdIM6ETWbk2jbOHXMTHQeZW6W2GkOArhK3ie9VG7sWOL3jMf | ||||
veJ50nq22ROpDGcnNU7TEOQNDeISlcQJeWpk+Bat6f77OLofwBqSSE8gE79e | ||||
aAHsfHguBFOb/aGZnbe+LcZSE2+oLrgBHdbm0e5BF9iYFHvtRHX9QjiE400S | ||||
vwJKL9JIEWGgR1QJxSIY1NoZhFN6VBamrR6lprenceBB3sLviKQaAHb7Bz49 | ||||
dTr/Uv8JwrC4mmLk2FFhNv1xlJzOg5rncXvt2w9qHshtiUwHnzZegPPz6Wu9 | ||||
3av/GE8pU1nj+9/6c3OU/zDY6e8MgwfItdeAwntb6x2HrYrHurd9dnm4hl/W | ||||
337DIoCyjVS3Li7WzX3rH+ftf1gKcxakDZj3mnNruNeUh7Vz888qyK2GGv4Y | ||||
yNX0j83mvtXPp06Lkn6Lt+82t3n7/58SlF/1Q7K7duW3/vmCt5sEcqcVfPNF | ||||
b1vtJzguP3zZAk5Ql7r7Bv7fZzR7m819q59PHR+Ft33bwd4XzK1/ufWrwUo2 | ||||
VVcZ/7psiic7DD4G/X4/eBKAWktsI/i8ydsG1w3XCfku17x9658Vp8RCTeza | ||||
DU6J/dngvKx424dhK+BWvL0BDO8KtYZK3fl4GNyruxQ5o/LplvgATY4PZQtK | ||||
VIe8/GwDO/k8+oTHhfZgRCbWqT6E6F7qb4E9QVkqvTCJp+nTrbHCkOfWZ7CI | ||||
dSySTM2mp1Mi5nYJ7JtlZ77JPsBVcp6JuJONeasNRLayyxlaTm72g5P2Rr7W | ||||
Rl6QjdHXspL87L7bJfP9e0zgu2eMbSEJ2owOY96rA6YWl9wMSs1IhnGDrAWd | ||||
JAxQQkv8ix6tHXojVV6rhhtZvFLhqMiSqlQ2bUgnybQkCME2MyHmNBJiNPlo | ||||
bsTsK6XNuJ4byYRpxkpqqTK1JBnyutUzo8R1MQ4LAbWOg0h0ZNNgCKZk4Tp1 | ||||
0ICX4x9OePbjRxPA/uy5o9BrhtkIHPi0vgobcFyZPpdg/P5GXGQ2jFq3a8jV | ||||
T34cE3at+/I6nRcqHStvcYjPRVZqXsdRSAqj1vVogwkb866Jbu1IRmRQNl7w | ||||
GsOvhZpj+tw4SADKiRCUHPbCLBapEFM6nYAcJtqRh7CwrNKyya/uO7mj8+Qr | ||||
e09WmnZ/ddvujsbdHa27OzpB7qhArLROvsQ8MeAXTSt4gIrXxvbJHQ2Uv6Ur | ||||
5I6+EDv7N184e3BHCym4g4309aiuleK+WWUpfd3zfmsracmBrYuQb5Yp/V8P | ||||
dBv/fGWXzN/RJ/PVvDJ3MzhXWpzBBkbn6tfXWp2rX19rdt6ZBJdbnWstTv3A | ||||
KquxppMrm49tdHMnhFm6hoobQNbqVogZ/tNE1ZmLU62AYXquaygkcyrOAXEt | ||||
PtZtnZFvjLAlWSX1fJH2yQOu/QJFXplo4yTTJQJk3ACYisDCNZsqytijxEjZ | ||||
mDcvWwmlWnCZi5NGuGIZWuNtmZFti1xJVqQTOmals2dnkNqnjx9Zs/S+wUxk | ||||
WlqNtUsOUZtvgPFCVTuUQcGoJiOHUgoozcZCX8cku9bapBT7cakBVM6yyKlY | ||||
KvwSsnBsAUXFADwcLdxJ2xMSk7zMddRiLH0xlZsZRoWiqvuuF4sOCyGD4rCD | ||||
p/U3JmC9Pg6OG5wpqmn5guj22jh28DZN4vfG5nTMQzzNZCKu8fmYrVRsxq5O | ||||
XVxOtX0BTV32tsf1Nxqy6yRbikOh9p5PvuLxidEpMQ5NoN1ZzDy8ofy/LAsS | ||||
rLcwVQHWmyYJe4wAr0LM1lqF8vaiGoFCzFmxKi9ZogPqZ5gegO6Ek3fH56cn | ||||
786a8fj9Wk7MNiYr16bhSU4/UKZlEhxR1bb29pwg+WPxztEJbKwx/uNauoVO | ||||
yXdyJjWbbs+eRXyxhwUn8pJfljGs2GNwWU5uklrqYunWProOHi4TAHCCrLoJ | ||||
sHI8TBKugmb0SCahpO9754MdZsxHEJQrVyvlTV5C92qZUEuib3DaXowluMBv | ||||
dcq+zteKIy4aoNcabLjxmvia8DWutPH2qv2Css0lTkG7E37NdSIbD60lc3PS | ||||
0PdJMLcJQS35YCSTyUtjMOE7alq1nG5TYnrVCrLBmWQWwcsLPE3opNHVFpFl | ||||
YD6ytWDS+bCXWG0Z7LFjzFSN1KFwnMdYt5B0g4twonplhjYuug+7OpOnNLmb | ||||
QJyq9zvlueMDKtrJxuMqR3fRHGveMqqUg7fpO+Aqar4oMXcXK8VuJO9TUt67 | ||||
AuBxvCBKoVcA/OhFi4FCHzyvSkzr1WnNBXGuaoHNGbTbk2oZbAZUJgxrhJXa | ||||
i5C1LSw50W6wwqkhZi4WzeMSccTldP3tGpCMPCZ/q6kF8xLXY1LujpOwKIK3 | ||||
XD7dKMYBXH8KXmV90HCP4d+38O8r+Pcc/48uO/i/JPV9Cr5X6RSo6xOYFpyE | ||||
+wneHQ7wmQ+kIdt/mXbg/whm/nCH9egHIOPUNurGWhN2aUZrw3X6g2UeP7WE | ||||
8fbp27QA4ugGr56+yogKgAi6wfnTc5BJIaZBK1Cb6+pyh5mLKkjmay4nM88V | ||||
MFZ7wEyJgRww0qzglGF2WeFoOZrG5xWQGRLWB+pioVh9EobCeoqnEi7lOF3t | ||||
sfXz6O2KxNtuhja58QaQNjE+1bEnqon01N9mFf/bkze61At3iWRI7KRWjaE1 | ||||
YG2nxAvgGZwyWRntOVXXyY3ZsVR6LEwoREQIPA2rb7GSmFpqP21uvTaH1S6+ | ||||
PoCvdoHX7AcPg0fB4+DgNp91vund8Z/Opx9U/im4RNK//N33xoI8zkDs1CzK | ||||
l4IQ0E9d2/ErrCG4zN6D1vIgJjbXpZWMbkpVbKPB/FVmeD0iSpZz+qmmI3+t | ||||
WTxZBLB7TZbdazFOZH9fbVODwPvnk3YUfKXxlzsFzAk2XgF7etee3W4jDGuO | ||||
qyAlErXUKnC1ZFVhtis8DqD4HLMC9cYqaR/vLVO7GooQl/QaXcKoeWldNyMl | ||||
6547S7sqqK3jljV89hKJ0VwJcw7NLlOVjS0Jsw/6GAJGf0PTbEpBI6MP3728 | ||||
+A5rDBtp9fv9vVpxFAw57AenXo0OcMmVsWzq1ULmO0gsLFhkbSKPp1iB4In8 | ||||
5hIe1wxSNgL9vPIGD9cBUzTAK0NdjZpK43Cg4KpRKEG/4RFrtXwAdtQXjHFT | ||||
qkXNRD+3u1hiDcPyd/vBsyoGe/z49ctn794c/f7710cnOufdli24tV+MIOcQ | ||||
mNe0l4RMoUN/yKfeyz9/qr3blbwL+IKLXwviqthcjhp5eCuBqQ9d81sGle1j | ||||
84X8hssz2gtYBXj4JXmACHhAnEdtJFcvKquP5Xr9sBiXip/YiCzVPDg+e/Pi | ||||
9Pzy9KdLD8khP+fs0asQ2Gxb7tjaH1FHSbGEKD2PQt2NqA9AG5yGMNOePcir | ||||
3Ble6cSt5tDk4PpAKJpNxSzCZD36GgEVU2icBthtO5nIGsxguiSqWdtclcgg | ||||
okzxUdStgzYoCSIKcphu7NqnJsTd3dyd5rkhOT/Ba6LBDjUx/1sLRXLX06lh | ||||
O7PK+gr31j46M+zeEXqezuDp3r6Vyux8nfMMJcmaGPVcRXEYYFNQixB85YYd | ||||
ZAAXwRxCKqPMEvMCWv8p9m1Edf5hn2C8yvOhK8vIipD+QDbRQpftOei1TSa4 | ||||
h9Ec6RhViyLGX8NUZRWwharEvkZsn6LM55yjou7D2us/Ek7DNvw2tydB6j3k | ||||
ihrhNF4vlvounjjOKUdjWUgNj4cVcf5ajYU2upy6O50HR1TaqsS8485phA7y | ||||
MHPXFD5w6NNA670iwnbaQmDGim2VhnzzynsABqvSXCUxeTakB1UhKVrwirGH | ||||
xtQnopBSMLCKkxubpmZ32dLBSxxP5SzPqunM4K3rI64dwAUdcmwjUxWFtTxZ | ||||
0+jp0muuQjM5hoZ2uddVeqM7XCFKqB8IhYx4kP4262kX1QLVUdyu00HIKGXU | ||||
CQg/Ap3sbOI94rQWQtWAx1GRR7zoYJnk4ZQaxtjkOLcSy2PTYkELE2dnC7Ig | ||||
zMrTypNWpZ30vuU1fyBZ+7uOfDUa1VmqG/NgtKXr8jZHvYWxmJ2x66stHBSb | ||||
8m5y6gSK/K5A3bm0UdIxr5U77xrr3MbGyHNBL1AbJo4tCWB1Oqhym2zZV2nR | ||||
OomQI2WcVLa7dCPMLY/ItdYqT1uYvPFehgHqfLzFW+/dbRNBBDbQzN/xwpR6 | ||||
yhnI1VdvXzqtpIATpMEOdR/zExCL95Qh6wGVgcHFiejaXLlVn1m3ed1lJt1u | ||||
qEWOy1Y88dmc6u74ZV15bw1+nxn8YncvUu9c/QbZrgKovDz66d3bV8/Pj757 | ||||
efrq8vTk3cXZfz5tyhI+W0PvbG03AVOU2aIepXWjHPRQOIJfxZxs6WVGimva | ||||
yHZEl1ecVop6owJHGM+k09gXBe5q1o/Mw9TL5FLXy20sDRvLztYX/N6intuk | ||||
gq+gVO8cZbrLX10mSQgeZVYkQYK1neiWajB3bEn3hW3ovNakiwxDWqrQSapu | ||||
gigXiaMo0C0oIx2CixSVcsPH5IUql4IB4IXbIxR0OSk6NIo2ywszSMbRtkWO | ||||
VcQJtuf4E3qU2aZYvakuhidj0FFA58aBJphYPAqRby6PPDuJzCi+WcnwfDrL | ||||
PNS39OnUA2e38uk00yNI5JLNLroUfkFNRISsrPPajqzjLywgluqjXXfBxE10 | ||||
x5UW5i8uopkCONfq9JtxSrenhXwn3nA+nUuiejrqxvnhRjUxhuNydYIiQg5L | ||||
Fn7NEXhKJTAkWN/zRmwWjVvTdmmvv7MTPHgWRhpz24HKc2rwJS1B2PfFoZEG | ||||
8zMtpvS2PVmyJgtBQ4iYq3SA9DwSJG3WgGubnUuXIC1pNI4HwtOSBKIX6KNu | ||||
dWza0UZW283bXdfXF27U+ITdGueqzE2TV53B45tLpuObuMiWtAexypg4I0S6 | ||||
t/U60Hy6aZvZZAWi6HrxYzEjxqScKGuD7uygDgVKUIqMFYTRJIR1cOeqqOJu | ||||
t6aJDtIdb4FiBCg1ut4xboyeuVuxVOkE8ozS2OrmrctbbBIY6VFts78SDUzj | ||||
6GDERT4AWz0NG8BdJApZxOjV26AbhfVY6e5XVESiIu+423SXeoI9IRj2RBEI | ||||
Hoa3YNJ8QDYrFIQk0sPCm8y0VDReCH95hYmqguE3VSm2JgR2k6sJs32rtLcA | ||||
qmB30KnTkX+ln70FWDo/rI7ueqeUbkPNyapyUbnGzR77czTva/dvfg0OCPI4 | ||||
wyZgwgJrrtVNueAj5CojcrKvVRS7PrNqcMANvKLt4GgevYdab8/VPLtytdNM | ||||
5wc87gcnioMkyC8oiftmI5eu74191BLNeVwzTro+X11GWqYhm7OTfT7kP2ob | ||||
M+I1O9YiatmoVehky/QmGEvmA69c52Q+CAtp/h1VFHjI1ZS8VvSUxayYUm7i | ||||
g1GB3JQZ6go4DXOxK7CHUWpNZ7MGrUxVaYKqF6/APocWVDa3DTNNq3vY+AHi | ||||
KIntlQFrXOuPTa2iPeZ98iCxsbqn66uczRL2H+um//43QI6U0WCbSjluuKgp | ||||
klwtpyWL2TQQq1m0TanALZWAZMQ6qovGZX6n/f6+300ztm5lgIf0ehcItSd8 | ||||
6zQlC7d2sKFQLTwQhKMsLwuXu28iAJ2emVFhYCemJGmFnueNP0JjNhh0RdEt | ||||
W/JlbJptLazKWdwO0tB/ojZk/pbx0uGoa081gcBzCdUK6v0m/23bbERJHY9j | ||||
SxjvoIZyDyVkEGTUmx+IOHfiRf6cxoeLRaxwZmFvRUx9kp1i0y/bDsGYXMO1 | ||||
rm9Ynl1mqwrRgLvEQIB5HaeDnWYLrJW0So7itiNMATFhHW0cwCVy1JbkEd4h | ||||
sKkokYarrbRXFwOOV3WVD1yM2C/1gesAwEauPPJ7o8jISql9WFZjwC5aZxXE | ||||
xfkUxLqLqzWLjReVJV6F7ohn7JwVcRSOwQTRHfqdLaGkKOOEyp0JBoVVg3UL | ||||
QaCmEfogjRba7iNsNIrDPFybIrPEjXAP03P5qc+NXLnecEm23JLB2jJvWl26 | ||||
eijQL4H/skl0WCvteIPvABrPfkCQV4yEna4OngEqtPixNq7xEfj8pJytTCep | ||||
F5UsK4nA+T/sDMSL3+JcbJg7ktGRhxhgk0J/OpK5EQJeIG+5Ebpm4mFtYufq | ||||
lJqTa5PSCsMCcGaCIBv9uIjgmroBYjanuFnFmruO8XTxEaCUCIyRTmGlA+wW | ||||
Cy9iU3z8XCc+iG3vlUo0s4k8Hdm0NCV1XttFvnff091IqTaM1d5QJF9LZ4gh | ||||
gpZTDDKEYnAKTCTLD4M3iULrLFImFJmEGEIDxqqwcUJs+QFs4yrGaCNI1lKu | ||||
g+lq5ymFSvHeDqq7CHWrCtW2mOuYHQEw7gStIrt+3ZyWtUHTPdvyOaoBSyl0 | ||||
W8Owd6TppPnuGsLvISL4YGcHcPVgV3IhbdmS/2QPkNp4xOANR9ofRvv7u/uT | ||||
3cHeI/V4fzIYw3aiA/XocTiaHKid8PFgNJoEDwYHzjgNewdHejgYTgY7B/Cf | ||||
R48ewjiDhw8fj3YfD/dBuRzYhTZSB/+l86bdrNHST9a7zTlIOx/29naG+9Fg | ||||
UsuZfcJv7/UoyYfvLOTiR4DVzu7Bo3rvqiecW8rPHOwGAtTaM16aBz87bkvt | ||||
xWfdOBc/OpkEm0FYl2kGy8GIjzzYe6ghuUEOZm/47zcLM3hbOEKqNUxUeI1r | ||||
UAaCfOllk14cFZIZ6cmCb89NxcPZCfdmX8O0G1khTfFgbhNjRYlj0SIOpD8O | ||||
7l8HJVqydNwWRPWG8oajUefdmle8Revptjl3VyUkLS87MonxPM197D5jwec6 | ||||
f1mwwgNG5G6bIP26KJ/X3prVnSOr/PlxFB7rpe7U/vGed4mxkKwfSfnRSlB+ | ||||
e8OrK5Y1Vl4RMnF0VjbdxWVhTUMdZdQXIlHNEEWirLFZNxJQ67ZtgXx46Kz6 | ||||
AdO6fawASUcdg9I18D/zE4L9UWiv41mGeVwhPayDe6mKSfc21VzowKnyvGle | ||||
hnJXJ7Zlul+sWk0Xb7ohkHpkRrVieuxlNq51w8Eb+kNjlJLCr1suY1ZaSptx | ||||
0sVGqjlxNvG2tUzpDJzjKe4iUhVMKypMleUxMJMKQWmvrpAy5Nr1qkumKnRP | ||||
Krk6Z1a7sCRMrsMbMDzmMWsrePYpVgjvLucBWKJl7j7QldSlSweihjqZRiWl | ||||
9vk+o2VIQUjHtdUCITR09A1aZuNRsDtuPwpDRrN9bOOjcN48CnaU+lE4/xsc | ||||
BaxI/XOFFZHZBpz0bFmreBvQ0BXqbX4gM+Xf7ACe/xUOIF/lmYO2T2HnMMmm | ||||
qMtraZyqYAqnLkW335UQMECuea4sD/z658q5ZOVu58rkLJvV3uFcrRMxQ3Lo | ||||
bEKGtyPbc59sa62anES1mlgix63vtyWfrOvM/us5ZKmFIkpvM/Oxdmfwvai1 | ||||
24EpZkcKKmiJPYqTUlktusk4tuBca+omxrl980YK9Ueht7boKcUOc5tg1dBe | ||||
ur4Di6BnoD92dpBXHGM8c5Uz7bRbHRAzDVHqmVU6koqXZ5g7DPyYqIPuzW4g | ||||
cDpzaG7iFvFzrbFet6lzX5oDf+aEcdsWEIO2hmUvTg1tG2iW3mTWiKH42t62 | ||||
vui2KNF54NJEJatqMSi8WPyylgMvsmsl6fKUo891wGb5wqmnmVAGdUOsrV7f | ||||
jWvv4m1GaFqWJ3tuMVWQ9RyBsdT1wue3hDvlW7QvdyUtmTDK7YjEpBrmEvQQ | ||||
71Gt88JKjDlFJCNuP5qR034NqO4FP6pR8D1f5kq8xL3c1b2fbrDTH+z4ASvt | ||||
fSrEKS1nhuoyttCG6nNPQ9P/yGl32nI5LCsFMD/fDsvF9sPHOFPbTbG6jQnb | ||||
YSG91NMJX/qSVBrk4cODHQ54xXJhLF7npusYMnNdbCPaW0uuYC6juZ65Q69y | ||||
sr1cEKDmFyd07xeIWpVzDPao1tezuzFnat6Va9JBXI7evKbFpu54l0xzX2Mp | ||||
j/AbEgVHbgXBSI0xMB1eo28jW5rgpBECgiIb6VzCuPRXZ+4arha4VoG8Hzfz | ||||
AO7Y8d4F6/7BMCh075NsGZDrhxzItgFe1yaGdP+nycnlscwxo/4YRRWXLq/S | ||||
FV3SYcdeAsVeS3peYe1k4Fw0SmU22mbTvEjLWbrNUgsC6raFArlwm3/BknDV | ||||
DixbDktYT9sGrY+uPBVk2bwj0JURVKhuOogzEd9bC1FzaRgTrb2cGVfC7UaA | ||||
ZFh8ULeFKKaEPKeOql7V42Xuui+z35xb6/F0JzRYBtPxTbGDRw8lCOLncSGh | ||||
UzzNiQmQUx/YCnEJpGRDSH0/nZaZCoMHrQDTdbzW3Lr1mu4u16zAZx6b1AI/ | ||||
qZUDhk3G6dd2pdS/2b9nW7iT3L7YIA6kxzq3CpkfW3R5BSiWRPuck+P0YCnp | ||||
Cijn5igaaOmV33LRZn1TefnUFSIm1UY02ciW7OiKNl/T9LXumorstDXy7khf | ||||
cS36UoE/0v46k9xv3XcOEJzmdhSPuq+iXny/6wCOUt3FsO2u1gZr1abUhFuX | ||||
fDKuV/XgBvbOzlyjsIy0EasrLm3uPF0pByaztvCdNxEb1N/HWAem+4/ZYn63 | ||||
LVpvSX2LK3uj/023yLzb2ycRTBuHt0kKejxPuNk1cWqv6JGmDyOtzNH1MLnB | ||||
4c33f8Dv7wNRJ9XceOO3tIubFnAJusmWcLn8pt02BWWvefGjv7yj3wvvNqmo | ||||
qM0UIvSYo43ZzTJWm0DGgHNMQrIBzqYc/TvC8piXcUHifANoNnOvvhY0PYhY | ||||
GALB9soaDFktRW7mwx8flgyAvx9Ej/w1Hds1IcECjM9bYRyHaSihGtyVbBzf | ||||
aIt7fU24rwWm5fLRanQ46RxL4E/SSh7jl5dNWnwlVH0fjlTSQNXx64tT6T2M | ||||
OTgi2hz6//gRH+nzI337yFem+RbITZo6tQuVlk4RUhSm25Z+4Y7ppssyzwCq | ||||
N7SuiG5qYNUiLfMwv+mSga37wQEQrlX4Xj8tWkzl1I9H3Py1wrCNFJmyFxo1 | ||||
3tBcOiFdU1hYbfUGO1tGI9LpNfwdfIXQrwqSvuZadty5uzC+JrSs8hSVK3f0 | ||||
QugkybL3AbVmDVMzB76Gqzak6/U4oSJvGcQVxW5RhndGLIWY8wPQ948O7V5c | ||||
K16oVxK/V7YXfXB6dLLNbVvWNhj9a54lZnsrVrqBWNn/a4kVXCGA/V2CS9eJ | ||||
79hpBsG2TG2z0iebj3pgLtxN9Wu4gVdnOfyNVL4v6GLpGAFa6deaMS6jBjGv | ||||
12VJPT6Wdru8FiiyLY10h3Yc7QUbTKAtotMpTbqXdvD1dGqnTuNEb5HxEmiz | ||||
r6AAV83v5PnBHF9Pm/FkjoFjfraYUuwkcNkR8BTH89BMZmCvnm7/2naBTef8 | ||||
9J8Og+9OLwPvohUklw58d0Ht8/d1OjblQv3Dt5jxneXFt0Doi98+AeLq1r5I | ||||
MF/zt0/iyVP+RH/fuMvlt0/AhLUW7BOj2j7dcX4fPjFJWMaUkAeIIT4dOL/v | ||||
PnFY5dM979UYv8ufOMS0IlmrTgRu/1DtEV6dSOVGEJ1uKORDXtYphSlSOu3I | ||||
6/4jjOxmu1UifKZCduOwB3qWJZFY8p6ad5aaxJmuGIs2D9KbzzT5uKF2oG0l | ||||
wbXqzHBtZyC3GdCS/jK6V48bNLOX3ZuawFNkXtik0R7LiITtpEomMV2DZa9/ | ||||
mhNjjUvJwt24E43fdEH4MY/BMSOpwqAkdltBqJUR43dzNuA0J+eOrOjpozhP | ||||
umSvzTBW7W515pXushSym7HiyrgbE/LOavent/QV8ecqgkf9Pa5+qvfS6Hu5 | ||||
XkuCUS3XaaG71bkUbjB83BvFpSX6cIrdcLFjRIKNEkY5Orx4N2FZhpjqj57u | ||||
8YyLXfm6MscrLOn+Ig/cig6+g0W5xd2bll8VwQEAHUc8MBUDRhE6ctP8SZQz | ||||
+nT3bVIoxMXR0rndt385kc8z5YfNdx7WCcDE3uxpRgZgm/NYfxhCzxoDen3r | ||||
8CCwby0uqhewlm62tXWJOj049LEoc+7/LH8/3KM1vDw6buYmcBOZ1gfxk6NT | ||||
W9W6BLeNOtNGmebSLE8DRutz+78UjMOvBUbTheFHvvKQWN/YRHva+oOsLJyo | ||||
KbTcW42YNAZ3EeTTTG4JYesRo3VY01oLhZle1yNFBvFYQjmcGNFy24jxrzcv | ||||
M3EufeQSNZSp5i7Jzfhd61WU6zrZ1O+v0ZTaQIarLja7YD1aWqzF+9FgNXKn | ||||
Hb4k2039itdSLMSEdZOGu9HypBosiq/iiFETrrmotn5TKCjxcRTy7SLeNZc6 | ||||
T7h9Gw848ohOVv6+pE7WcVFUbM/gZqoCx8XCq5ttXRoJmw6vwjihQJZvm+mb | ||||
MDHXRhQWt6btNnjrBxcV9WezWzKBNypkk5B2ZI8Ym4fYg5gb/DRWYwjMpgWF | ||||
ib6TwYsU4s0iKzwDklrdNuBGV5GggyV0xLG5jaeeGG8i8c2mc5G9Mc/TYlr6 | ||||
L3g4ijJW01ATCilWgoSGHZfyOauZbtulpShzMvVDARDjQlPTKk5SC9ejlXB2 | ||||
9OqoZiFIoZJJ0bC9ekzOu6gjyMRwgNUFWNIYgcokrTODtNKtjx//48Xp988/ | ||||
f96yMVIcwoZhOU4rbbBM42Fb1SVOg2keLmZcSODcpBO8onEK65u+h+YP+aTH | ||||
WbiQVqmUkYeAQKgW7xmgZErVNu4Xe8kJ2GqZ0HENSW6cPMm1kU0v5TTPqgXf | ||||
WcGD22sqzo1UM/dSBO5VFH8AgPV+gp8/8t0Tvi2oDUeBgFhVcboSTGhBblJS | ||||
5wKfPTZy869zgRklr1oYaH+ORAY8LCCP/fkPbIS2VvpxozZdQmpJxrm8xTvH | ||||
63vkstWC7Yls1or3rk0Fll7fnOeIrhdKQpMugQOqv2rcBXW4rLBRxqTbWoxQ | ||||
xu38ovKsl7AmRX4i6iWLw1zEOrLqpx3Taz6kDpwpaqXPqxqE+Q0ZC1MkKt2w | ||||
AO3AhE2ar76CZjCklD5gRpynpAKn8iENCywHU1FthYNdkeVk36PqEqB7xt5K | ||||
hMTPKd0mAoDJdZQxCH/Tqsl7YA1e/b2k4TALZ/cf9RUI0Vlfcta+ppP6qvrB | ||||
CxPAXlh9Ui+rTpBi9M5uJEHyHfD4d0GK+TkF9gkHMOl0FbdSyBumYPOb6lh/ | ||||
/iOxsEvm4Ec616KVgTGb75mEjFYuZmb3TyWAK49tbGWrMWEtZHR+2udH+vYR | ||||
0N983ibNhGFivNoa5etpehXnWcqOxgfI/bZXsD+nP81Z76Qfq3LSo0ovZ6fI | ||||
I56j7kz+BdqEFOPyLfPHrG0lbBudnV4+t2koFp3w1c+WbRLbNfsivnsIfPUZ | ||||
DD4JTihbj/B12FrfueoH+TV6/rzPghdxWh4uST31M0bWDZxvPrCfp7FuYHEU | ||||
6IGPnLhne9YETsYTrR6YnaqtA3vuhrXjNQYml2vrwOuj6q2zaeRFztC3HbgW | ||||
/xSRzQOjwusgzx14w/BYfdkaFOJeXk8V39Ts3eUw3lyvWM676KYqc8HcmnyC | ||||
No7XnkZguZ5sgzkfPIERH26Ts2kOQ6vWdgp0OUdxH5yArIlV7wVIqjnW6qBi | ||||
TwFobuWyXedovubhVpIc6d4GudOx9Ubb2TJGhbJMKs22LtBjHeZRERw5KZen | ||||
H1DxAWBdxep6i4yprQtPWz6X60e3aq6ePeO/ezwYPsTwnDdWMK2AeBNOi8yV | ||||
tftoKzk9wzsBTsxCntm8V2yy0app/HkYKbblG+9sYbVDXHdV7ZnWOrz+bsvQ | ||||
jsxNbrQbPmoMtF8DxOVM+r1GGEjEE6OoIz7RGSqKY2MA2rVe5tiYlsqLqDqg | ||||
aCD/0WCIATGvbbnkZnKndTuncdfkso804kZYoBLqoGekqNAeyV3xphGONLre | ||||
KRVZcBKsPvc/fkc3heaFbviL5qeTdIHNOWJr3vHGnT0TrlTp9N0b+lHvXeNC | ||||
5P3qW0A5ul4Ym85N0CA1+QduTkEaNN9Oa26lM9kgkhOfmVwbNnjXZvogSgvl | ||||
5TlgjkMaA8NgfPPwktpLHeJEb9VpFFRkmKppKN2m6NOu6ShE2gc5vXoP9/d3 | ||||
H+Ii8Zf9PnEN1lDpKQKBrAQ1UavANjkC6mgcZSPS1PftnLnpI+KW7Q33cM7h | ||||
riSyGuIApap5DH9sHsP+irHNlnrDfSJG+phnpF22TtrOh9rnKeYhaW2kC8t8 | ||||
ONGU2Lh8bqeah/l7meYNOWQUdo7YIhe5p7K1kVOInr68lEoMrzHCZkljxiRf | ||||
Nj5xAOsikCt7fTeGPpGbTMlqYeLr7bVDhMDA/jWa44D5AlrAVK7CpNNFV1za | ||||
Pd/2x/NFLFUV+ALAHbx4EzsGYbRabus7/vFy2+1jHZLwfPc7dcMZ6PfH6eR+ | ||||
ME7CeM7dhXQFD/f8oi+AZcIw1BvSslf0UTzePRj2xR2Cv/9x7RIHuEQY65jG | ||||
DS6Qqx0fX3yVJR5ffJUlDuHpn/r7OwfeVc+3wRjOBUrHzqq5MOlAqEWrdZrg | ||||
Tn1D8efNFKmfbTZoy22l1NvMldJnaDlW4lQkdU/0C+lNgWLXULrbe7TeCtKF | ||||
eSvba9M+VqhMXRhtId06MpfRWw4+oRu0MbEMXfpGD/LUUXEL6WqTKUWGqZeo | ||||
tAB2lS0eUDc/pKVSZEICH5jiR71Es/wJNQWk7KLQhJp8Hqzfd0vku0GR8Vt2 | ||||
VM7CKqoRpgwQHhMARVlRa3uBF+ME/RXyHqUz0R1TXs5GzdXAyhBJeDhoHI6k | ||||
ttfU1TtFp3U28URfoVVR1jxxD2Ot1EtXegy081jUmCunS9B0s3G/CR+qR0zE | ||||
dthU8XC1dpNuG0enGZAuRN0oQZsL2KTMEVdkropD32XC+pTXyrRe4uJJib7X | ||||
+Ah3RsbRqiVIqEwCDnOliEYQLqM/SX4XvD72cMFdJgkZdN8vvjlyS61I7L2h | ||||
qtfiz1VYUmTH0g9lo1V5OEViPzeEQuhL9TcIcTQNiwqsqDF35XML2KivvqMB | ||||
mVwc8sb7XUErtwOpqWCOKg5ocdcH3axDX9rmoNe7nEBawRWUOcuXmjkJsMAB | ||||
kuyGbBvWFH/J6MrzcDptUUBoy+YOaxLxipKFNZVySsg4yQoiTOsf6/MVumI7 | ||||
oN5OEkVURgG14MU4VZ0JCEMeHyskY1isHq1vbKQMWj7H0LGcrV+fRJamPuCt | ||||
aJNVBijvhS/3E8PCMkzd4rOmJSH+TNhTu/8jrv7LJBI8j7lm3qt084AgGVJk | ||||
wXa19WT0IGPbpnS5D4xL8c4ldOpaH9cNGmIuTMQzyThF+tRn4pZtoqlcpZbT | ||||
E5czrZRJqSzkkhay/Qw79dCBNDnhFuy8GLYfQ22TAEbqVqrNjTU57VihqfPn | ||||
lj2O5pHJWhNCtf79qkTEMPcNxdbh1SVeYoiOKrDFZXnItYqn1FBcklUw3XVO | ||||
vWCcc6FHlyERt4ma6EsXJBgTAQ1zzwLdj7HibgnWF2wDjO7oOBSPz4tk/R0z | ||||
c2BkwGWv16P7ZzByeqKB8pZSi01iZU9Dq8c5x8Vn0K+4u3uc5pMxK0A/AHtE | ||||
YuoNdsisGgxY8cEBBjvw52eknKOrLI4kT+PPlc63RduHRTop2BcxJYiSgs+p | ||||
Vqd0tnAN8LhzG43kipi8XomZ0TvfI+/X5gU8j14zT/F6wi6akhKejSsdiYcO | ||||
xhXXNpGIp0pYJCiZezM9jF1g7ihygulGQGDsNOxilocFZauTcKXAJHla53hC | ||||
OKeZxmC0RM5S+z7kQakmyO9YyO8cwJ+f5cyGxMLDMTDom7nRgM1ZIEW5tmfT | ||||
N9FpYYgtphqNKnaZW9tt8W2wNs61rgViaJr+OJ/SoEdRJJXRHOH1YoW662g8 | ||||
rfJ6sNSt03SHogxRMWhNVyX9sE3nwV5SXqNDeFeS0lCvlBRGMdB17yPpIXuF | ||||
W+AmERnrg+33TjlpS613Z8Wi6bZdhYUNTlgw3NSw5sF7yb0b7vPLUqMFfSYr | ||||
1DyXwJ/sOHgefxANYCnleiRK9wQgpVoSfQx/fl5+1GxrTnaGnPHoUd3ZoY+6 | ||||
1goa55033YiqjekTcQBtnZ1efLdFjl4MtfGMp3pnh35AWVguN29gzWk42DK5 | ||||
P7j4y2cn8JGBlHt4uUGN2IjI4/NwUvYoRpiAQOXYQJN33ALWjxjWjx1YP4I/ | ||||
P/t4G/vDm4zIi5nC8FV0vxBDqT48u89gFjv8Q/jzswVz1MZcLm1SMUc0ajcW | ||||
15OOJtwhAJ5s3m6zK86rq7gg8kxsOvaqbqjMTvmQbLVVdXNd21ZbTfuW2USt | ||||
DbROrHMzmqi9EAs1ztwcU3I8MqC+bVTstfZyMKAvd7DqXsu1BDjMS2RoE6oS | ||||
wswqPAx+m/ys7YK33+jIlu2AgI0cKMFiQsQ6ugm2VNTTTkhmhHiu6q0TCnou | ||||
FrBhHNd/R8rWGh0XtjhquCUddskEszFDqf5idF208ii9M0p956xHzazqOcPe | ||||
gsSyjiQedrt6YBrpBeh2PeKDlHpJqOXEMJ3RB4wXPS0fcI0Oc3cEgUe9kule | ||||
+Cxn5QHf5xP40DmB+/CnyHttspFoxEXo8odGCrG3DqABrWHVsdwQG7pIrO3h | ||||
4D5g9sN9GduxgpeM7O1sj3e27+xsD/783MIP0dxzOkrZ0jdH4i8RcN6+SVbU | ||||
BCC2tAIOZiThsm7tvwm+s/6urEWiz0licS8STRe3QPQug2PPAccu/PmZ10+X | ||||
kQdbuo9ZnOBOTesRlmYtWsCWYYO4tQQ5cVm7KcTjlE71EcrY211LTgO9ylj3 | ||||
ko5JfIUJ79Gtwjo7sc33z06Y6BqKSR3E9NiPAAdNCJalwNrtYj32QsWmmxLK | ||||
ZqgaMqp2HVQN4c8llGv06xbZpnVbviOKhQ0vVfLU0CW0CfDliqgVrQ5thppT | ||||
1ex85tyxs+qiw2VXHjD1G7m2ZCEs6WvXWVrtz8GSbo7o3fd+zRfnJloR97uw | ||||
AgiO3/3kjOHMw22u2U2t0tpFK1Lq6eidq2Sr/6T2j/ssyjPmxHB5sqFKN2Dq | ||||
GjrUNYA/ibpeoWBGNQssyVHBl9hRLiiquhFHI4TjcXSiIp8T+aHIbUAnn0GU | ||||
aCcW4Vx4g/iAs9qlWIXPAHG3AHB7tgvb27GtDLfNPFZeU1K30dKKQS4stJ2W | ||||
grxjjjcHnByQJdmUol8tLN8TCUdagm/R5bGIbdLlTrUHHEDxCvTbPB6Lt2Kr | ||||
jjB2huw4zpCdHfjzs0cn6IHB9JqULyegEFJmb/1tkD13m5pQ81eEMhH8qisC | ||||
DDtdcjuAk91McYY5pWXAEpCO3rk5X3iG7bqs5i2gz6dguP0SOqQGavGcFRER | ||||
mDbHS1iENsAw1j9Yw2mDozHWOycqmtJnnY+HPKyKnm5NwqRQWxJj42KCgrt9 | ||||
0u3TGHDHJo8fj2c59rsAlng0L37916L4jMk28MXpHBSaCjS6Z1h8kCSx/uI4 | ||||
zJH+gmekuKX64/MMk6ZOQKNP4mszSPE+C07iP73XH/ynDEZ8ESag+Jk3fwT8 | ||||
vQCrAwy9XH/2uySs6NPyvbLvzrDzrqp+/W/BS1CXiiIzY5yEV3EUvAqvQmBI | ||||
+sOLWbVAPL5RWI8kg8Tz4AKgHEbmk1//FRSwFD/99S/p9a//M4nsOmjOi3EV | ||||
OZ+9BtM6uCiVSszSvqsoIeAHun0bKB6G0F+9BLn7v/9HGPxQ/dt/BcX83/7L | ||||
Z52XDl++Cask+DGruEmLaYsWA2UoFdFl2BLC0VhHdFJCdVaPjmIlBxfxANSS | ||||
G7+ZzQ9nr169/uHIeEiPFegA494rtCqBqjB0FByfn12eXZweP+Gbujn75sVw | ||||
Z7hjHrk4e3520XuBwc0H3+XYrjCc5oqv7jzYHz7cH273O/8H6St0QoLbAAA= | ||||
</rfc> | </rfc> | |||
End of changes. 97 change blocks. | ||||
1434 lines changed or deleted | 637 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |