draft-ietf-ace-dtls-authorize-13.txt   draft-ietf-ace-dtls-authorize-14.txt 
ACE Working Group S. Gerdes ACE Working Group S. Gerdes
Internet-Draft O. Bergmann Internet-Draft O. Bergmann
Intended status: Standards Track C. Bormann Intended status: Standards Track C. Bormann
Expires: March 12, 2021 Universitaet Bremen TZI Expires: May 2, 2021 Universitaet Bremen TZI
G. Selander G. Selander
Ericsson AB Ericsson AB
L. Seitz L. Seitz
Combitech Combitech
September 08, 2020 October 29, 2020
Datagram Transport Layer Security (DTLS) Profile for Authentication and Datagram Transport Layer Security (DTLS) Profile for Authentication and
Authorization for Constrained Environments (ACE) Authorization for Constrained Environments (ACE)
draft-ietf-ace-dtls-authorize-13 draft-ietf-ace-dtls-authorize-14
Abstract Abstract
This specification defines a profile of the ACE framework that allows This specification defines a profile of the ACE framework that allows
constrained servers to delegate client authentication and constrained servers to delegate client authentication and
authorization. The protocol relies on DTLS version 1.2 for authorization. The protocol relies on DTLS version 1.2 for
communication security between entities in a constrained network communication security between entities in a constrained network
using either raw public keys or pre-shared keys. A resource- using either raw public keys or pre-shared keys. A resource-
constrained server can use this protocol to delegate management of constrained server can use this protocol to delegate management of
authorization information to a trusted host with less severe authorization information to a trusted host with less severe
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 12, 2021. This Internet-Draft will expire on May 2, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 16, line 51 skipping to change at page 16, line 51
or Section 3.3, respectively, the client is authorized to access or Section 3.3, respectively, the client is authorized to access
resources covered by the access token it has uploaded to the authz- resources covered by the access token it has uploaded to the authz-
info resource hosted by the resource server. info resource hosted by the resource server.
With the successful establishment of the DTLS channel, the client and With the successful establishment of the DTLS channel, the client and
the resource server have proven that they can use their respective the resource server have proven that they can use their respective
keying material. An access token that is bound to the client's keying material. An access token that is bound to the client's
keying material is associated with the channel. According to keying material is associated with the channel. According to
Section 5.8.1 of [I-D.ietf-ace-oauth-authz], there should be only one Section 5.8.1 of [I-D.ietf-ace-oauth-authz], there should be only one
access token for each client. New access tokens issued by the access token for each client. New access tokens issued by the
authorization server replace previously issued access tokens for the authorization server SHOULD replace previously issued access tokens
respective client. The resource server therefore must have a common for the respective client. The resource server therefore needs a
understanding with the authorization server how access tokens are common understanding with the authorization server how access tokens
ordered. The authorization server may, e.g., specify a "cti" claim are ordered. The authorization server may, e.g., specify a "cti"
for the access token (see Section 5.8.3 of claim for the access token (see Section 5.8.3 of
[I-D.ietf-ace-oauth-authz]) to employ a strict order. [I-D.ietf-ace-oauth-authz]) to employ a strict order.
Any request that the resource server receives on a DTLS channel that Any request that the resource server receives on a DTLS channel that
is tied to an access token via its keying material MUST be checked is tied to an access token via its keying material MUST be checked
against the authorization rules that can be determined with the against the authorization rules that can be determined with the
access token. The resource server MUST check for every request if access token. The resource server MUST check for every request if
the access token is still valid. If the token has expired, the the access token is still valid. If the token has expired, the
resource server MUST remove it. Incoming CoAP requests that are not resource server MUST remove it. Incoming CoAP requests that are not
authorized with respect to any access token that is associated with authorized with respect to any access token that is associated with
the client MUST be rejected by the resource server with 4.01 the client MUST be rejected by the resource server with 4.01
skipping to change at page 24, line 7 skipping to change at page 24, line 7
nodes. nodes.
Profile ID: TBD (suggested: 1) Profile ID: TBD (suggested: 1)
Change Controller: IESG Change Controller: IESG
Reference: [RFC-XXXX] Reference: [RFC-XXXX]
10. Acknowledgments 10. Acknowledgments
Thanks to Jim Schaad for his contributions and reviews of this Special thanks to Jim Schaad for his contributions and reviews of
document. Special thanks to Ben Kaduk for his thorough reviews of this document and to Ben Kaduk for his thorough reviews of this
this document. document. Thanks also to Paul Kyzivat for his review.
Ludwig Seitz worked on this document as part of the CelticNext Ludwig Seitz worked on this document as part of the CelticNext
projects CyberWI, and CRITISEC with funding from Vinnova. projects CyberWI, and CRITISEC with funding from Vinnova.
11. References 11. References
11.1. Normative References 11.1. Normative References
[I-D.ietf-ace-oauth-authz] [I-D.ietf-ace-oauth-authz]
Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and
skipping to change at page 24, line 32 skipping to change at page 24, line 32
Framework (ACE-OAuth)", draft-ietf-ace-oauth-authz-35 Framework (ACE-OAuth)", draft-ietf-ace-oauth-authz-35
(work in progress), June 2020. (work in progress), June 2020.
[I-D.ietf-ace-oauth-params] [I-D.ietf-ace-oauth-params]
Seitz, L., "Additional OAuth Parameters for Authorization Seitz, L., "Additional OAuth Parameters for Authorization
in Constrained Environments (ACE)", draft-ietf-ace-oauth- in Constrained Environments (ACE)", draft-ietf-ace-oauth-
params-13 (work in progress), April 2020. params-13 (work in progress), April 2020.
[I-D.ietf-cbor-7049bis] [I-D.ietf-cbor-7049bis]
Bormann, C. and P. Hoffman, "Concise Binary Object Bormann, C. and P. Hoffman, "Concise Binary Object
Representation (CBOR)", draft-ietf-cbor-7049bis-14 (work Representation (CBOR)", draft-ietf-cbor-7049bis-16 (work
in progress), June 2020. in progress), September 2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key
Ciphersuites for Transport Layer Security (TLS)", Ciphersuites for Transport Layer Security (TLS)",
RFC 4279, DOI 10.17487/RFC4279, December 2005, RFC 4279, DOI 10.17487/RFC4279, December 2005,
<https://www.rfc-editor.org/info/rfc4279>. <https://www.rfc-editor.org/info/rfc4279>.
 End of changes. 7 change blocks. 
14 lines changed or deleted 14 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/