< draft-selander-ace-eals-00.txt   draft-selander-ace-eals-01.txt >
ACE Working Group G. Selander ACE Working Group G. Selander
Internet-Draft Ericsson AB Internet-Draft Ericsson AB
Intended status: Standards Track S. Raza Intended status: Standards Track S. Raza
Expires: September 14, 2017 RISE SICS Expires: March 16, 2018 RISE SICS
M. Vucinic M. Vucinic
Inria Inria
M. Furuhed M. Furuhed
Nexus Nexus
M. Richardson M. Richardson
Sandelman Software Works Sandelman Software Works
March 13, 2017 September 12, 2017
Enrollment with Application Layer Security Enrollment with Application Layer Security
draft-selander-ace-eals-00 draft-selander-ace-eals-01
Abstract Abstract
This document specifies public key certificate enrollment procedures This document specifies public key certificate enrollment procedures
authenticated with application-layer security protocols suitable for authenticated with application-layer security protocols suitable for
Internet of Things deployments. The protocols leverage existing IoT Internet of Things deployments. The protocols leverage existing IoT
standards including Constrained Application Protocol (CoAP), Concise standards including Constrained Application Protocol (CoAP), Concise
Binary Object Representation (CBOR) and the CBOR Object Signing and Binary Object Representation (CBOR) and the CBOR Object Signing and
Encryption (COSE) format. Encryption (COSE) format.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 14, 2017. This Internet-Draft will expire on March 16, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
skipping to change at page 3, line 25 skipping to change at page 3, line 25
Application layer security protocols suitable for constrained devices Application layer security protocols suitable for constrained devices
are in development, including the secure communication protocol are in development, including the secure communication protocol
OSCOAP [I-D.ietf-core-object-security]. OSCOAP defines an extension OSCOAP [I-D.ietf-core-object-security]. OSCOAP defines an extension
to the Constrained Application Protocol (CoAP) providing encryption, to the Constrained Application Protocol (CoAP) providing encryption,
integrity and replay protection end-to-end between CoAP client and integrity and replay protection end-to-end between CoAP client and
server based on a shared secret. The shared secret can be server based on a shared secret. The shared secret can be
established in different ways e.g. using a trusted third party such established in different ways e.g. using a trusted third party such
as in ACE [I-D.ietf-ace-oauth-authz], or using a key exchange as in ACE [I-D.ietf-ace-oauth-authz], or using a key exchange
protocol such as EDHOC [I-D.selander-ace-cose-ecdhe]. OSCOAP and protocol such as EDHOC [I-D.selander-ace-cose-ecdhe]. OSCOAP and
EDHOC can leverage other constrained device primitives developed in EDHOC can leverage other constrained device primitives developed in
the IETF: CoAP, CBOR [RFC7049] and COSE [I-D.ietf-cose-msg], and the IETF: CoAP, CBOR [RFC7049] and COSE [RFC8152], and makes only a
makes only a small additional implementation footprint. small additional implementation footprint.
Lately, there has been a discussion in several IETF working groups Lately, there has been a discussion in several IETF working groups
about certificate enrollment protocols suitable for IoT devices, to about certificate enrollment protocols suitable for IoT devices, to
support the use case of an IoT device joining a new network domain support the use case of an IoT device joining a new network domain
and establishing credentials valid in this domain. This document and establishing credentials valid in this domain. This document
describes Enrollment with Application Layer Security (EALS), a describes Enrollment with Application Layer Security (EALS), a
certificate enrollment protocol based on CMC [RFC5272] and using certificate enrollment protocol based on CMC [RFC5272] and using
OSCOAP as a secure channel. This document also describes how ACE and OSCOAP as a secure channel. This document also describes how ACE and
EDHOC can be used for establishing an authenticated and authorized EDHOC can be used for establishing an authenticated and authorized
channel. channel.
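Review bot: the substantive change in this Introduction block is the COSE citation moving from [I-D.ietf-cose-msg] to [RFC8152] (right column, "CBOR [RFC7049] and COSE [RFC8152]"); that is consistent with the July 2017 RFC 8152 entry now listed under 10.1 and leaves no dangling citation. A pre-existing nit carried over unchanged from the left column: "OSCOAP and EDHOC can leverage ... and makes only a small additional implementation footprint" has a plural subject, so "make" would agree.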
skipping to change at page 12, line 17 skipping to change at page 12, line 17
design team for discussions and input contributing to this document. design team for discussions and input contributing to this document.
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.ietf-ace-oauth-authz] [I-D.ietf-ace-oauth-authz]
Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and
H. Tschofenig, "Authentication and Authorization for H. Tschofenig, "Authentication and Authorization for
Constrained Environments (ACE)", draft-ietf-ace-oauth- Constrained Environments (ACE)", draft-ietf-ace-oauth-
authz-05 (work in progress), February 2017. authz-07 (work in progress), August 2017.
[I-D.ietf-core-object-security] [I-D.ietf-core-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz, Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security of CoAP (OSCOAP)", draft-ietf-core- "Object Security of CoAP (OSCOAP)", draft-ietf-core-
object-security-01 (work in progress), December 2016. object-security-04 (work in progress), July 2017.
[I-D.ietf-cose-msg]
Schaad, J., "CBOR Object Signing and Encryption (COSE)",
draft-ietf-cose-msg-24 (work in progress), November 2016.
[I-D.selander-ace-cose-ecdhe] [I-D.selander-ace-cose-ecdhe]
Selander, G., Mattsson, J., and F. Palombini, "Ephemeral Selander, G., Mattsson, J., and F. Palombini, "Ephemeral
Diffie-Hellman Over COSE (EDHOC)", draft-selander-ace- Diffie-Hellman Over COSE (EDHOC)", draft-selander-ace-
cose-ecdhe-04 (work in progress), October 2016. cose-ecdhe-07 (work in progress), July 2017.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119,
RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object [RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object
Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049, Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
October 2013, <http://www.rfc-editor.org/info/rfc7049>. October 2013, <https://www.rfc-editor.org/info/rfc7049>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, DOI 10.17487/ Application Protocol (CoAP)", RFC 7252,
RFC7252, June 2014, DOI 10.17487/RFC7252, June 2014,
<http://www.rfc-editor.org/info/rfc7252>. <https://www.rfc-editor.org/info/rfc7252>.
[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)",
RFC 8152, DOI 10.17487/RFC8152, July 2017,
<https://www.rfc-editor.org/info/rfc8152>.
10.2. Informative References 10.2. Informative References
[I-D.hartke-core-e2e-security-reqs] [I-D.hartke-core-e2e-security-reqs]
Selander, G., Palombini, F., and K. Hartke, "Requirements Selander, G., Palombini, F., and K. Hartke, "Requirements
for CoAP End-To-End Security", draft-hartke-core-e2e- for CoAP End-To-End Security", draft-hartke-core-e2e-
security-reqs-02 (work in progress), January 2017. security-reqs-03 (work in progress), July 2017.
[I-D.ietf-6tisch-minimal-security] [I-D.ietf-6tisch-minimal-security]
Vucinic, M., Simon, J., and K. Pister, "Minimal Security Vucinic, M., Simon, J., Pister, K., and M. Richardson,
Framework for 6TiSCH", draft-ietf-6tisch-minimal- "Minimal Security Framework for 6TiSCH", draft-ietf-
security-01 (work in progress), February 2017. 6tisch-minimal-security-03 (work in progress), June 2017.
[I-D.ietf-anima-bootstrapping-keyinfra] [I-D.ietf-anima-bootstrapping-keyinfra]
Pritikin, M., Richardson, M., Behringer, M., Bjarnason, Pritikin, M., Richardson, M., Behringer, M., Bjarnason,
S., and K. Watsen, "Bootstrapping Remote Secure Key S., and K. Watsen, "Bootstrapping Remote Secure Key
Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping- Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping-
keyinfra-04 (work in progress), October 2016. keyinfra-07 (work in progress), July 2017.
[I-D.seitz-ace-oscoap-profile] [I-D.seitz-ace-oscoap-profile]
Seitz, L. and F. Palombini, "OSCOAP profile of ACE", Seitz, L., Palombini, F., and M. Gunnarsson, "OSCOAP
draft-seitz-ace-oscoap-profile-01 (work in progress), profile of the Authentication and Authorization for
October 2016. Constrained Environments Framework", draft-seitz-ace-
oscoap-profile-04 (work in progress), July 2017.
[RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS [RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS
(CMC)", RFC 5272, DOI 10.17487/RFC5272, June 2008, (CMC)", RFC 5272, DOI 10.17487/RFC5272, June 2008,
<http://www.rfc-editor.org/info/rfc5272>. <https://www.rfc-editor.org/info/rfc5272>.
[RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
"Enrollment over Secure Transport", RFC 7030, DOI "Enrollment over Secure Transport", RFC 7030,
10.17487/RFC7030, October 2013, DOI 10.17487/RFC7030, October 2013,
<http://www.rfc-editor.org/info/rfc7030>. <https://www.rfc-editor.org/info/rfc7030>.
[RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for [RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for
Constrained-Node Networks", RFC 7228, DOI 10.17487/ Constrained-Node Networks", RFC 7228,
RFC7228, May 2014, DOI 10.17487/RFC7228, May 2014,
<http://www.rfc-editor.org/info/rfc7228>. <https://www.rfc-editor.org/info/rfc7228>.
Appendix A. Examples Appendix A. Examples
Authors' Addresses Authors' Addresses
Goeran Selander Goeran Selander
Ericsson AB Ericsson AB
Farogatan 6 Farogatan 6
Kista SE-16480 Stockholm Kista SE-16480 Stockholm
Sweden Sweden
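Review bot: the reference updates in 10.1 and 10.2 are internally consistent with the Introduction change above: the [I-D.ietf-cose-msg] normative entry is removed and replaced by the [RFC8152] entry (RFC 8152, July 2017), and the remaining drafts (ace-oauth-authz, core-object-security, cose-ecdhe, 6tisch-minimal-security, anima-bootstrapping-keyinfra, seitz-ace-oscoap-profile, hartke-core-e2e-security-reqs) are bumped to their mid-2017 revisions. One thing to verify in the full text rather than this diff: draft-ietf-core-object-security-04 is still cited under the OSCOAP name here, so any body text that already uses a newer name for the protocol would need to match the reference title.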
 End of changes. 20 change blocks. 
37 lines changed or deleted 38 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/