* WGs marked with an * asterisk has had at least one new draft made available during the last 5 days

Ace Status Pages

Authentication and Authorization for Constrained Environments (Active WG)
Sec Area: Roman Danyliw, Benjamin Kaduk | 2014-Jun-16 —  

2021-01-13 charter

Authentication and Authorization for Constrained Environments (ace)


 Current Status: Active

     Daniel Migault <daniel.migault@ericsson.com>

 Security Area Directors:
     Roman Danyliw <rdd@cert.org>
     Benjamin Kaduk <kaduk@mit.edu>

 Security Area Advisor:
     Benjamin Kaduk <kaduk@mit.edu>

 Mailing Lists:
     General Discussion: ace@ietf.org
     To Subscribe:       https://www.ietf.org/mailman/listinfo/ace
     Archive:            https://mailarchive.ietf.org/arch/browse/ace/

Description of Working Group:

  The IETF has recently developed protocols for use in constrained
  environments, where network nodes are limited in CPU, memory and power.
  REST architecture is widely used for such constrained environments.
  It has been observed that Internet protocols can be applied to these
  constrained environments, often only requiring minor tweaking and
  profiling. In other cases, new protocols have been defined to address
  the specific requirements of constrained environments. An example of
  such a protocol is the Constrained Application Protocol (CoAP).

  As in other environments, authentication and authorization questions
  also arise in constrained environments. For example, a door lock has to
  authorize the person seeking access using a "digital key". Where is the
  authorization policy stored? How does the digital key communicate with
  the lock? Does the lock interact with an authorization server to obtain
  authorization information? How can access be temporarily granted to
  other persons? How can access be revoked? These types of questions have
  been answered by existing protocols for use cases outside constrained
  environments, however in constrained environments, additional and
  different requirements pose challenges for the use of various security
  protocols. In particular, the need arises for a dynamic and fine grained
  access control mechanism, where clients and/or resource servers are

  The IETF has a long history in developing three-party authentication and
  authorization protocols for distributed environments. Examples include
  Kerberos, the Public Key Infrastructure (PKI), the Authentication,
  Authorization and Accounting (AAA) infrastructure, and the Web
  Authorization Protocol (OAuth). All these protocols enjoy widespread
  deployment on the Internet. Although they all aim to solve a similar
  goal, at an abstract level, they offer quite different functions and
  utilize different message exchanges. These differences result from the
  main deployment use cases they were designed for respectively.

  Requirements derived from use cases may indicate that existing work is
  useful as basis for a solution for constrained environments. These
  protocols, however, were not optimized for constrained environments.
  Additional requirements that need to be taken into account are the lack
  of a suitable user-interface and the inability of embedded devices to
  contact an authorization server in real-time with every resource access
  request due to intermittent connectivity, etc.

  This working group therefore aims to produce a standardized solution for
  authentication and authorization to enable authorized access (Get, Put,
  Post, Delete) to resources identified by a URI and hosted on a resource
  server in constrained environments. As a starting point, the working
  group will assume that access to resources at a resource server by a
  client device takes place using CoAP and is protected by DTLS. Both
  resource server and client may be constrained. This access will be
  mediated by an authorization server, which is not considered to be

  Existing authentication and authorization protocols will be evaluated
  and used where applicable to build the constrained-environment solution.
  This requires relevant specifications to be reviewed for suitability,
  selecting a subset of them and restricting the options within each of
  the specifications. Some functionality, however, may not be available in
  existing protocols, in which case the solution may also involve new
  protocol work. Leveraging existing work means the working group benefits
  from available security analysis, implementation, and deployment
  experience. Moreover, a standardized solution for federated
  authentication and authorization will help to stimulate the deployment
  of constrained devices that provide increased security.

  Once progress in identifying suitable candidate solutions has been made,
  the working group will verify whether the same mechanisms are also
  applicable beyond the use of CoAP and DTLS, which are the two main
  protocols the group will focus on for access to resources. In
  particular, the ability to use the developed solution over HTTP and TLS
  will be investigated. Note that the initial focus is on CoAP and HTTP
  with DTLS and TLS. Other security protocols may be considered as long as
  the primary focus is maintained. The group is scoped to work only on the
  web protocols and data carried within them. Furthermore, to guarantee
  smooth transition, the integration with existing deployments will be
  studied, particularly concerning the use of protocol translation

  This work does not make the assumption that the party offering
  application layer services is always the same party offering network
  access services.  ACE will need to interact with CORE and LWIG to
  ensure coordination.

  The working group has the following tasks:

  1) Produce use cases and requirements

  2) Identify authentication and authorization mechanisms suitable for
  resource access in constrained environments.

Goals and Milestones:
  Nov 2018 - Submit DTLS Profile for ACE to the IESG for publication as a proposed standard
  Sep 2020 - WGLC for Group Communications
  Jan 2021 - Adoption call for "CoAP Transport for CMPV2"
  Feb 2021 - Adoption call of "EAP-based Authentication Service for CoAP"
  Feb 2021 - Submission to the IESG of "OSCORE Profile of the Authentication and Authorization for Constrained Environments Framework"
  Feb 2021 - Call for adoption of "Protecting EST Payloads with OSCORE"
  Jun 2021 - Submission to IESG of "CoAP Transport for CMPV2" (if adopted)
  Jul 2021 - Submission to the IESG of Pub-Sub Profile for Authentication and Authorization for Constrained Environments (ACE)
  Jul 2021 - Submission to the IESG of "An Authorization Information Format (AIF) for ACE"
  Jul 2021 - Submission to the IESG of "Key Provisioning for Group Communication using ACE"
  Jul 2021 - Submission to the IESG of "Protecting EST Payloads with OSCORE"
  Aug 2021 - Submission to the IESG of "EAP-based Authentication Service for CoAP"
  Sep 2021 - Submission to the IESG of "Key Management for OSCORE Groups in ACE"
  Dec 2021 - Submission to the IESG of "Admin Interface for the OSCORE Group Manager"
  Done     - Submit "Use cases and Requirements" as a WG item.
  Done     - Submit  "An Architecture for Authorization in Constrained Environments" as a WG item.
  Done     - Optionally, submit "Use cases and Requirements" document to the IESG for publication as an Informational RFC.
  Done     - Submit  "Authentication and Authorization for ACE" specification as a WG item.
  Done     - Submit CBOR Web Token draft to the IESG for publication
  Done     - WGLC on CWT Proof of possession
  Done     - Submit CWT Proof of Possession to IESG for publication as proposed standard
  Done     - WGLC for OAuth Authentication and Authorization Solution draft
  Done     - WGLC for DTLS Profile for ACE
  Done     - WGLC on OSCORE Profile for ACE
  Done     - Submit "Authentication and Authorization Solution" specification to the IESG for publication as a Proposed Standard.
  Done     - Submit ACE profile for OSCORE to the IESG for publication as a Proposed Standard

All charter page changes, including changes to draft-list, rfc-list and milestones:

Generated from PyHt script /wg/ace/charters.pyht Latest update: 24 Oct 2012 16:51 GMT -