draft-ietf-ace-aif-00.txt   draft-ietf-ace-aif-01.txt 
Network Working Group C. Bormann Network Working Group C. Bormann
Internet-Draft Universität Bremen TZI Internet-Draft Universität Bremen TZI
Intended status: Informational 29 July 2020 Intended status: Informational 11 February 2021
Expires: 30 January 2021 Expires: 15 August 2021
An Authorization Information Format (AIF) for ACE An Authorization Information Format (AIF) for ACE
draft-ietf-ace-aif-00 draft-ietf-ace-aif-01
Abstract Abstract
Constrained Devices as they are used in the "Internet of Things" need Constrained Devices as they are used in the "Internet of Things" need
security. One important element of this security is that devices in security. One important element of this security is that devices in
the Internet of Things need to be able to decide which operations the Internet of Things need to be able to decide which operations
requested of them should be considered authorized, need to ascertain requested of them should be considered authorized, need to ascertain
that the authorization to request the operation does apply to the that the authorization to request the operation does apply to the
actual requester, and need to ascertain that other devices they place actual requester, and need to ascertain that other devices they place
requests on are the ones they intended. requests on are the ones they intended.
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 30 January 2021. This Internet-Draft will expire on 15 August 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Information Model . . . . . . . . . . . . . . . . . . . . . . 3 2. Information Model . . . . . . . . . . . . . . . . . . . . . . 3
2.1. REST-specific model . . . . . . . . . . . . . . . . . . . 4 2.1. REST-specific model . . . . . . . . . . . . . . . . . . . 4
2.2. Limitations . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Limitations . . . . . . . . . . . . . . . . . . . . . . . 4
2.3. Extended REST-specific model . . . . . . . . . . . . . . 5 2.3. Extended REST-specific model . . . . . . . . . . . . . . 5
3. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Media Types . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. Media Types . . . . . . . . . . . . . . . . . . . . . . . . . 8
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
5.1. Media Types . . . . . . . . . . . . . . . . . . . . . . . 8 5.1. Media Types . . . . . . . . . . . . . . . . . . . . . . . 8
5.2. Registries . . . . . . . . . . . . . . . . . . . . . . . 8 5.2. Registries . . . . . . . . . . . . . . . . . . . . . . . 9
5.3. Content-Format . . . . . . . . . . . . . . . . . . . . . 8 5.3. Content-Format . . . . . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 9 7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 9 7.2. Informative References . . . . . . . . . . . . . . . . . 11
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 11 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
(See Abstract.) Constrained Devices as they are used in the "Internet of Things" need
security. One important element of this security is that devices in
the Internet of Things need to be able to decide which operations
requested of them should be considered authorized, need to ascertain
that the authorization to request the operation does apply to the
actual requester, and need to ascertain that other devices they place
requests on are the ones they intended.
To transfer detailed authorization information from an authorization
manager (such as an ACE-OAuth Authorization Server
[I-D.ietf-ace-oauth-authz]) to a device, a representation format is
needed. This document provides a suggestion for such a format, the
Authorization Information Format (AIF). AIF is defined both as a
general structure that can be used for many different applications
and as a specific refinement that describes REST resources and the
permissions on them.
1.1. Terminology 1.1. Terminology
This memo uses terms from [RFC7252] and [RFC4949]. This memo uses terms from [RFC7252] and [RFC4949].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. These words may also appear in this capitals, as shown here. These words may also appear in this
skipping to change at page 3, line 19 skipping to change at page 3, line 31
The term "byte", abbreviated by "B", is used in its now customary The term "byte", abbreviated by "B", is used in its now customary
sense as a synonym for "octet". sense as a synonym for "octet".
2. Information Model 2. Information Model
Authorizations are generally expressed through some data structures Authorizations are generally expressed through some data structures
that are cryptographically secured (or transmitted in a secure way). that are cryptographically secured (or transmitted in a secure way).
This section discusses the information model underlying the payload This section discusses the information model underlying the payload
of that data (as opposed to the cryptographic armor around it). of that data (as opposed to the cryptographic armor around it).
For the purposes of this strawman, the underlying access control For the purposes of this specification, the underlying access control
model will be that of an access matrix, which gives a set of model will be that of an access matrix, which gives a set of
permissions for each possible combination of a subject and an object. permissions for each possible combination of a subject and an object.
We do not concern the AIF format with the subject for which the AIF We do not concern the AIF format with the subject for which the AIF
object is issued, focusing the AIF object on a single row in the object is issued, focusing the AIF object on a single row in the
access matrix (such a row traditionally is also called a capability access matrix (such a row traditionally is also called a capability
list). As a consequence, AIF MUST be used in a way that the subject list). As a consequence, AIF MUST be used in a way that the subject
of the authorizations is unambiguously identified (e.g., as part of of the authorizations is unambiguously identified (e.g., as part of
the armor around it). the armor around it).
The generic model of a such a capability list is a list of pairs of The generic model of a such a capability list is a list of pairs of
skipping to change at page 4, line 8 skipping to change at page 4, line 12
represented by a bitset in turn represented as a number (see represented by a bitset in turn represented as a number (see
Section 3). Section 3).
AIF-Specific = AIF-Generic<tstr, uint> AIF-Specific = AIF-Generic<tstr, uint>
Figure 2: Likely shape of a specific AIF Figure 2: Likely shape of a specific AIF
2.1. REST-specific model 2.1. REST-specific model
In the specific instantiation of the REST resources and the In the specific instantiation of the REST resources and the
permissions on them, for the object identifiers ("Toid"), we simply permissions on them, for the object identifiers ("Toid"), we use the
use the URI of a resource on a CoAP server. More specifically, the URI of a resource on a CoAP server. More specifically, the parts of
parts of the URI that identify the server ("authority" in [RFC3986]) the URI that identify the server ("authority" in [RFC3986]) are
are considered the realm of the authentication mechanism (which are considered the realm of the authentication mechanism (which are
handled in the cryptographic armor); we therefore focus on the "path- handled in the cryptographic armor); we therefore focus on the "path-
absolute" and "query" parts of the URI (URI "local-part" in this absolute" and "query" parts of the URI (URI "local-part" in this
specification, as expressed by the Uri-Path and Uri-Query options in specification, as expressed by the Uri-Path and Uri-Query options in
CoAP). As a consequence, AIF MUST be used in a way that it is CoAP). As a consequence, AIF MUST be used in a way that it is
unambiguous who is the target (enforcement point) of these unambiguous who is the target (enforcement point) of these
authorizations. authorizations.
For the permissions ("Tperm"), we simplify the model permissions to For the permissions ("Tperm"), we simplify the model permissions to
giving the subset of the CoAP methods permitted. This model is giving the subset of the CoAP methods permitted. This model is
summarized in Table 1. summarized in Table 1.
skipping to change at page 7, line 27 skipping to change at page 7, line 27
Dynamic-POST: 33; 1 .plus Dynamic-Offset Dynamic-POST: 33; 1 .plus Dynamic-Offset
Dynamic-PUT: 34; 2 .plus Dynamic-Offset Dynamic-PUT: 34; 2 .plus Dynamic-Offset
Dynamic-DELETE: 35; 3 .plus Dynamic-Offset Dynamic-DELETE: 35; 3 .plus Dynamic-Offset
Dynamic-FETCH: 36; 4 .plus Dynamic-Offset Dynamic-FETCH: 36; 4 .plus Dynamic-Offset
Dynamic-PATCH: 37; 5 .plus Dynamic-Offset Dynamic-PATCH: 37; 5 .plus Dynamic-Offset
Dynamic-iPATCH: 38; 6 .plus Dynamic-Offset Dynamic-iPATCH: 38; 6 .plus Dynamic-Offset
) )
Figure 4: AIF in CDDL Figure 4: AIF in CDDL
A representation of this information in CBOR [RFC7049] is given in A representation of this information in CBOR [RFC8949] is given in
Figure 5; again, several optimizations/improvements are possible. Figure 5; again, several optimizations/improvements are possible.
83 # array(3) 83 # array(3)
82 # array(2) 82 # array(2)
68 # text(8) 68 # text(8)
2f732f6c69676874 # "/s/light" 2f732f6c69676874 # "/s/light"
01 # unsigned(1) 01 # unsigned(1)
82 # array(2) 82 # array(2)
66 # text(6) 66 # text(6)
2f612f6c6564 # "/a/led" 2f612f6c6564 # "/a/led"
skipping to change at page 8, line 24 skipping to change at page 8, line 24
A specification that wants to use Generic AIF with different "Toid" A specification that wants to use Generic AIF with different "Toid"
and/or "Tperm" is expected to request these as media type parameters and/or "Tperm" is expected to request these as media type parameters
(Section 5.2) and register a corresponding Content-Format (Section 5.2) and register a corresponding Content-Format
(Section 5.3). (Section 5.3).
5. IANA Considerations 5. IANA Considerations
5.1. Media Types 5.1. Media Types
See Section 4. IANA is requested to add the following Media-Type to the "Media
Types" registry.
+==========+======================+=====================+
| Name | Template | Reference |
+==========+======================+=====================+
| aif+cbor | application/aif+cbor | RFC XXXX, Section 4 |
+----------+----------------------+---------------------+
| aif+json | application/aif+json | RFC XXXX, Section 4 |
+----------+----------------------+---------------------+
Table 3
// RFC Ed.: please replace RFC XXXX with this RFC number and remove
this note.
Type name: application
Subtype name: aif+cbor
Required parameters: none
Optional parameters: none
Encoding considerations: binary (CBOR)
Security considerations: Section 6 of RFC XXXX
Published specification: Section 4 of RFC XXXX
Person & email address to contact for further information: ACE WG
mailing list (ace@ietf.org), or IETF Applications and Real-Time
Area (art@ietf.org)
Intended usage: COMMON
Restrictions on usage: none
Author/Change controller: IETF
Type name: application
Subtype name: aif+json
Required parameters: none
Optional parameters: none
Encoding considerations: binary (JSON is UTF-8-encoded text)
Security considerations: Section 6 of RFC XXXX
Published specification: Section 4 of RFC XXXX
Person & email address to contact for further information: ACE WG
mailing list (ace@ietf.org), or IETF Applications and Real-Time
Area (art@ietf.org)
Intended usage: COMMON
Restrictions on usage: none
Author/Change controller: IETF
5.2. Registries 5.2. Registries
IANA is requested to create a registry for AIF with two sub- IANA is requested to create a registry for AIF with two sub-
registries for "Toid" and "Tperm", populated with: registries for "Toid" and "Tperm", populated with:
+=============+=================+=================================+ +=============+=================+=================================+
| Subregistry | name | Description/Specification | | Subregistry | name | Description/Specification |
+=============+=================+=================================+ +=============+=================+=================================+
| Toid | local-part | local-part of URI as specified | | Toid | local-part | local-part of URI as specified |
| | | in [RFCthis] | | | | in [RFCthis] |
+-------------+-----------------+---------------------------------+ +-------------+-----------------+---------------------------------+
| Tperm | REST-method-set | set of REST methods represented | | Tperm | REST-method-set | set of REST methods represented |
| | | as specified in [RFCthis] | | | | as specified in [RFCthis] |
+-------------+-----------------+---------------------------------+ +-------------+-----------------+---------------------------------+
Table 3 Table 4
The registration policy is Specification required [RFC8126]. The The registration policy is Specification required [RFC8126]. The
designated expert will engage with the submitter to ascertain the designated expert will engage with the submitter to ascertain the
requirements of this document are addressed. requirements of this document are addressed.
5.3. Content-Format 5.3. Content-Format
IANA is requested to register Content-Format numbers in the CoRE IANA is requested to register Content-Format numbers in the "CoAP
Parameters Registry [IANA.core-parameters], as follows: Content-Formats" subregistry, within the "Constrained RESTful
Environments (CoRE) Parameters" Registry [IANA.core-parameters], as
follows:
+======================+================+======+===========+
| Media Type | Content Coding | ID | Reference |
+======================+================+======+===========+
| application/aif+cbor | - | TBD1 | RFC XXXX |
+----------------------+----------------+------+-----------+
| application/aif+json | - | TBD2 | RFC XXXX |
+----------------------+----------------+------+-----------+
Table 5
// RFC Ed.: please replace TBD1 and TBD2 with assigned IDs and remove
this note. // RFC Ed.: please replace RFC XXXX with this RFC number
and remove this note.
6. Security Considerations 6. Security Considerations
(TBD. Some issues are already discussed in the security The security considerations of [RFC7252] apply. Some wider issues
considerations of [RFC7252] and in [RFC8576].) are discussed in [RFC8576].
When applying these formats, the referencing specification must be
careful to:
* ensure that the cryptographic armor employed around this format
fulfills the security objectives, and that the armor or some
additional information included in it with the AIF information
unambiguously identifies the subject to which the authorizations
shall apply, and
* ensure that the types used for "Toid" and "Tperm" provide the
appropriate granularity so that application requirements on the
precision of the authorization information are fulfilled.
For the data formats, the security considerations of [RFC8259] and
[RFC8949] apply.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<https://www.rfc-editor.org/info/rfc4949>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014, DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/info/rfc7252>. <https://www.rfc-editor.org/info/rfc7252>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
skipping to change at page 9, line 45 skipping to change at page 11, line 22
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
Definition Language (CDDL): A Notational Convention to Definition Language (CDDL): A Notational Convention to
Express Concise Binary Object Representation (CBOR) and Express Concise Binary Object Representation (CBOR) and
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
June 2019, <https://www.rfc-editor.org/info/rfc8610>. June 2019, <https://www.rfc-editor.org/info/rfc8610>.
7.2. Informative References 7.2. Informative References
[I-D.ietf-ace-dtls-authorize] [I-D.ietf-ace-oauth-authz]
Gerdes, S., Bergmann, O., Bormann, C., Selander, G., and Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and
L. Seitz, "Datagram Transport Layer Security (DTLS) H. Tschofenig, "Authentication and Authorization for
Profile for Authentication and Authorization for Constrained Environments (ACE) using the OAuth 2.0
Constrained Environments (ACE)", Work in Progress, Framework (ACE-OAuth)", Work in Progress, Internet-Draft,
Internet-Draft, draft-ietf-ace-dtls-authorize-12, 6 July draft-ietf-ace-oauth-authz-36, 16 November 2020,
2020, <http://www.ietf.org/internet-drafts/draft-ietf-ace- <http://www.ietf.org/internet-drafts/draft-ietf-ace-oauth-
dtls-authorize-12.txt>. authz-36.txt>.
[I-D.ietf-ace-oscore-profile]
Palombini, F., Seitz, L., Selander, G., and M. Gunnarsson,
"OSCORE profile of the Authentication and Authorization
for Constrained Environments Framework", Work in Progress,
Internet-Draft, draft-ietf-ace-oscore-profile-11, 18 June
2020, <http://www.ietf.org/internet-drafts/draft-ietf-ace-
oscore-profile-11.txt>.
[IANA.core-parameters] [IANA.core-parameters]
IANA, "Constrained RESTful Environments (CoRE) IANA, "Constrained RESTful Environments (CoRE)
Parameters", Parameters",
<http://www.iana.org/assignments/core-parameters>. <http://www.iana.org/assignments/core-parameters>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005, RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>. <https://www.rfc-editor.org/info/rfc3986>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<https://www.rfc-editor.org/info/rfc4949>.
[rfc5661] Shepler, S., Ed., Eisler, M., Ed., and D. Noveck, Ed., [rfc5661] Shepler, S., Ed., Eisler, M., Ed., and D. Noveck, Ed.,
"Network File System (NFS) Version 4 Minor Version 1 "Network File System (NFS) Version 4 Minor Version 1
Protocol", RFC 5661, DOI 10.17487/RFC5661, January 2010, Protocol", RFC 5661, DOI 10.17487/RFC5661, January 2010,
<https://www.rfc-editor.org/info/rfc5661>. <https://www.rfc-editor.org/info/rfc5661>.
[RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M.,
and D. Orchard, "URI Template", RFC 6570, and D. Orchard, "URI Template", RFC 6570,
DOI 10.17487/RFC6570, March 2012, DOI 10.17487/RFC6570, March 2012,
<https://www.rfc-editor.org/info/rfc6570>. <https://www.rfc-editor.org/info/rfc6570>.
[RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object
Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
October 2013, <https://www.rfc-editor.org/info/rfc7049>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231, Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
DOI 10.17487/RFC7231, June 2014, DOI 10.17487/RFC7231, June 2014,
<https://www.rfc-editor.org/info/rfc7231>. <https://www.rfc-editor.org/info/rfc7231>.
[RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493, [RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493,
DOI 10.17487/RFC7493, March 2015, DOI 10.17487/RFC7493, March 2015,
<https://www.rfc-editor.org/info/rfc7493>. <https://www.rfc-editor.org/info/rfc7493>.
[RFC8132] van der Stok, P., Bormann, C., and A. Sehgal, "PATCH and [RFC8132] van der Stok, P., Bormann, C., and A. Sehgal, "PATCH and
skipping to change at page 11, line 15 skipping to change at page 12, line 34
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259, Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017, DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/info/rfc8259>. <https://www.rfc-editor.org/info/rfc8259>.
[RFC8576] Garcia-Morchon, O., Kumar, S., and M. Sethi, "Internet of [RFC8576] Garcia-Morchon, O., Kumar, S., and M. Sethi, "Internet of
Things (IoT) Security: State of the Art and Challenges", Things (IoT) Security: State of the Art and Challenges",
RFC 8576, DOI 10.17487/RFC8576, April 2019, RFC 8576, DOI 10.17487/RFC8576, April 2019,
<https://www.rfc-editor.org/info/rfc8576>. <https://www.rfc-editor.org/info/rfc8576>.
[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object
Representation (CBOR)", STD 94, RFC 8949,
DOI 10.17487/RFC8949, December 2020,
<https://www.rfc-editor.org/info/rfc8949>.
Acknowledgements Acknowledgements
Jim Schaad and Francesca Palombini provided comments that shaped the Jim Schaad and Francesca Palombini provided comments that shaped the
direction of this document. direction of this document.
Author's Address Author's Address
Carsten Bormann Carsten Bormann
Universität Bremen TZI Universität Bremen TZI
Postfach 330440 Postfach 330440
 End of changes. 19 change blocks. 
51 lines changed or deleted 132 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/