rfcdiff: draft-ietf-ace-dtls-authorize-15.txt (old) vs. draft-ietf-ace-dtls-authorize-16.txt (new)

ACE Working Group                                                S. Gerdes
Internet-Draft                                                 O. Bergmann
Intended status: Standards Track                                C. Bormann
Expires: 24 July 2021 (-15) / 9 September 2021 (-16)  Universität Bremen TZI
                                                               G. Selander
                                                               Ericsson AB
                                                                  L. Seitz
                                                                 Combitech
                                      20 January 2021 (-15) / 8 March 2021 (-16)

Datagram Transport Layer Security (DTLS) Profile for Authentication and
Authorization for Constrained Environments (ACE)
draft-ietf-ace-dtls-authorize-15 (old) / draft-ietf-ace-dtls-authorize-16 (new)
Abstract

   This specification defines a profile of the ACE framework that allows
   constrained servers to delegate client authentication and
   authorization.  The protocol relies on DTLS version 1.2 for
   communication security between entities in a constrained network
   using either raw public keys or pre-shared keys.  A resource-
   constrained server can use this protocol to delegate management of
   authorization information to a trusted host with less severe
   [skipping to change at page 1, line 43]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 24 July 2021 (-15) / 9 September 2021 (-16).

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   [skipping to change at page 20, line 11]
   resource server MUST notify the client with an error response with
   code 4.01 (Unauthorized) for any long running request before
   terminating the association.

6.  Secure Communication with an Authorization Server
   Old text (-15):

   As specified in the ACE framework (Sections 5.6 and 5.7 of
   [I-D.ietf-ace-oauth-authz]), the requesting entity (the resource
   server and/or the client) and the authorization server communicate
   via the token endpoint or introspection endpoint.  The use of CoAP
   and DTLS for this communication is REQUIRED in this profile.  Other
   protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) will
   require specification of additional profile(s).

   New text (-16):

   As specified in the ACE framework (Sections 5.6 and 5.7 of
   [I-D.ietf-ace-oauth-authz]), the requesting entity (the resource
   server and/or the client) and the authorization server communicate
   via the token endpoint or introspection endpoint.  The use of CoAP
   and DTLS for this communication is RECOMMENDED in this profile.
   Other protocols fulfilling the security requirements defined in
   Section 5 of [I-D.ietf-ace-oauth-authz] MAY be used instead.
   How credentials (e.g., PSK, RPK, X.509 cert) for using DTLS with the
   authorization server are established is out of scope for this
   profile.

   If other means of securing the communication with the authorization
   server are used, the communication security requirements from
   Section 6.2 of [I-D.ietf-ace-oauth-authz] remain applicable.
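Review bot: the new -16 paragraph in Section 6 points implementers of an alternative transport to "the security requirements defined in Section 5 of [I-D.ietf-ace-oauth-authz]", while the unchanged closing paragraph of the same section says that "the communication security requirements from Section 6.2 of [I-D.ietf-ace-oauth-authz] remain applicable" whenever other means are used; the two references should be reconciled, or their relationship stated, so that a single set of requirements governs non-DTLS communication with the authorization server. Relaxing REQUIRED to RECOMMENDED also drops the -15 text naming HTTP/TLS and CoAP/OSCORE [RFC8613] as examples that "will require specification of additional profile(s)", so the draft no longer says whether such alternatives need their own profile or may be used ad hoc once the Section 5 requirements are met; a sentence making that explicit would help interoperability.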
7.  Security Considerations
End of changes.  5 change blocks.  7 lines changed or deleted, 7 lines changed or added.

This html diff was produced by rfcdiff 1.48.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/