draft-ietf-ace-dtls-authorize-17.txt   draft-ietf-ace-dtls-authorize-18.txt 
ACE Working Group S. Gerdes ACE Working Group S. Gerdes
Internet-Draft O. Bergmann Internet-Draft O. Bergmann
Intended status: Standards Track C. Bormann Intended status: Standards Track C. Bormann
Expires: 12 November 2021 Universit├Ąt Bremen TZI Expires: 6 December 2021 Universit├Ąt Bremen TZI
G. Selander G. Selander
Ericsson AB Ericsson AB
L. Seitz L. Seitz
Combitech Combitech
11 May 2021 4 June 2021
Datagram Transport Layer Security (DTLS) Profile for Authentication and Datagram Transport Layer Security (DTLS) Profile for Authentication and
Authorization for Constrained Environments (ACE) Authorization for Constrained Environments (ACE)
draft-ietf-ace-dtls-authorize-17 draft-ietf-ace-dtls-authorize-18
Abstract Abstract
This specification defines a profile of the ACE framework that allows This specification defines a profile of the ACE framework that allows
constrained servers to delegate client authentication and constrained servers to delegate client authentication and
authorization. The protocol relies on DTLS version 1.2 for authorization. The protocol relies on DTLS version 1.2 for
communication security between entities in a constrained network communication security between entities in a constrained network
using either raw public keys or pre-shared keys. A resource- using either raw public keys or pre-shared keys. A resource-
constrained server can use this protocol to delegate management of constrained server can use this protocol to delegate management of
authorization information to a trusted host with less severe authorization information to a trusted host with less severe
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 12 November 2021. This Internet-Draft will expire on 6 December 2021.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 33 skipping to change at page 2, line 33
3.2.1. Access Token Retrieval from the Authorization 3.2.1. Access Token Retrieval from the Authorization
Server . . . . . . . . . . . . . . . . . . . . . . . 7 Server . . . . . . . . . . . . . . . . . . . . . . . 7
3.2.2. DTLS Channel Setup Between Client and Resource 3.2.2. DTLS Channel Setup Between Client and Resource
Server . . . . . . . . . . . . . . . . . . . . . . . 9 Server . . . . . . . . . . . . . . . . . . . . . . . 9
3.3. PreSharedKey Mode . . . . . . . . . . . . . . . . . . . . 10 3.3. PreSharedKey Mode . . . . . . . . . . . . . . . . . . . . 10
3.3.1. Access Token Retrieval from the Authorization 3.3.1. Access Token Retrieval from the Authorization
Server . . . . . . . . . . . . . . . . . . . . . . . 11 Server . . . . . . . . . . . . . . . . . . . . . . . 11
3.3.2. DTLS Channel Setup Between Client and Resource 3.3.2. DTLS Channel Setup Between Client and Resource
Server . . . . . . . . . . . . . . . . . . . . . . . 15 Server . . . . . . . . . . . . . . . . . . . . . . . 15
3.4. Resource Access . . . . . . . . . . . . . . . . . . . . . 17 3.4. Resource Access . . . . . . . . . . . . . . . . . . . . . 17
4. Dynamic Update of Authorization Information . . . . . . . . . 18 4. Dynamic Update of Authorization Information . . . . . . . . . 19
5. Token Expiration . . . . . . . . . . . . . . . . . . . . . . 20 5. Token Expiration . . . . . . . . . . . . . . . . . . . . . . 20
6. Secure Communication with an Authorization Server . . . . . . 20 6. Secure Communication with an Authorization Server . . . . . . 20
7. Security Considerations . . . . . . . . . . . . . . . . . . . 20 7. Security Considerations . . . . . . . . . . . . . . . . . . . 21
7.1. Reuse of Existing Sessions . . . . . . . . . . . . . . . 22 7.1. Reuse of Existing Sessions . . . . . . . . . . . . . . . 23
7.2. Multiple Access Tokens . . . . . . . . . . . . . . . . . 22 7.2. Multiple Access Tokens . . . . . . . . . . . . . . . . . 23
7.3. Out-of-Band Configuration . . . . . . . . . . . . . . . . 23 7.3. Out-of-Band Configuration . . . . . . . . . . . . . . . . 23
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 23 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 24
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 24 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 25
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 25
11.1. Normative References . . . . . . . . . . . . . . . . . . 24 11.1. Normative References . . . . . . . . . . . . . . . . . . 25
11.2. Informative References . . . . . . . . . . . . . . . . . 26 11.2. Informative References . . . . . . . . . . . . . . . . . 27
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28
1. Introduction 1. Introduction
This specification defines a profile of the ACE framework This specification defines a profile of the ACE framework
[I-D.ietf-ace-oauth-authz]. In this profile, a client and a resource [I-D.ietf-ace-oauth-authz]. In this profile, a client and a resource
server use CoAP [RFC7252] over DTLS version 1.2 [RFC6347] to server use CoAP [RFC7252] over DTLS version 1.2 [RFC6347] to
communicate. This specification uses DTLS 1.2 terminology, but later communicate. This specification uses DTLS 1.2 terminology, but later
versions such as DTLS 1.3 can be used instead. The client obtains an versions such as DTLS 1.3 can be used instead. The client obtains an
access token, bound to a key (the proof-of-possession key), from an access token, bound to a key (the proof-of-possession key), from an
authorization server to prove its authorization to access protected authorization server to prove its authorization to access protected
skipping to change at page 15, line 44 skipping to change at page 15, line 44
between both peers. Therefore, the resource server must be able to between both peers. Therefore, the resource server must be able to
determine the shared secret from the access token. Following the determine the shared secret from the access token. Following the
general ACE authorization framework, the client can upload the access general ACE authorization framework, the client can upload the access
token to the resource server's authz-info resource before starting token to the resource server's authz-info resource before starting
the DTLS handshake. The client then needs to indicate during the the DTLS handshake. The client then needs to indicate during the
DTLS handshake which previously uploaded access token it intends to DTLS handshake which previously uploaded access token it intends to
use. To do so, it MUST create a "COSE_Key" structure with the "kid" use. To do so, it MUST create a "COSE_Key" structure with the "kid"
that was conveyed in the "rs_cnf" claim in the token response from that was conveyed in the "rs_cnf" claim in the token response from
the authorization server and the key type "symmetric". This the authorization server and the key type "symmetric". This
structure then is included as the only element in the "cnf" structure structure then is included as the only element in the "cnf" structure
that is used as value for "psk_identity" as shown in Figure 9. whose CBOR serialization is used as value for "psk_identity" as shown
in Figure 9.
{ cnf : { { cnf : {
COSE_Key : { COSE_Key : {
kty: symmetric, kty: symmetric,
kid : h'3d027833fc6267ce' kid : h'3d027833fc6267ce'
} }
} }
} }
Figure 9: Access token containing a single kid parameter Figure 9: Access token containing a single kid parameter
The actual CBOR serialization for the data structure from Figure 9 as
sequence of bytes in hexadecimal notation will be:
A1 08 A1 01 A2 01 04 02 48 3D 02 78 33 FC 62 67 CE
As an alternative to the access token upload, the client can provide As an alternative to the access token upload, the client can provide
the most recent access token in the "psk_identity" field of the the most recent access token in the "psk_identity" field of the
ClientKeyExchange message. To do so, the client MUST treat the ClientKeyExchange message. To do so, the client MUST treat the
contents of the "access_token" field from the AS-to-Client response contents of the "access_token" field from the AS-to-Client response
as opaque data as specified in Section 4.2 of [RFC7925] and not as opaque data as specified in Section 4.2 of [RFC7925] and not
perform any re-coding. This allows the resource server to retrieve perform any re-coding. This allows the resource server to retrieve
the shared secret directly from the "cnf" claim of the access token. the shared secret directly from the "cnf" claim of the access token.
If a resource server receives a ClientKeyExchange message that If a resource server receives a ClientKeyExchange message that
contains a "psk_identity" with a length greater than zero, it MUST contains a "psk_identity" with a length greater than zero, it MUST
skipping to change at page 24, line 31 skipping to change at page 25, line 19
Profile ID: TBD (suggested: 1) Profile ID: TBD (suggested: 1)
Change Controller: IESG Change Controller: IESG
Reference: [RFC-XXXX] Reference: [RFC-XXXX]
10. Acknowledgments 10. Acknowledgments
Special thanks to Jim Schaad for his contributions and reviews of Special thanks to Jim Schaad for his contributions and reviews of
this document and to Ben Kaduk for his thorough reviews of this this document and to Ben Kaduk for his thorough reviews of this
document. Thanks also to Paul Kyzivat for his review. document. Thanks also to Paul Kyzivat for his review. The authors
also would like to thank Marco Tiloca for his contributions.
Ludwig Seitz worked on this document as part of the CelticNext Ludwig Seitz worked on this document as part of the CelticNext
projects CyberWI, and CRITISEC with funding from Vinnova. projects CyberWI, and CRITISEC with funding from Vinnova.
11. References 11. References
11.1. Normative References 11.1. Normative References
[I-D.ietf-ace-oauth-authz] [I-D.ietf-ace-oauth-authz]
Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and
 End of changes. 12 change blocks. 
16 lines changed or deleted 24 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/