| rfc9203v5.txt | rfc9203.txt |
|---|---|
| Internet Engineering Task Force (IETF) F. Palombini | Internet Engineering Task Force (IETF) F. Palombini |
| Request for Comments: 9203 Ericsson AB | Request for Comments: 9203 Ericsson AB |
| Category: Standards Track L. Seitz | Category: Standards Track L. Seitz |
| ISSN: 2070-1721 Combitech | ISSN: 2070-1721 Combitech |
| G. Selander | G. Selander |
| Ericsson AB | Ericsson AB |
| M. Gunnarsson | M. Gunnarsson |
| RISE | RISE |
| May 2022 | August 2022 |
| The Object Security for Constrained RESTful Environments (OSCORE) | The Object Security for Constrained RESTful Environments (OSCORE) |
| Profile of the Authentication and Authorization for Constrained | Profile of the Authentication and Authorization for Constrained |
| Environments (ACE) Framework | Environments (ACE) Framework |
| Abstract | Abstract |
| This document specifies a profile for the Authentication and | This document specifies a profile for the Authentication and |
| Authorization for Constrained Environments (ACE) framework. It | Authorization for Constrained Environments (ACE) framework. It |
| utilizes Object Security for Constrained RESTful Environments | utilizes Object Security for Constrained RESTful Environments |
| skipping to change at line 126 | skipping to change at line 126 |
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and |
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in |
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all |
| capitals, as shown here. | capitals, as shown here. |
| Certain security-related terms such as "authentication", | Certain security-related terms such as "authentication", |
| "authorization", "confidentiality", "(data) integrity", "Message | "authorization", "confidentiality", "(data) integrity", "Message |
| Authentication Code (MAC)", "Hash-based Message Authentication Code | Authentication Code (MAC)", "Hash-based Message Authentication Code |
| (HMAC)", and "verify" are taken from [RFC4949]. | (HMAC)", and "verify" are taken from [RFC4949]. |
| RESTful terminology follows HTTP [RFC7231]. | RESTful terminology follows HTTP [RFC9110]. |
| Readers are expected to be familiar with the terms and concepts | Readers are expected to be familiar with the terms and concepts |
| defined in OSCORE [RFC8613], such as "security context" and | defined in OSCORE [RFC8613], such as "security context" and |
| "Recipient ID". | "Recipient ID". |
| Terminology for entities in the architecture is defined in OAuth 2.0 | Terminology for entities in the architecture is defined in OAuth 2.0 |
| [RFC6749], such as client (C), resource server (RS), and | [RFC6749], such as client (C), resource server (RS), and |
| authorization server (AS). It is assumed in this document that a | authorization server (AS). It is assumed in this document that a |
| given resource on a specific RS is associated to a unique AS. | given resource on a specific RS is associated to a unique AS. |
| skipping to change at line 1397 | skipping to change at line 1397 |
| "Object Security for Constrained RESTful Environments | "Object Security for Constrained RESTful Environments |
| (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, | (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, |
| <https://www.rfc-editor.org/info/rfc8613>. | <https://www.rfc-editor.org/info/rfc8613>. |
| [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object | [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object |
| Representation (CBOR)", STD 94, RFC 8949, | Representation (CBOR)", STD 94, RFC 8949, |
| DOI 10.17487/RFC8949, December 2020, | DOI 10.17487/RFC8949, December 2020, |
| <https://www.rfc-editor.org/info/rfc8949>. | <https://www.rfc-editor.org/info/rfc8949>. |
| [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): | [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): |
| Structures and Process", RFC 9052, DOI 10.17487/RFC9052, | Structures and Process", STD 96, RFC 9052, |
| May 2022, <https://www.rfc-editor.org/info/rfc9052>. | DOI 10.17487/RFC9052, August 2022, |
|  | <https://www.rfc-editor.org/info/rfc9052>. |
| [RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE): | [RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE): |
| Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, May | Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, |
| 2022, <https://www.rfc-editor.org/info/rfc9053>. | August 2022, <https://www.rfc-editor.org/info/rfc9053>. |
| [RFC9200] Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and | [RFC9200] Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and |
| H. Tschofenig, "Authentication and Authorization for | H. Tschofenig, "Authentication and Authorization for |
| Constrained Environments Using the OAuth 2.0 Framework | Constrained Environments Using the OAuth 2.0 Framework |
| (ACE-OAuth)", RFC 9200, DOI 10.17487/RFC9200, May 2022, | (ACE-OAuth)", RFC 9200, DOI 10.17487/RFC9200, August 2022, |
| <https://www.rfc-editor.org/info/rfc9200>. | <https://www.rfc-editor.org/info/rfc9200>. |
| [RFC9201] Seitz, L., "Additional OAuth Parameters for Authentication | [RFC9201] Seitz, L., "Additional OAuth Parameters for Authentication |
| and Authorization for Constrained Environments (ACE)", | and Authorization for Constrained Environments (ACE)", |
| RFC 9201, DOI 10.17487/RFC9201, May 2022, | RFC 9201, DOI 10.17487/RFC9201, August 2022, |
| <https://www.rfc-editor.org/info/rfc9201>. | <https://www.rfc-editor.org/info/rfc9201>. |
| 10.2. Informative References | 10.2. Informative References |
| [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", | [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", |
| FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, | FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, |
| <https://www.rfc-editor.org/info/rfc4949>. | <https://www.rfc-editor.org/info/rfc4949>. |
| [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", |
| RFC 6749, DOI 10.17487/RFC6749, October 2012, | RFC 6749, DOI 10.17487/RFC6749, October 2012, |
| <https://www.rfc-editor.org/info/rfc6749>. | <https://www.rfc-editor.org/info/rfc6749>. |
| [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer |  |
| Protocol (HTTP/1.1): Semantics and Content", RFC 7231, |  |
| DOI 10.17487/RFC7231, June 2014, |  |
| <https://www.rfc-editor.org/info/rfc7231>. |  |
| [RFC7800] Jones, M., Bradley, J., and H. Tschofenig, "Proof-of- | [RFC7800] Jones, M., Bradley, J., and H. Tschofenig, "Proof-of- |
| Possession Key Semantics for JSON Web Tokens (JWTs)", | Possession Key Semantics for JSON Web Tokens (JWTs)", |
| RFC 7800, DOI 10.17487/RFC7800, April 2016, | RFC 7800, DOI 10.17487/RFC7800, April 2016, |
| <https://www.rfc-editor.org/info/rfc7800>. | <https://www.rfc-editor.org/info/rfc7800>. |
| [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for |
| Writing an IANA Considerations Section in RFCs", BCP 26, | Writing an IANA Considerations Section in RFCs", BCP 26, |
| RFC 8126, DOI 10.17487/RFC8126, June 2017, | RFC 8126, DOI 10.17487/RFC8126, June 2017, |
| <https://www.rfc-editor.org/info/rfc8126>. | <https://www.rfc-editor.org/info/rfc8126>. |
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol |
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, |
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. |
| [RFC8747] Jones, M., Seitz, L., Selander, G., Erdtman, S., and H. | [RFC8747] Jones, M., Seitz, L., Selander, G., Erdtman, S., and H. |
| Tschofenig, "Proof-of-Possession Key Semantics for CBOR | Tschofenig, "Proof-of-Possession Key Semantics for CBOR |
| Web Tokens (CWTs)", RFC 8747, DOI 10.17487/RFC8747, March | Web Tokens (CWTs)", RFC 8747, DOI 10.17487/RFC8747, March |
| 2020, <https://www.rfc-editor.org/info/rfc8747>. | 2020, <https://www.rfc-editor.org/info/rfc8747>. |
|  | [RFC9110] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, |
|  | Ed., "HTTP Semantics", STD 97, RFC 9110, |
|  | DOI 10.17487/RFC9110, June 2022, |
|  | <https://www.rfc-editor.org/info/rfc9110>. |
| [RFC9147] Rescorla, E., Tschofenig, H., and N. Modadugu, "The | [RFC9147] Rescorla, E., Tschofenig, H., and N. Modadugu, "The |
| Datagram Transport Layer Security (DTLS) Protocol Version | Datagram Transport Layer Security (DTLS) Protocol Version |
| 1.3", RFC 9147, DOI 10.17487/RFC9147, April 2022, | 1.3", RFC 9147, DOI 10.17487/RFC9147, April 2022, |
| <https://www.rfc-editor.org/info/rfc9147>. | <https://www.rfc-editor.org/info/rfc9147>. |
| Appendix A. Profile Requirements | Appendix A. Profile Requirements |
| This section lists the specifications of this profile based on the | This section lists the specifications of this profile based on the |
| requirements of the framework, as requested in Appendix C of | requirements of the framework, as requested in Appendix C of |
| [RFC9200]. | [RFC9200]. |
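Review bot: the citation swap in the terminology region is carried through consistently in the references region: "RESTful terminology follows HTTP [RFC7231]." becomes "RESTful terminology follows HTTP [RFC9110].", the [RFC7231] entry is dropped from the Informative References, and an [RFC9110] entry ("HTTP Semantics", STD 97) is added in its place, so no citation is left dangling. RFC 9110 obsoletes RFC 7231, so this is the right target. The remaining differences are publication-date updates (May 2022 to August 2022) for this document and the companion entries RFC 9052, RFC 9053, RFC 9200 and RFC 9201, plus the "STD 96" designation on RFC 9052; these are metadata changes with no effect on the profile's normative content.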