Dear Ace, I've submitted a v5 of the MQTT profile making the following updates as discussed in the April interim (the changes should be able to close all the remaining 6 issues in the github repo). After Jim and Carsten's e-mails, I've been thinking also how to add support for AIF in the draft.
List of changes:

* Clarified that MQTT v5.0 Brokers may implement the username/password option for transporting the ACE token only for MQTT v3.1.1 clients. This option is not recommended for MQTT v5.0 clients.
* Changed the Clean Session requirement for both MQTT v5.0 and v3.1.1. The Broker SHOULD NOT, instead of MUST NOT, continue sessions. Clarified the expected behaviour if session continuation is supported. Added the potential misuse of session continuation to the Security Considerations.
* Added that client re-authentication is accepted only for the challenge/response PoP.
* Also important for misuse of re-authentication messages: clarified that the Broker should not accept any other packets from the Client after CONNECT and before sending CONNACK.

Other changes, including some minor ones:

* Added Ed25519 as mandatory to implement.
* Fixed the Authentication Data to include the token length for the challenge/response PoP.
* Added that Authorisation Server Discovery is triggered if a token is invalid, not only if it is missing.
* Did some reorganisation in Section 2 so that "Unauthorised Request: Authorisation Server Discovery" is presented under Section 2.6 as part of the Broker's response to the Client.
* Fixed Figure 2 to remove the word "empty" from the CONNECT format.

Thanks,
--Cigdem

On Thu, May 28, 2020 at 9:42 PM <[email protected]> wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Authentication and Authorization for Constrained Environments WG of the IETF.
>
>         Title           : MQTT-TLS profile of ACE
>         Authors         : Cigdem Sengul
>                           Anthony Kirby
>                           Paul Fremantle
>         Filename        : draft-ietf-ace-mqtt-tls-profile-05.txt
>         Pages           : 29
>         Date            : 2020-05-28
>
> Abstract:
> This document specifies a profile for the ACE (Authentication and Authorization for Constrained Environments) framework to enable authorization in an MQTT-based publish-subscribe messaging system. Proof-of-possession keys, bound to OAuth2.0 access tokens, are used to authenticate and authorize MQTT Clients. The protocol relies on TLS for confidentiality and MQTT server (broker) authentication.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ace-mqtt-tls-profile/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-ace-mqtt-tls-profile-05
> https://datatracker.ietf.org/doc/html/draft-ietf-ace-mqtt-tls-profile-05
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-mqtt-tls-profile-05
>
> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> Ace mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ace
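As an added illustration of the two re-authentication rules in the change list above (the Broker accepts no Client packets between CONNECT and CONNACK other than the reply to its challenge, and re-authentication is accepted only for the challenge/response PoP), here is a Python model of a Broker-side connection guard. It is example code, not the draft's or its authors'; the packet names are MQTT v5.0 control packet types, while the class, method and PoP-label names, and the use of AUTH packets for the challenge reply, are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Phase(Enum):
    AWAITING_CONNECT = auto()  # TLS session up, no CONNECT seen yet
    AUTHENTICATING = auto()    # CONNECT received, CONNACK not yet sent
    CONNECTED = auto()         # CONNACK sent, normal MQTT traffic allowed
    CLOSED = auto()


# Labels for the two PoP styles; the names are this example's, not the draft's.
CHALLENGE_RESPONSE = "challenge_response"
TOKEN_ONLY = "token_only"


@dataclass
class ConnectionGuard:
    """Per-connection check a Broker runs before dispatching a Client packet."""
    phase: Phase = Phase.AWAITING_CONNECT
    pop_method: str = ""

    def handle(self, packet: str, pop_method: str = "") -> str:
        """Return 'accept' or 'close' for one control packet from the Client."""
        if self.phase is Phase.CLOSED:
            return "close"
        if self.phase is Phase.AWAITING_CONNECT:
            if packet != "CONNECT":
                return self._close()
            self.pop_method = pop_method
            self.phase = Phase.AUTHENTICATING
            return "accept"
        if self.phase is Phase.AUTHENTICATING:
            # Between CONNECT and CONNACK the Client may only answer the
            # Broker's challenge (assumed here to be an AUTH packet); anything
            # else ends the connection, which also discards injected or
            # replayed packets sent before authentication completed.
            if packet == "AUTH" and self.pop_method == CHALLENGE_RESPONSE:
                return "accept"
            return self._close()
        # CONNECTED: AUTH now means re-authentication, which is accepted only
        # when the connection was set up with the challenge/response PoP.
        if packet == "AUTH" and self.pop_method != CHALLENGE_RESPONSE:
            return self._close()
        return "accept"

    def connack_sent(self) -> None:
        """Called by the Broker once it has sent CONNACK."""
        if self.phase is Phase.AUTHENTICATING:
            self.phase = Phase.CONNECTED

    def _close(self) -> str:
        self.phase = Phase.CLOSED
        return "close"
```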
