Hi, I think AIF-GROUP-COM as defined below works well for ace-key-groupcomm-oscore.
It sounds safe to also have a register for the role integer values. Thanks, /Marco On 2020-06-23 22:27, Cigdem Sengul wrote: > This looks what I expected from the MQTT point of view. Thanks, Jim. > I will look into adding the change to the profile document now. > Kind regards, > --Cigdem > > > On Tue, Jun 23, 2020 at 4:48 PM Jim Schaad <[email protected] > <mailto:[email protected]>> wrote: > > > > > -----Original Message----- > > From: Ace <[email protected] <mailto:[email protected]>> > On Behalf Of Francesca Palombini > > Sent: Tuesday, June 23, 2020 6:45 AM > > To: Carsten Bormann <[email protected] <mailto:[email protected]>>; Ace Wg > <[email protected] <mailto:[email protected]>> > > Cc: Marco Tiloca <[email protected] <mailto:[email protected]>> > > Subject: Re: [Ace] AIF as discussed today (Re: I-D Action: > draft-bormann-core- > > ace-aif-08.txt) > > > > Hi Carsten, > > > > Thanks for this quick update! Just some short high level > comments, to make > > sure we can use this for ace-key-groupcomm-oscore. > > > > In ace-key-groupcomm-oscore, we would say that Toid is the > identifier of the > > OSCORE group, so the OSCORE "group name", which is encoded as a > bstr. For > > Tperm, it's a bit further away from what the aif document > specifies (which is > > why I want to check with you), but we would go for array of > tstr, since we can't > > really encode the permission to be a "monitor" node (for example) by > > indicating a REST method. This is a bit stretched from the > document right now, > > but it should work. > > > > We would have to register a media type (and content format) for > this, so what > > would this be? You use aif+cbor for the default, so maybe > something like "aif- > > ace-group+cbor". For section 5.3, we would have to register Toid > and Tperm > > with something like: > > > > Toid registry: > > * name: gname > > * description: group name of the OSCORE group as specified in > ace-key- > > groupcomm-oscore > > > > Tperm registry: > > * name: roles > > * description: role of the group member as specified in > ace-key-groupcomm- > > oscore > > > > I think we are missing some form of "encoding" column in the > registries above. > > In that case it would be "bstr" for Toid gname and "CBOR array > of tstr" for > > Tperm role. It would also be "tstr" for local-part Toid and > "int" for Tperm REST- > > method-set. (also, minor, but you sometimes use "local-part" and > sometimes > > "local-uri", see section 4). Even better, the description or the > encoding in the > > registry could point to "path" and "permissions" cddl, for the > default values in > > the aif doc. > > > > Using "array of tstr" for roles allows us to express what we > need for "set of > > roles". I don't see this being in contrast with the aif document > right now. > > This follows what I would expect, for MQTT I would see > > AIF-MQTT = AIF_Generic<filter, permissions> > filter = tstr > permissions = [ +permission ] > permission = "publish" / "subscribe" > > For the group comm draft, I think that > > AIF-GROUP-COM = AIF_Generic<path, permisions> > path = tstr ; group name > permissions = uint . bits methods > methods = &( > requester = 1, > responder = 2, > monitor = 3, > verifier = 4 > ) > > This does require a registry if we ever expect this to grow. > > > So all in all, I think this can work for > ace-key-groupcomm-oscore. Please let me > > know if you see anything that bothers you in my summary. > > > > Thanks, > > Francesca > > > > On 23/06/2020, 00:17, "Ace on behalf of Carsten Bormann" <ace- > > [email protected] <mailto:[email protected]> on behalf of > [email protected] <mailto:[email protected]>> wrote: > > > > I went ahead and quickly implemented what we had discussed > today. > > > > https://www.ietf.org/id/draft-bormann-core-ace-aif-08.html > > > > Lots more editing to do, but the gist of what I was trying > to say should be > > there. > > Comments welcome! > > > > Grüße, Carsten > > > > > > > On 2020-06-23, at 00:12, [email protected] > <mailto:[email protected]> wrote: > > > > > > > > > A New Internet-Draft is available from the on-line > Internet-Drafts > > directories. > > > This draft is a work item of the Authentication and > Authorization for > > Constrained Environments WG of the IETF. > > > > > > Title : An Authorization Information > Format (AIF) for ACE > > > Author : Carsten Bormann > > > Filename : draft-bormann-core-ace-aif-08.txt > > > Pages : 9 > > > Date : 2020-06-22 > > > > > > Abstract: > > > Constrained Devices as they are used in the "Internet of > Things" need > > > security. One important element of this security is > that devices in > > > the Internet of Things need to be able to decide which > operations > > > requested of them should be considered authorized, need > to ascertain > > > that the authorization to request the operation does > apply to the > > > actual requester, and need to ascertain that other > devices they place > > > requests on are the ones they intended. > > > > > > To transfer detailed authorization information from an > authorization > > > manager (such as an ACE-OAuth Authorization Server) to a > device, a > > > representation format is needed. This document provides > a suggestion > > > for such a format, the Authorization Information Format > (AIF). AIF > > > is defined both as a general structure that can be used > for many > > > different applications and as a specific refinement that > describes > > > REST resources and the permissions on them. > > > > > > > > > The IETF datatracker status page for this draft is: > > > https://datatracker.ietf.org/doc/draft-bormann-core-ace-aif/ > > > > > > There are also htmlized versions available at: > > > https://tools.ietf.org/html/draft-bormann-core-ace-aif-08 > > > > https://datatracker.ietf.org/doc/html/draft-bormann-core-ace-aif-08 > > > > > > A diff from the previous version is available at: > > > > https://www.ietf.org/rfcdiff?url2=draft-bormann-core-ace-aif-08 > > > > > > > > > Please note that it may take a couple of minutes from the > time of > > submission > > > until the htmlized version and diff are available at > tools.ietf.org <http://tools.ietf.org>. > > > > > > Internet-Drafts are also available by anonymous FTP at: > > > ftp://ftp.ietf.org/internet-drafts/ > > > > > > > > > _______________________________________________ > > > I-D-Announce mailing list > > > [email protected] <mailto:[email protected]> > > > https://www.ietf.org/mailman/listinfo/i-d-announce > > > Internet-Draft directories: http://www.ietf.org/shadow.html > > > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > > > _______________________________________________ > > Ace mailing list > > [email protected] <mailto:[email protected]> > > https://www.ietf.org/mailman/listinfo/ace > > > > _______________________________________________ > > Ace mailing list > > [email protected] <mailto:[email protected]> > > https://www.ietf.org/mailman/listinfo/ace > > _______________________________________________ > Ace mailing list > [email protected] <mailto:[email protected]> > https://www.ietf.org/mailman/listinfo/ace > -- Marco Tiloca Ph.D., Senior Researcher RISE Research Institutes of Sweden Division ICT Isafjordsgatan 22 / Kistagången 16 SE-164 40 Kista (Sweden) Phone: +46 (0)70 60 46 501 https://www.ri.se
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
