Hi, I propose that we use the following text for the ACE framework (as originally proposed by Göran):
Section 6.2: OLD "Profiles MUST specify how communication security according to the requirements in Section 5 is provided." NEW "The requirements for communication security of profiles are specified in Section 5." Section 5: OLD "Profiles MUST specify a communication security protocol that provides the features required above." NEW "Profiles MUST specify at least one communication security protocol that provides the features required above." For the DTLS profile, I propose the following text: OLD "The use of CoAP and DTLS for this communication is REQUIRED in this profile. Other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) will require specification of additional profile(s)." NEW "The use of CoAP and and DTLS for this communication is RECOMMENDED in this profile. Other protocols fulfilling the security requirements defined in Section 5 of [I-D.ietf-ace-oauth-authz] MAY be used instead." additional explanation: one proposal was to state as the reason for recommending DTLS that it reduces the number of libraries the client has to support. But the reason why the ACE framework requires that the profiles specify a security protocol for the communication between C and AS is to provide security for the data that is transmitted between these two parties. Without a protocol that fulfills the requirements listed in the ACE framework, the solution would not be secure. Requiring that the profiles must specify at least one protocol ensures that implementers have an idea how to implement the profile securely (instead of leaving them in the dark about that). It is also nice if the number of libraries on the client can be reduced, but I am not that comfortable with stating that as the main the reason for recommending DTLS. Viele Grüße Steffi _______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
