Hi all, Cigdem and I would also like to chime in as co-authors.
I have recently submitted a new version of the other ACE application profile for group key provisioning, i.e., draft-ietf-ace-key-groupcomm-oscore [0]. That was the result of addressing the IETF Last Call comments for that document, some of which unsurprisingly do apply also to the present pubsub profile. We think that it would be good to address those comments also in the present pubsub profile, and it's quite likely that we will receive those comments later on anyway. Please find such comments and some accompanying side-points at the end of this message. If there are no objections, we would like to address those points in the next version of the document, after the WG Last Call is completed. Best, /Marco [0] https://datatracker.ietf.org/doc/html/draft-ietf-ace-key-groupcomm-oscore === START COMMENTS === * Improving Section 1 "Introduction", to show in a more effective way the relationships between the document in question and the many related documents that it builds on. In Section 1 of [0], that was addressed by means of both additional text and a figure with a diagram. * Adding a new section "Operational Considerations", right before the section "Security Considerations", aligned with the recommendations in draft-opsarea-rfc5706bis. In the present pubsub profile, such a section would be very similar to the corresponding one in [0]. After all, just like in [0], we have a KDC managing security groups, with group members that here are specifically pubsub Clients. * Section 4.1.1.1 says about an optimized Join Request: > In this case, the joining node MAY choose not to provide again its authentication credential to the KDC in order to limit the size of the Join Request. However, it's not obvious how that is actually achieved, so we need some more text about that. The case in question is such that: - It's fine to omit the parameter 'client_cred_verify' (i.e., the PoP evidence) from the Join Request. - We cannot just omit the parameter 'client_cred' altogether. That would be a violation of Section 4.3.1 of RFC 9594, which says: > This parameter MUST be present if the KDC is managing (collecting from and distributing to Clients) the authentication credentials of the group members and the Client's role in the group will require the Client to send messages to one or more group members. This can be solved just like in Section 4 of [0]: in the considered optimized Join Request, the parameter 'client_cred' is included, but it takes a short sentinel value to enforce the optimization (i.e., the empty CBOR byte string that is encoded as 0x40). This can be a new paragraph in Section 4.1.1.1, right after the quoted text above. Consistently, some paragraphs in Sections 4.1.2 and 4.1.3 also need to be rephrased, by replacing the possible absence of 'client_cred' with its possible encoding of the empty CBOR byte string. * Section 2 says: > All communications between the involved entities MUST be secured. Again based on feedback from a review of [0], this should be expanded as below: > All communications between the involved entities (Clients, Broker, KDC, Authorization Server) rely on CoAP. Except for the end-to-end protection of published topic data (see Section 6.1), all such communications MUST occur and be secured in accordance with the protocol-specific transport profile of ACE used. * When mentioning the computing/use of a PoP evidence, it is better to explicitly say that the PoP evidence is intended to prove possession of one's own private key. === END COMMENTS === ________________________________ From: Tim Hollebeek <[email protected]> Sent: Wednesday, January 28, 2026 5:49 PM To: Göran Selander <[email protected]>; Tim Hollebeek <[email protected]>; Rikard Höglund <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]> Subject: Re: [Ace] Re: WG Last Call: draft-ietf-ace-coap-pubsub-profile-02 (Ends 2026-01-23) Confirmed, thank you for catching that error. -Tim ________________________________ From: Göran Selander <[email protected]> Sent: Wednesday, January 28, 2026 7:59 AM To: Tim Hollebeek <[email protected]>; Rikard Höglund <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]> Subject: Re: [Ace] Re: WG Last Call: draft-ietf-ace-coap-pubsub-profile-02 (Ends 2026-01-23) Hi, I haven’t reviewed this version in detail, but looked through the draft and it looks ready to me. Just found what I think is a nit, but maybe some English native can confirm: OLD This pertains operations NEW This pertains to operations Göran From: Tim Hollebeek <[email protected]> Date: Tuesday, 27 January 2026 at 19:51 To: Rikard Höglund <[email protected]>, [email protected] <[email protected]>, [email protected] <[email protected]>, [email protected] <[email protected]> Subject: [Ace] Re: WG Last Call: draft-ietf-ace-coap-pubsub-profile-02 (Ends 2026-01-23) Thank you very much for the review Rikard. If anyone else is planning on doing a review, please get it in by this Friday. I plan to close the call then unless issues come up. For the chairs, -Tim ________________________________ From: Rikard Höglund <[email protected]> Sent: Saturday, January 24, 2026 6:01 AM To: [email protected] <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]>; Tim Hollebeek <[email protected]> Subject: Re: [Ace] WG Last Call: draft-ietf-ace-coap-pubsub-profile-02 (Ends 2026-01-23) Hello. I have not done an in-depth review of the document, but I have checked it and can find no major issues. I support this document proceeding, and it is also important for the related work in draft-ietf-core-coap-pubsub. Best Rikard Höglund ________________________________ From: Tim Hollebeek via Datatracker <[email protected]> Sent: Thursday, January 8, 2026 18:24 To: [email protected] <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]> Subject: [Ace] WG Last Call: draft-ietf-ace-coap-pubsub-profile-02 (Ends 2026-01-23) This message starts a WG Last Call for: draft-ietf-ace-coap-pubsub-profile-02 This Working Group Last Call ends on 2026-01-23 Abstract: This document defines an application profile of the Authentication and Authorization for Constrained Environments (ACE) framework, to enable secure group communication in the Publish-Subscribe (Pub-Sub) architecture for the Constrained Application Protocol (CoAP) [draft- ietf-core-coap-pubsub], where Publishers and Subscribers communicate through a Broker. This profile relies on protocol-specific transport profiles of ACE to achieve communication security, server authentication, and proof of possession of a key owned by the Client and bound to an OAuth 2.0 access token. This document specifies the provisioning and enforcement of authorization information for Clients to act as Publishers and/or Subscribers, as well as the provisioning of keying material and security parameters that Clients use for protecting their communications end-to-end through the Broker. Please review and indicate your support or objection to proceed with the publication of this document by replying to this email keeping [email protected] in copy. Support for the document, along with objections, should be explained, and suggestions to resolve objections are highly appreciated. Authors, and WG participants in general, are reminded of the Intellectual Property Rights (IPR) disclosure obligations described in BCP 79 [1]. Appropriate IPR disclosures required for full conformance with the provisions of BCP 78 [1] and BCP 79 [2] must be filed, if you are aware of any. Sanctions available for application to violators of IETF IPR Policy can be found at [3]. Thank you. [1] https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fbcp78%2F&data=05%7C02%7Crikard.hoglund%40ri.se%7Ca8ba2e45135a450b94ca08de4edaeb3e%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C639034899327385812%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=EdEFn6oWhbkjwSXZnpkhJzXj3r03EhQM1HE9XxPlEys%3D&reserved=0<https://datatracker.ietf.org/doc/bcp78/> [2] https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fbcp79%2F&data=05%7C02%7Crikard.hoglund%40ri.se%7Ca8ba2e45135a450b94ca08de4edaeb3e%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C639034899327409236%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=tXSnFb0iSmTyM89xDgVjVxJ9NGQQO56sFeXSd3ThNLk%3D&reserved=0<https://datatracker.ietf.org/doc/bcp79/> [3] https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Frfc6701%2F&data=05%7C02%7Crikard.hoglund%40ri.se%7Ca8ba2e45135a450b94ca08de4edaeb3e%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C639034899327425336%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=OjJanLeM8xLJnyBZwRU%2FrDZ7rJK9OZ9eKvl4rCJU0CE%3D&reserved=0<https://datatracker.ietf.org/doc/rfc6701/> The IETF datatracker status page for this Internet-Draft is: https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-ace-coap-pubsub-profile%2F&data=05%7C02%7Crikard.hoglund%40ri.se%7Ca8ba2e45135a450b94ca08de4edaeb3e%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C639034899327443551%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=sksGaljoUFmeeuZ7EsE%2FEzP26mDEGrhN1EqHaV52otg%3D&reserved=0<https://datatracker.ietf.org/doc/draft-ietf-ace-coap-pubsub-profile/> There is also an HTML version available at: https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-ietf-ace-coap-pubsub-profile-02.html&data=05%7C02%7Crikard.hoglund%40ri.se%7Ca8ba2e45135a450b94ca08de4edaeb3e%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C639034899327459831%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=fT6p4QDuUnzhjDy8%2BbsC6Uu0ZF4ul8x%2BPI8DnfZlXQU%3D&reserved=0<https://www.ietf.org/archive/id/draft-ietf-ace-coap-pubsub-profile-02.html> A diff from the previous version is available at: https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthor-tools.ietf.org%2Fiddiff%3Furl2%3Ddraft-ietf-ace-coap-pubsub-profile-02&data=05%7C02%7Crikard.hoglund%40ri.se%7Ca8ba2e45135a450b94ca08de4edaeb3e%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C639034899327475416%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=1lV%2FSu9VMmJH1pcDDoNu%2BIW2WahEjq5hzMvR2KswiLo%3D&reserved=0<https://author-tools.ietf.org/iddiff?url2=draft-ietf-ace-coap-pubsub-profile-02> _______________________________________________ Ace mailing list -- [email protected] To unsubscribe send an email to [email protected]
_______________________________________________ Ace mailing list -- [email protected] To unsubscribe send an email to [email protected]
