Re: [Ace] I-D Action: draft-ietf-ace-oscore-profile-10.txt

2020-04-28 Thread Benjamin Kaduk
Hi Francesca,

I took a look through the updates and we are looking in quite good shape.

I filed https://github.com/ace-wg/ace-oscore-profile/pull/30 with a few
final suggested tweaks, though I cannot quite say that they are all just
editorial.  In particular, I remove text about "the client MUST include the
access token using the correct CBOR label (e.g., "cwt" for CWT, "jwt" for
JWT")" since I didn't understand how that was expected to work and it
wasn't reflected in the example.  I also propose to remove "verification of
access rights" from the discussion of the procedure to upload a token that
updates the access rights on a given security context -- the "verification
of access rights" is superficially parallel to the procedures specified in
the previous paragraph, but the previous paragraph talks about regular
OSCORE exchanges (that do operations that have access control applied to
them), whereas the text in question is just for the one-shot "upload new
token" operation.

Once the text from Jim arrives, then we should be all set on this one ...
to wait for the DTLS profile, that is, so the group of four documents goes
to the IESG as a unit.

Thanks!

-Ben

On Tue, Mar 10, 2020 at 09:08:11AM +, Francesca Palombini wrote:
> Hi Ben, ace,
> 
> These 2 updates (09 and 10) address almost all the AD review comments of v-08.
> 
> v-09 covers the majority of them, as we discussed in this thread:
> https://mailarchive.ietf.org/arch/msg/ace/rgVfs3dzcWQnNlXn331DdpQfwwQ/ and
> listed in this issue: https://github.com/ace-wg/ace-oscore-profile/issues/26
> 
> v-10 covers the remaining:
> 
> * The mechanism of letting the RS pick the identifier of the client is not
>   worth the additional complexity.
>   6, 7, 32, 61, 65
> * Define and register 2 new ACE parameters to transport the nonces used in
>   the exchange, instead of using "cnonce".
>   3, 53, 60
> 
> The following issue is still open (during the interim meeting Jim volunteered 
> to give a try to draft some text, and we really appreciate his help) and we 
> should pinpoint what we need to include in the document about: 
> 
> * Recommendation about length of nonces N1 and N2 to use.
>   5, 52
> 
> 
> Thanks,
> Francesca
> 
> 
> On 09/03/2020, 17:44, "Ace on behalf of internet-dra...@ietf.org" wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> This draft is a work item of the Authentication and Authorization for 
> Constrained Environments WG of the IETF.
> 
> Title   : OSCORE profile of the Authentication and Authorization for
>           Constrained Environments Framework
> Authors : Francesca Palombini
>           Ludwig Seitz
>           Göran Selander
>           Martin Gunnarsson
> Filename: draft-ietf-ace-oscore-profile-10.txt
> Pages   : 30
> Date    : 2020-03-09
> 
> Abstract:
>This memo specifies a profile for the Authentication and
>Authorization for Constrained Environments (ACE) framework.  It
>utilizes Object Security for Constrained RESTful Environments
>(OSCORE) to provide communication security, server authentication,
>and proof-of-possession for a key owned by the client and bound to an
>OAuth 2.0 access token.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-profile/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-ace-oscore-profile-10
> https://datatracker.ietf.org/doc/html/draft-ietf-ace-oscore-profile-10
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-oscore-profile-10
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> 
> ___
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
> 
> 

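
As an added illustration of the distinction Ben draws above (access rights are enforced on the protected OSCORE exchanges, not on the one-shot token upload) and of carrying N1/N2 in dedicated parameters rather than "cnonce", here is a Python sketch of the RS side; it is not code from the draft or its authors. It assumes an HMAC-tagged JSON token as a stand-in for a CWT, string keys "access_token", "nonce1" and "nonce2" in place of CBOR labels, a client key identifier "kid", and an 8-byte nonce length.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the AS-issued token: JSON claims plus an HMAC tag under
# a key shared by AS and RS (assumption; the profile uses a CWT, not this format).
AS_RS_KEY = b"constructed-as-rs-shared-key"
TAG_LEN = 32
NONCE_LEN = 8  # assumed byte length for N1/N2; the thread leaves the recommendation open


def issue_token(scope, kid):
    """AS side: bind a scope to the client's key identifier and tag the claims."""
    body = json.dumps({"scope": scope, "kid": kid}, sort_keys=True).encode()
    return body + hmac.new(AS_RS_KEY, body, hashlib.sha256).digest()


def verify_token(token):
    """RS side: check the tag and return the claims; rejects a tampered token."""
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(AS_RS_KEY, body, hashlib.sha256).digest(), tag):
        raise ValueError("token verification failed")
    return json.loads(body)


class ResourceServer:
    def __init__(self):
        self.granted = {}  # kid -> scope from the most recently uploaded token

    def authz_info(self, payload):
        """One-shot token upload. 'access_token', 'nonce1' and 'nonce2' are
        assumed string keys standing in for the CBOR labels. The token and N1
        are validated and the scope recorded; no access-rights check happens
        here, that belongs to the protected exchanges handled below."""
        if len(payload.get("nonce1", b"")) != NONCE_LEN:
            raise ValueError("nonce1 has unexpected length")
        claims = verify_token(payload["access_token"])
        # A later upload for the same kid replaces the access rights wholesale.
        self.granted[claims["kid"]] = claims["scope"]
        return {"nonce2": secrets.token_bytes(NONCE_LEN)}

    def handle_request(self, kid, method, path):
        """Regular protected exchange: this is where access rights are enforced.
        Return values are CoAP codes written as integers (2.05 -> 205, etc.)."""
        scope = self.granted.get(kid)
        if scope is None:
            return 401  # no context established for this client
        if f"{method} {path}" not in scope:
            return 403  # context exists but the token does not cover this operation
        return 205 if method == "GET" else 204
```
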
Re: [Ace] I-D Action: draft-ietf-ace-oscore-profile-10.txt

2020-03-10 Thread Francesca Palombini
Hi Ben, ace,

These 2 updates (09 and 10) address almost all the AD review comments of v-08.

v-09 covers the majority of them, as we discussed in this thread:
https://mailarchive.ietf.org/arch/msg/ace/rgVfs3dzcWQnNlXn331DdpQfwwQ/ and
listed in this issue: https://github.com/ace-wg/ace-oscore-profile/issues/26

v-10 covers the remaining:

* The mechanism of letting the RS pick the identifier of the client is not
  worth the additional complexity.
  6, 7, 32, 61, 65
* Define and register 2 new ACE parameters to transport the nonces used in the
  exchange, instead of using "cnonce".
  3, 53, 60

The following issue is still open (during the interim meeting Jim volunteered 
to give a try to draft some text, and we really appreciate his help) and we 
should pinpoint what we need to include in the document about: 

* Recommendation about length of nonces N1 and N2 to use.
5, 52


Thanks,
Francesca


On 09/03/2020, 17:44, "Ace on behalf of internet-dra...@ietf.org" wrote:


A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the Authentication and Authorization for 
Constrained Environments WG of the IETF.

Title   : OSCORE profile of the Authentication and Authorization for
          Constrained Environments Framework
Authors : Francesca Palombini
          Ludwig Seitz
          Göran Selander
          Martin Gunnarsson
Filename: draft-ietf-ace-oscore-profile-10.txt
Pages   : 30
Date    : 2020-03-09

Abstract:
   This memo specifies a profile for the Authentication and
   Authorization for Constrained Environments (ACE) framework.  It
   utilizes Object Security for Constrained RESTful Environments
   (OSCORE) to provide communication security, server authentication,
   and proof-of-possession for a key owned by the client and bound to an
   OAuth 2.0 access token.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-profile/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-ace-oscore-profile-10
https://datatracker.ietf.org/doc/html/draft-ietf-ace-oscore-profile-10

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-oscore-profile-10


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

