Re: [Ace] WGLC for draft-ietf-ace-oscore-gm-admin

Marco Tiloca <marco.tiloca@ri.se> Tue, 05 March 2024 18:12 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/KPPogqg7G25Pbao-0bIhXCT24Jw>

Hello Göran,

Thanks a lot for your review and comments!

We have addressed them in the latest version -11 submitted before the 
IETF 119 cut-off.

Please find our answers to your comments inline below.

Best,
/Marco

On 2024-02-18 09:52, Göran Selander wrote:
>
> Hi,
>
> I’ve been following the development of this draft and think it is 
> ready in the working group. In addition to some comments already made 
> by Cigdem, I found only a few nits in the latest version:
>
> Section 3
>
> ’In the rest of this section, these are referred to as "user scope 
> entries".’
>
> …
>
> ’In the rest of this section, these are referred to as "admin scope 
> entries".’
>
>   * Remove “In the rest of this section” in these sentences, as the
>     terms are used throughout the document.
>   * Move the text about the convention to abbreviate “admin scope
>     entry” with “scope entry” from the end of section 3.0 to where the
>     former is defined, to keep definitions of “scope” together in the
>     document.
>

==>MT

Yes. Taking both comments above into account, we have made the following 
three changes in Section 3.0.

OLD
 > In the rest of this section, these are referred to as "user scope 
entries".
NEW
 > Hereafter, these are referred to as "user scope entries".

OLD
 > In the rest of this section, these are referred to as "admin scope 
entries".
NEW
 > Hereafter, these are referred to as "admin scope entries", or simply 
as "scope entries" unless otherwise indicated.

Removed the sentence:
 > Throughout the rest of this document, the term "scope entry" is used 
as referred to "admin scope entry", unless otherwise indicated.

<==

> Thanks,
>
> Göran
>
> *From: *Ace <ace-bounces@ietf.org> on behalf of Cigdem Sengul 
> <cigdem.sengul@gmail.com>
> *Date: *Friday, 16 February 2024 at 23:36
> *To: *ace@ietf.org <ace@ietf.org>
> *Cc: *Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>
> *Subject: *Re: [Ace] WGLC for draft-ietf-ace-oscore-gm-admin
>
> Hello ace,
>
> I've reviewed the document and found it largely ready.
>
> Below, I make some suggestions to improve clarity and list a few 
> editorial comments, hope it helps.
>
> Kind regards,
>
> --Cigdem
>
> Section 2. Group Administration
> "The AS MAY release Access Tokens to the Administrator for other 
> purposes than accessing admin resources of registered Group Managers"
>
> => Reading further into the document, it becomes clear later that " 
> Building on the above, the same single scope can include user scope 
> entries as well as admin scope entries"
>
>
> i.e., tokens may express permissions for user resources). It would be 
> good to clarify this earlier.
>
> Section 3. Format of Scope
>
> => The object identifier ("Toid") examples for wildcard patterns and 
> complex patterns would be useful.
> => Can the Create permission be paired with a "literal" Toid? So, the 
> admin has the right to create a specific config for a specific group name?
>
> Figure 2:
> Write  | 3     | Change group configurations
>
> => Instead of "Change", Update group configurations?
>
> Section 3.1
>
> "The Administrator may have established a secure communication 
> association with the Group Manager based on a first Access Token   T1, 
> and then created an OSCORE group G.  Following the
>       invalidation of T1 (e.g., due to expiration) and the 
> establishment of a new secure communication association with the Group 
> Manager based on a new Access Token T2, the Administrator can 
> seamlessly perform authorized operations on the previously created 
> group G."
>
> The example is not clear to me. Why does the G having a wildcard or 
> complex pattern help in this case?
>
> 5.1.2
>
> 'group_title', with value either a human-readable description of the 
> OSCORE group encoded as a CBOR text string, or the CBOR simple value 
> "null" (0xf6) if no description is specified.
>
> ==>If this is group description, group_desc sounds more fitting than 
> group_title?
>
> 5.2
> "A possible reason for the Group Manager to consider default values 
> different from those recommended in this section is to ensure that 
> each of those are consistent with what the Group Manager supports, 
> e.g., in terms of signature algorithm and format of authentication 
> credentials used in the OSCORE group."
>
> Is this mainly saying, "The Group Manager MAY choose different default 
> values instead of those recommended in this section ... "
>
>
> 6.2 Retrieve a List of Group Configurations by Filters
>
>
> It would be good to give an example with status filters as well. For 
> example, is it possible to use a complex pattern for group_name filter?
>
> 6.3 Create a New Group Configuration (and also 6.6.)
>
> "Alternatively, the Administrator can perform the registration in 
> the Resource Directory on behalf of the Group Manager, acting 
> as  Commissioning Tool."
>
> Why consider this option when
>
> "Therefore, it is RECOMMENDED that registrations of links to 
> group-membership resources in the Resource Directory are made (and 
> possibly updated) directly by the Group Manager, rather than by the 
> Administrator."
>
>
> Editorial
> Abstract
> OLD:
> A Group Manager is responsible to handle the joining of new group
>   members, as well as to manage and distribute the group keying
>    material.
>
> NEW:
> A Group Manager is responsible for handling the joining of new group
>    members, as well as managing and distributing the group keying
>    material.
>
> OLD:
> This document defines a RESTful admin interface at the
>    Group Manager, that
>
> NEW:
> This document defines a RESTful admin interface at the
> Group Manager that
>
> Introduction
> OLD:
>  When group communication for CoAP is protected with Group OSCORE,
>    nodes are required to explicitly join the correct OSCORE group.
>
> NEW:
> When group communication for CoAP is protected with Group OSCORE,
>    nodes are required to join the correct OSCORE group explicitly.
>
> OLD:
> e.g., based on
>    the current application state or on pre-installed policies.
>
> NEW:
> e.g., based on
>    the current application state or pre-installed policies.
>
> TERMINOLOGY
> OLD:
> An OSCORE group is used as security group for
>          one or many application groups.
>
> NEW:
> An OSCORE group is used as a security group for
>          one or many application groups.
>
> 3.1
> OLD:
> When relying on wildcard patterns and complex patterns, the 
> Administrator and the AS do not need to know exact group names for
>       requesting and issuing an Access Token, respectively (see
>       Section 4).
>
> NEW:
> When relying on wildcard patterns and complex patterns, the 
> Administrator and the AS do not need to know the exact group names for
>       requesting and issuing an Access Token, respectively (see
>       Section 4).
>
> 4.1
> OLD:
> With respect to the main Administrator, such assistant Administrators
>    are expected to have less permissions to perform administrative
>    operations related to the OSCORE group at the Group Manager.
>
> NEW:
> With respect to the main Administrator, such assistant Administrators
>    are expected to have fewer permissions to perform administrative
>    operations related to the OSCORE group at the Group Manager.
>
> OLD:  For
>    example, they may not be authorized to create the OSCORE group if not
>    existing already, or to delete the OSCORE group and its
>    configuration.
>
> NEW:
>  For example, they may not be authorized to create an OSCORE group, or 
> to delete an OSCORE group and its
>    configuration.
>
> 6.3
> OLD: "If the POST request did not specify certain parameters and the 
> Group Manager used default values different from the ones recommended 
> in Section 5.2, then the response payload MUST include also those
>    parameters, specifying the values chosen by the Group Manager for the
>    current group configuration."
>
> NEW: "If the POST request did not specify certain parameters and the 
> Group Manager used default values different from the ones recommended 
> in Section 5.2, then the response payload MUST also include those
>    parameters, specifying the values chosen by the Group Manager for the
>    current group configuration.
>
> 6.6.2
> OLD: "Retrieve from the Group Manager the new Group Manager's
>             authentication credential "
>
> NEW: Retrieve from the Group Manager the Group Manager's new
>             authentication credential
>
> 8.
>
> Sentence hard to parse:
> "This option
>          fundamentally relies on the Group Manager freeing up group
>          names, hence it is not viable if considerably or indefinitely
>          postponing the creation of the group is not acceptable."
>
> On Fri, 16 Feb 2024 at 19:48, Tim Hollebeek 
> <tim.hollebeek=40digicert.com@dmarc.ietf.org> wrote:
>
>     Just as a reminder, this WGLC closes in three days.  Please
>     provide feedback as to whether this document is ready to be sent
>     to IESG or not.
>
>     -Tim
>
>     *From:*Tim Hollebeek
>     *Sent:* Monday, February 5, 2024 2:18 PM
>     *To:* ace@ietf.org
>     *Subject:* WGLC for draft-ietf-ace-oscore-gm-admin
>
>     Hello ACE Working Group members,
>
>     We’re finally ready to do a Working Group Last Call for the document
>     draft-ietf-ace-oscore-gm-admin:
>
>     https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-gm-admin/
>
>     Admin Interface for the OSCORE Group Manager
>
>     draft-ietf-ace-oscore-gm-admin-10
>
>     Abstract
>
>        Group communication for CoAP can be secured using Group Object
>        Security for Constrained RESTful Environments (Group OSCORE).  A
>        Group Manager is responsible to handle the joining of new group
>        members, as well as to manage and distribute the group keying
>        material.  This document defines a RESTful admin interface at the
>        Group Manager, that allows an Administrator entity to create and
>        delete OSCORE groups, as well as to retrieve and update their
>        configuration.  The ACE framework for Authentication and
>        Authorization is used to enforce authentication and authorization of
>        the Administrator at the Group Manager.  Protocol-specific transport
>        profiles of ACE are used to achieve communication security, proof-of-
>        possession, and server authentication.
>
>     Please review the document and provide feedback to the list by
>     19 February 2024.
>
>     For the chairs,
>
>     -Tim
>
>     _______________________________________________
>     Ace mailing list
>     Ace@ietf.org
>     https://www.ietf.org/mailman/listinfo/ace
>
>

-- 
Marco Tiloca
Ph.D., Senior Researcher

Phone: +46 (0)70 60 46 501

RISE Research Institutes of Sweden AB
Box 1263
164 29 Kista (Sweden)

Division: Digital Systems
Department: Computer Science
Unit: Cybersecurity

https://www.ri.se