Re: [Ace] New Version Notification for draft-tiloca-ace-group-oscore-profile-11.txt

Rikard Höglund <rikard.hoglund@ri.se> Tue, 11 July 2023 15:10 UTC

From: Rikard Höglund <rikard.hoglund@ri.se>
To: "ace@ietf.org" <ace@ietf.org>
CC: Marco Tiloca <marco.tiloca@ri.se>
Date: Tue, 11 Jul 2023 15:09:50 +0000
Message-ID: <MM0P280MB011890F13A63FFF3255686CA8331A@MM0P280MB0118.SWEP280.PROD.OUTLOOK.COM>
References: <168900661629.33372.10225507122121707983@ietfa.amsl.com>
In-Reply-To: <168900661629.33372.10225507122121707983@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/OAjmIr4U5uFZlUaXe-VPKXdI4aQ>
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

Hello.

We have recently submitted a revision of the Group OSCORE profile of ACE [1].

This profile is analogous to the OSCORE profile (RFC 9203), but uses Group OSCORE [2] as the security protocol and ensures fine-grained access control *within* an OSCORE group, while building on the *separate* enforcement of access control for nodes attempting to join the group [3].

Although we have postponed a presentation of this document for a long while, the two latest versions combined have brought especially the following updates:

  *   The Client and RS public authentication credentials exchanged via the AS during the ACE workflow now have formats compatible with the Group OSCORE protocol, e.g., certificates and CWT Claims Sets (CCSs).
  *   We have removed the cumbersome and obsoleted "Dual-Mode", which originally tried to combine the use of OSCORE and Group OSCORE for the same Access Token. Now the focus is only on Group OSCORE, and the document is greatly shortened and simplified.
  *   We have stressed that this profile makes it seamless and actually possible to issue an Access Token for a group-audience (i.e., an audience including multiple RSs).
  *   We have highlighted how using this profile effectively enables fine-grained access control paired with secure group communication, in accordance with the Zero Trust principles [4].

Any comments are welcome!

Best
Rikard Höglund

[1] https://datatracker.ietf.org/doc/draft-tiloca-ace-group-oscore-profile/
[2] https://datatracker.ietf.org/doc/draft-ietf-core-oscore-groupcomm/
[3] https://datatracker.ietf.org/doc/draft-ietf-ace-key-groupcomm-oscore/
[4] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
________________________________
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Monday, July 10, 2023 18:30
To: Rikard Höglund <rikard.hoglund@ri.se>; Francesca Palombini <francesca.palombini@ericsson.com>; Ludwig Seitz <ludwig.seitz@combitech.com>; Marco Tiloca <marco.tiloca@ri.se>; Rikard Höglund <rikard.hoglund@ri.se>
Subject: New Version Notification for draft-tiloca-ace-group-oscore-profile-11.txt


A new version of I-D, draft-tiloca-ace-group-oscore-profile-11.txt
has been successfully submitted by Marco Tiloca and posted to the
IETF repository.

Name:           draft-tiloca-ace-group-oscore-profile
Revision:       11
Title:          The Group Object Security for Constrained RESTful Environments (Group OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework
Document date:  2023-07-10
Group:          Individual Submission
Pages:          39
URL:            https://www.ietf.org/archive/id/draft-tiloca-ace-group-oscore-profile-11.txt
Status:         https://datatracker.ietf.org/doc/draft-tiloca-ace-group-oscore-profile/
Html:           https://www.ietf.org/archive/id/draft-tiloca-ace-group-oscore-profile-11.html
Htmlized:       https://datatracker.ietf.org/doc/html/draft-tiloca-ace-group-oscore-profile
Diff:           https://author-tools.ietf.org/iddiff?url2=draft-tiloca-ace-group-oscore-profile-11

Abstract:
   This document specifies a profile for the Authentication and
   Authorization for Constrained Environments (ACE) framework.  The
   profile uses Group Object Security for Constrained RESTful
   Environments (Group OSCORE) to provide communication security between
   a Client and one or multiple Resource Servers that are members of an
   OSCORE group.  The profile securely binds an OAuth 2.0 Access Token
   to the public key of the Client associated with the private key used
   by that Client in the OSCORE group.  The profile uses Group OSCORE to
   achieve server authentication, as well as proof-of-possession for the
   Client's public key.  Also, it provides proof of the Client's
   membership to the OSCORE group by binding the Access Token to
   information from the Group OSCORE Security Context, thus allowing the
   Resource Server(s) to verify the Client's membership upon receiving a
   message protected with Group OSCORE from the Client.  Effectively,
   the profile enables fine-grained access control paired with secure
   group communication, in accordance with the Zero Trust principles.

The IETF Secretariat
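As an added illustration (not part of the message above, and not code from the draft or its authors), the Go program below models the binding the abstract describes: the AS issues a token carrying the Client's public key and the identifier of the OSCORE group, the RS records that binding when the token is uploaded, and on every Group OSCORE-protected request the RS checks that the sender is a member of the group, that the countersignature verifies under the key the group associates with that member (proof of possession and proof of membership in one step), and that a token bound to exactly that key and that group grants the requested operation. Everything about the encoding is an assumption made for the example: JSON instead of a CWT, invented claim names, a plain Ed25519 signature over the request fields in place of the real Group OSCORE countersignature and AEAD, a "METHOD path" scope model, and freshly generated keys with a made-up group identifier, Sender IDs and RS names. None of these names or formats are taken from the draft.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Token: the claims an RS needs. The profile uses a CWT (CBOR); JSON and these names are stand-ins.
type Token struct {
	Aud       map[string]bool // RS identifiers the token is valid for; may cover a whole group
	Scope     map[string]bool // allowed "METHOD path" operations (a simplified scope model)
	GroupID   []byte          // OSCORE group the token is bound to
	ClientPub []byte          // proof-of-possession key: the client's Group OSCORE signing key
}

// IssueToken is the AS side: serialised claims plus the AS signature over them.
func IssueToken(asPriv ed25519.PrivateKey, t Token) (claims, sig []byte) {
	claims, _ = json.Marshal(t) // cannot fail for this struct
	return claims, ed25519.Sign(asPriv, claims)
}

// GroupMessage: what matters of a Group OSCORE request; Sig stands in for the real COSE countersignature.
type GroupMessage struct {
	GroupID, SenderID, Sig []byte
	Method, Path           string
}

func signingInput(m GroupMessage) []byte {
	return []byte(string(m.GroupID) + "\x00" + string(m.SenderID) + "\x00" + m.Method + "\x00" + m.Path)
}
func SignMessage(priv ed25519.PrivateKey, m GroupMessage) GroupMessage {
	m.Sig = ed25519.Sign(priv, signingInput(m))
	return m
}

// ResourceServer: trusted AS key, group membership view (Sender ID -> member key, from the Group Manager), accepted tokens.
type ResourceServer struct {
	ID      string
	ASPub   ed25519.PublicKey
	GroupID []byte
	Members map[string]ed25519.PublicKey
	Tokens  map[string]Token // indexed by (group ID, PoP key)
}

// PostToken validates an uploaded token and records its (group, key) binding.
func (rs *ResourceServer) PostToken(claims, sig []byte) error {
	var t Token
	if !ed25519.Verify(rs.ASPub, claims, sig) || json.Unmarshal(claims, &t) != nil {
		return fmt.Errorf("token rejected: not signed by the trusted AS, or malformed claims")
	}
	switch {
	case !t.Aud[rs.ID]:
		return fmt.Errorf("this RS is not in the token audience")
	case string(t.GroupID) != string(rs.GroupID):
		return fmt.Errorf("token is bound to a different OSCORE group")
	}
	rs.Tokens[string(t.GroupID)+"|"+string(t.ClientPub)] = t
	return nil
}

// Authorize: the sender must be a group member, the signature must verify under that member's key (proof of
// possession and of membership in one step), and a token bound to that key and group must grant the operation.
func (rs *ResourceServer) Authorize(m GroupMessage) error {
	pub, member := rs.Members[string(m.SenderID)]
	t, bound := rs.Tokens[string(m.GroupID)+"|"+string(pub)] // a request for another group finds no token
	switch {
	case !member:
		return fmt.Errorf("sender is not a member of the group")
	case !ed25519.Verify(pub, signingInput(m), m.Sig):
		return fmt.Errorf("signature does not verify under the member's key")
	case !bound:
		return fmt.Errorf("no access token bound to this member's key in this group")
	case !t.Scope[m.Method+" "+m.Path]:
		return fmt.Errorf("token scope does not cover this request")
	}
	return nil
}

// NewDemo: one AS, one RS, two group members (Sender IDs 0x01, 0x02); only 0x01 uploads a token.
// Keys are freshly generated; the group ID and RS names are made up.
func NewDemo() (*ResourceServer, map[string]ed25519.PrivateKey, error) {
	asPub, asPriv, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	rs := &ResourceServer{ID: "rs1", ASPub: asPub, GroupID: []byte{0xa1, 0xb2}, Tokens: map[string]Token{},
		Members: map[string]ed25519.PublicKey{"\x01": clientPub, "\x02": otherPub}}
	claims, sig := IssueToken(asPriv, Token{Aud: map[string]bool{"rs1": true, "rs2": true},
		Scope: map[string]bool{"GET /light": true}, GroupID: rs.GroupID, ClientPub: clientPub})
	return rs, map[string]ed25519.PrivateKey{"as": asPriv, "client": clientPriv, "other": otherPriv}, rs.PostToken(claims, sig)
}

func main() {
	rs, keys, err := NewDemo()
	req := GroupMessage{GroupID: rs.GroupID, SenderID: []byte{1}, Method: "GET", Path: "/light"}
	fmt.Println("setup:", err, "| token holder:", rs.Authorize(SignMessage(keys["client"], req)))
	fmt.Println("member 0x02 using 0x01's Sender ID:", rs.Authorize(SignMessage(keys["other"], req)))
}
```

The second line printed by main is the case worth noting: member 0x02 is a legitimate group member and signs a request that carries 0x01's Sender ID, but the RS checks the signature against the key its group context holds for 0x01, so the request is refused before any token is consulted. The same lookup is what lets a single token, bound to one key and one group, be accepted by every RS in the token's audience without the RSs sharing any per-client secret.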