From: Deb Cooley <debcooley1@gmail.com>
Date: Tue, 17 Sep 2024 06:10:45 -0400
Message-ID: 
 <CAGgd1OegPgTGNZ_d_zpeu_r3FwD8nJOBfz-C7Dh2H0Kj06TheA@mail.gmail.com>
To: Marco Tiloca <marco.tiloca@ri.se>
Content-Type: multipart/alternative; boundary="000000000000ecced506224de70d"
CC: The IESG <iesg@ietf.org>,
 draft-ietf-ace-revoked-token-notification@ietf.org, ace-chairs@ietf.org,
 ace@ietf.org, goran.selander@ericsson.com
Subject: [Ace] Re: Deb Cooley's No Objection on draft-ietf-ace-revoked-token-notification-08: (with COMMENT)
List-Id: "Authentication and Authorization for Constrained Environments (ace)"
 <ace.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/ace/yssEUkHBYalASpGex7vOPH6N9Ok>

--000000000000ecced506224de70d
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

TYVM for this clarification and addition.  It has answered my question
completely.

Deb

On Wed, Sep 11, 2024 at 5:29 PM Marco Tiloca <marco.tiloca@ri.se> wrote:

> Hello Deb,
>
> Thanks a lot for your review! Please find in line below our detailed
> replies to your comments.
>
> A GitHub PR where we have addressed your comments is available at [PR].
>
> Unless any concern is raised, we plan to soon merge this PR (and the other
> ones related to other received reviews), and to submit the result as
> version -09 of the document.
>
> Thanks,
> /Marco
>
> [PR] https://github.com/ace-wg/ace-revoked-token-notification/pull/17
>
>
> On 2024-07-06 15:32, Deb Cooley via Datatracker wrote:
>
> Deb Cooley has entered the following ballot position for
> draft-ietf-ace-revoked-token-notification-08: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-ace-revoked-token-notification/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you to Kyle Rose for doing the secdir review of this draft.  Also thanks
> to the authors for the discussions and improvements.
>
> I have one last (easy?) question:
>
> Section 13:  I expected to see some discussion on whether it is possible for an
> attacker to remove a revoked access token from the TRL allowing a registered
> device with a revoked access token to continue to participate.  Conversely, is
> it possible for an attacker to add an access token to the TRL, which would deny
> service to the registered device.  If these situations are not possible, what
> feature protects the TRL both at the AS and in transit?
>
>
> ==>MT
>
> Just to clarify and be sure: the AS indeed stores active **access tokens**
> that it has issued (e.g., in order to serve requests of token introspection
> from Resource Servers). However, the TRL specifically includes **token
> hashes** corresponding to issued access tokens, i.e., those that have been
> revoked and are not expired yet.
>
>
> If we consider an external adversary that is not in control of the AS,
> then the attacks suggested in the comment are not possible.
>
> First of all, a registered device or an administrator always relies on
> secure communications when interacting with the AS, as per Section 5 "The
> TRL Endpoint" and Section 9 "Registration at the Authorization Server".
> This is also aligned with Section 5 of RFC 9200 and with the security
> considerations of RFC 9200 that are simply inherited by this document as
> stated in its Section 13.0.
>
> Furthermore, as per the interface at the AS defined in Section 5,
> registered devices and administrators can access the TRL endpoint at the AS
> exclusively in read-only mode. That is, the TRL endpoint at the AS supports
> only the GET method (see the fourth paragraph of Section 5).
>
> It follows that accesses to the TRL are performed exclusively by sending
> protected and authenticated GET requests to the TRL endpoint, which by
> definition are safe in the REST sense and do not alter the content of the
> TRL.
>
> In fact, the content of the TRL can be updated only internally by the AS,
> in the two circumstances described in Section 4.1 "Update of the TRL".
>
>
> An adversary that has compromised and taken control of the AS is indeed
> able to update the content of the TRL, just like the AS would normally do.
> In particular, by appropriately updating the TRL content to become not
> aligned with the current set of access tokens that have been revoked but
> are not expired yet, such an adversary can practically perform the attacks
> suggested in the comment above.
>
> However, an adversary in control of the AS would be able to perform
> actions with considerably more severe and harmful consequences, such as
> revoking access tokens for no good reasons, issuing access tokens
> inconsistently with the installed access control policies, or providing
> wrong information to Resource Servers that ask the AS to perform token
> introspection.
>
>
> In the document, we have extended Section 13.1 "Content Retrieval from the
> TRL" by adding the following new text at its end.
>
> NEW:
> > Note that the TRL endpoint supports only the GET method (see Section 5).
> > Therefore, as detailed in Section 6 and Section 7, accesses to the TRL
> > endpoint are performed only by means of protected and authenticated GET
> > requests, which by definition are safe in the REST sense and do not alter
> > the content of the TRL. That is, registered devices and administrators can
> > perform exclusively read-only operations when accessing the TRL endpoint.
> >
> > In fact, the content of the TRL can be updated only internally by the
> > AS, in the two circumstances described in Section 4.1. Therefore, an
> > adversary that is not in control of the AS cannot manipulate the content of
> > the TRL, e.g., by removing a token hash and thereby fraudulently allowing a
> > Client to access protected resources in spite of a revoked access token, or
> > by adding a token hash and thereby fraudulently stopping a Client from
> > accessing protected resources in spite of an access token being still valid.
>
> <==
>
>
> Subject: Expiration impending: <draft-tiloca-ace-authcred-dtls-profile-01.txt>
> Date: Sun, 07 Jul 2024 00:00:31 -0700
> From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
>
> The following Internet-Draft will expire soon:
>
> Name:     draft-tiloca-ace-authcred-dtls-profile
> Title:    Additional Formats of Authentication Credentials for the Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)
> State:    I-D Exists
> Expires:  2024-07-13 (in 5 days, 23 hours)
>
>
> Subject: Expiration impending: <draft-ietf-ace-oscore-gm-admin-coral-01.txt>
> Date: Sun, 07 Jul 2024 00:00:32 -0700
> From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
>
> The following Internet-Draft will expire soon:
>
> Name:     draft-ietf-ace-oscore-gm-admin-coral
> Title:    Using the Constrained RESTful Application Language (CoRAL) with the Admin Interface for the OSCORE Group Manager
> State:    I-D Exists
> Expires:  2024-07-17 (in 1 week, 2 days)
>
>
>
> --
> Marco Tiloca
> Ph.D., Senior Researcher
>
> Phone: +46 (0)70 60 46 501
>
> RISE Research Institutes of Sweden AB
> Box 1263
> 164 29 Kista (Sweden)
>
> Division: Digital Systems
> Department: Computer Science
> Unit: Cybersecurity
> https://www.ri.se
>
>
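
The argument in the quoted reply (an authenticated, GET-only TRL endpoint, with the TRL updated only internally by the AS), modelled as an added example that is not part of the original thread or of the draft. The class and method names, the SHA-256 stand-in for the token hash, the choice of response codes, and the sample tokens are assumptions made for this sketch.

```python
import hashlib

# CoAP response codes (RFC 7252) chosen for this sketch.
CONTENT, UNAUTHORIZED, METHOD_NOT_ALLOWED = "2.05", "4.01", "4.05"


def token_hash(token: bytes) -> str:
    """Assumption: plain SHA-256 stands in for the draft's token-hash construction."""
    return hashlib.sha256(token).hexdigest()


class AuthorizationServer:
    """Hypothetical AS model: the TRL changes only through internal calls."""

    def __init__(self, registered_peers):
        # Identities established by the secure channel to the AS.
        self._registered = set(registered_peers)
        self._expiry = {}   # token hash -> expiration time of the issued token
        self._trl = set()   # hashes of tokens that are revoked and not yet expired

    # --- Internal operations; none of these is reachable via the endpoint ---
    def issue(self, token: bytes, exp: int) -> None:
        self._expiry[token_hash(token)] = exp

    def revoke(self, token: bytes, now: int) -> None:
        # A revoked, still unexpired token gets its hash added to the TRL.
        h = token_hash(token)
        if h in self._expiry and self._expiry[h] > now:
            self._trl.add(h)

    def purge_expired(self, now: int) -> None:
        # Once a revoked token expires, its hash leaves the TRL.
        for h in [h for h, exp in self._expiry.items() if exp <= now]:
            del self._expiry[h]
            self._trl.discard(h)

    # --- The TRL endpoint as seen by registered devices and administrators ---
    def trl_endpoint(self, method: str, peer, payload=None):
        if peer not in self._registered:
            return UNAUTHORIZED, None          # no authenticated, registered peer
        if method != "GET":
            return METHOD_NOT_ALLOWED, None    # read-only interface; payload ignored
        return CONTENT, sorted(self._trl)      # a copy, so callers cannot mutate the TRL


def demo():
    """Run the scenarios from the thread on constructed tokens."""
    asrv = AuthorizationServer(registered_peers={"rs1", "client1"})
    t_ok, t_bad = b"constructed-token-A", b"constructed-token-B"
    asrv.issue(t_ok, exp=100)
    asrv.issue(t_bad, exp=100)
    asrv.revoke(t_bad, now=10)

    results = {}
    results["get"] = asrv.trl_endpoint("GET", "rs1")
    # A registered peer trying to drop a hash from, or add a hash to, the TRL.
    results["delete"] = asrv.trl_endpoint("DELETE", "client1", payload=token_hash(t_bad))
    results["post"] = asrv.trl_endpoint("POST", "client1", payload=token_hash(t_ok))
    # A request without an authenticated identity.
    results["anonymous"] = asrv.trl_endpoint("GET", None)
    results["after_writes"] = asrv.trl_endpoint("GET", "rs1")
    asrv.purge_expired(now=100)
    results["after_expiry"] = asrv.trl_endpoint("GET", "rs1")
    return results, token_hash(t_ok), token_hash(t_bad)


if __name__ == "__main__":
    for name, value in demo()[0].items():
        print(name, value)
```

The model covers only the external-adversary case; an adversary in control of the AS can call the internal operations directly, which is the second case discussed in the reply.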

--000000000000ecced506224de70d
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>TYVM for this clarification and addition.=C2=A0 It ha=
s answered my question completely.</div><div><br></div><div>Deb<br></div></=
div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On=
 Wed, Sep 11, 2024 at 5:29=E2=80=AFPM Marco Tiloca &lt;<a href=3D"mailto:ma=
rco.tiloca@ri.se">marco.tiloca@ri.se</a>&gt; wrote:<br></div><blockquote cl=
ass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid=
 rgb(204,204,204);padding-left:1ex"><u></u>

 =20
   =20
 =20
  <div>
    <font size=3D"4">Hello Deb,<br>
      <br>
      Thanks a lot for your review! Please find in line below our
      detailed replies to your comments.<br>
      <br>
      A Github PR where we have addressed your comments is available at
      [PR].<br>
      <br>
      Unless any concern is raised, we plan to soon merge this PR (and
      the other ones related to other received reviews), and to submit
      the result as version -09 of the document.<br>
      <br>
      Thanks,<br>
      /Marco<br>
      <br>
      [PR]
      <a href=3D"https://github.com/ace-wg/ace-revoked-token-notification/pull/17" target=3D"_blank">https://github.com/ace-wg/ace-revoked-token-notification/pull/17</a></font><br>
    <br>
    <br>
    <div>On 2024-07-06 15:32, Deb Cooley via
      Datatracker wrote:<br>
    </div>
    <blockquote type=3D"cite">
      <pre>Deb Cooley has entered the following ballot position for
draft-ietf-ace-revoked-token-notification-08: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to <a href=3D"https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/" target=3D"_blank">https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/</a>
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
<a href=3D"https://datatracker.ietf.org/doc/draft-ietf-ace-revoked-token-notification/" target=3D"_blank">https://datatracker.ietf.org/doc/draft-ietf-ace-revoked-token-notification/</a>



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you to Kyle Rose for doing the secdir review of this draft.  Also thanks
to the authors for the discussions and improvements.

I have one last (easy?) question:

Section 13:  I expected to see some discussion on whether it is possible for an
attacker to remove a revoked access token from the TRL allowing a registered
device with a revoked access token to continue to participate.  Conversely, is
it possible for an attacker to add an access token to the TRL, which would deny
service to the registered device.  If these situations are not possible, what
feature protects the TRL both at the AS and in transit?</pre>
    </blockquote>
    <br>
    =3D=3D&gt;MT<br>
    <br>
    Just to clarify and be sure: the AS indeed stores active **access
    tokens** that it has issued (e.g., in order to serve requests of
    token introspection from Resource Servers). However, the TRL
    specifically includes **token hashes** corresponding to issued
    access tokens, i.e., those that have been revoked and are not
    expired yet.<br>
    <br>
    <br>
    If we consider an external adversary that is not in control of the
    AS, then the attacks suggested in the comment are not possible.<br>
    <br>
    First of all, a registered device or an administrator always relies
    on secure communications when interacting with the AS, as per
    Section 5 &quot;The TRL Endpoint&quot; and Section 9 &quot;Registration at the
    Authorization Server&quot;. This is also aligned with Section 5 of RFC
    9200 and with the security considerations of RFC 9200 that are
    simply inherited by this document as stated in its Section 13.0.<br>
    <br>
    Furthermore, as per the interface at the AS defined in Section 5,
    registered devices and administrators can access the TRL endpoint at
    the AS exclusively in read-only mode. That is, the TRL endpoint at
    the AS supports only the GET method (see the fourth paragraph of
    Section 5).<br>
    <br>
    It follows that accesses to the TRL are performed exclusively by
    sending protected and authenticated GET requests to the TRL
    endpoint, which by definition are safe in the REST sense and do not
    alter the content of the TRL.<br>
    <br>
    In fact, the content of the TRL can be updated only internally by
    the AS, in the two circumstances described in Section 4.1 &quot;Update of
    the TRL&quot;.<br>
    <br>
    <br>
    An adversary that has compromised and taken control of the AS is
    indeed able to update the content of the TRL, just like the AS would
    normally do. In particular, by appropriately updating the TRL
    content to become not aligned with the current set of access tokens
    that have been revoked but are not expired yet, such an adversary
    can practically perform the attacks suggested in the comment above.<br>
    <br>
    However, an adversary in control of the AS would be able to perform
    actions with considerably more severe and harmful consequences, such
    as revoking access tokens for no good reasons, issuing access tokens
    inconsistently with the installed access control policies, or
    providing wrong information to Resource Servers that ask the AS to
    perform token introspection.<br>
    <br>
    <br>
    In the document, we have extended Section 13.1 &quot;Content Retrieval
    from the TRL&quot; by adding the following new text at its end.<br>
    <br>
    NEW:<br>
    &gt; Note that the TRL endpoint supports only the GET method (see
    Section 5). Therefore, as detailed in Section 6 and Section 7,
    accesses to the TRL endpoint are performed only by means of
    protected and authenticated GET requests, which by definition are
    safe in the REST sense and do not alter the content of the TRL. That
    is, registered devices and administrators can perform exclusively
    read-only operations when accessing the TRL endpoint.<br>
    &gt;<br>
    &gt; In fact, the content of the TRL can be updated only internally
    by the AS, in the two circumstances described in Section 4.1.
    Therefore, an adversary that is not in control of the AS cannot
    manipulate the content of the TRL, e.g., by removing a token hash
    and thereby fraudulently allowing a Client to access protected
    resources in spite of a revoked access token, or by adding a token
    hash and thereby fraudulently stopping a Client from accessing
    protected resources in spite of an access token being still valid.<br>
    <br>
    &lt;=3D=3D<br>
    <br>
    <blockquote type=3D"cite">
      <pre>
Received: from <a href=3D"http://GVZP280MB0975.SWEP280.PROD.OUTLOOK.COM" ta=
rget=3D"_blank">GVZP280MB0975.SWEP280.PROD.OUTLOOK.COM</a> (2603:10a6:150:<=
a>f7::17</a>)
 by <a href=3D"http://GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM" target=3D"_bl=
ank">GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM</a> with HTTPS; Sun, 7 Jul 2024
 07:00:37 +0000
Received: from <a href=3D"http://DU2PR04CA0026.eurprd04.prod.outlook.com" t=
arget=3D"_blank">DU2PR04CA0026.eurprd04.prod.outlook.com</a> (2603:10a6:10:=
3b::31)
 by <a href=3D"http://GVZP280MB0975.SWEP280.PROD.OUTLOOK.COM" target=3D"_bl=
ank">GVZP280MB0975.SWEP280.PROD.OUTLOOK.COM</a> (2603:10a6:150:<a>f7::17</a=
>) with
 Microsoft SMTP Server (version=3DTLS1_2,
 cipher=3DTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7741.35; Sun, 7 J=
ul
 2024 07:00:35 +0000
Received: from <a href=3D"http://DU6PEPF0000B622.eurprd02.prod.outlook.com"=
 target=3D"_blank">DU6PEPF0000B622.eurprd02.prod.outlook.com</a>
 (2603:10a6:10:3b:<a>cafe::b8</a>) by <a href=3D"http://DU2PR04CA0026.outlo=
ok.office365.com" target=3D"_blank">DU2PR04CA0026.outlook.office365.com</a>
 (2603:10a6:10:3b::31) with Microsoft SMTP Server (version=3DTLS1_2,
 cipher=3DTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7741.35 via Front=
end
 Transport; Sun, 7 Jul 2024 07:00:35 +0000
Authentication-Results: spf=3Dpass (sender IP is 50.223.129.194)
 smtp.mailfrom=3D<a href=3D"http://ietf.org" target=3D"_blank">ietf.org</a>=
; dkim=3Dnone (message not signed)
 header.d=3Dnone;dmarc=3Dpass action=3Dnone header.from=3D<a href=3D"http:/=
/ietf.org" target=3D"_blank">ietf.org</a>;compauth=3Dpass
 reason=3D100
Received-SPF: Pass (<a href=3D"http://protection.outlook.com" target=3D"_bl=
ank">protection.outlook.com</a>: domain of <a href=3D"http://ietf.org" targ=
et=3D"_blank">ietf.org</a> designates
 50.223.129.194 as permitted sender) receiver=3D<a href=3D"http://protectio=
n.outlook.com" target=3D"_blank">protection.outlook.com</a>;
 client-ip=3D50.223.129.194; helo=3D<a href=3D"http://mail.ietf.org" target=
=3D"_blank">mail.ietf.org</a>; pr=3DC
Received: from <a href=3D"http://mail.ietf.org" target=3D"_blank">mail.ietf=
.org</a> (50.223.129.194) by
 <a href=3D"http://DU6PEPF0000B622.mail.protection.outlook.com" target=3D"_=
blank">DU6PEPF0000B622.mail.protection.outlook.com</a> (10.167.8.139) with =
Microsoft
 SMTP Server (version=3DTLS1_3, cipher=3DTLS_AES_256_GCM_SHA384) id 15.20.7=
762.17
 via Frontend Transport; Sun, 7 Jul 2024 07:00:34 +0000
Received: by <a href=3D"http://ietfa.amsl.com" target=3D"_blank">ietfa.amsl=
.com</a> (Postfix, from userid 65534)
	id 82C92C151991; Sun,  7 Jul 2024 00:00:32 -0700 (PDT)
X-Original-To: <a href=3D"mailto:draft-tiloca-ace-authcred-dtls-profile@iet=
f.org" target=3D"_blank">draft-tiloca-ace-authcred-dtls-profile@ietf.org</a=
>
Delivered-To: <a href=3D"mailto:xfilter-draft-tiloca-ace-authcred-dtls-prof=
ile@ietfa.amsl.com" target=3D"_blank">xfilter-draft-tiloca-ace-authcred-dtl=
s-profile@ietfa.amsl.com</a>
Received: from [10.244.2.27] (unknown [104.131.183.230])
	by <a href=3D"http://ietfa.amsl.com" target=3D"_blank">ietfa.amsl.com</a> =
(Postfix) with ESMTP id 42B9CC1516E1
	for <a href=3D"mailto:draft-tiloca-ace-authcred-dtls-profile@ietf.org" tar=
get=3D"_blank">&lt;draft-tiloca-ace-authcred-dtls-profile@ietf.org&gt;</a>;=
 Sun,  7 Jul 2024 00:00:32 -0700 (PDT)
Content-Type: text/plain; charset=3D&quot;utf-8&quot;
Content-Transfer-Encoding: 8bit
To: <a href=3D"mailto:draft-tiloca-ace-authcred-dtls-profile@ietf.org" targ=
et=3D"_blank">&lt;draft-tiloca-ace-authcred-dtls-profile@ietf.org&gt;</a>
Subject: Expiration impending: &lt;draft-tiloca-ace-authcred-dtls-profile-0=
1.txt&gt;
X-Test-IDTracker: no
X-IETF-IDTracker: 12.17.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: &lt;172033563194.274.5459272935872629627@dt-celery-86db7666db-4=
xkn5&gt;
Date: Sun, 07 Jul 2024 00:00:31 -0700
From: IETF Secretariat <a href=3D"mailto:ietf-secretariat-reply@ietf.org" t=
arget=3D"_blank">&lt;ietf-secretariat-reply@ietf.org&gt;</a>
Resent-From: <a href=3D"mailto:alias-bounces@ietf.org" target=3D"_blank">&l=
t;alias-bounces@ietf.org&gt;</a>
Resent-To: <a href=3D"mailto:john.mattsson@ericsson.com" target=3D"_blank">=
john.mattsson@ericsson.com</a>, <a href=3D"mailto:marco.tiloca@ri.se" targe=
t=3D"_blank">marco.tiloca@ri.se</a>
Resent-Message-Id: <a href=3D"mailto:20240707070032.82C92C151991@ietfa.amsl=
.com" target=3D"_blank">&lt;20240707070032.82C92C151991@ietfa.amsl.com&gt;<=
/a>
Resent-Date: Sun,  7 Jul 2024 00:00:32 -0700 (PDT)
Return-Path: <a href=3D"mailto:forwardingalgorithm@ietf.org" target=3D"_bla=
nk">forwardingalgorithm@ietf.org</a>
MIME-Version: 1.0

The following Internet-Draft will expire soon:

Name:     draft-tiloca-ace-authcred-dtls-profile
Title:    Additional Formats of Authentication Credentials for the Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)
State:    I-D Exists
Expires:  2024-07-13 (in 5=C2=A0days, 23=C2=A0hours)


Received: from <a href=3D"http://GV3P280MB0827.SWEP280.PROD.OUTLOOK.COM" ta=
rget=3D"_blank">GV3P280MB0827.SWEP280.PROD.OUTLOOK.COM</a> (2603:10a6:150:<=
a>f2::5</a>) by
 <a href=3D"http://GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM" target=3D"_blank=
">GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM</a> with HTTPS; Sun, 7 Jul 2024 07=
:00:37
 +0000
Received: from <a href=3D"http://AS9P251CA0015.EURP251.PROD.OUTLOOK.COM" ta=
rget=3D"_blank">AS9P251CA0015.EURP251.PROD.OUTLOOK.COM</a> (2603:10a6:20b:5=
0f::29)
 by <a href=3D"http://GV3P280MB0827.SWEP280.PROD.OUTLOOK.COM" target=3D"_bl=
ank">GV3P280MB0827.SWEP280.PROD.OUTLOOK.COM</a> (2603:10a6:150:<a>f2::5</a>=
) with
 Microsoft SMTP Server (version=3DTLS1_2,
 cipher=3DTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7741.35; Sun, 7 J=
ul
 2024 07:00:35 +0000
Received: from <a href=3D"http://AMS1EPF00000041.eurprd04.prod.outlook.com"=
 target=3D"_blank">AMS1EPF00000041.eurprd04.prod.outlook.com</a>
 (2603:10a6:20b:50f:<a>cafe::a7</a>) by <a href=3D"http://AS9P251CA0015.out=
look.office365.com" target=3D"_blank">AS9P251CA0015.outlook.office365.com</=
a>
 (2603:10a6:20b:50f::29) with Microsoft SMTP Server (version=3DTLS1_2,
 cipher=3DTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7741.34 via Front=
end
 Transport; Sun, 7 Jul 2024 07:00:35 +0000
Authentication-Results: spf=3Dpass (sender IP is 50.223.129.194)
 smtp.mailfrom=3D<a href=3D"http://ietf.org" target=3D"_blank">ietf.org</a>=
; dkim=3Dnone (message not signed)
 header.d=3Dnone;dmarc=3Dpass action=3Dnone header.from=3D<a href=3D"http:/=
/ietf.org" target=3D"_blank">ietf.org</a>;compauth=3Dpass
 reason=3D100
Received-SPF: Pass (<a href=3D"http://protection.outlook.com" target=3D"_bl=
ank">protection.outlook.com</a>: domain of <a href=3D"http://ietf.org" targ=
et=3D"_blank">ietf.org</a> designates
 50.223.129.194 as permitted sender) receiver=3D<a href=3D"http://protectio=
n.outlook.com" target=3D"_blank">protection.outlook.com</a>;
 client-ip=3D50.223.129.194; helo=3D<a href=3D"http://mail.ietf.org" target=
=3D"_blank">mail.ietf.org</a>; pr=3DC
Received: from <a href=3D"http://mail.ietf.org" target=3D"_blank">mail.ietf=
.org</a> (50.223.129.194) by
 <a href=3D"http://AMS1EPF00000041.mail.protection.outlook.com" target=3D"_=
blank">AMS1EPF00000041.mail.protection.outlook.com</a> (10.167.16.38) with =
Microsoft
 SMTP Server (version=3DTLS1_3, cipher=3DTLS_AES_256_GCM_SHA384) id 15.20.7=
762.17
 via Frontend Transport; Sun, 7 Jul 2024 07:00:34 +0000
Received: by <a href=3D"http://ietfa.amsl.com" target=3D"_blank">ietfa.amsl=
.com</a> (Postfix, from userid 65534)
	id 4C4B8C16940C; Sun,  7 Jul 2024 00:00:33 -0700 (PDT)
X-Original-To: <a href=3D"mailto:draft-ietf-ace-oscore-gm-admin-coral@ietf.=
org" target=3D"_blank">draft-ietf-ace-oscore-gm-admin-coral@ietf.org</a>
Delivered-To: <a href=3D"mailto:xfilter-draft-ietf-ace-oscore-gm-admin-cora=
l@ietfa.amsl.com" target=3D"_blank">xfilter-draft-ietf-ace-oscore-gm-admin-=
coral@ietfa.amsl.com</a>
Received: from [10.244.2.27] (unknown [104.131.183.230])
	by <a href=3D"http://ietfa.amsl.com" target=3D"_blank">ietfa.amsl.com</a> =
(Postfix) with ESMTP id DB046C1522B9;
	Sun,  7 Jul 2024 00:00:32 -0700 (PDT)
Content-Type: text/plain; charset=3D&quot;utf-8&quot;
Content-Transfer-Encoding: 8bit
To: <a href=3D"mailto:draft-ietf-ace-oscore-gm-admin-coral@ietf.org" target=
=3D"_blank">&lt;draft-ietf-ace-oscore-gm-admin-coral@ietf.org&gt;</a>
Cc: <a href=3D"mailto:ace-chairs@ietf.org" target=3D"_blank">ace-chairs@iet=
f.org</a>, <a href=3D"mailto:paul.wouters@aiven.io" target=3D"_blank">paul.=
wouters@aiven.io</a>
Subject: Expiration impending: &lt;draft-ietf-ace-oscore-gm-admin-coral-01.=
txt&gt;
X-Test-IDTracker: no
X-IETF-IDTracker: 12.17.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: &lt;172033563255.274.9265451665620885998@dt-celery-86db7666db-4=
xkn5&gt;
Date: Sun, 07 Jul 2024 00:00:32 -0700
From: IETF Secretariat <a href=3D"mailto:ietf-secretariat-reply@ietf.org" t=
arget=3D"_blank">&lt;ietf-secretariat-reply@ietf.org&gt;</a>
Resent-From: <a href=3D"mailto:alias-bounces@ietf.org" target=3D"_blank">&l=
t;alias-bounces@ietf.org&gt;</a>
Resent-To: <a href=3D"mailto:marco.tiloca@ri.se" target=3D"_blank">marco.ti=
loca@ri.se</a>, <a href=3D"mailto:rikard.hoglund@ri.se" target=3D"_blank">r=
ikard.hoglund@ri.se</a>
Resent-Message-Id: <a href=3D"mailto:20240707070033.4C4B8C16940C@ietfa.amsl=
.com" target=3D"_blank">&lt;20240707070033.4C4B8C16940C@ietfa.amsl.com&gt;<=
/a>
Resent-Date: Sun,  7 Jul 2024 00:00:33 -0700 (PDT)
Return-Path: <a href=3D"mailto:forwardingalgorithm@ietf.org" target=3D"_bla=
nk">forwardingalgorithm@ietf.org</a>
MIME-Version: 1.0

The following Internet-Draft will expire soon:

Name:     draft-ietf-ace-oscore-gm-admin-coral
Title:    Using the Constrained RESTful Application Language (CoRAL) with the Admin Interface for the OSCORE Group Manager
State:    I-D Exists
Expires:  2024-07-17 (in 1=C2=A0week, 2=C2=A0days)

</pre>
    </blockquote>
    <br>
    <pre cols=3D"72">--=20
Marco Tiloca
Ph.D., Senior Researcher

Phone: +46 (0)70 60 46 501

RISE Research Institutes of Sweden AB
Box 1263
164 29 Kista (Sweden)

Division: Digital Systems
Department: Computer Science
Unit: Cybersecurity

<a href=3D"https://www.ri.se" target=3D"_blank">https://www.ri.se</a></pre>
  </div>

</blockquote></div>

--000000000000ecced506224de70d--
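The access model described in the reply above (a TRL of token hashes, readable only through authenticated GET requests and updated only inside the AS) can be sketched as follows. This is an added example, not code from the thread or from the draft; the class and method names, the string peer identifiers standing in for a secure association, and plain SHA-256 as the token hash are all assumptions made for illustration.

```python
import hashlib

CONTENT = "2.05"             # CoAP success response to GET
UNAUTHORIZED = "4.01"
METHOD_NOT_ALLOWED = "4.05"


def token_hash(token: bytes) -> str:
    """Assumption: plain SHA-256 stands in for the draft's token hash."""
    return hashlib.sha256(token).hexdigest()


class FakeClock:
    """Controllable time source so expiry can be shown without sleeping."""
    def __init__(self, now=1000.0):
        self.now = now

    def __call__(self):
        return self.now


class AuthorizationServer:
    """Hypothetical AS model: the TRL is private state with no write path
    reachable from the TRL endpoint."""

    def __init__(self, clock):
        self._clock = clock
        self._issued = {}         # token hash -> expiration time
        self._trl = {}            # token hash -> expiration time (revoked, not expired)
        self._registered = set()  # peers holding a secure association with the AS

    def register(self, peer):
        self._registered.add(peer)

    def issue(self, token, lifetime):
        self._issued[token_hash(token)] = self._clock() + lifetime

    # Internal TRL update 1: a still-valid access token is revoked.
    def revoke(self, token):
        h = token_hash(token)
        exp = self._issued.get(h)
        if exp is None or exp <= self._clock():
            return False
        self._trl[h] = exp
        return True

    # Internal TRL update 2: a revoked access token reaches its expiration.
    def _purge_expired(self):
        now = self._clock()
        for h in [h for h, exp in self._trl.items() if exp <= now]:
            del self._trl[h]

    def handle_trl_request(self, method, peer, payload=None):
        """TRL endpoint: authenticated peers only, GET only.
        The payload is never read, so no request can select a TRL change."""
        if peer not in self._registered:
            return (UNAUTHORIZED, None)
        if method != "GET":
            return (METHOD_NOT_ALLOWED, None)
        self._purge_expired()     # AS-internal upkeep, independent of request input
        return (CONTENT, sorted(self._trl))


def demo():
    """Run the two manipulations asked about in the review against the model."""
    clock = FakeClock()
    as_ = AuthorizationServer(clock)
    as_.register("rs1")
    t1, t2 = b"constructed-token-1", b"constructed-token-2"  # constructed samples
    as_.issue(t1, 600)
    as_.issue(t2, 600)
    as_.revoke(t1)

    results = {"get": as_.handle_trl_request("GET", "rs1")}
    # Attempt to drop a revoked token's hash from the TRL.
    results["delete"] = as_.handle_trl_request("DELETE", "rs1", token_hash(t1))
    # Attempt to add a still-valid token's hash to the TRL.
    results["post"] = as_.handle_trl_request("POST", "rs1", token_hash(t2))
    # Peer without a secure association.
    results["unregistered"] = as_.handle_trl_request("GET", "unknown-peer")
    results["after"] = as_.handle_trl_request("GET", "rs1")
    clock.now += 601              # t1 expires, so its hash leaves the TRL
    results["expired"] = as_.handle_trl_request("GET", "rs1")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The model covers only the external-adversary case; as the reply notes, an adversary in control of the AS can call the internal update paths directly.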

