Re: [core] I-D Action: draft-ietf-core-object-security-13.txt

Göran Selander <> Wed, 27 June 2018 13:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 88B8412D949 for <>; Wed, 27 Jun 2018 06:21:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.332
X-Spam-Status: No, score=-3.332 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id z0w0W4uKHZnA for <>; Wed, 27 Jun 2018 06:21:20 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 73D661277C8 for <>; Wed, 27 Jun 2018 06:21:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256;; s=mailgw201801; c=relaxed/simple; q=dns/txt;; t=1530105678; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=5177mEi7EXT07GjhYp9ibHhnDvzqqNVjP6zpCUUfcVE=; b=UPDS4O2M+8lsHbbXNejviaA/tEjP8z+iNwiYYmXZ03fbSqz9Di3WWc28442lLv8J c5fWUDo9HmL7nm61U4zayWpyGNB+c4/0ulYoFOq6AZ/ndI2vhvYPJ+omYFTmgiLd 5OtT9hGpkNqXNKUISSJrldk1cuR4UVwqfIDRrwN+VUY=;
X-AuditID: c1b4fb30-93dff70000000a77-bd-5b338f4ed6d0
Received: from (Unknown_Domain []) by (Symantec Mail Security) with SMTP id C3.B0.02679.E4F833B5; Wed, 27 Jun 2018 15:21:18 +0200 (CEST)
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 27 Jun 2018 15:21:18 +0200
Received: from ([]) by ([]) with mapi id 15.01.1466.003; Wed, 27 Jun 2018 15:21:18 +0200
From: =?utf-8?B?R8O2cmFuIFNlbGFuZGVy?= <>
To: "" <>
Thread-Topic: [core] I-D Action: draft-ietf-core-object-security-13.txt
Thread-Index: AQHUDhkYa6UWoLuxpUK3W5XgBcSvgqR0F0IA
Date: Wed, 27 Jun 2018 13:21:18 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupjkeLIzCtJLcpLzFFi42KZGbG9Utev3zjaoG2ZgsW+t+uZHRg9liz5 yRTAGMVlk5Kak1mWWqRvl8CVcWD7PMaCDVoVs/tMGxiXaHYxcnBICJhIvLxf38XIxSEkcJRR YuuFXyxdjJxAzjdGicWT6yDsZYwSjfMyQGw2AReJBw2PmEBsEQFlic1nXjOC2MICbhL77+9h 62JkB4q7SzTUgEwXETCSuH+gDMRkEVCV2PrVCaSWV8BC4v+kr6wQs50l7lw5BjaDE2j2+Vff wPYzCohJfD+1BmwPs4C4xK0n88FsCQEBiSV7zjND2KISLx//A5sjKqAnsbennQ0iriSxpXcL E8haZgFNifW79CHGWEvs+n6SDcJWlJjS/ZAd4hxBiZMzn7BMYBSfhWTbLITuWUi6ZyHpnoWk ewEj6ypG0eLU4qTcdCMjvdSizOTi4vw8vbzUkk2MwFg6uOW3wQ7Gl88dDzEKcDAq8fD+6TGO FmJNLCuuzD3EKMHBrCTCa5kGFOJNSaysSi3Kjy8qzUktPsQozcGiJM5r4bc5SkggPbEkNTs1 tSC1CCbLxMEp1cC4LjNF5HhmRmZq08xfmy34l81tnvna2NO591238JPMz7KZOb7PL+XPVbVN c/ab/aepNWgvX7eBfmVoGqNzYtTihdpb2c//Ytda3Z+7dEe4TzY394UE4Z0390gESU8olROY /XJ74WWTrDVXAwrMY9f9C/rewW7513veW2uPx2/Ufr3Yt71gV4wSS3FGoqEWc1FxIgBQTjSu oQIAAA==
Archived-At: <>
Subject: Re: [core] I-D Action: draft-ietf-core-object-security-13.txt
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Jun 2018 13:21:23 -0000

Dear all,

We have submitted a new version of OSCORE. One of the review comments from
IESG was to provide more details of the security properties to simplify
the review. The basic content for this was already in version -12, but in
the process of completing this exercise, we went back to the assumptions
made on the protection of the CoAP options and made some reassessments as
is described below. This work involved the authors, some old and new
implementors. Meanwhile we also received further reviews which were
integrated in this version.

The following changes were made to the options:

* Observe is now additionally Inner, which enables the endpoints to verify
each others intent and simplifies the processing at the cost of making
some of the proxy processing out of scope. This resulted in a change of
Observe processing and we then took the opportunity to split out
option-specific processing which simplified the specification.

* No-Response is now essentially Inner, i.e. protected end-to-end,
resulting from a review from Jim Schaad. The processing is rewritten

* Uri-Host/Port processing is clarified in a separate subsection.

A corresponding change of the analysis of unprotected header fields was
made in appendix D.

We also did the following updates:

* HTTP processing updated based on comments from Martin Thomson.

* CoAP-to-CoAP Forwarding Proxy description is expanded.

* ID Context added to the security context. The message format already
contained the COSE header parameter 'kid context', and this is now
dedicated for transporting the ID Context. Such a parameter was already in
use by Group OSCORE and 6tisch Minimal Security and they can now apply
this in a common way.

* Updated deployment examples and test vectors (appendices B and C)

* Updated references

Best regards,

On 2018-06-27, 15:16, "core on behalf of"
< on behalf of> wrote:

>A New Internet-Draft is available from the on-line Internet-Drafts
>This draft is a work item of the Constrained RESTful Environments WG of
>the IETF.
>        Title           : Object Security for Constrained RESTful
>Environments (OSCORE)
>        Authors         : Göran Selander
>                          John Mattsson
>                          Francesca Palombini
>                          Ludwig Seitz
>	Filename        : draft-ietf-core-object-security-13.txt
>	Pages           : 78
>	Date            : 2018-06-27
>   This document defines Object Security for Constrained RESTful
>   Environments (OSCORE), a method for application-layer protection of
>   the Constrained Application Protocol (CoAP), using CBOR Object
>   Signing and Encryption (COSE).  OSCORE provides end-to-end protection
>   between endpoints communicating using CoAP or CoAP-mappable HTTP.
>   OSCORE is designed for constrained nodes and networks supporting a
>   range of proxy operations, including translation between different
>   transport protocols.
>The IETF datatracker status page for this draft is:
>There are also htmlized versions available at:
>A diff from the previous version is available at:
>Please note that it may take a couple of minutes from the time of
>until the htmlized version and diff are available at
>Internet-Drafts are also available by anonymous FTP at:
>core mailing list