Hello. We have recently submitted a revision of the Group OSCORE profile of ACE [1].
This profile is analogous to the OSCORE profile (RFC9203), but uses Group OSCORE [2] as security protocol and ensures fine-grained access control *within* an OSCORE group, while building on the *separate* enforcement of access control for nodes attempting to join the group [3].

Although we have postponed a presentation of this document for a long while, the two latest versions combined have brought especially the following updates:

* The Client and RS public authentication credentials exchanged via the AS during the ACE workflow now have formats compatible with the Group OSCORE protocol, e.g., certificates and CWT Claims Sets (CCSs).

* We have removed the cumbersome and obsoleted "Dual-Mode", which originally tried to combine the use of OSCORE and Group OSCORE for the same Access Token. Now the focus is only on Group OSCORE, and the document is greatly shortened and simplified.

* We have stressed that this profile makes it seamless and actually possible to issue an Access Token for a group-audience (i.e., an audience including multiple RSs).

* We have highlighted how using this profile effectively enables fine-grained access control paired with secure group communication, in accordance with the Zero Trust principles [4].

Any comments are welcome!
Best,
Rikard Höglund

[1] https://datatracker.ietf.org/doc/draft-tiloca-ace-group-oscore-profile/
[2] https://datatracker.ietf.org/doc/draft-ietf-core-oscore-groupcomm/
[3] https://datatracker.ietf.org/doc/draft-ietf-ace-key-groupcomm-oscore/
[4] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

________________________________
From: internet-dra...@ietf.org <internet-dra...@ietf.org>
Sent: Monday, July 10, 2023 18:30
To: Rikard Höglund <rikard.hogl...@ri.se>; Francesca Palombini <francesca.palomb...@ericsson.com>; Ludwig Seitz <ludwig.se...@combitech.com>; Marco Tiloca <marco.til...@ri.se>; Rikard Höglund <rikard.hogl...@ri.se>
Subject: New Version Notification for draft-tiloca-ace-group-oscore-profile-11.txt

A new version of I-D, draft-tiloca-ace-group-oscore-profile-11.txt has been successfully submitted by Marco Tiloca and posted to the IETF repository.

Name: draft-tiloca-ace-group-oscore-profile
Revision: 11
Title: The Group Object Security for Constrained RESTful Environments (Group OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework
Document date: 2023-07-10
Group: Individual Submission
Pages: 39
URL: https://www.ietf.org/archive/id/draft-tiloca-ace-group-oscore-profile-11.txt
Status: https://datatracker.ietf.org/doc/draft-tiloca-ace-group-oscore-profile/
Html: https://www.ietf.org/archive/id/draft-tiloca-ace-group-oscore-profile-11.html
Htmlized: https://datatracker.ietf.org/doc/html/draft-tiloca-ace-group-oscore-profile
Diff: https://author-tools.ietf.org/iddiff?url2=draft-tiloca-ace-group-oscore-profile-11

Abstract:

This document specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework. The profile uses Group Object Security for Constrained RESTful Environments (Group OSCORE) to provide communication security between a Client and one or multiple Resource Servers that are members of an OSCORE group. The profile securely binds an OAuth 2.0 Access Token to the public key of the Client associated with the private key used by that Client in the OSCORE group. The profile uses Group OSCORE to achieve server authentication, as well as proof-of-possession for the Client's public key. Also, it provides proof of the Client's membership to the OSCORE group by binding the Access Token to information from the Group OSCORE Security Context, thus allowing the Resource Server(s) to verify the Client's membership upon receiving a message protected with Group OSCORE from the Client. Effectively, the profile enables fine-grained access control paired with secure group communication, in accordance with the Zero Trust principles.

The IETF Secretariat