Hi Göran, Maybe you can then answer the question whether this is useful / applicable to a HTTP. Asked differently, under what conditions does the OSCORE not work for HTTP. This would help the folks in the group, including me, to determine whether this actually something we should be looking into at all. Note that typical applications that use OAuth do not use CoAP -- only HTTP.
In OAuth we had for several years tried to get HTTP message protection working and we have, unfortunately, failed to find a suitable solution. Ciao Hannes -----Original Message----- From: Göran Selander [mailto:goran.selan...@ericsson.com] Sent: 07 February 2018 15:37 To: Hannes Tschofenig; OAuth@ietf.org Cc: draft-ietf-core-object-secur...@ietf.org Subject: [OAUTH-WG] OSCORE Hi Hannes, and all Thanks for the announcement. To be a little bit more precise, the statement is that a CoAP-mappable HTTP message can be mapped to CoAP (using RFC 8075), protected with OSCORE (as specified in the referenced draft) and transported with HTTP (as exemplified in the referenced draft). The main use case is in conjunction with an HTTP-CoAP translational proxy (RFC 8075), and the mapping would with this construction result in a CoAP-mappable HTTP request being protected by an HTTP client and verified by a CoAP server. This functionality was proposed by OCF for their end-to-end REST use cases. Happy to hear any comments on the construction as described in the draft. Note that Hannes referenced the wrong version of the draft, here is the latest: https://tools.ietf.org/html/draft-ietf-core-object-security-08 Göran On 2018-02-07 11:06, Hannes Tschofenig wrote: > Hi guys, > > You may be interested to hear that a group of people working on > Internet of Things security believe they have found a solution to deal > with the challenges we had in protecting HTTP requests/responses. > > Here is the draft: > https://tools.ietf.org/html/draft-ietf-core-object-security-07 > > (The draft is mostly focused on CoAP but it is supposed to be > applicable also to HTTP.) > > Ciao > Hannes > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose > the contents to any other person, use it for any purpose, or store or > copy the information in any medium. Thank you. > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
