Authentication and Authorization for Constrained Environments (ace) Internet Drafts


      
 Key Management for OSCORE Groups in ACE
 
 draft-ietf-ace-key-groupcomm-oscore-16.txt
 Date: 06/03/2023
 Authors: Marco Tiloca, Jiye Park, Francesca Palombini
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document defines an application profile of the ACE framework for Authentication and Authorization, to request and provision keying material in group communication scenarios that are based on CoAP and are secured with Group Object Security for Constrained RESTful Environments (Group OSCORE). This application profile delegates the authentication and authorization of Clients that join an OSCORE group through a Resource Server acting as Group Manager for that group. This application profile leverages protocol-specific transport profiles of ACE to achieve communication security, server authentication and proof-of-possession for a key owned by the Client and bound to an OAuth 2.0 Access Token.
 Publish-Subscribe Profile for Authentication and Authorization for Constrained Environments (ACE)
 
 draft-ietf-ace-pubsub-profile-10.txt
 Date: 07/07/2024
 Authors: Francesca Palombini, Cigdem Sengul, Marco Tiloca
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document defines an application profile of the Authentication and Authorization for Constrained Environments (ACE) framework, to enable secure group communication in the Publish-Subscribe (Pub-Sub) architecture for the Constrained Application Protocol (CoAP) [draft-ietf-core-coap-pubsub], where Publishers and Subscribers communicate through a Broker. This profile relies on protocol-specific transport profiles of ACE to achieve communication security, server authentication, and proof-of-possession for a key owned by the Client and bound to an OAuth 2.0 access token. This document specifies the provisioning and enforcement of authorization information for Clients to act as Publishers and/or Subscribers, as well as the provisioning of keying material and security parameters that Clients use for protecting their communications end-to-end through the Broker. Note to RFC Editor: Please replace "[draft-ietf-core-coap-pubsub]" with the RFC number of that document and delete this paragraph.
 Admin Interface for the OSCORE Group Manager
 
 draft-ietf-ace-oscore-gm-admin-12.txt
 Date: 08/07/2024
 Authors: Marco Tiloca, Rikard Hoeglund, Peter van der Stok, Francesca Palombini
 Working Group: Authentication and Authorization for Constrained Environments (ace)
Group communication for CoAP can be secured using Group Object Security for Constrained RESTful Environments (Group OSCORE). A Group Manager is responsible for handling the joining of new group members, as well as managing and distributing the group keying material. This document defines a RESTful admin interface at the Group Manager that allows an Administrator entity to create and delete OSCORE groups, as well as to retrieve and update their configuration. The ACE framework for Authentication and Authorization is used to enforce authentication and authorization of the Administrator at the Group Manager. Protocol-specific transport profiles of ACE are used to achieve communication security, proof-of-possession, and server authentication.
 EAP-based Authentication Service for CoAP
 
 draft-ietf-ace-wg-coap-eap-12.txt
 Date: 13/12/2024
 Authors: Rafael Marin-Lopez, Dan Garcia-Carrillo
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document specifies an authentication service that uses the Extensible Authentication Protocol (EAP) transported employing Constrained Application Protocol (CoAP) messages. As such, it defines an EAP lower layer based on CoAP called CoAP-EAP. One of the main goals is to authenticate a CoAP-enabled IoT device (EAP peer) that intends to join a security domain managed by a Controller (EAP authenticator). Secondly, it allows deriving key material to protect CoAP messages exchanged between them based on Object Security for Constrained RESTful Environments (OSCORE), enabling the establishment of a security association between them.
 Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments (ACE) Framework
 
 draft-ietf-ace-revoked-token-notification-09.txt
 Date: 22/09/2024
 Authors: Marco Tiloca, Francesca Palombini, Sebastian Echeverria, Grace Lewis
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document specifies a method of the Authentication and Authorization for Constrained Environments (ACE) framework, which allows an authorization server to notify clients and resource servers (i.e., registered devices) about revoked access tokens. As specified in this document, the method allows clients and resource servers to access a Token Revocation List on the authorization server by using the Constrained Application Protocol (CoAP), with the possible additional use of resource observation. Resulting (unsolicited) notifications of revoked access tokens complement alternative approaches such as token introspection, while not requiring additional endpoints on clients and resource servers.
 Ephemeral Diffie-Hellman Over COSE (EDHOC) and Object Security for Constrained Environments (OSCORE) Profile for Authentication and Authorization for Constrained Environments (ACE)
 
 draft-ietf-ace-edhoc-oscore-profile-06.txt
 Date: 21/10/2024
 Authors: Goeran Selander, John Mattsson, Marco Tiloca, Rikard Hoeglund
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework. It utilizes Ephemeral Diffie-Hellman Over COSE (EDHOC) for achieving mutual authentication between an ACE-OAuth Client and Resource Server, and it binds an authentication credential of the Client to an ACE-OAuth access token. EDHOC also establishes an Object Security for Constrained RESTful Environments (OSCORE) Security Context, which is used to secure communications when accessing protected resources according to the authorization information indicated in the access token. This profile can be used to delegate management of authorization information from a resource-constrained server to a trusted host with less severe limitations regarding processing power and memory.
 Protecting EST Payloads with OSCORE
 
 draft-ietf-ace-coap-est-oscore-06.txt
 Date: 21/10/2024
 Authors: Goeran Selander, Shahid Raza, Martin Furuhed, Malisa Vucinic, Timothy Claeys
 Working Group: Authentication and Authorization for Constrained Environments (ace)
Enrollment over Secure Transport (EST) is a certificate provisioning protocol over HTTPS [RFC7030] or CoAPs [RFC9148]. This document specifies how to carry EST over the Constrained Application Protocol (CoAP) protected with Object Security for Constrained RESTful Environments (OSCORE). The specification builds on the EST-coaps [RFC9148] specification, but uses OSCORE and Ephemeral Diffie-Hellman over COSE (EDHOC) instead of DTLS. The specification also leverages the certificate structures defined in [I-D.ietf-cose-cbor-encoded-cert], which can be optionally used alongside X.509 certificates.
 Using the Constrained RESTful Application Language (CoRAL) with the Admin Interface for the OSCORE Group Manager
 
 draft-ietf-ace-oscore-gm-admin-coral-02.txt
 Date: 08/07/2024
 Authors: Marco Tiloca, Rikard Hoeglund
 Working Group: Authentication and Authorization for Constrained Environments (ace)
Group communication for CoAP can be secured using Group Object Security for Constrained RESTful Environments (Group OSCORE). A Group Manager is responsible for handling the joining of new group members, as well as for managing and distributing the group keying material. The Group Manager can provide a RESTful admin interface that allows an Administrator entity to create and delete OSCORE groups, as well as to retrieve and update their configuration. This document specifies how an Administrator interacts with the admin interface at the Group Manager by using the Constrained RESTful Application Language (CoRAL). The ACE framework for Authentication and Authorization is used to enforce authentication and authorization of the Administrator at the Group Manager. Protocol-specific transport profiles of ACE are used to achieve communication security, proof-of-possession, and server authentication.
 Alternative Workflow and OAuth Parameters for the Authentication and Authorization for Constrained Environments (ACE) Framework
 
 draft-ietf-ace-workflow-and-params-03.txt
 Date: 21/10/2024
 Authors: Marco Tiloca, Goeran Selander
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document updates the Authentication and Authorization for Constrained Environments Framework (ACE, RFC 9200) as follows. First, it defines a new, alternative workflow that the authorization server can use for uploading an access token to a resource server on behalf of the client. Second, it defines new parameters and encodings for the OAuth 2.0 token endpoint at the authorization server. Third, it defines a method for the ACE framework to enforce bidirectional access control by means of a single access token. Fourth, it amends two of the requirements on profiles of the framework. Finally, it deprecates the original payload format of error responses that convey an error code, when CBOR is used to encode message payloads. For such error responses, it defines a new payload format aligned with RFC 9290, thus updating in this respect also the profiles of ACE defined in RFC 9202, RFC 9203, and RFC 9431.
 The Group Object Security for Constrained RESTful Environments (Group OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework
 
 draft-ietf-ace-group-oscore-profile-03.txt
 Date: 21/10/2024
 Authors: Marco Tiloca, Rikard Hoeglund, Francesca Palombini
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework. The profile uses Group Object Security for Constrained RESTful Environments (Group OSCORE) to provide communication security between a client and one or multiple resource servers that are members of an OSCORE group. The profile securely binds an OAuth 2.0 access token to the public key of the client associated with the private key used by that client in the OSCORE group. The profile uses Group OSCORE to achieve server authentication, as well as proof-of-possession for the client's public key. Also, it provides proof of the client's membership to the OSCORE group by binding the access token to information from the Group OSCORE Security Context, thus allowing the resource server(s) to verify the client's membership upon receiving a message protected with Group OSCORE from the client. Effectively, the profile enables fine-grained access control paired with secure group communication, in accordance with the Zero Trust principles.

Authentication and Authorization for Constrained Environments (ace)

WG Name: Authentication and Authorization for Constrained Environments
Acronym: ace
Area: Security Area (sec)
State: Active
Charter: charter-ietf-ace-02 (Approved)
Status update: Changed 2018-03-22
Additional resources: Issue tracker, Wiki, Zulip stream
Personnel: Chairs: Loganaden Velvindron, Tim Hollebeek; Area Director: Paul Wouters; Delegate: Paul Wouters
Mailing list: Address: ace@ietf.org
To subscribe: https://www.ietf.org/mailman/listinfo/ace
Archive: https://mailarchive.ietf.org/arch/browse/ace/
Chat room address: https://zulip.ietf.org/#narrow/stream/ace

Charter for Working Group

The Authentication and Authorization for Constrained Environments (ace) WG
has defined a standardized solution framework for authentication and
authorization to enable authorized access to resources identified by a URI
and hosted on a resource server in constrained environments.

The access to the resource is mediated by an authorization server, which is
not considered to be constrained.

Profiles of this framework for application to security protocols commonly
used in constrained environments, including CoAP+DTLS and CoAP+OSCORE, have
also been standardized. The Working Group is charged with maintenance of
the framework and existing profiles thereof, and may undertake work to
specify profiles of the framework for additional secure communications
protocols and for additional support services providing authorized access
to crypto keys (that are not necessarily limited to constrained endpoints,
though the focus remains on deployment in ecosystems with a substantial
portion of constrained devices).

In addition to the ongoing maintenance work, the Working Group will extend
the framework (originally designed to protect the exchange between single
client and single RS) as needed for applicability to group communications.
The initial focus will be on using (D)TLS and (Group) OSCORE as the underlying
communication security protocols. The Working Group will standardize
procedures for requesting and distributing group keying material using the ACE
framework as well as appropriate management interfaces.

The Working Group will standardize a format for expressing authorization
information for a given authenticated principal as received from an
authorization manager.

The Working Group will examine how to use Constrained Application Protocol
(CoAP) as a transport medium for certificate enrollment protocols, such as
EST and CMPv2, as well as a transport for authentication protocols such as
EAP (in coordination with the EMU WG), and standardize as needed.

Milestones

Date Milestone Associated documents
Dec 2021 Submission to the IESG of "Admin Interface for the OSCORE Group Manager" draft-ietf-ace-oscore-gm-admin
Sep 2021 Submission to the IESG of "Key Management for OSCORE Groups in ACE" draft-ietf-ace-key-groupcomm-oscore
Aug 2021 Submission to the IESG of "EAP-based Authentication Service for CoAP" draft-marin-ace-wg-coap-eap
Jul 2021 Submission to the IESG of "Key Provisioning for Group Communication using ACE" rfc9594 (was draft-ietf-ace-key-groupcomm)
Jul 2021 Submission to the IESG of "Pub-Sub Profile for Authentication and Authorization for Constrained Environments (ACE)" draft-ietf-ace-pubsub-profile
Jul 2021 Submission to the IESG of "Protecting EST Payloads with OSCORE" draft-selander-ace-coap-est-oscore
Jul 2021 Submission to the IESG of "An Authorization Information Format (AIF) for ACE" rfc9237 (was draft-ietf-ace-aif)
Jun 2021 Submission to IESG of "CoAP Transport for CMPV2" (if adopted) draft-msahni-ace-cmpv2-coap-transport
Feb 2021 Call for adoption of "Protecting EST Payloads with OSCORE" draft-selander-ace-coap-est-oscore

Done milestones

Date Milestone Associated documents
Done Submit DTLS Profile for ACE to the IESG for publication as a proposed standard rfc9202 (was draft-ietf-ace-dtls-authorize)
Done Adoption call of "EAP-based Authentication Service for CoAP" draft-marin-ace-wg-coap-eap
Done Submission to the IESG of "OSCORE Profile of the Authentication and Authorization for Constrained Environments Framework" rfc9203 (was draft-ietf-ace-oscore-profile)
Done Adoption call for "CoAP Transport for CMPV2" draft-msahni-ace-cmpv2-coap-transport