Internet DRAFT - draft-ietf-ace-oscore-gm-admin-coral

draft-ietf-ace-oscore-gm-admin-coral







ACE Working Group                                              M. Tiloca
Internet-Draft                                                R. Höglund
Intended status: Standards Track                                 RISE AB
Expires: 17 July 2024                                    14 January 2024


  Using the Constrained RESTful Application Language (CoRAL) with the
              Admin Interface for the OSCORE Group Manager
                draft-ietf-ace-oscore-gm-admin-coral-01

Abstract

   Group communication for CoAP can be secured using Group Object
   Security for Constrained RESTful Environments (Group OSCORE).  A
   Group Manager is responsible to handle the joining of new group
   members, as well as to manage and distribute the group keying
   material.  The Group Manager can provide a RESTful admin interface
   that allows an Administrator entity to create and delete OSCORE
   groups, as well as to retrieve and update their configuration.  This
   document specifies how an Administrator entity interacts with the
   admin interface at the Group Manager by using the Constrained RESTful
   Application Language (CoRAL).  The ACE framework for Authentication
   and Authorization is used to enforce authentication and authorization
   of the Administrator at the Group Manager.  Protocol-specific
   transport profiles of ACE are used to achieve communication security,
   proof-of-possession and server authentication.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Authentication and
   Authorization for Constrained Environments Working Group mailing list
   (ace@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/ace/.

   Source for this draft and an issue tracker can be found at
   https://github.com/ace-wg/ace-oscore-gm-admin-coral.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.



Tiloca & Höglund          Expires 17 July 2024                  [Page 1]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 17 July 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
     1.2.  Notation and Assumptions in the Examples  . . . . . . . .   6
   2.  Group Administration  . . . . . . . . . . . . . . . . . . . .   7
     2.1.  Managing OSCORE Groups  . . . . . . . . . . . . . . . . .   7
     2.2.  Collection Representation . . . . . . . . . . . . . . . .   7
     2.3.  Discovery . . . . . . . . . . . . . . . . . . . . . . . .   7
   3.  Format of Scope . . . . . . . . . . . . . . . . . . . . . . .   7
   4.  Getting Access to the Group Manager . . . . . . . . . . . . .   8
     4.1.  Multiple Administrators for the Same OSCORE Group . . . .   8
   5.  Group Configurations  . . . . . . . . . . . . . . . . . . . .   8
     5.1.  Group Configuration Representation  . . . . . . . . . . .   8
       5.1.1.  Configuration Properties  . . . . . . . . . . . . . .   9
       5.1.2.  Status Properties . . . . . . . . . . . . . . . . . .   9
     5.2.  Default Values  . . . . . . . . . . . . . . . . . . . . .   9
   6.  Interactions with the Group Manager . . . . . . . . . . . . .   9
     6.1.  Retrieve the Full List of Group Configurations  . . . . .  10
     6.2.  Retrieve a List of Group Configurations by Filters  . . .  10
     6.3.  Create a New Group Configuration  . . . . . . . . . . . .  12
     6.4.  Retrieve a Group Configuration  . . . . . . . . . . . . .  14
     6.5.  Retrieve Part of a Group Configuration by Filters . . . .  16
     6.6.  Overwrite a Group Configuration . . . . . . . . . . . . .  17
       6.6.1.  Effects on Joining Nodes  . . . . . . . . . . . . . .  18
       6.6.2.  Effects on the Group Members  . . . . . . . . . . . .  18
     6.7.  Selective Update of a Group Configuration . . . . . . . .  18



Tiloca & Höglund          Expires 17 July 2024                  [Page 2]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


       6.7.1.  Effects on Joining Nodes  . . . . . . . . . . . . . .  20
       6.7.2.  Effects on the Group Members  . . . . . . . . . . . .  20
     6.8.  Delete a Group Configuration  . . . . . . . . . . . . . .  20
       6.8.1.  Effects on the Group Members  . . . . . . . . . . . .  21
   7.  Support of Top-Level Link Elements  . . . . . . . . . . . . .  21
   8.  Error Identifiers . . . . . . . . . . . . . . . . . . . . . .  22
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  22
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  22
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  22
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  22
     11.2.  Informative References . . . . . . . . . . . . . . . . .  25
   Appendix A.  Shared item tables for Packed CBOR . . . . . . . . .  26
     A.1.  Compression of CoRAL predicates . . . . . . . . . . . . .  26
     A.2.  Compression of Values of the rt= Target Attribute . . . .  28
   Appendix B.  Document Updates . . . . . . . . . . . . . . . . . .  28
     B.1.  Version -00 to -01  . . . . . . . . . . . . . . . . . . .  28
     B.2.  Version -00 . . . . . . . . . . . . . . . . . . . . . . .  29
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  29
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  29

1.  Introduction

   The Constrained Application Protocol (CoAP) [RFC7252] can also be
   used for group communication [I-D.ietf-core-groupcomm-bis], where
   messages are exchanged between members of a group, e.g., over IP
   multicast.  Applications relying on CoAP can achieve end-to-end
   security at the application layer by using Object Security for
   Constrained RESTful Environments (OSCORE) [RFC8613], and especially
   Group OSCORE [I-D.ietf-core-oscore-groupcomm] in group communication
   scenarios.

   When group communication for CoAP is protected with Group OSCORE,
   nodes are required to explicitly join the correct OSCORE group.  To
   this end, a joining node interacts with a Group Manager (GM) entity
   responsible for that group, and retrieves the required keying
   material to securely communicate with other group members using Group
   OSCORE.

   The method in [I-D.ietf-ace-key-groupcomm-oscore] specifies how nodes
   can join an OSCORE group through the respective Group Manager.  Such
   a method builds on the ACE framework for Authentication and
   Authorization [RFC9200], so ensuring a secure joining process as well
   as authentication and authorization of joining nodes (clients) at the
   Group Manager (resource server).







Tiloca & Höglund          Expires 17 July 2024                  [Page 3]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   [I-D.ietf-ace-oscore-gm-admin] specifies a RESTful admin interface at
   the Group Manager, intended for an Administrator as a separate entity
   external to the Group Manager and its application.  The interface
   allows the Administrator to create and delete OSCORE groups, as well
   as to configure and update their configuration.

   This document builds on [I-D.ietf-ace-oscore-gm-admin], and specifies
   how an Administrator interacts with the same RESTful admin interface
   by using the Constrained RESTful Application Language (CoRAL)
   [I-D.ietf-core-coral].  Compared to [I-D.ietf-ace-oscore-gm-admin],
   there is no change in the admin interface and its operations, nor in
   the way the group configurations are organized and represented.

   Interaction examples using Packed CBOR [I-D.ietf-cbor-packed] are
   provided, and are expressed in CBOR diagnostic notation [RFC8949].
   Section 1.2 provides the notation and assumptions used in the
   examples.

   The ACE framework is used to ensure authentication and authorization
   of the Administrator (client) at the Group Manager (resource server).
   In order to achieve communication security, proof-of-possession and
   server authentication, the Administrator and the Group Manager
   leverage protocol-specific transport profiles of ACE, such as
   [RFC9202][RFC9203].  These include also possible forthcoming
   transport profiles that comply with the requirements in Appendix C of
   [RFC9200].

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   Readers are expected to be familiar with the terms and concepts from
   the following specifications.

   *  CBOR [RFC8949], Packed CBOR [I-D.ietf-cbor-packed], and COSE
      [RFC9052][RFC9053].

   *  The Constrained RESTful Application Language (CoRAL)
      [I-D.ietf-core-coral] and Constrained Resource Identifiers (CRIs)
      [I-D.ietf-core-href].

   *  The CoAP protocol [RFC7252], also in group communication scenarios
      [I-D.ietf-core-groupcomm-bis].  These include the concepts of:




Tiloca & Höglund          Expires 17 July 2024                  [Page 4]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


      -  "application group", as a set of CoAP nodes that share a common
         set of resources; and of

      -  "security group", as a set of CoAP nodes that share the same
         security material, and use it to protect and verify exchanged
         messages.

   *  The OSCORE [RFC8613] and Group OSCORE
      [I-D.ietf-core-oscore-groupcomm] security protocols.  These
      especially include the concepts of:

      -  Group Manager, as the entity responsible for a set of OSCORE
         groups where communications among members are secured using
         Group OSCORE.  An OSCORE group is used as security group for
         one or many application groups.

      -  Authentication credential, as the set of information associated
         with an entity, including that entity's public key and
         parameters associated with the public key.  Examples of
         authentication credentials are CBOR Web Tokens (CWTs) and CWT
         Claims Sets (CCSs) [RFC8392], X.509 certificates [RFC5280] and
         C509 certificates [I-D.ietf-cose-cbor-encoded-cert].

   *  The ACE framework for authentication and authorization [RFC9200].
      The terminology for entities in the considered architecture is
      defined in OAuth 2.0 [RFC6749].  In particular, this includes
      Client (C), Resource Server (RS), and Authorization Server (AS).

   *  The management of keying material for groups in ACE
      [I-D.ietf-ace-key-groupcomm] and specifically for OSCORE groups
      [I-D.ietf-ace-key-groupcomm-oscore].  These include the concept of
      group-membership resource hosted by the Group Manager, that new
      members access to join the OSCORE group, while current members can
      access to retrieve updated keying material.

   Readers are also expected to be familiar with the terms and concepts
   used in [I-D.ietf-ace-oscore-gm-admin], with particular reference to:
   "Administrator", "group name", "group-collection resource", and
   "group-configuration resource".

   Like in [I-D.ietf-ace-oscore-gm-admin], the url-path to a group-
   configuration resource has GROUPNAME as last segment, with GROUPNAME
   the invariant group name assigned upon its creation.  Building on the
   considered url-path of the group-collection resource, this document
   uses /manage/GROUPNAME as the url-path of a group-configuration
   resource; implementations are not required to use this name, and can
   define their own instead.




Tiloca & Höglund          Expires 17 July 2024                  [Page 5]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   Note that, unless otherwise indicated, the term "endpoint" is used
   here following its OAuth definition, aimed at denoting resources such
   as /token and /introspect at the AS, and /authz-info at the RS.  This
   document does not use the CoAP definition of "endpoint", which is "An
   entity participating in the CoAP protocol".

1.2.  Notation and Assumptions in the Examples

   As per Section 2.4 of [I-D.ietf-core-coral], CoRAL expresses Uniform
   Resource Identifiers (URIs) [RFC3986] as Constrained Resource
   Identifier (CRI) references [I-D.ietf-core-href].

   The examples in this document use the following notation.

   When using the CURIE syntax [CURIE-20101216], the following applies.

   *  'core.osc.gcoll' stands for http://coreapps.org/core.osc.gcoll#

   *  'core.osc.gconf' stands for http://coreapps.org/core.osc.gconf#

   *  'linkformat' stands for http://www.iana.org/assignments/linkformat

      This URI is to be defined with IANA, together with other URIs that
      build on it through further path segments, e.g.,
      http://www.iana.org/assignments/linkformat/rt

   When using a URI http://www.iana.org/assignments/linkformat/SEG1/SEG2

   *  The path segment SEG1 is the name of a web link target attribute.

      Names of target attributes used in Link Format [RFC6690] are
      expected to be coordinated through the "Target Attributes"
      registry defined in [I-D.ietf-core-target-attr].

   *  The path segment SEG2 is the value of the target attribute.

   The application-extension identifier "cri" defined in Appendix C of
   [I-D.ietf-core-href] is used to notate a CBOR Extended Diagnostic
   Notation (EDN) literal for a CRI or CRI reference.  This format is
   not expected to be sent over the network.

   Packed CBOR [I-D.ietf-cbor-packed] is also used, thus reducing
   representation size.  The examples especially refer to the values
   from the two shared item tables in Appendix A.

   Finally, the examples consider a Group Manager with address
   [2001:db8::ab], and use the CoAP Content-Format ID 65087 for the
   media-type application/coral+cbor.



Tiloca & Höglund          Expires 17 July 2024                  [Page 6]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


2.  Group Administration

   The group administration is enforced as defined in Section 2 of
   [I-D.ietf-ace-oscore-gm-admin].

2.1.  Managing OSCORE Groups

   The same resource model defined in Section 2.1 of
   [I-D.ietf-ace-oscore-gm-admin] as based on a group-collection
   resource and multiple group-configuration resources is used in this
   document.

   When accessing such resources, the Administrator relies on the same
   interface defined in Section 6 of [I-D.ietf-ace-oscore-gm-admin], for
   which differences that apply when using CoRAL are compiled in
   Section 6 of this document.

2.2.  Collection Representation

   A collection of group configurations is represented as a CoRAL
   document containing the list of corresponding group-configuration
   resources.

   Each group configuration is represented as a top-level link element,
   with the URI of the group-configuration resource as link target, and
   with http://coreapps.org/core.osc.gcoll#item as relation type.

2.3.  Discovery

   The Administrator can discover the group-collection resource from a
   Resource Directory (see, for instance [I-D.hartke-t2trg-coral-reef])
   or from .well-known/core, by using the resource type "core.osc.gcoll"
   defined in Section 10.3 of [I-D.ietf-ace-oscore-gm-admin].

   The Administrator can discover group-configuration resources for the
   group-collection resource as specified in Section 6.1 and
   Section 6.2.

3.  Format of Scope

   In order to express authorization information for the Administrator
   (see Section 4), the same format and encoding of scope defined in
   Section 3 of [I-D.ietf-ace-oscore-gm-admin] is used, as relying on
   the Authorization Information Format (AIF) [RFC9237] and the extended
   AIF data model AIF-OSCORE-GROUPCOMM defined in Section 3 of
   [I-D.ietf-ace-key-groupcomm-oscore].





Tiloca & Höglund          Expires 17 July 2024                  [Page 7]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


4.  Getting Access to the Group Manager

   All communications between the involved entities rely on the CoAP
   protocol and MUST be secured.

   In particular, communications between the Administrator and the Group
   Manager leverage protocol-specific transport profiles of ACE to
   achieve communication security, proof-of-possession and server
   authentication.  To this end, the AS may explicitly signal the
   specific transport profile to use, consistently with requirements and
   assumptions defined in the ACE framework [RFC9200].

   With reference to the AS, communications between the Administrator
   and the AS (/token endpoint) as well as between the Group Manager and
   the AS (/introspect endpoint) can be secured by different means, for
   instance using DTLS [RFC9147] or OSCORE [RFC8613].  Further details
   on how the AS secures communications (with the Administrator and the
   Group Manager) depend on the specifically used transport profile of
   ACE, and are out of the scope of this document.

   The Administrator requests access to the Group Manager as per Steps
   1-3 in Section 4 of [I-D.ietf-ace-oscore-gm-admin].

   The Administrator accesses the admin interface at the Group Manager
   as per Step 4 in Section 4 of [I-D.ietf-ace-oscore-gm-admin], with
   the difference that administrative operations are performed not as
   defined in Section 6 of [I-D.ietf-ace-oscore-gm-admin], but instead
   as defined in Section 6 of this document.

4.1.  Multiple Administrators for the Same OSCORE Group

   What is defined in Section 4.1 of [I-D.ietf-ace-oscore-gm-admin]
   holds for this document, with the following difference.

   The Administrator performs administrative operations at the Group
   Manager not as defined in Section 6 of
   [I-D.ietf-ace-oscore-gm-admin], but instead as defined in Section 6
   of this document.

5.  Group Configurations

   A group configuration consists of a set of parameters.

5.1.  Group Configuration Representation

   The same group configuration representation defined in Section 5.1 of
   [I-D.ietf-ace-oscore-gm-admin] is used, as including configuration
   properties and status properties.



Tiloca & Höglund          Expires 17 July 2024                  [Page 8]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


5.1.1.  Configuration Properties

   The same configuration properties defined in Section 5.1.1 of
   [I-D.ietf-ace-oscore-gm-admin] are used.

5.1.2.  Status Properties

   The same status properties defined in Section 5.1.2 of
   [I-D.ietf-ace-oscore-gm-admin] are used.

5.2.  Default Values

   The Group manager refers to the same default values defined in
   Section 5.2 of [I-D.ietf-ace-oscore-gm-admin].

6.  Interactions with the Group Manager

   The same as defined in Section 6 of [I-D.ietf-ace-oscore-gm-admin]
   holds, with the following differences.

   *  The Content-Format in messages containing a payload is set to
      application/coral+cbor, defined in Section 7.2 of
      [I-D.ietf-core-coral].

   *  The parameters 'sign_params', 'ecdh_params', 'app_groups' and
      'group_policies' are referred to as "structured parameters".

   *  If a message payload specifies a link element corresponding to a
      structured parameter, then:

      -  The payload MUST NOT include any link element corresponding to
         an inner information element of that structured parameter.

      -  The link element MUST have the link target with value "false"
         (0xf4) for indicating the structured parameter with no
         elements.

         Editor's note: this should change to using an empty CBOR array
         or an empty CBOR map as appropriate, once this is made
         explicitly possible in the binary format of link items in CoRAL
         (see Section 3.1.4 of [I-D.ietf-core-coral]).

   *  If a message payload specifies an information element of a
      structured parameter from the group configuration, then that
      information element MUST be specified by means of the
      corresponding link element.





Tiloca & Höglund          Expires 17 July 2024                  [Page 9]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


6.1.  Retrieve the Full List of Group Configurations

   This operation MUST be supported by the Group Manager and an
   Administrator.

   The Administrator can send a GET request to the group-collection
   resource, in order to retrieve a list of the existing OSCORE groups
   at the Group Manager.

   The same as defined in Section 6.1 of [I-D.ietf-ace-oscore-gm-admin]
   holds.

   An example of message exchange is shown below.

   => 0.01 GET
      Uri-Path: manage

   <= 2.05 Content
      Content-Format: 65087 (application/coral+cbor)

      Payload:

      [
        [1, cri'coap://[2001:db8::ab]/manage'],
        [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp1', [
          [2, simple(6) / item 6 for linkformat:rt /,
           6(-200) / item 415 for cri'http://www.iana.org/assignments
                                      /linkformat/rt/core.osc.gconf' /]
        ]],
        [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp2', [
          [2, simple(6) / item 6 for linkformat:rt /,
           6(-200) / item 415 for cri'http://www.iana.org/assignments
                                      /linkformat/rt/core.osc.gconf' /]
        ]],
        [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp3', [
          [2, simple(6) / item 6 for linkformat:rt /,
           6(-200) / item 415 for cri'http://www.iana.org/assignments
                                      /linkformat/rt/core.osc.gconf' /]
        ]]
      ]

6.2.  Retrieve a List of Group Configurations by Filters

   This operation MUST be supported by the Group Manager and MAY be
   supported by an Administrator.






Tiloca & Höglund          Expires 17 July 2024                 [Page 10]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   The Administrator can send a FETCH request to the group-collection
   resource, in order to retrieve a list of the existing OSCORE groups
   that fully match a set of specified filter criteria.

   The same as defined in Section 6.2 of [I-D.ietf-ace-oscore-gm-admin]
   holds, with the following differences.

   *  The filter criteria are specified in the request payload with top-
      level link elements, each of which corresponds to an entry of the
      group configuration (see Section 5.1), with the exception of non-
      empty structured parameters.

   *  If names of application groups are used as filter criteria, each
      element of the 'app_groups' array from the status properties is
      included as a separate link element with name 'app_group'.

   *  With the exception of the 'app_group' element, a valid request
      MUST NOT include the same element multiple times.  Element values
      are the ones admitted for the corresponding labels in the POST
      request for creating a group configuration (see Section 6.3).

   An example of message exchange is shown below.





























Tiloca & Höglund          Expires 17 July 2024                 [Page 11]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   => 0.05 FETCH
      Uri-Path: manage
      Content-Format: 65087 (application/coral+cbor)

      Payload:

      [
        [2, 6(27) / item 70 for core.osc.gconf:group_mode /, true],
        [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
        [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5]
      ]

   <= 2.05 Content
      Content-Format: 65087 (application/coral+cbor)

      Payload:

      [
       [1, cri'coap://[2001:db8::ab]/manage'],
       [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp1', [
         [2, simple(6) / item 6 for linkformat:rt /,
          6(-200) / item 415 for cri'http://www.iana.org/assignments
                                     /linkformat/rt/core.osc.gconf' /]
       ]],
       [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp2', [
         [2, simple(6) / item 6 for linkformat:rt /,
          6(-200) / item 415 for cri'http://www.iana.org/assignments
                                     /linkformat/rt/core.osc.gconf' /]
       ]],
       [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp3', [
         [2, simple(6) / item 6 for linkformat:rt /,
          6(-200) / item 415 for cri'http://www.iana.org/assignments
                                     /linkformat/rt/core.osc.gconf' /]
       ]]
      ]

6.3.  Create a New Group Configuration

   This operation MUST be supported by the Group Manager and an
   Administrator.

   The Administrator can send a POST request to the group-collection
   resource, in order to create a new OSCORE group at the Group Manager.

   The same as defined in Section 6.3 of [I-D.ietf-ace-oscore-gm-admin]
   holds, with the following differences.





Tiloca & Höglund          Expires 17 July 2024                 [Page 12]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   *  In the request payload, each link element corresponds to an entry
      of the group configuration (see Section 5.1), with the exception
      of non-empty structured parameters.

   *  In the request payload, each element of the 'app_groups' array
      from the status properties is included as a separate element with
      name 'app_group'.

   *  The Group Manager MUST respond with a 4.00 (Bad Request) response
      if any link element is specified multiple times in the payload of
      the POST request, with the exception of the 'app_group' link
      element.

   *  The response payload includes one link element for each specified
      parameter, with the exception of non-empty structured parameters.

   *  In the response payload, each element of the 'app_groups' array
      from the status properties is included as a separate element with
      name 'app_group'.

   *  If the Administrator performs the registration of the group-
      membership resource to a Resource Directory on behalf of the Group
      Manager, then the names of the application groups using the OSCORE
      group MUST take the values possibly specified by the different
      'app_group' link elements in the POST request.

   An example of message exchange is shown below.
























Tiloca & Höglund          Expires 17 July 2024                 [Page 13]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   => 0.02 POST
      Uri-Path: manage
      Content-Format: 65087 (application/coral+cbor)

      Payload:

      [
        [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
        [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5],
        [2, 6(-31) / item 77 for core.osc.gconf:pairwise_mode /, true],
        [2, 6(-36) / item 87 for core.osc.gconf:active /, true],
        [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
        [2, 6(-37) / item 89 for core.osc.gconf:group_title /,
         "rooms 1 and 2"],
        [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 1"],
        [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 2"],
        [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
         cri'coap://as.example.com/token']
      ]

   <= 2.01 Created
      Location-Path: manage
      Location-Path: gp4
      Content-Format: 65087 (application/coral+cbor)

      Payload:

      [
        [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
        [2, 6(-41) / item 97 for core.osc.gconf:joining_uri /,
         cri'coap://[2001:db8::ab]/ace-group/gp4/'],
        [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
         cri'coap://as.example.com/token']
      ]

6.4.  Retrieve a Group Configuration

   This operation MUST be supported by the Group Manager and an
   Administrator.

   The Administrator can send a GET request to the group-configuration
   resource manage/GROUPNAME associated with an OSCORE group with group
   name GROUPNAME, in order to retrieve the complete current
   configuration of that group.

   The same as defined in Section 6.4 of [I-D.ietf-ace-oscore-gm-admin]
   holds, with the following differences.




Tiloca & Höglund          Expires 17 July 2024                 [Page 14]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   *  The response payload includes one link element for each entry of
      the group configuration (see Section 5.1), with the exception of
      non-empty status parameters.

   *  Each element of the 'app_groups' array from the status properties
      is included as a separate link element with name 'app_group'.

   An example of message exchange is shown below.

   => 0.01 GET
      Uri-Path: manage
      Uri-Path: gp4

   <= 2.05 Content
      Content-Format: 65087 (application/coral+cbor)

      Payload:

      [
        [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5],
        [2, 6(-27) / item 69 for core.osc.gconf:cred_fmt /, 33],
        [2, 6(27) / item 70 for core.osc.gconf:group_mode /, true],
        [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
        [2, 6(28) / item 72 for core.osc.gconf:sign_alg /, -8],
        [2, 6(29) / item 74 for
         core.osc.gconf:sign_params.alg_capab.key_type /, 1],
        [2, 6(-30) / item 75 for
         core.osc.gconf:sign_params.key_type_capab.key_type /, 1],
        [2, 6(30) / item 76 for
         core.osc.gconf:sign_params.key_type_capab.curve /, 6],
        [2, 6(-31) / item 77 for core.osc.gconf:pairwise_mode /, true],
        [2, 6(31) / item 78 for core.osc.gconf:alg /, 10],
        [2, 6(-32) / item 79 for core.osc.gconf:ecdh_alg /, -27],
        [2, 6(-33) / item 81 for
         core.osc.gconf:ecdh_params.alg_capab.key_type /, 1],
        [2, 6(33) / item 82 for
         core.osc.gconf:ecdh_params.key_type_capab.key_type /, 1],
        [2, 6(-34) / item 83 for
         core.osc.gconf:ecdh_params.key_type_capab.curve /, 6],
        [2, 6(34) / item 84 for core.osc.gconf:det_req /, false],
        [2, 6(35) / item 86 for core.osc.gconf:rt /, "core.osc.gconf"],
        [2, 6(-36) / item 87 for core.osc.gconf:active /, true],
        [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
        [2, 6(-37) / item 89 for core.osc.gconf:group_title /,
         "rooms 1 and 2"],
        [2, 6(37) / item 90 for core.osc.gconf:ace_groupcomm_profile /,
         "coap_group_oscore_app"],
        [2, 6(-38) / item 91 for core.osc.gconf:max_stale_sets /, 3],



Tiloca & Höglund          Expires 17 July 2024                 [Page 15]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


        [2, 6(38) / item 92 for core.osc.gconf:exp /, 1360289224],
        [2, 6(-39) / item 93 for core.osc.gconf:gid_reuse /, false],
        [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 1"],
        [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 2"],
        [2, 6(-41) / item 97 for core.osc.gconf:joining_uri /,
         cri'coap://[2001:db8::ab]/ace-group/gp4/'],
        [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
         cri'coap://as.example.com/token']
      ]

6.5.  Retrieve Part of a Group Configuration by Filters

   This operation MUST be supported by the Group Manager and MAY be
   supported by an Administrator.

   The Administrator can send a FETCH request to the group-configuration
   resource manage/GROUPNAME associated with an OSCORE group with group
   name GROUPNAME, in order to retrieve part of the current
   configuration of that group.

   The same as defined in Section 6.5 of [I-D.ietf-ace-oscore-gm-admin]
   holds, with the following differences.

   *  The request payload includes one link element for each requested
      configuration parameter or status parameter of the current group
      configuration (see Section 5.1).  All the specified link elements
      MUST have the link target with value "null".

   *  The request payload MUST NOT include any link element
      corresponding to an inner information element of a structured
      parameter.

   *  The response payload includes the requested configuration
      parameters and status parameters, and is formatted as in the
      response payload of a GET request to a group-configuration
      resource (see Section 6.4).

      If the request payload specifies a parameter that is not included
      in the group configuration, then the response payload MUST NOT
      include a corresponding link element.

   An example of message exchange is shown below.









Tiloca & Höglund          Expires 17 July 2024                 [Page 16]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   => 0.05 FETCH
      Uri-Path: manage
      Uri-Path: gp4
      Content-Format: 65087 (application/coral+cbor)

      Payload:

      [
        [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, null],
        [2, 6(26) / item 68 for core.osc.gconf:hkdf /, null],
        [2, 6(-31) / item 77 for core.osc.gconf:pairwise_mode /, null],
        [2, 6(-36) / item 87 for core.osc.gconf:active /, null],
        [2, 6(-37) / item 89 for core.osc.gconf:group_title /, null],
        [2, 6(41) / item 98 for core.osc.gconf:app_groups /, null]
      ]

   <= 2.05 Content
      Content-Format: 65087 (application/coral+cbor)

      Payload:

      [
        [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
        [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5],
        [2, 6(-31) / item 77 for core.osc.gconf:pairwise_mode /, true],
        [2, 6(-36) / item 87 for core.osc.gconf:active /, true],
        [2, 6(-37) / item 89 for core.osc.gconf:group_title /,
         "rooms 1 and 2"],
        [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 1"],
        [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 2"]
      ]

6.6.  Overwrite a Group Configuration

   This operation MAY be supported by the Group Manager and an
   Administrator.

   The Administrator can send a PUT request to the group-configuration
   resource manage/GROUPNAME associated with an OSCORE group with group
   name GROUPNAME, in order to overwrite the current configuration of
   that group with a new one.

   The same as defined in Section 6.6 of [I-D.ietf-ace-oscore-gm-admin]
   holds, with the following difference.







Tiloca & Höglund          Expires 17 July 2024                 [Page 17]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   *  If the Administrator updates the registration of the group-
      membership resource in the Resource Directory on behalf of the
      Group Manager, then the names of the application groups using the
      OSCORE group MUST take the values possibly specified by the
      different 'app_group' link elements in the PUT request.

   An example of message exchange is shown below.

   => 0.03 PUT
      Uri-Path: manage
      Uri-Path: gp4
      Content-Format: 65087 (application/coral+cbor)

      Payload:

      [
        [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 11],
        [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5]
      ]

   <= 2.04 Changed
      Content-Format: 65087 (application/coral+cbor)

      Payload:

      [
        [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
        [2, 6(-41) / item 97 for core.osc.gconf:joining_uri /,
         cri'coap://[2001:db8::ab]/ace-group/gp4/'],
        [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
         cri'coap://as.example.com/token']
      ]

6.6.1.  Effects on Joining Nodes

   The same as defined in Section 6.6.1 of
   [I-D.ietf-ace-oscore-gm-admin] holds.

6.6.2.  Effects on the Group Members

   The same as defined in Section 6.6.2 of
   [I-D.ietf-ace-oscore-gm-admin] holds.

6.7.  Selective Update of a Group Configuration

   This operation MAY be supported by the Group Manager and an
   Administrator.




Tiloca & Höglund          Expires 17 July 2024                 [Page 18]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   The Administrator can send a PATCH/iPATCH request [RFC8132] to the
   group-configuration resource manage/GROUPNAME associated with an
   OSCORE group with group name GROUPNAME, in order to update the value
   of only part of the group configuration.

   The same as defined in Section 6.7 of [I-D.ietf-ace-oscore-gm-admin]
   holds, with the following differences.

   *  If the request payload specifies names of application groups to be
      removed from or added to the 'app_groups' status parameter, then
      such names are specified by means of the following top-level link
      elements.

      -  'app_group_del', with value a text string specifying the name
         of an application group to remove from the 'app_groups' status
         parameter.  This link element can be included multiple times.

      -  'app_group_add', with value a text string specifying the name
         of an application group to add to the 'app_groups' status
         parameter.  This link element can be included multiple times.

      The Group Manager MUST respond with a 4.00 (Bad Request) response,
      in case the request payload includes both any 'app_group' link
      element as well as any 'app_group_del' and/or 'app_group_add' link
      element.

   *  The Group Manager MUST respond with a 4.00 (Bad Request) response,
      if the request payload includes no link elements.

   *  When the request uses specifically the iPATCH method, the Group
      Manager MUST respond with a 4.00 (Bad Request) response, in case
      any link element 'app_group_del' and/or 'app_group_add' is
      included.

   *  When updating the 'app_groups' status parameter by difference, the
      Group Manager:

      -  Deletes from the 'app_groups' status parameter the names of the
         application groups specified in the different 'app_group_del'
         link elements.

      -  Adds to the 'app_groups' status parameter the names of the
         application groups specified in the different 'app_group_add'
         link elements.

   An example of message exchange is shown below.





Tiloca & Höglund          Expires 17 July 2024                 [Page 19]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


 => 0.06 PATCH
    Uri-Path: manage
    Uri-Path: gp4
    Content-Format: 65087 (application/coral+cbor)

    Payload:

    [
      [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
      [2, 6(-40) / item 95 for core.osc.gconf:app_group_del /, "room1"],
      [2, 6(40) / item 96 for core.osc.gconf:app_group_add /, "room3"],
      [2, 6(40) / item 96 for core.osc.gconf:app_group_add /, "room4"]
    ]

 <= 2.04 Changed
    Content-Format: 65087 (application/coral+cbor)

    Payload:

    [
      [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
      [2, 6(-41) / item 97 for core.osc.gconf:joining_uri /,
       cri'coap://[2001:db8::ab]/ace-group/gp4/'],
      [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
       cri'coap://as.example.com/token']
    ]

6.7.1.  Effects on Joining Nodes

   The same as defined in Section 6.7.1 of
   [I-D.ietf-ace-oscore-gm-admin] holds.

6.7.2.  Effects on the Group Members

   The same as defined in Section 6.7.2 of
   [I-D.ietf-ace-oscore-gm-admin] holds.

6.8.  Delete a Group Configuration

   This operation MUST be supported by the Group Manager and an
   Administrator.

   The Administrator can send a DELETE request to the group-
   configuration resource manage/GROUPNAME associated with an OSCORE
   group with group name GROUPNAME, in order to delete that OSCORE
   group.





Tiloca & Höglund          Expires 17 July 2024                 [Page 20]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   The same as defined in Section 6.8 of [I-D.ietf-ace-oscore-gm-admin]
   holds.

6.8.1.  Effects on the Group Members

   The same as defined in Section 6.8.1 of
   [I-D.ietf-ace-oscore-gm-admin] holds.

7.  Support of Top-Level Link Elements

   Consistently with Section 7 of [I-D.ietf-ace-oscore-gm-admin], the
   following holds for the Group Manager.

   *  It MUST support the top-level link elements 'error',
      'error_description', 'ace_groupcomm_profile', 'exp', and
      'group_policies' corresponding to the ACE Groupcomm Parameters
      defined in Section 8 of [I-D.ietf-ace-key-groupcomm].

      This is consistent with what is defined in Section 8 of
      [I-D.ietf-ace-key-groupcomm] for the Key Distribution Center, of
      which the Group Manager defined in
      [I-D.ietf-ace-key-groupcomm-oscore] is a specific instance.

   *  It MUST support the top-level link elements corresponding to all
      the parameters listed in Section 7 of
      [I-D.ietf-ace-oscore-gm-admin], with the exception of
      'app_groups_diff' that MUST be supported only if the Group Manager
      supports the selective update of a group configuration (see
      Section 6.7).

   The following holds for an Administrator.

   *  It MUST support the top-level link elements 'error',
      'error_description', 'ace_groupcomm_profile', 'exp', and
      'group_policies' corresponding to the ACE Groupcomm Parameters
      defined in Section 8 of [I-D.ietf-ace-key-groupcomm].

   *  It MUST support the top-level link elements corresponding to all
      the parameters listed in Section 7 of
      [I-D.ietf-ace-oscore-gm-admin], with the following exceptions.

      -  'conf_filter', which MUST be supported only if the
         Administrator supports the partial retrieval of a group
         configuration by filters (see Section 6.5).

      -  'app_groups_diff' parameter, which MUST be supported only if
         the Administrator supports the selective update of a group
         configuration (see Section 6.7).



Tiloca & Höglund          Expires 17 July 2024                 [Page 21]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


8.  Error Identifiers

   If the Group Manager sends an error response including the link
   element 'error', this can specify any of the values defined in
   Section 8 of [I-D.ietf-ace-oscore-gm-admin].

   The same guidelines in Section 8 of [I-D.ietf-ace-oscore-gm-admin]
   for the Administrator to handle such error identifiers holds.

9.  Security Considerations

   Security considerations are inherited from the ACE framework for
   Authentication and Authorization [RFC9200], and from the specific
   transport profile of ACE used between the Administrator and the Group
   Manager, such as [RFC9202] and [RFC9203].

   The same security considerations from [I-D.ietf-ace-key-groupcomm]
   and [I-D.ietf-ace-key-groupcomm-oscore] also apply, with particular
   reference to the process of rekeying OSCORE groups.

   The same security considerations from [I-D.ietf-ace-oscore-gm-admin]
   also apply, as well for the security considerations for CoRAL
   [I-D.ietf-core-coral] and Packed CBOR [I-D.ietf-cbor-packed].

10.  IANA Considerations

   This document has no actions for IANA.

11.  References

11.1.  Normative References

   [CURIE-20101216]
              Birbeck, M. and S. McCarron, "CURIE Syntax 1.0 - A syntax
              for expressing Compact URIs - W3C Working Group Note", 16
              December 2010,
              <http://www.w3.org/TR/2010/NOTE-curie-20101216>.

   [I-D.ietf-ace-key-groupcomm]
              Palombini, F. and M. Tiloca, "Key Provisioning for Group
              Communication using ACE", Work in Progress, Internet-
              Draft, draft-ietf-ace-key-groupcomm-17, 6 October 2023,
              <https://datatracker.ietf.org/doc/html/draft-ietf-ace-key-
              groupcomm-17>.

   [I-D.ietf-ace-key-groupcomm-oscore]
              Tiloca, M., Park, J., and F. Palombini, "Key Management
              for OSCORE Groups in ACE", Work in Progress, Internet-



Tiloca & Höglund          Expires 17 July 2024                 [Page 22]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


              Draft, draft-ietf-ace-key-groupcomm-oscore-16, 6 March
              2023, <https://datatracker.ietf.org/doc/html/draft-ietf-
              ace-key-groupcomm-oscore-16>.

   [I-D.ietf-ace-oscore-gm-admin]
              Tiloca, M., Höglund, R., Van der Stok, P., and F.
              Palombini, "Admin Interface for the OSCORE Group Manager",
              Work in Progress, Internet-Draft, draft-ietf-ace-oscore-
              gm-admin-10, 23 October 2023,
              <https://datatracker.ietf.org/doc/html/draft-ietf-ace-
              oscore-gm-admin-10>.

   [I-D.ietf-cbor-packed]
              Bormann, C., "Packed CBOR", Work in Progress, Internet-
              Draft, draft-ietf-cbor-packed-10, 9 January 2024,
              <https://datatracker.ietf.org/doc/html/draft-ietf-cbor-
              packed-10>.

   [I-D.ietf-core-coral]
              Amsüss, C. and T. Fossati, "The Constrained RESTful
              Application Language (CoRAL)", Work in Progress, Internet-
              Draft, draft-ietf-core-coral-05, 7 March 2022,
              <https://datatracker.ietf.org/doc/html/draft-ietf-core-
              coral-05>.

   [I-D.ietf-core-groupcomm-bis]
              Dijk, E., Wang, C., and M. Tiloca, "Group Communication
              for the Constrained Application Protocol (CoAP)", Work in
              Progress, Internet-Draft, draft-ietf-core-groupcomm-bis-
              10, 23 October 2023,
              <https://datatracker.ietf.org/doc/html/draft-ietf-core-
              groupcomm-bis-10>.

   [I-D.ietf-core-href]
              Bormann, C. and H. Birkholz, "Constrained Resource
              Identifiers", Work in Progress, Internet-Draft, draft-
              ietf-core-href-14, 9 January 2024,
              <https://datatracker.ietf.org/doc/html/draft-ietf-core-
              href-14>.

   [I-D.ietf-core-oscore-groupcomm]
              Tiloca, M., Selander, G., Palombini, F., Mattsson, J. P.,
              and J. Park, "Group Object Security for Constrained
              RESTful Environments (Group OSCORE)", Work in Progress,
              Internet-Draft, draft-ietf-core-oscore-groupcomm-20, 2
              September 2023, <https://datatracker.ietf.org/doc/html/
              draft-ietf-core-oscore-groupcomm-20>.




Tiloca & Höglund          Expires 17 July 2024                 [Page 23]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/rfc/rfc3986>.

   [RFC6690]  Shelby, Z., "Constrained RESTful Environments (CoRE) Link
              Format", RFC 6690, DOI 10.17487/RFC6690, August 2012,
              <https://www.rfc-editor.org/rfc/rfc6690>.

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
              RFC 6749, DOI 10.17487/RFC6749, October 2012,
              <https://www.rfc-editor.org/rfc/rfc6749>.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252,
              DOI 10.17487/RFC7252, June 2014,
              <https://www.rfc-editor.org/rfc/rfc7252>.

   [RFC8132]  van der Stok, P., Bormann, C., and A. Sehgal, "PATCH and
              FETCH Methods for the Constrained Application Protocol
              (CoAP)", RFC 8132, DOI 10.17487/RFC8132, April 2017,
              <https://www.rfc-editor.org/rfc/rfc8132>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

   [RFC8613]  Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
              "Object Security for Constrained RESTful Environments
              (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019,
              <https://www.rfc-editor.org/rfc/rfc8613>.

   [RFC8949]  Bormann, C. and P. Hoffman, "Concise Binary Object
              Representation (CBOR)", STD 94, RFC 8949,
              DOI 10.17487/RFC8949, December 2020,
              <https://www.rfc-editor.org/rfc/rfc8949>.

   [RFC9052]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Structures and Process", STD 96, RFC 9052,
              DOI 10.17487/RFC9052, August 2022,
              <https://www.rfc-editor.org/rfc/rfc9052>.





Tiloca & Höglund          Expires 17 July 2024                 [Page 24]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   [RFC9053]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053,
              August 2022, <https://www.rfc-editor.org/rfc/rfc9053>.

   [RFC9200]  Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and
              H. Tschofenig, "Authentication and Authorization for
              Constrained Environments Using the OAuth 2.0 Framework
              (ACE-OAuth)", RFC 9200, DOI 10.17487/RFC9200, August 2022,
              <https://www.rfc-editor.org/rfc/rfc9200>.

   [RFC9202]  Gerdes, S., Bergmann, O., Bormann, C., Selander, G., and
              L. Seitz, "Datagram Transport Layer Security (DTLS)
              Profile for Authentication and Authorization for
              Constrained Environments (ACE)", RFC 9202,
              DOI 10.17487/RFC9202, August 2022,
              <https://www.rfc-editor.org/rfc/rfc9202>.

   [RFC9203]  Palombini, F., Seitz, L., Selander, G., and M. Gunnarsson,
              "The Object Security for Constrained RESTful Environments
              (OSCORE) Profile of the Authentication and Authorization
              for Constrained Environments (ACE) Framework", RFC 9203,
              DOI 10.17487/RFC9203, August 2022,
              <https://www.rfc-editor.org/rfc/rfc9203>.

   [RFC9237]  Bormann, C., "An Authorization Information Format (AIF)
              for Authentication and Authorization for Constrained
              Environments (ACE)", RFC 9237, DOI 10.17487/RFC9237,
              August 2022, <https://www.rfc-editor.org/rfc/rfc9237>.

11.2.  Informative References

   [I-D.hartke-t2trg-coral-reef]
              Hartke, K., "Resource Discovery in Constrained RESTful
              Environments (CoRE) using the Constrained RESTful
              Application Language (CoRAL)", Work in Progress, Internet-
              Draft, draft-hartke-t2trg-coral-reef-04, 9 May 2020,
              <https://datatracker.ietf.org/doc/html/draft-hartke-t2trg-
              coral-reef-04>.

   [I-D.ietf-core-target-attr]
              Bormann, C., "CoRE Target Attributes Registry", Work in
              Progress, Internet-Draft, draft-ietf-core-target-attr-06,
              11 October 2023, <https://datatracker.ietf.org/doc/html/
              draft-ietf-core-target-attr-06>.

   [I-D.ietf-cose-cbor-encoded-cert]
              Mattsson, J. P., Selander, G., Raza, S., Höglund, J., and
              M. Furuhed, "CBOR Encoded X.509 Certificates (C509



Tiloca & Höglund          Expires 17 July 2024                 [Page 25]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


              Certificates)", Work in Progress, Internet-Draft, draft-
              ietf-cose-cbor-encoded-cert-07, 20 October 2023,
              <https://datatracker.ietf.org/doc/html/draft-ietf-cose-
              cbor-encoded-cert-07>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/rfc/rfc5280>.

   [RFC8392]  Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig,
              "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392,
              May 2018, <https://www.rfc-editor.org/rfc/rfc8392>.

   [RFC9147]  Rescorla, E., Tschofenig, H., and N. Modadugu, "The
              Datagram Transport Layer Security (DTLS) Protocol Version
              1.3", RFC 9147, DOI 10.17487/RFC9147, April 2022,
              <https://www.rfc-editor.org/rfc/rfc9147>.

Appendix A.  Shared item tables for Packed CBOR

   This appendix defines the two shared item tables that the examples in
   this document refer to for using Packed CBOR [I-D.ietf-cbor-packed].

   The application-extension identifier "cri" defined in Appendix C of
   [I-D.ietf-core-href] is used to notate a CBOR Extended Diagnostic
   Notation (EDN) literal for a CRI.

A.1.  Compression of CoRAL predicates

   The following shared item table is used for compressing CoRAL
   predicates, as per Section 2.2 of [I-D.ietf-cbor-packed].

    +-------+--------------------------------------------------------+
    | Index | Item                                                   |
    +-------+--------------------------------------------------------+
    | 6     | cri'http://www.iana.org/assignments/linkformat/rt'     |
    +-------+--------------------------------------------------------+
    | 50    | cri'http://coreapps.org/core.osc.gcoll#item'           |
    +-------+--------------------------------------------------------+
    | 68    | cri'http://coreapps.org/core.osc.gconf#hkdf'           |
    +-------+--------------------------------------------------------+
    | 69    | cri'http://coreapps.org/core.osc.gconf#cred_fmt'       |
    +-------+--------------------------------------------------------+
    | 70    | cri'http://coreapps.org/core.osc.gconf#group_mode'     |
    +-------+--------------------------------------------------------+
    | 71    | cri'http://coreapps.org/core.osc.gconf#gp_enc_alg'     |



Tiloca & Höglund          Expires 17 July 2024                 [Page 26]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


    +-------+--------------------------------------------------------+
    | 72    | cri'http://coreapps.org/core.osc.gconf#sign_alg'       |
    +-------+--------------------------------------------------------+
    | 73    | cri'http://coreapps.org/core.osc.gconf#sign_params'    |
    +-------+--------------------------------------------------------+
    | 74    | cri'http://coreapps.org/core.osc.gconf#sign_params     |
    |       |     .alg_capab.key_type'                               |
    +-------+--------------------------------------------------------+
    | 75    | cri'http://coreapps.org/core.osc.gconf#sign_params     |
    |       |     .key_type_capab.key_type'                          |
    +-------+--------------------------------------------------------+
    | 76    | cri'http://coreapps.org/core.osc.gconf#sign_params     |
    |       |     .key_type_capab.curve'                             |
    +-------+--------------------------------------------------------+
    | 77    | cri'http://coreapps.org/core.osc.gconf#pairwise_mode'  |
    +-------+--------------------------------------------------------+
    | 78    | cri'http://coreapps.org/core.osc.gconf#alg'            |
    +-------+--------------------------------------------------------+
    | 79    | cri'http://coreapps.org/core.osc.gconf#ecdh_alg'       |
    +-------+--------------------------------------------------------+
    | 80    | cri'http://coreapps.org/core.osc.gconf#ecdh_params'    |
    +-------+--------------------------------------------------------+
    | 81    | cri'http://coreapps.org/core.osc.gconf#ecdh_params     |
    |       |     .alg_capab.key_type'                               |
    +-------+--------------------------------------------------------+
    | 82    | cri'http://coreapps.org/core.osc.gconf#ecdh_params     |
    |       |     .key_type_capab.key_type'                          |
    +-------+--------------------------------------------------------+
    | 83    | cri'http://coreapps.org/core.osc.gconf#ecdh_params     |
    |       |     .key_type_capab.curve'                             |
    +-------+--------------------------------------------------------+
    | 84    | cri'http://coreapps.org/core.osc.gconf#det_req'        |
    +-------+--------------------------------------------------------+
    | 85    | cri'http://coreapps.org/core.osc.gconf#det_hash_alg'   |
    +-------+--------------------------------------------------------+
    | 86    | cri'http://coreapps.org/core.osc.gconf#rt'             |
    +-------+--------------------------------------------------------+
    | 87    | cri'http://coreapps.org/core.osc.gconf#active'         |
    +-------+--------------------------------------------------------+
    | 88    | cri'http://coreapps.org/core.osc.gconf#group_name'     |
    +-------+--------------------------------------------------------+
    | 89    | cri'http://coreapps.org/core.osc.gconf#group_title'    |
    +-------+--------------------------------------------------------+
    | 90    | cri'http://coreapps.org/core.osc.gconf                 |
    |       |     #ace_groupcomm_profile'                            |
    +-------+--------------------------------------------------------+
    | 91    | cri'http://coreapps.org/core.osc.gconf#max_stale_sets' |
    +-------+--------------------------------------------------------+



Tiloca & Höglund          Expires 17 July 2024                 [Page 27]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


    | 92    | cri'http://coreapps.org/core.osc.gconf#exp'            |
    +-------+--------------------------------------------------------+
    | 93    | cri'http://coreapps.org/core.osc.gconf#gid_reuse'      |
    +-------+--------------------------------------------------------+
    | 94    | cri'http://coreapps.org/core.osc.gconf#app_group'      |
    +-------+--------------------------------------------------------+
    | 95    | cri'http://coreapps.org/core.osc.gconf#app_group_del'  |
    +-------+--------------------------------------------------------+
    | 96    | cri'http://coreapps.org/core.osc.gconf#app_group_add'  |
    +-------+--------------------------------------------------------+
    | 97    | cri'http://coreapps.org/core.osc.gconf#joining_uri'    |
    +-------+--------------------------------------------------------+
    | 98    | cri'http://coreapps.org/core.osc.gconf#app_groups'     |
    +-------+--------------------------------------------------------+
    | 99    | cri'http://coreapps.org/core.osc.gconf#group_policies' |
    +-------+--------------------------------------------------------+
    | 100   | cri'http://coreapps.org/core.osc.gconf#group_policies  |
    |       |     .key_update_check_interval'                        |
    +-------+--------------------------------------------------------+
    | 101   | cri'http://coreapps.org/core.osc.gconf#group_policies  |
    |       |     .exp_delta'                                        |
    +-------+--------------------------------------------------------+
    | 102   | cri'http://coreapps.org/core.osc.gconf#as_uri'         |
    +-------+--------------------------------------------------------+

       Figure 1: Shared item table for compressing CoRAL predicates.

A.2.  Compression of Values of the rt= Target Attribute

   The following shared item table is used for compressing values of the
   rt= target attribute, as per Section 2.2 of [I-D.ietf-cbor-packed].

    +-------+--------------------------------------------------------+
    | Index | Item                                                   |
    +-------+--------------------------------------------------------+
    | 415   | cri'http://www.iana.org/assignments/linkformat/rt      |
    |       |     /core.osc.gconf'                                   |
    +-------+--------------------------------------------------------+

       Figure 2: Shared item table for compressing values of the rt=
                             target attribute.

Appendix B.  Document Updates

   RFC EDITOR: PLEASE REMOVE THIS SECTION.

B.1.  Version -00 to -01




Tiloca & Höglund          Expires 17 July 2024                 [Page 28]

Internet-Draft   CoRAL Admin Interface for the OSCORE GM    January 2024


   *  Updated reference and introductory text for the CBOR EDN
      application-extension identifier "cri".

B.2.  Version -00

   *  CoRAL content taken out from draft-ietf-ace-oscore-gm-admin-08.

Acknowledgments

   Most of the content in this document was originally specified in
   draft-ietf-ace-oscore-gm-admin, which is co-authored also by Peter
   van der Stok and Francesca Palombini, and where Klaus Hartke
   contributed in the initial definition of the resource model and
   interactions using CoRAL.

   The authors sincerely thank Christian Amsüss, Carsten Bormann, and
   Jim Schaad for their comments and feedback.  The work on this
   document has been partly supported by VINNOVA and the Celtic-Next
   project CRITISEC; and by the H2020 project SIFIS-Home (Grant
   agreement 952652).

Authors' Addresses

   Marco Tiloca
   RISE AB
   Isafjordsgatan 22
   SE-16440 Stockholm Kista
   Sweden
   Email: marco.tiloca@ri.se


   Rikard Höglund
   RISE AB
   Isafjordsgatan 22
   SE-16440 Stockholm Kista
   Sweden
   Email: rikard.hoglund@ri.se














Tiloca & Höglund          Expires 17 July 2024                 [Page 29]