rfc9528v3.txt   rfc9528.txt 
skipping to change at line 3303 skipping to change at line 3303
[CNSA] Wikipedia, "Commercial National Security Algorithm Suite", [CNSA] Wikipedia, "Commercial National Security Algorithm Suite",
October 2023, <https://en.wikipedia.org/w/index.php?title= October 2023, <https://en.wikipedia.org/w/index.php?title=
Commercial_National_Security_Algorithm_Suite&oldid=1181333 Commercial_National_Security_Algorithm_Suite&oldid=1181333
611>. 611>.
[CoAP-SEC-PROT] [CoAP-SEC-PROT]
Mattsson, J. P., Palombini, F., and M. Vučinić, Mattsson, J. P., Palombini, F., and M. Vučinić,
"Comparison of CoAP Security Protocols", Work in Progress, "Comparison of CoAP Security Protocols", Work in Progress,
Internet-Draft, draft-ietf-iotops-security-protocol- Internet-Draft, draft-ietf-iotops-security-protocol-
comparison-03, 23 October 2023, comparison-04, 4 March 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-iotops- <https://datatracker.ietf.org/doc/html/draft-ietf-iotops-
security-protocol-comparison-03>. security-protocol-comparison-04>.
[CottierPointcheval22] [CottierPointcheval22]
Cottier, B. and D. Pointcheval, "Security Analysis of the Cottier, B. and D. Pointcheval, "Security Analysis of the
EDHOC protocol", September 2022, EDHOC protocol", September 2022,
<https://arxiv.org/abs/2209.03599>. <https://arxiv.org/abs/2209.03599>.
[CURVE-REPR] [CURVE-REPR]
Struik, R., "Alternative Elliptic Curve Representations", Struik, R., "Alternative Elliptic Curve Representations",
Work in Progress, Internet-Draft, draft-ietf-lwig-curve- Work in Progress, Internet-Draft, draft-ietf-lwig-curve-
representations-23, 21 January 2022, representations-23, 21 January 2022,
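Review bot: the [CoAP-SEC-PROT] bump from -03 to -04 is applied consistently to the draft name, the date (23 October 2023 to 4 March 2024) and the URL, so no stale link remains; the [CNSA], [CottierPointcheval22] and [CURVE-REPR] entries are unchanged and need no action.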
skipping to change at line 3368 skipping to change at line 3368
<https://eprint.iacr.org/2010/264.pdf>. <https://eprint.iacr.org/2010/264.pdf>.
[Jacomme23] [Jacomme23]
Jacomme, C., Klein, E., Kremer, S., and M. Racouchot, "A Jacomme, C., Klein, E., Kremer, S., and M. Racouchot, "A
comprehensive, formal and automated analysis of the EDHOC comprehensive, formal and automated analysis of the EDHOC
protocol", October 2022, protocol", October 2022,
<https://hal.inria.fr/hal-03810102/>. <https://hal.inria.fr/hal-03810102/>.
[KUDOS] Höglund, R. and M. Tiloca, "Key Update for OSCORE [KUDOS] Höglund, R. and M. Tiloca, "Key Update for OSCORE
(KUDOS)", Work in Progress, Internet-Draft, draft-ietf- (KUDOS)", Work in Progress, Internet-Draft, draft-ietf-
core-oscore-key-update-06, 23 October 2023, core-oscore-key-update-07, 4 March 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-core- <https://datatracker.ietf.org/doc/html/draft-ietf-core-
oscore-key-update-06>. oscore-key-update-07>.
[LAKE-AUTHZ] [LAKE-AUTHZ]
Selander, G., Mattsson, J. P., Vučinić, M., Fedrecheski, Selander, G., Mattsson, J. P., Vučinić, M., Fedrecheski,
G., and M. Richardson, "Lightweight Authorization using G., and M. Richardson, "Lightweight Authorization using
Ephemeral Diffie-Hellman Over COSE", Work in Progress, Ephemeral Diffie-Hellman Over COSE", Work in Progress,
Internet-Draft, draft-ietf-lake-authz-01, 4 March 2024, Internet-Draft, draft-ietf-lake-authz-01, 4 March 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-lake- <https://datatracker.ietf.org/doc/html/draft-ietf-lake-
authz-01>. authz-01>.
[LAKE-REQS] [LAKE-REQS]
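Review bot: the [KUDOS] entry is bumped consistently (draft-ietf-core-oscore-key-update-06 to -07, 23 October 2023 to 4 March 2024, and the matching URL), while [LAKE-AUTHZ] already carries the 4 March 2024 date at -01 and is correctly left as is.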
skipping to change at line 3402 skipping to change at line 3402
[Noise] Perrin, T., "The Noise Protocol Framework", Revision 34, [Noise] Perrin, T., "The Noise Protocol Framework", Revision 34,
July 2018, <https://noiseprotocol.org/noise.html>. July 2018, <https://noiseprotocol.org/noise.html>.
[Norrman20] [Norrman20]
Norrman, K., Sundararajan, V., and A. Bruni, "Formal Norrman, K., Sundararajan, V., and A. Bruni, "Formal
Analysis of EDHOC Key Establishment for Constrained IoT Analysis of EDHOC Key Establishment for Constrained IoT
Devices", September 2020, Devices", September 2020,
<https://arxiv.org/abs/2007.11427>. <https://arxiv.org/abs/2007.11427>.
[PreußMattsson23]
Preuß Mattsson, J., "Hidden Stream Ciphers and TMTO
Attacks on TLS 1.3, DTLS 1.3, QUIC, and Signal",
DOI 10.1007/978-981-99-7563-1_12, December 2023,
<https://eprint.iacr.org/2023/913>.
[PreußMattsson24]
Preuß Mattsson, J., "Security of Symmetric Ratchets and
Key Chains - Implications for Protocols like TLS 1.3,
Signal, and PQ3", February 2024,
<https://eprint.iacr.org/2024/220>.
[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986, Request Syntax Specification Version 1.7", RFC 2986,
DOI 10.17487/RFC2986, November 2000, DOI 10.17487/RFC2986, November 2000,
<https://www.rfc-editor.org/info/rfc2986>. <https://www.rfc-editor.org/info/rfc2986>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>. <https://www.rfc-editor.org/info/rfc5280>.
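Review bot: dropping the [PreußMattsson23] and [PreußMattsson24] entries from the informative references is only safe because the matching citation in the EDHOC_KeyUpdate text (the line ending "KeyUpdate iterations") is removed in the same diff, so no dangling citation remains; [Noise], [Norrman20], [RFC2986] and [RFC5280] are untouched. If the removal was for process reasons rather than relevance, a line in the change log saying so would help readers who relied on those analyses of symmetric key chains.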
skipping to change at line 4069 skipping to change at line 4057
where protected, external_aad, and payload are specified in where protected, external_aad, and payload are specified in
Sections 5.3 and 5.4. Sections 5.3 and 5.4.
Different header parameters to identify X.509 or C509 certificates by Different header parameters to identify X.509 or C509 certificates by
reference are defined in [RFC9360] and [C509-CERTS]: reference are defined in [RFC9360] and [C509-CERTS]:
* by a hash value with the 'x5t' or 'c5t' parameters, respectively: * by a hash value with the 'x5t' or 'c5t' parameters, respectively:
- ID_CRED_x = { 34 : COSE_CertHash }, for x = I or R and - ID_CRED_x = { 34 : COSE_CertHash }, for x = I or R and
- ID_CRED_x = { TBD3 : COSE_CertHash }, for x = I or R, - ID_CRED_x = { 22 : COSE_CertHash }, for x = I or R,
* or by a URI with the 'x5u' or 'c5u' parameters, respectively: * or by a URI with the 'x5u' or 'c5u' parameters, respectively:
- ID_CRED_x = { 35 : uri }, for x = I or R, and - ID_CRED_x = { 35 : uri }, for x = I or R, and
- ID_CRED_x = { TBD4 : uri }, for x = I or R. - ID_CRED_x = { 23 : uri }, for x = I or R.
When ID_CRED_x does not contain the actual credential, it may be very When ID_CRED_x does not contain the actual credential, it may be very
short, e.g., if the endpoints have agreed to use a key identifier short, e.g., if the endpoints have agreed to use a key identifier
parameter 'kid': parameter 'kid':
* ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I or R. For * ID_CRED_x = { 4 : kid_x }, where kid_x : kid, for x = I or R. For
further optimization, see Section 3.5.3. further optimization, see Section 3.5.3.
Note that ID_CRED_x can contain several header parameters, for Note that ID_CRED_x can contain several header parameters, for
example, { x5u, x5t } or { kid, kid_context }. example, { x5u, x5t } or { kid, kid_context }.
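Review bot: replacing the TBD3/TBD4 placeholders with 22 ('c5t') and 23 ('c5u') makes the ID_CRED_x forms concrete, but the defining reference [C509-CERTS] is still cited as Work in Progress; the text should say where 22 and 23 are registered (the same registry that supplies 34 and 35 for 'x5t'/'x5u' via [RFC9360]) so an implementer can verify the labels against the registry rather than against a particular draft revision. Note that any ID_CRED_x built from these labels is only a reference, so the receiver still has to fetch and validate the certificate before trusting the identity, as the 'kid' and { x5u, x5t } examples in the same paragraph imply.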
skipping to change at line 4441 skipping to change at line 4429
algorithm of the selected cipher suite. algorithm of the selected cipher suite.
The EDHOC_KeyUpdate takes the context as input to enable binding of The EDHOC_KeyUpdate takes the context as input to enable binding of
the updated PRK_out to some event that triggered the key update. The the updated PRK_out to some event that triggered the key update. The
Initiator and Responder need to agree on the context, which can, Initiator and Responder need to agree on the context, which can,
e.g., be a counter, a pseudorandom number, or a hash. To provide e.g., be a counter, a pseudorandom number, or a hash. To provide
forward secrecy, the old PRK_out and keys derived from it (old forward secrecy, the old PRK_out and keys derived from it (old
PRK_exporter and old application keys) must be deleted as soon as PRK_exporter and old application keys) must be deleted as soon as
they are not needed. When to delete the old keys and how to verify they are not needed. When to delete the old keys and how to verify
that they are not needed is up to the application. Note that the that they are not needed is up to the application. Note that the
security properties depends on the type of context and the number of security properties depend on the type of context and the number of
KeyUpdate iterations [PreußMattsson23] [PreußMattsson24]. KeyUpdate iterations.
An application using EDHOC_KeyUpdate needs to store PRK_out. An application using EDHOC_KeyUpdate needs to store PRK_out.
Compromise of PRK_out leads to compromise of all keying material Compromise of PRK_out leads to compromise of all keying material
derived with the EDHOC_Exporter since the last invocation of the derived with the EDHOC_Exporter since the last invocation of the
EDHOC_KeyUpdate function. EDHOC_KeyUpdate function.
While this key update method provides forward secrecy, it does not While this key update method provides forward secrecy, it does not
give as strong security properties as re-running EDHOC. give as strong security properties as re-running EDHOC.
EDHOC_KeyUpdate can be used to meet cryptographic limits and provide EDHOC_KeyUpdate can be used to meet cryptographic limits and provide
partial protection against key leakage, but it provides significantly partial protection against key leakage, but it provides significantly
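Review bot: with the [PreußMattsson23] [PreußMattsson24] citations removed, "security properties depend on the type of context and the number of KeyUpdate iterations" is now an unsupported assertion; either restore a pointer or state the dependence directly, since the following paragraphs already give the concrete consequences (compromise of PRK_out exposes everything exported since the last EDHOC_KeyUpdate, and the method is weaker than re-running EDHOC). The "depends" to "depend" change is correct, as the subject is "security properties".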
 End of changes. 8 change blocks. 
20 lines changed or deleted 8 lines changed or added

This html diff was produced by rfcdiff 1.48.