Authentication and Authorization for Constrained Environments (ace) Internet Drafts

 Key Provisioning for Group Communication using ACE
 
 draft-ietf-ace-key-groupcomm-18.txt
 Date: 16/01/2024
 Authors: Francesca Palombini, Marco Tiloca
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document defines how to use the Authentication and Authorization for Constrained Environments (ACE) framework to distribute keying material and configuration parameters for secure group communication. Candidate group members acting as Clients and authorized to join a group can do so by interacting with a Key Distribution Center (KDC) acting as Resource Server, from which they obtain the keying material to communicate with other group members. While defining general message formats as well as the interface and operations available at the KDC, this document supports different approaches and protocols for secure group communication. Therefore, details are delegated to separate application profiles of this document, as specialized instances that target a particular group communication approach and define how communications in the group are protected. Compliance requirements for such application profiles are also specified.
 Key Management for OSCORE Groups in ACE
 
 draft-ietf-ace-key-groupcomm-oscore-16.txt
 Date: 06/03/2023
 Authors: Marco Tiloca, Jiye Park, Francesca Palombini
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document defines an application profile of the ACE framework for Authentication and Authorization, to request and provision keying material in group communication scenarios that are based on CoAP and are secured with Group Object Security for Constrained RESTful Environments (Group OSCORE). This application profile delegates the authentication and authorization of Clients that join an OSCORE group through a Resource Server acting as Group Manager for that group. This application profile leverages protocol-specific transport profiles of ACE to achieve communication security, server authentication and proof-of-possession for a key owned by the Client and bound to an OAuth 2.0 Access Token.
 Publish-Subscribe Profile for Authentication and Authorization for Constrained Environments (ACE)
 
 draft-ietf-ace-pubsub-profile-09.txt
 Date: 04/03/2024
 Authors: Francesca Palombini, Cigdem Sengul, Marco Tiloca
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document defines an application profile of the Authentication and Authorization for Constrained Environments (ACE) framework, to enable secure group communication in the Publish-Subscribe (pub/sub) architecture for the Constrained Application Protocol (CoAP) [draft-ietf-core-coap-pubsub], where Publishers and Subscribers communicate through a Broker. This profile relies on protocol-specific transport profiles of ACE to achieve communication security, server authentication, and proof-of-possession for a key owned by the Client and bound to an OAuth 2.0 Access Token. This document specifies the provisioning and enforcement of authorization information for Clients to act as Publishers and/or Subscribers, as well as the provisioning of keying material and security parameters that Clients use for protecting their communications end-to-end through the Broker. Note to RFC Editor: Please replace "[draft-ietf-core-coap-pubsub]" with the RFC number of that document and delete this paragraph.
 Admin Interface for the OSCORE Group Manager
 
 draft-ietf-ace-oscore-gm-admin-11.txt
 Date: 04/03/2024
 Authors: Marco Tiloca, Rikard Hoeglund, Peter van der Stok, Francesca Palombini
 Working Group: Authentication and Authorization for Constrained Environments (ace)
Group communication for CoAP can be secured using Group Object Security for Constrained RESTful Environments (Group OSCORE). A Group Manager is responsible for handling the joining of new group members, as well as managing and distributing the group keying material. This document defines a RESTful admin interface at the Group Manager that allows an Administrator entity to create and delete OSCORE groups, as well as to retrieve and update their configuration. The ACE framework for Authentication and Authorization is used to enforce authentication and authorization of the Administrator at the Group Manager. Protocol-specific transport profiles of ACE are used to achieve communication security, proof-of-possession, and server authentication.
 EAP-based Authentication Service for CoAP
 
 draft-ietf-ace-wg-coap-eap-10.txt
 Date: 04/03/2024
 Authors: Rafael Marin-Lopez, Dan Garcia-Carrillo
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document specifies an authentication service that uses the Extensible Authentication Protocol (EAP) transported employing Constrained Application Protocol (CoAP) messages. As such, it defines an EAP lower layer based on CoAP called CoAP-EAP. One of the main goals is to authenticate a CoAP-enabled IoT device (EAP peer) that intends to join a security domain managed by a Controller (EAP authenticator). Secondly, it allows deriving key material to protect CoAP messages exchanged between them based on Object Security for Constrained RESTful Environments (OSCORE), enabling the establishment of a security association between them.
 Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments (ACE) Framework
 
 draft-ietf-ace-revoked-token-notification-06.txt
 Date: 02/06/2023
 Authors: Marco Tiloca, Francesca Palombini, Sebastian Echeverria, Grace Lewis
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document specifies a method of the Authentication and Authorization for Constrained Environments (ACE) framework, which allows an Authorization Server to notify Clients and Resource Servers (i.e., registered devices) about revoked access tokens. As specified in this document, the method allows Clients and Resource Servers to access a Token Revocation List on the Authorization Server by using the Constrained Application Protocol (CoAP), with the possible additional use of resource observation. Resulting (unsolicited) notifications of revoked access tokens complement alternative approaches such as token introspection, while not requiring additional endpoints on Clients and Resource Servers.
 Ephemeral Diffie-Hellman Over COSE (EDHOC) and Object Security for Constrained Environments (OSCORE) Profile for Authentication and Authorization for Constrained Environments (ACE)
 
 draft-ietf-ace-edhoc-oscore-profile-04.txt
 Date: 04/03/2024
 Authors: Goeran Selander, John Mattsson, Marco Tiloca, Rikard Hoeglund
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework. It utilizes Ephemeral Diffie-Hellman Over COSE (EDHOC) for achieving mutual authentication between an ACE-OAuth Client and Resource Server, and it binds an authentication credential of the Client to an ACE-OAuth access token. EDHOC also establishes an Object Security for Constrained RESTful Environments (OSCORE) Security Context, which is used to secure communications when accessing protected resources according to the authorization information indicated in the access token. This profile can be used to delegate management of authorization information from a resource-constrained server to a trusted host with less severe limitations regarding processing power and memory.
 Protecting EST Payloads with OSCORE
 
 draft-ietf-ace-coap-est-oscore-04.txt
 Date: 04/03/2024
 Authors: Goeran Selander, Shahid Raza, Martin Furuhed, Malisa Vucinic, Timothy Claeys
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document specifies public-key certificate enrollment procedures protected with lightweight application-layer security protocols suitable for Internet of Things (IoT) deployments. The protocols leverage payload formats defined in Enrollment over Secure Transport (EST) and existing IoT standards including the Constrained Application Protocol (CoAP), Concise Binary Object Representation (CBOR), and the CBOR Object Signing and Encryption (COSE) format.
 Using the Constrained RESTful Application Language (CoRAL) with the Admin Interface for the OSCORE Group Manager
 
 draft-ietf-ace-oscore-gm-admin-coral-01.txt
 Date: 14/01/2024
 Authors: Marco Tiloca, Rikard Hoeglund
 Working Group: Authentication and Authorization for Constrained Environments (ace)
Group communication for CoAP can be secured using Group Object Security for Constrained RESTful Environments (Group OSCORE). A Group Manager is responsible for handling the joining of new group members, as well as for managing and distributing the group keying material. The Group Manager can provide a RESTful admin interface that allows an Administrator entity to create and delete OSCORE groups, as well as to retrieve and update their configuration. This document specifies how an Administrator entity interacts with the admin interface at the Group Manager by using the Constrained RESTful Application Language (CoRAL). The ACE framework for Authentication and Authorization is used to enforce authentication and authorization of the Administrator at the Group Manager. Protocol-specific transport profiles of ACE are used to achieve communication security, proof-of-possession and server authentication.
 Alternative Workflow and OAuth Parameters for the Authentication and Authorization for Constrained Environments (ACE) Framework
 
 draft-ietf-ace-workflow-and-params-01.txt
 Date: 04/03/2024
 Authors: Marco Tiloca, Goeran Selander
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document updates the Authentication and Authorization for Constrained Environments Framework (ACE, RFC 9200) as follows. First, it defines a new, alternative workflow that the Authorization Server can use for uploading an access token to a Resource Server on behalf of the Client. Second, it defines new parameters and encodings for the OAuth 2.0 token endpoint at the Authorization Server. Third, it amends two of the requirements on profiles of the framework. Finally, it deprecates the original payload format of error responses that convey an error code, when CBOR is used to encode message payloads. For such error responses, it defines a new payload format aligned with RFC 9290, thus updating in this respect also the profiles of ACE defined in RFC 9202, RFC 9203, and RFC 9431.
 The Group Object Security for Constrained RESTful Environments (Group OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework
 
 draft-ietf-ace-group-oscore-profile-01.txt
 Date: 04/03/2024
 Authors: Marco Tiloca, Rikard Hoeglund, Francesca Palombini
 Working Group: Authentication and Authorization for Constrained Environments (ace)
This document specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework. The profile uses Group Object Security for Constrained RESTful Environments (Group OSCORE) to provide communication security between a Client and one or multiple Resource Servers that are members of an OSCORE group. The profile securely binds an OAuth 2.0 Access Token to the public key of the Client associated with the private key used by that Client in the OSCORE group. The profile uses Group OSCORE to achieve server authentication, as well as proof-of-possession for the Client's public key. Also, it provides proof of the Client's membership to the OSCORE group by binding the Access Token to information from the Group OSCORE Security Context, thus allowing the Resource Server(s) to verify the Client's membership upon receiving a message protected with Group OSCORE from the Client. Effectively, the profile enables fine-grained access control paired with secure group communication, in accordance with the Zero Trust principles.


Authentication and Authorization for Constrained Environments (ace)

WG Name Authentication and Authorization for Constrained Environments
Acronym ace
Area Security Area (sec)
State Active
Charter charter-ietf-ace-02 Approved
Status update Changed 2018-03-22
Document dependencies
Additional resources Issue tracker, Wiki, Zulip stream
Personnel Chairs Loganaden Velvindron, Tim Hollebeek
Area Director Paul Wouters
Delegate Paul Wouters
Mailing list Address ace@ietf.org
To subscribe https://www.ietf.org/mailman/listinfo/ace
Archive https://mailarchive.ietf.org/arch/browse/ace/
Chat Room address https://zulip.ietf.org/#narrow/stream/ace

Charter for Working Group

The Authentication and Authorization for Constrained Environments (ace) WG
has defined a standardized solution framework for authentication and
authorization to enable authorized access to resources identified by a URI
and hosted on a resource server in constrained environments.

The access to the resource is mediated by an authorization server, which is
not considered to be constrained.

Profiles of this framework for application to security protocols commonly
used in constrained environments, including CoAP+DTLS and CoAP+OSCORE, have
also been standardized. The Working Group is charged with maintenance of
the framework and existing profiles thereof, and may undertake work to
specify profiles of the framework for additional secure communications
protocols and for additional support services providing authorized access
to crypto keys (that are not necessarily limited to constrained endpoints,
though the focus remains on deployment in ecosystems with a substantial
portion of constrained devices).

In addition to the ongoing maintenance work, the Working Group will extend
the framework (originally designed to protect the exchange between single
client and single RS) as needed for applicability to group communications.
The initial focus will be on using (D)TLS and (Group) OSCORE as the underlying
communication security protocols. The Working Group will standardize
procedures for requesting and distributing group keying material using the ACE
framework, as well as appropriate management interfaces.

The Working Group will standardize a format for expressing authorization
information for a given authenticated principal as received from an
authorization manager.

The Working Group will examine how to use Constrained Application Protocol
(CoAP) as a transport medium for certificate enrollment protocols, such as
EST and CMPv2, as well as a transport for authentication protocols such as
EAP (in coordination with the EMU WG), and standardize as needed.

Milestones

Date Milestone Associated documents
Dec 2021 Submission to the IESG of "Admin Interface for the OSCORE Group Manager" draft-ietf-ace-oscore-gm-admin
Sep 2021 Submission to the IESG of "Key Management for OSCORE Groups in ACE" draft-ietf-ace-key-groupcomm-oscore
Aug 2021 Submission to the IESG of "EAP-based Authentication Service for CoAP" draft-marin-ace-wg-coap-eap
Jul 2021 Submission to the IESG of "Key Provisioning for Group Communication using ACE" draft-ietf-ace-key-groupcomm
Jul 2021 Submission to the IESG of "Pub-Sub Profile for Authentication and Authorization for Constrained Environments (ACE)" draft-ietf-ace-pubsub-profile
Jul 2021 Submission to the IESG of "Protecting EST Payloads with OSCORE" draft-selander-ace-coap-est-oscore
Jul 2021 Submission to the IESG of "An Authorization Information Format (AIF) for ACE" draft-ietf-ace-aif
Jun 2021 Submission to IESG of "CoAP Transport for CMPV2" (if adopted) draft-msahni-ace-cmpv2-coap-transport
Feb 2021 Call for adoption of "Protecting EST Payloads with OSCORE" draft-selander-ace-coap-est-oscore

Done milestones

Date Milestone Associated documents
Done Submit DTLS Profile for ACE to the IESG for publication as a proposed standard draft-ietf-ace-dtls-authorize
Done Adoption call of "EAP-based Authentication Service for CoAP" draft-marin-ace-wg-coap-eap
Done Submission to the IESG of "OSCORE Profile of the Authentication and Authorization for Constrained Environments Framework" draft-ietf-ace-oscore-profile
Done Adoption call for "CoAP Transport for CMPV2" draft-msahni-ace-cmpv2-coap-transport