The KDC might not have to store the 'cnonce' from a Join Request.
marco-tiloca-sics committed Oct 26, 2023
1 parent 402dcc0 commit 924308c
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion draft-ietf-ace-key-groupcomm.md
Expand Up @@ -963,7 +963,7 @@ PoP input:
~~~~~~~~~~~~~~~~~~~~
{: #fig-kdc-cred-input title="Example of PoP input to compute 'kdc_cred_verify' using CBOR encoding"}

After sending the Join Response, the KDC MUST store the N_C value specified in the 'cnonce' parameter of the Join Request, as a 'clientchallenge' value associated with the Client. If, as a group member, the Client later sends a GET request to the /ace-group/GROUPNAME/kdc-cred resource for retrieving the latest KDC's authentication credential (see {{kdc-pub-key-get}}), then the KDC is able to use the stored 'clientchallenge' for computing a PoP evidence to include in the response sent to the Client, hence proving the possession of its own private key.
After sending the Join Response, if the KDC has an associated authentication credential, the KDC MUST store the N_C value specified in the 'cnonce' parameter of the Join Request, as a clientchallenge value associated with the Client. If, as a group member, the Client later sends a GET request to the /ace-group/GROUPNAME/kdc-cred resource for retrieving the latest KDC's authentication credential (see {{kdc-pub-key-get}}), then the KDC is able to use the stored 'clientchallenge' for computing a PoP evidence to include in the response sent to the Client, hence proving the possession of its own private key.

If the Join Response includes the 'kdc_cred_verify' parameter, the Client verifies the conveyed PoP evidence and considers the group joining unsuccessful in case of failed verification. Application profiles of this specification MUST specify the exact approaches used by the Client to verify the PoP evidence in 'kdc_cred_verify', and MUST specify which of those approaches is used in which case (REQ21).

@@ -2499,6 +2499,8 @@ RFC EDITOR: PLEASE REMOVE THIS SECTION.

* Consistency fix: Clients always support the 'cnonce' parameter.

* The KDC might not have to store the 'cnonce' from a Join Request.

* Fixes and editorial improvements.

## Version -16 to -17 ## {#sec-16-17}
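Review bot: The new changelog bullet "The KDC might not have to store the 'cnonce' from a Join Request." describes the change too loosely to be useful to implementers reading the diff between versions; the other hunk makes the storage requirement conditional on the KDC having an associated authentication credential, so the entry should say so, e.g. "The KDC stores the 'cnonce' from a Join Request only if it has an associated authentication credential." Also consider placing it next to the preceding bullet about 'cnonce' support ("Consistency fix: Clients always support the 'cnonce' parameter.") as a single grouped item, since both concern the same parameter.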

0 comments on commit 924308c