From 786abf07bdebb0da1fe32a521ab5e7979785816f Mon Sep 17 00:00:00 2001 From: crimson Date: Thu, 26 Oct 2023 17:02:15 +0200 Subject: [PATCH 1/5] Fixed typo --- draft-ietf-ace-key-groupcomm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-ace-key-groupcomm.md b/draft-ietf-ace-key-groupcomm.md index 472c34f..b130b7b 100644 --- a/draft-ietf-ace-key-groupcomm.md +++ b/draft-ietf-ace-key-groupcomm.md @@ -867,7 +867,7 @@ Note to RFC Editor: In {{ace-groupcomm-profile-0}}, please replace "{{&SELF}}" w | Number | | | group members to | | | Synchroniza- | | | synchronize with | | | tion Method | | | sequence numbers of | | -| | | | of sender group | | +| | | | sender group | | | | | | members. Its value | | | | | | is taken from the | | | | | | 'Value' column of | | From 2ae8ba6925b8dce1dfa681fb79aa2e90bc033fcc Mon Sep 17 00:00:00 2001 From: crimson Date: Thu, 26 Oct 2023 17:04:58 +0200 Subject: [PATCH 2/5] Column names of the "CoAP Content-Formats" registry --- draft-ietf-ace-key-groupcomm.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-ace-key-groupcomm.md b/draft-ietf-ace-key-groupcomm.md index b130b7b..4076c24 100644 --- a/draft-ietf-ace-key-groupcomm.md +++ b/draft-ietf-ace-key-groupcomm.md @@ -2159,9 +2159,9 @@ This specification registers the 'application/ace-groupcomm+cbor' media type for IANA is asked to register the following entry to the "CoAP Content-Formats" registry within the "CoRE Parameters" registry group. -Media Type: application/ace-groupcomm+cbor +Content Type: application/ace-groupcomm+cbor -Encoding: - +Content Coding: - ID: TBD From 23aee77c45411942e57bdedb0692dcec902cbad0 Mon Sep 17 00:00:00 2001 From: crimson Date: Thu, 26 Oct 2023 17:10:50 +0200 Subject: [PATCH 3/5] Revised registration in the Interface Description (if=) Link Target Attribute Values registry --- draft-ietf-ace-key-groupcomm.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/draft-ietf-ace-key-groupcomm.md b/draft-ietf-ace-key-groupcomm.md index 4076c24..24cd634 100644 --- a/draft-ietf-ace-key-groupcomm.md +++ b/draft-ietf-ace-key-groupcomm.md @@ -2204,11 +2204,11 @@ Mappings" registry following the procedure specified in {{Section 8.10 of RFC920 IANA is asked to register the following entry in the "Interface Description (if=) Link Target Attribute Values" registry within the "CoRE Parameters" registry group. -* Attribute Value: ace.group +* Value: ace.group -* Description: The 'ace group' interface is used to provision keying material and related information and policies to members of a group using the ACE framework. +* Description: The KDC interface is used to provision keying material and related information and policies to members of a security group using the ACE framework. -* Reference: {{&SELF}} +* Reference: {{kdc-if}} of {{&SELF}} ## ACE Groupcomm Parameters {#iana-reg} From 4eaa82d74d8f91cd55a756a3e969472027f95004 Mon Sep 17 00:00:00 2001 From: crimson Date: Tue, 12 Dec 2023 15:47:24 +0100 Subject: [PATCH 4/5] Fixed CBOR Type of the 'exp' parameter --- draft-ietf-ace-key-groupcomm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-ace-key-groupcomm.md b/draft-ietf-ace-key-groupcomm.md index 24cd634..be61f1f 100644 --- a/draft-ietf-ace-key-groupcomm.md +++ b/draft-ietf-ace-key-groupcomm.md @@ -1942,7 +1942,7 @@ Note that the media type application/ace-groupcomm+cbor MUST be used when these +-----------------------+------+---------------------+------------+ | ace_groupcomm_profile | TBD | int | [RFC-XXXX] | +-----------------------+------+---------------------+------------+ -| exp | TBD | int | [RFC-XXXX] | +| exp | TBD | uint | [RFC-XXXX] | +-----------------------+------+---------------------+------------+ | creds | TBD | array | [RFC-XXXX] | +-----------------------+------+---------------------+------------+ From b48810e9c8771b08d8eb226917f0e409b73601c6 Mon Sep 17 00:00:00 2001 
From: crimson Date: Tue, 12 Dec 2023 17:31:23 +0100 Subject: [PATCH 5/5] IANA registration of two CoRE if= values: "ace.group" and "ace.groups" --- draft-ietf-ace-key-groupcomm.md | 59 ++++++++++++++++++++++++++++++--- 1 file changed, 55 insertions(+), 4 deletions(-) diff --git a/draft-ietf-ace-key-groupcomm.md b/draft-ietf-ace-key-groupcomm.md index be61f1f..eb0fd8f 100644 --- a/draft-ietf-ace-key-groupcomm.md +++ b/draft-ietf-ace-key-groupcomm.md @@ -39,6 +39,7 @@ author: normative: RFC2119: + RFC6690: RFC6749: RFC6838: RFC8126: 
@@ -495,18 +496,60 @@ Later on as a group member, the Client can also rely on the interface at the KDC ## Interface at the KDC {#kdc-if} -The KDC provides its interface by hosting the following resources. Note that the root url-path "/ace-group" used hereafter is a default name; implementations are not required to use this name, and can define their own instead. The Interface Description (if=) Link Target Attribute value "ace.group" is registered in {{if-ace-group}} and can be used to describe this interface. +The KDC provides its interface by hosting the following resources. Note that the root url-path "ace-group" used hereafter is a default name; implementations are not required to use this name, and can define their own instead. If request messages sent to the KDC as well as success response messages from the KDC include a payload and specify a Content-Format, those messages MUST have Content-Format set to application/ace-groupcomm+cbor, defined in {{content-type}}. CBOR labels for the message parameters are defined in {{params}}. -* /ace-group : the path of this resource is invariant once the resource is established, and indicates that this specification is used. If other applications run on a KDC implementing this specification and use this same path, those applications will collide, and a mechanism will be needed to differentiate the endpoints. +* /ace-group : the path of this root resource is invariant once the resource is established, and indicates that this specification is used. If other applications run on a KDC implementing this specification and use this same path, those applications will collide, and a mechanism will be needed to differentiate the endpoints. A Client can access this resource in order to retrieve a set of group names, each corresponding to one of the specified group identifiers. This operation is described in {{retrieval-gnames}}. 
-* /ace-group/GROUPNAME : one such sub-resource to /ace-group is hosted for each group with name GROUPNAME that the KDC manages, and contains the symmetric group keying material for that group. + The Interface Description (if=) Link Target Attribute value "ace.groups" is registered in {{if-ace-group}} and can be used to describe the interface provided by this root resource. + + The example below shows an exchange with a KDC with address 2001:db8::ab that hosts the resource /ace-group and returns a link to such a resource in link-format {{RFC6690}}. + + ~~~~~~~~~~~ + Request: + + Header: GET (Code=0.01) + Uri-Host: "kdc.example.com" + Uri-Path: ".well-known" + Uri-Path: "core" + Uri-Query: "if=ace.groups" + + Response: + + Header: Content (Code=2.05) + Content-Format: 40 (application/link-format) + Payload: + ;if="ace.groups" + ~~~~~~~~~~~ + +* /ace-group/GROUPNAME : one such sub-resource to /ace-group is hosted for each group with name GROUPNAME that the KDC manages. In particular, it is the group-membership resource associated with that group, of which it contains the symmetric group keying material. A Client can access this resource in order to join the group with name GROUPNAME, or later as a group member to retrieve the current group keying material. These operations are described in {{ssec-key-distribution-exchange}} and {{ssec-key-material-retrieval}}, respectively. + The Interface Description (if=) Link Target Attribute value "ace.group" is registered in {{if-ace-group}} and can be used to describe the interface provided by a group-membership resource. + + The example below shows an exchange with a KDC with address 2001:db8::ab that hosts the group-membership resource /ace-group/gp1 and returns a link to such a resource in link-format {{RFC6690}}. 
+ + ~~~~~~~~~~~ + Request: + + Header: GET (Code=0.01) + Uri-Host: "kdc.example.com" + Uri-Path: ".well-known" + Uri-Path: "core" + Uri-Query: "if=ace.group" + + Response: + + Header: Content (Code=2.05) + Content-Format: 40 (application/link-format) + Payload: + ;if="ace.group" + ~~~~~~~~~~~ + If the value of the GROUPNAME URI path and the group name in the access token scope ('gname' in {{ssec-authorization-response}}) are not required to coincide, the KDC MUST implement a mechanism to map the GROUPNAME value in the URI to the group name, in order to refer to the correct group (REQ7). * /ace-group/GROUPNAME/creds : the path of this resource is invariant once the resource is established. This resource contains the authentication credentials of all the members of the group with name GROUPNAME. @@ -2204,9 +2247,17 @@ Mappings" registry following the procedure specified in {{Section 8.10 of RFC920 IANA is asked to register the following entry in the "Interface Description (if=) Link Target Attribute Values" registry within the "CoRE Parameters" registry group. +* Value: ace.groups + +* Description: The KDC interface at the parent resource of group-membership resources is used to retrieve names of security groups using the ACE framework. + +* Reference: {{kdc-if}} of {{&SELF}} + +  + * Value: ace.group -* Description: The KDC interface is used to provision keying material and related information and policies to members of a security group using the ACE framework. +* Description: The KDC interface at a group-membership resource is used to provision keying material and related information and policies to members of the corresponding security group using the ACE framework. * Reference: {{kdc-if}} of {{&SELF}}
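Review bot: (PATCH 1/5, hunk @@ -867) Dropping the duplicated "of" shortens the cell content of a fixed-width ASCII table; check that the added line `| | | | sender group | |` is re-padded to the original column width so the `|` separators of that row still line up with the rows above and below it.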
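Review bot: (PATCH 2/5, hunk @@ -2159) The renamed fields "Content Type" and "Content Coding" match the column headings of the "CoAP Content-Formats" registry, but `ID: TBD` still tells IANA nothing about which range is being requested; that registry has separate policies per range (RFC 7252 Section 12.3: 0-255 Expert Review, 256-9999 IETF Review, 10000-64999 First Come First Served), so state the intended range, e.g. "ID: TBD (to be assigned from the 256-9999 range)" or an RFC Editor note to that effect.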
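Review bot: (PATCH 3/5, hunk @@ -2204) Renaming the field from "Attribute Value" to "Value" should be checked against the registry's own column heading: the "Interface Description (if=) Link Target Attribute Values" registry was created by RFC 6690 Section 7.4, whose registration template uses "Attribute Value", so the shorter label may not match what IANA expects. The hunk also changes the Description to speak of a "security group" where the old text said "group"; make sure that term is used consistently with the rest of the draft's terminology, and that the new `{{kdc-if}} of {{&SELF}}` reference renders as "Section N of RFC XXXX" in the IANA table.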
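Review bot: (PATCH 4/5, hunk @@ -1942) Changing the CBOR type of `exp` from `int` to `uint` is the right fix for an expiration time, which cannot be negative, but the IANA table is not the only place the type is stated: the definition of `exp` in the body text must say the value is an unsigned integer as well, and a receiver's validation (reject a negative or non-integer `exp`) follows from that definition, not from the table. Any other time-valued parameter registered in the same table should get the same review.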
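Review bot: (PATCH 5/5, hunk @@ -39) RFC6690 is added as a normative reference, but the only new citations of it in this patch are the two link-format examples in the KDC interface section; an example creates no implementation requirement, so unless the draft elsewhere requires KDC support for /.well-known/core discovery, listing RFC6690 under informative references is sufficient and avoids a needless downref discussion.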
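Review bot: (PATCH 5/5, hunk @@ -495) In both added examples the Payload line shows only `;if="ace.groups"` and `;if="ace.group"`: the link target itself, the URI-reference in angle brackets that precedes the attribute in link-format, is not visible, so verify it survived in the source (e.g. that the line reads `<coap://[2001:db8::ab]/ace-group>;if="ace.groups"`). Related inconsistencies in the same hunk: the prose introduces the KDC by its address 2001:db8::ab while the request carries `Uri-Host: "kdc.example.com"`, so pick one; and the new sentence "If request messages sent to the KDC as well as success response messages from the KDC include a payload and specify a Content-Format, those messages MUST have Content-Format set to application/ace-groupcomm+cbor" is immediately contradicted by the examples, where the KDC answers with `Content-Format: 40 (application/link-format)`, so scope that MUST to the resources under /ace-group rather than to every message the KDC sends. Finally, the second example shows a GET to /.well-known/core returning the group-membership resource /ace-group/gp1, i.e. a group name, to a client that has presented no access token; since retrieval of group names is otherwise described as an operation on /ace-group ({{retrieval-gnames}}), say whether a KDC may expose group names through unauthenticated discovery or should restrict the `if=ace.group` links to authorized clients.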
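Review bot: (PATCH 5/5, hunk @@ -2204) The unchanged context line above the hunk still reads "IANA is asked to register the following entry", while the hunk now registers two values, ace.groups and ace.group; change it to "the following entries". The separator line added between the two entries also appears to contain whitespace rather than being empty; make it a plain blank line so the two registrations render as separate items. The ace.groups Description, "used to retrieve names of security groups", is fine, but it should cite the same {{kdc-if}} section as ace.group only if that section describes the retrieval operation itself; otherwise point it at {{retrieval-gnames}}.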