diff --git a/draft-ietf-ace-key-groupcomm.md b/draft-ietf-ace-key-groupcomm.md index fb65693..1e9d9d7 100644 --- a/draft-ietf-ace-key-groupcomm.md +++ b/draft-ietf-ace-key-groupcomm.md @@ -123,7 +123,9 @@ Candidate group members acting as ACE Clients and authorized to join a group can In particular, this document defines the operations and interface available at the KDC, as well as general message formats for the interactions between Clients and KDC. At the same time, communications in the group can rely on different approaches, e.g., based on multicast {{I-D.ietf-core-groupcomm-bis}} or on publish-subscribe messaging {{I-D.ietf-core-coap-pubsub}}, and can be protected in different ways. -Therefore, this document delegates details on the communication and security approaches used in a group to separate application profiles. These are specialized instances of this document, targeting a particular group communication approach and defining how communications in the group are protected, as well as the specific keying material and configuration parameters provided to group members. In order to ensure consistency and aid the development of such application profiles, this document defines a number of related compliance requirements (see {{req}}). +Therefore, this document delegates details on the communication and security approaches used in a group to separate application profiles. These are specialized instances of this document, targeting a particular group communication approach and defining how communications in the group are protected, as well as the specific keying material and configuration parameters provided to group members. + +In order to ensure consistency and aid the development of such application profiles, {{req}} of this document defines a number of related compliance requirements. In particular, {{req-mandatory}} compiles the requirements that application profiles are REQUIRED to fulfill; these are referred to by an identifier that starts with "REQ". Instead, {{req-optional}} compiles the requirements that application profiles MAY fulfill; these are referred to by an identifier that starts with "OPT". New keying material is generated and distributed to the group upon membership changes (rekeying), if the application requires backward security (i.e., new group members must be prevented from accessing communications in the group prior to their joining) and forward security (i.e., former group members must be prevented from accessing communications in the group after their leaving). @@ -1889,8 +1891,8 @@ After that, the KDC sends one rekeying message addressed individually to C4 and | C1 | | C2 | | C3 | | C4 | '--------' '--------' '-----------' '---------------------------' [TO BE EVICTED] - | | - \______________ Stored group keying material (num=5) ________________/ +| | +\_______________ Stored group keying material (num=5) ________________/ ~~~~~~~~~~~ {: #fig-rekeying-example-2 title="Example of Message Exchanges for a One-to-Many Group Rekeying" artwork-align="center"} @@ -2485,7 +2487,7 @@ Expert reviewers should take into consideration the following points: This section lists the requirements on application profiles of this specification, for the convenience of application profile designers. -## Mandatory-to-Address Requirements +## Mandatory-to-Address Requirements {#req-mandatory} * REQ1: Specify the format and encoding of 'scope'. This includes defining the set of possible roles and their identifiers, as well as the corresponding encoding to use in the scope entries according to the used scope format (see {{ssec-authorization-request}}). @@ -2547,7 +2549,7 @@ This section lists the requirements on application profiles of this specificatio * REQ30: Define whether Clients must, should, or may support the conditional parameters defined in {{params}}, and under which circumstances. -## Optional-to-Address Requirements +## Optional-to-Address Requirements {#req-optional} * OPT1: Optionally, if the textual format of 'scope' is used, specify CBOR values to use for abbreviating the role identifiers in the group (see {{ssec-authorization-request}}).