]> Ericsson

goran.selander@ericsson.com

Ericsson

john.mattsson@ericsson.com

RISE

marco.tiloca@ri.se

RISE

rikard.hoglund@ri.se

Security ACE Working Group Internet-Draft This document specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework. It utilizes Ephemeral Diffie-Hellman Over COSE (EDHOC) for achieving mutual authentication between an OAuth 2.0 Client and Resource Server, and it binds an authentication credential of the Client to an OAuth 2.0 access token. EDHOC also establishes an Object Security for Constrained RESTful Environments (OSCORE) Security Context, which is used to secure communications when accessing protected resources according to the authorization information indicated in the access token. This profile can be used to delegate management of authorization information from a resource-constrained server to a trusted host with less severe limitations regarding processing power and memory.

Introduction This document defines the "coap_edhoc_oscore" profile of the ACE framework . This profile addresses a "zero-touch" constrained setting where trusted operations can be performed with low overhead without endpoint specific configurations. Like in the "coap_oscore" profile , also in this profile a client (C) and a resource server (RS) use the Constrained Application Protocol (CoAP) to communicate, and Object Security for Constrained RESTful Environments (OSCORE) to protect their communications, but this profile uses the Ephemeral Diffie-Hellman Over COSE (EDHOC) protocol to establish the OSCORE Security Context. The processing of requests for specific protected resources is identical to what is defined in the "coap_oscore" profile. When using this profile, C accesses protected resources hosted at RS with the use of an access token issued by a trusted authorization server (AS) and bound to an authentication credential of C. This differs from the "coap_oscore" profile, where the access token is bound to a symmetric key used to derive the OSCORE Security Context. As recommended in , this document recommends the use of CBOR Web Tokens (CWTs) as access tokens. An authentication credential can be a raw public key, e.g., encoded as a CWT Claims Set (CCS, ); or a public key certificate, e.g., encoded as an X.509 certificate or as a CBOR encoded X.509 certificate (C509, ); or a different type of data structure containing the public key of the peer in question. The ACE protocol establishes what those authentication credentials are, and may transport the actual authentication credentials by value or uniquely refer to them. If an authentication credential is pre-provisioned or can be obtained over less constrained links, then it suffices that ACE provides a unique reference such as a certificate hash (e.g., by using the COSE header parameter "x5t", see ). This is in the same spirit as EDHOC, where the authentication credentials may be transported or referenced in the ID_CRED_x message fields (see Section 3.5.3 of ). In general, AS and RS are likely to have trusted access to each other's authentication credentials, since AS acts on behalf of RS as per the trust model of ACE. Also, AS needs to have some information about C, including the relevant authentication credential, in order to identify C when it requests an access token and to determine what access rights it can be granted. However, the authentication credential of C may potentially be conveyed (or uniquely referred to) within the request for access that C makes to AS. The establishment of an association between RS and AS in an ACE ecosystem is out of scope, but one solution is to build on the same primitives as used in this document, i.e., EDHOC for authentication and OSCORE for communication security, using for example for onboarding RS with AS, and for establishing a trust anchor in RS. A similar procedure can also be applied between C and AS for registering a client and for the establishment of a trust anchor.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Certain security-related terms such as "authentication", "authorization", "confidentiality", "(data) integrity", "Message Authentication Code (MAC)", "Hash-based Message Authentication Code (HMAC)", and "verify" are taken from . RESTful terminology follows HTTP . Readers are expected to be familiar with the terms and concepts defined in CoAP , OSCORE , and EDHOC . Readers are also expected to be familiar with the terms and concepts of the ACE framework described in and in . Terminology for entities in the architecture is defined in OAuth 2.0 , such as the client (C), the resource server (RS), and the authorization server (AS). It is assumed in this document that a given resource on a specific RS is associated with a unique AS. Note that the term "endpoint" is used here, as in , following its OAuth definition, which is to denote resources such as /token and /introspect at AS and /authz-info at RS. The CoAP definition, which is "An entity participating in the CoAP protocol" is not used in this document. The authorization information (authz-info) resource refers to the authorization information endpoint as specified in . The term "claim" is used in this document with the same semantics as in , i.e., it denotes information carried in the access token or returned from introspection. Concise Binary Object Representation (CBOR) and Concise Data Definition Language (CDDL) are used in this document. CDDL predefined type names, especially bstr for CBOR byte strings and tstr for CBOR text strings, are used extensively in this document. Examples throughout this document are expressed in CBOR diagnostic notation without the tag and value abbreviations.

Protocol Overview This section gives an overview of how to use the ACE framework together with the authenticated key establishment protocol EDHOC . By doing so, the client (C) and the resource server (RS) generate an OSCORE Security Context associated with authorization information, and use that Security Context to protect their communications. The parameters needed by C to negotiate the use of this profile with the authorization server (AS), as well as the OSCORE setup process, are described in detail in the following sections. RS maintains a collection of authentication credentials. These are associated with OSCORE Security Contexts and with authorization information for all clients that RS is communicating with. The authorization information is used to enforce polices for processing requests from those clients. This profile specifies how C requests an access token from AS for the resources it wants to access on RS, by sending an access token request to the /token endpoint, as specified in . This profile also supports the alternative workflow where AS uploads the access token to RS, as defined in . If C has retrieved an access token, there are two options for C to upload it to RS, as further detailed in this document.

1. C posts the access token to the /authz-info endpoint by using the mechanisms specified in . If the access token is valid, RS responds to the request with a 2.01 (Created) response, after which C initiates the EDHOC protocol with RS. The communication with the /authz-info endpoint is not protected, except for the update of access rights (see ).
2. C initiates the EDHOC protocol and includes the access token as External Authorization Data (EAD), see . In this case, the access token is validated in parallel with the EDHOC session. This option cannot be used for the update of access rights.

When running the EDHOC protocol, C uses the authentication credential of RS specified by AS together with the access token, while RS uses the authentication credential of C bound to and specified within the access token. If C and RS complete the EDHOC session successfully, they are mutually authenticated and they derive an OSCORE Security Context as per . Also, RS associates the two used authentication credentials and the completed EDHOC session with the derived Security Context. The latter is in turn associated with the access token and the access rights of C specified therein. From then on, C effectively gains authorized and secure access to protected resources on RS with the established OSCORE Security Context, for as long as the access token is valid. The Security Context is discarded when an access token (whether the same or a different one) is used to successfully derive a new Security Context for C. After the whole procedure has completed and while the access token is valid, C can contact AS to request an update of its access rights, by sending a similar request to the /token endpoint. This request also includes an EDHOC session identifier (see ), which allows AS to find the data it has previously shared with C. The session identifier is assigned by AS and used to identify a series of access tokens, called a "token series" (see ). Upon a successful update of access rights (see ), the new issued access token becomes the latest in its token series. When the latest access token of a token series becomes invalid (e.g., when it expires or gets revoked), that token series ends. An overview of the profile flow for the "coap_edhoc_oscore" profile in case of option 1 above is given in . The names of messages coincide with those of when applicable.

Protocol Overview Example | | | | | ------- POST /token ------------------------------> | | | | | <-------------------------------- Access Token ----- | | + Access Information | | | | | ---- POST /authz-info ---> | | | (access_token) | | | | | | <----- 2.01 Created ------ | | | | | | <========= EDHOC ========> | | | Mutual authentication | | | and derivation of an | | | OSCORE Security Context | | | | | | /Proof-of-possession and | | Security Context storage/ | | | | | ---- OSCORE Request -----> | | | | | | <--- OSCORE Response ----- | | | | | /Proof-of-possession | | and Security Context | | storage (latest)/ | | | | | | ---- OSCORE Request -----> | | | | | | <--- OSCORE Response ----- | | | | | | ... | | ]]>

Client-AS Communication The following subsections describe the details of the POST request and response to the /token endpoint between C and AS. In this exchange, AS provides C with the access token, together with a set of parameters that enable C to run EDHOC with RS. In particular, these include information about the authorization credential of RS, AUTH_CRED_RS, transported by value or uniquely referred to. The access token is securely associated with the authentication credential of C, AUTH_CRED_C, by including it or uniquely referring to it in the access token. AUTH_CRED_C is specified in the "req_cnf" parameter defined in of the POST request to the /token endpoint from C to AS, either transported by value or uniquely referred to. The request to the /token endpoint and the corresponding response can include EDHOC_Information, which is a CBOR map object containing information related to an EDHOC session, in particular the identifier "session_id", see . This object is transported in the "edhoc_info" parameter registered in and .

C-to-AS: POST to /token endpoint The client-to-AS request is specified in . The client MUST send this POST request to the /token endpoint over a secure channel that guarantees authentication, message integrity, and confidentiality (see ). This document describes the use of CoAP, EDHOC and OSCORE to reduce the number of libraries that C has to support. An example of such a request is shown in . In this example, C specifies its own authentication credential by reference, as the hash of an X.509 certificate carried in the "x5t" field of the "req_cnf" parameter. In fact, it is expected that C can typically specify its own authentication credential by reference, since AS is expected to obtain the actual authentication credential during a previous client registration process or secure association establishment with C.

Example of C-to-AS POST /token request for an access token.

If C wants to update its access rights without changing an existing OSCORE Security Context, it MUST include EDHOC_Information in its POST request to the /token endpoint. The EDHOC_Information MUST include the "session_id" field. This POST request MUST omit the "req_cnf" parameter. An example of such a request is shown in . The identifier "session_id" is assigned by AS as discussed in , and, together with other information such as audience (see ), can be used by AS to determine the token series to which the new requested access token has to be added. AS MUST verify that the received "session_id" identifies a token series to which a still valid access token issued for C and RS belongs. If that is not the case, the Client-to-AS request MUST be declined with the error code "invalid_request" as defined in .

Example of C-to-AS POST /token request for updating access rights to an access token.

Token Series This document refers to "token series" as a series of access tokens sorted in chronological order as they are released, characterized by the following properties:

• issued by the same AS
• issued to the same C, and associated with the same authentication credential of C
• issued for the same RS, identified by the same authentication credential

Upon a successful update of access rights, the new issued access token becomes the latest in its token series. When the latest access token of a token series becomes invalid (e.g., due to its expiration or revocation), the token series it belongs to ends. A more general token series concept is described in Appendix B of ). In this profile, a token series is characterized by the access tokens associated with an EDHOC session between C and RS, and identified by the session_id of the EDHOC_Information, see . All access tokens belonging to the same token series are associated with the same session_id, which does not change throughout the series lifetime. AS assigns the session_id to the EDHOC_Information when issuing the first access token of a new series. When assigning the identifier, AS MUST ensure that it was not used in a previous series whose access tokens share the following properties with the access tokens of the new series:

• i) issued for the same RS; and
• ii) bound to the same authentication credential AUTH_CRED_C of the requesting client (irrespectively of how the AUTH_CRED_C is identified in the access tokens).

The session_id MUST identify the pair (AUTH_CRED_C, AUTH_CRED_RS) associated with a still valid access token previously issued for C and RS by AS. In case the access token is issued for a group-audience (see ), what is defined above applies, with the difference that the token series is associated with: all the RSs in the group-audience; all the EDHOC sessions between C and each RS; and the AUTH_CRED_RS of each RS.

AS-to-C: Response After verifying the POST request to the /token endpoint and that C is authorized to access, AS responds as defined in , with potential modifications as detailed below. If the request from C was invalid, or not authorized, AS returns an error response as described in . AS can signal that the use of EDHOC and OSCORE as per this profile is REQUIRED for a specific access token, by including the "ace_profile" parameter with the value "coap_edhoc_oscore" in the access token response. This means that C MUST use EDHOC with RS and derive an OSCORE Security Context, as specified in . After that, C MUST use the established OSCORE Security Context to protect communications with RS, when accessing protected resources at RS according to the authorization information indicated in the access token. Usually, it is assumed that constrained devices will be pre-configured with the necessary profile, so that this kind of profile signaling can be omitted. The access token may be sent in the access token response to C for subsequent provisioning to RS, or the access token may be uploaded by AS directly to RS, as specified in .

• In the former case, AS provides the access token to C, by specifying it in the "access_token" parameter of the access token response.
• In the latter case, AS uploads the access token to the /authz-info endpoint at RS, similarly to what is defined for C in and . In case of successful token upload, the access token response to C does not include the parameter "access_token", and includes the parameter "token_uploaded" encoding the CBOR simple value "true" (0xf5). An example is given in .

When issuing any access token, AS MUST send the following data in the response to C.

• The "session_id" field of EDHOC_Information, which is the identifier of the token series which the issued access token belongs to.

When issuing the first access token of a token series, AS MUST send the following data in the response to C.

• A unique identification of the authentication credential of RS, AUTH_CRED_RS. This is specified in the "rs_cnf" parameter defined in . AUTH_CRED_RS can be transported by value or referred to by means of an appropriate identifier. When issuing the first access token ever to a pair (C, RS) using a pair of corresponding authentication credentials (AUTH_CRED_C, AUTH_CRED_RS), it is typically expected that the response to C may include AUTH_CRED_RS by value. When later issuing further access tokens to the same pair (C, RS) using the same AUTH_CRED_RS, it is expected that the response to C includes AUTH_CRED_RS by reference.

When issuing the first access token of a token series, AS MAY send EDHOC_Information related to RS, see , in corresponding fields of the response to C. This information is based on knowledge that AS have about RS, e.g., from a previous onboarding process, with particular reference to what RS supports as EDHOC peer. shows an example of an AS response. The "rs_cnf" parameter specifies the authentication credential of RS, as an X.509 certificate transported by value in the "x5chain" field. The access token and the authentication credential of RS have been truncated for readability.

Example of AS-to-C Access Token response with EDHOC and OSCORE profile.

Access Token When issuing any access token of a token series, AS MUST specify the following data in the claims associated with the access token.

• The "session_id" field of EDHOC_Information, with the same value specified in the response to C from the /token endpoint.
• The authentication credential that C specified in its POST request to the /token endpoint (see ), AUTH_CRED_C. If the access token is a CWT, this information MUST be specified in the "cnf" claim. In the access token, AUTH_CRED_C can be transported by value or uniquely referred to by means of an appropriate identifier, regardless of how C specified it in the request to the /token endpoint. Thus, the specific field carried in the access token claim and specifying AUTH_CRED_C depends on the specific way used by AS. When issuing the first access token ever to a pair (C, RS) using a pair of corresponding authentication credentials (AUTH_CRED_C, AUTH_CRED_RS), it is typically expected that AUTH_CRED_C is included by value. When later issuing further access tokens to the same pair (C, RS) using the same AUTH_CRED_C, it is expected that AUTH_CRED_C is identified by reference.

When issuing the first access token of a token series, AS MAY specify the following EDHOC_Information (see ) in the claims associated with the access token. If these data are specified in the response to C from the /token endpoint, they MUST be included with the same values in the access token.

• osc_ms_len: The size of the OSCORE Master Secret. If it is not included, the default value from is assumed.
• osc_salt_len: The size of the OSCORE Master Salt. If it is not included, the default value from is assumed.
• osc_version: The OSCORE version. If it is not included, the default value of 1 (see ) is assumed.

When CWTs are used as access tokens, EDHOC_Information MUST be transported in the "edhoc_info" claim, defined in . Since the access token does not contain secret information, only its integrity and source authentication are strictly necessary to ensure. Therefore, AS can protect the access token with either of the means discussed in . Nevertheless, when using this profile, it is RECOMMENDED that the access token is a CBOR web token (CWT) protected with COSE_Encrypt/COSE_Encrypt0 as specified in . shows an example CWT Claims Set, including the relevant EDHOC parameters in the "edhoc_info" claim. The "cnf" claim specifies the authentication credential of C, as an X.509 certificate transported by value in the "x5chain" field. The authentication credential of C has been truncated for readability.

Example of CWT Claims Set with EDHOC parameters.

Processing in C When receiving an Access Token response including the "rs_cnf" parameter, C checks whether it is already storing the authentication credential of RS, namely AUTH_CRED_RS, specified in "rs_cnf" by value or reference. If this is not the case, C retrieves AUTH_CRED_RS, either using the "rs_cnf" parameter or some other trusted source. After that, C validates the actual AUTH_CRED_RS. In case of successful validation, C stores AUTH_CRED_RS as a valid authentication credential. Otherwise, C MUST delete the access token.

Update of Access Rights If C has requested an update to its access rights using the same OSCORE Security Context, which is valid and authorized, then:

• The response MUST NOT include the "rs_cnf" parameter.
• The EDHOC_Information in the response MUST include only the "session_id" field.
• The EDHOC_Information in the access token MUST include only the "session_id" field. In particular, if the access token is a CWT, the "edhoc_info" claim MUST include only the "session_id" field.

The "session_id" needs to be included in the new access token in order for RS to identify the old access token to supersede, as well as the OSCORE Security Context already shared between C and RS and to be associated with the new access token.

EDHOC_Information EDHOC_Information is an object including information that guides two peers towards executing the EDHOC protocol. In particular, the EDHOC_Information is defined to be serialized and transported between nodes, as specified by this document, but it can also be used by other specifications if needed. The EDHOC_Information can either be encoded as a JSON object or as a CBOR map. The set of common fields that can appear in an EDHOC_Information can be found in the IANA "EDHOC Information" registry (see ), defined for extensibility, and the initial set of parameters defined in this document is specified below. All parameters are optional. provides a summary of the EDHOC_Information parameters defined in this section.

EDHOC_Information Parameters

• session_id: This parameter identifies an EDHOC session and is encoded as a byte string. In JSON, the "session_id" value is a Base64 encoded byte string. In CBOR, the "session_id" type is a byte string, and has label 0.
• methods: This parameter specifies a set of supported EDHOC methods (see ). If the set is composed of a single EDHOC method, this is encoded as an integer. Otherwise, the set is encoded as an array of integers, where each array element encodes one EDHOC method. In JSON, the "methods" value is an integer or an array of integers. In CBOR, the "methods" is an integer or an array of integers, and has label 1.
• cipher_suites: This parameter specifies a set of supported EDHOC cipher suites (see ). If the set is composed of a single EDHOC cipher suite, this is encoded as an integer. Otherwise, the set is encoded as an array of integers, where each array element encodes one EDHOC cipher suite. In JSON, the "cipher_suites" value is an integer or an array of integers. In CBOR, the "cipher_suites" is an integer or an array of integers, and has label 2.
• message_4: This parameter indicates whether the EDHOC message_4 (see ) is supported. In JSON, the "message_4" value is a boolean. In CBOR, "message_4" is the simple value "true" or "false", and has label 4.
• comb_req: This parameter indicates whether the combined EDHOC + OSCORE request defined in ) is supported. In JSON, the "comb_req" value is a boolean. In CBOR, "comb_req" is the simple value "true" or "false", and has label 5.
• uri_path: This parameter specifies the path component of the URI of the EDHOC resource where EDHOC messages have to be sent as requests. In JSON, the "uri_path" value is a string. In CBOR, "uri_path" is a text string, and has label 6.
• osc_ms_len: This parameter specifies the size in bytes of the OSCORE Master Secret to derive after the EDHOC session, as per . In JSON, the "osc_ms_len" value is an integer. In CBOR, the "osc_ms_len" type is unsigned integer, and has label 7.
• osc_salt_len: This parameter specifies the size in bytes of the OSCORE Master Salt to derive after the EDHOC session, as per . In JSON, the "osc_salt_len" value is an integer. In CBOR, the "osc_salt_len" type is unsigned integer, and has label 8.
• osc_version: This parameter specifies the OSCORE Version number that the two EDHOC peers have to use when using OSCORE. For more information about this parameter, see . In JSON, the "osc_version" value is an integer. In CBOR, the "osc_version" type is unsigned integer, and has label 9.

An example of JSON EDHOC_Information is given in .

Example of JSON EDHOC_Information

The CDDL grammar describing the CBOR EDHOC_Information is: bstr, ; id ? 1 => int / array, ; methods ? 2 => int / array, ; cipher_suites ? 3 => true / false, ; message_4 ? 4 => true / false, ; comb_req ? 5 => tstr, ; uri_path ? 6 => uint, ; osc_ms_len ? 7 => uint, ; osc_salt_len ? 8 => uint, ; osc_version * int / tstr => any } ]]>

Client-RS Communication This section describes the exchanges between C and RS, which comprise the token uploading to RS, and the execution of the EDHOC protocol. Note that AS may have uploaded the access token directly to RS (see ). In order to upload the access token to RS, C can send a POST request to the /authz-info endpoint at RS. This is detailed in and , and shown by the example in . Alternatively, C can upload the access token while executing the EDHOC protocol, by transporting the access token in an EAD field of an EDHOC message sent to RS. This is further discussed in and , and shown by the example in . In either case, C and RS run the EDHOC protocol by exchanging POST requests and related responses to a dedicated EDHOC resource at RS (see ). Once completed the EDHOC session, C and RS have agreed on a common secret key PRK_out (see ), from which they establish an OSCORE Security Context (see ). After that, C and RS use the established OSCORE Security Context to protect their communications when accessing protected resources at RS, as per the access rights specified in the access token (see ). C and RS are mutually authenticated once they have successfully completed the EDHOC protocol. RS gets key confirmation of PRK_out by C at the end of the successful EDHOC session. Conversely, C get key confirmation of PRK_out by RS either when receiving and successfully verifying the optional EDHOC message_4 from RS, or when successfully verifying a response from RS protected with the generated OSCORE Security Context.

C-to-RS: POST to /authz-info endpoint The access token can be uploaded to RS by using the /authz-info endpoint at RS. To this end, C uses CoAP and the Authorization Information endpoint described in in order to transport the access token. That is, C sends a POST request to the /authz-info endpoint at RS, with the request payload conveying the access token without any CBOR wrapping. As per , the Content-Format of the POST request has to reflect the format of the transported access token. In particular, if the access token is a CWT, the Content-Format MUST be "application/cwt". The communication with the /authz-info endpoint is in general not protected, except in the case of updating the access rights (see ).

RS-to-C: 2.01 (Created) Upon receiving an access token from C, RS MUST follow the procedures defined in . That is, RS must verify the validity of the access token. RS may make an introspection request (see ) to validate the access token. If the access token is valid, RS proceeds as follows. RS checks whether it is already storing the authentication credential of C, AUTH_CRED_C, specified in the "cnf" claim of the access token by value or by reference. If not, RS retrieves AUTH_CRED_C, either using the "cnf" claim or some other trusted source. If RS fails to find or validate AUTH_CRED_C, then RS MUST respond with an error response code equivalent to the CoAP code 4.00 (Bad Request). RS may provide additional information in the payload of the error response, in order to clarify what went wrong. If, instead, the access token is valid but associated with claims that RS cannot process (e.g., an unknown scope), or if any of the expected parameters is missing (e.g., any of the mandatory parameters from AS or the identifier "session_id"), or if any parameters received in the EDHOC_Information is unrecognized, then RS MUST respond with an error response code equivalent to the CoAP code 4.00 (Bad Request). In the latter two cases, RS may provide additional information in the payload of the error response, in order to clarify what went wrong. If all validations are successful, RS MUST reply to the POST request with a 2.01 (Created) response. When an access token becomes invalid (e.g., due to its expiration or revocation), RS MUST delete the access token and the associated OSCORE Security Context, and MUST notify C with an error response with code 4.01 (Unauthorized) for any long running request, as specified in .

Access Token in External Authorization Data Instead of uploading the access token to the /authz-info endpoint at RS as described in , C MAY include the access token either in EDHOC message_1 or message_3 by making use of the External Authorization Data fields (see ). The former is shown by the example in . In the latter case, the access token is encrypted between C and RS, which provides an alternative for protecting potential sensitive information in the access token. Editor's note: Shall we remove the EAD_1 case? The case POST /token offers already early abort, and the EAD_3 case is equally efficient but offers better protection of the access token. This document defines the EAD item EAD_ACCESS_TOKEN = (ead_label, ead_value), where:

• ead_label is the integer value TBD registered in , and
• ead_value is a CBOR byte string equal to the value of the "access_token" field of the access token response from AS (see ).

This EAD item, which may be used either in EAD_1 or EAD_3, is critical, i.e., it is used only with the negative value of its ead_label, indicating that the receiving RS must either process the access token or abort the EDHOC session (see ). Access tokens are only transported in EAD fields for the first access token of a token series and not for the update of access rights.

EDHOC Session and OSCORE Security Context In order to mutually authenticate and establish a secure association, C and RS run the EDHOC protocol with C as EDHOC Initiator and RS as EDHOC Responder. As per , C sends EDHOC message_1 and EDHOC message_3 to an EDHOC resource at RS, as CoAP POST requests. RS sends EDHOC message_2 and (optionally) EDHOC message_4 as 2.04 (Changed) CoAP responses. C MUST target the EDHOC resource at RS with the URI path specified in the "uri_path" field of the EDHOC_Information in the access token response received from AS (see ), if present. In order to seamlessly run EDHOC, a client does not have to first upload to RS an access token whose scope explicitly indicates authorized access to the EDHOC resource. At the same time, RS has to ensure that attackers cannot perform requests on the EDHOC resource, other than sending EDHOC messages. Specifically, it SHOULD NOT be possible to perform anything else than POST on an EDHOC resource.

EDHOC message_1 The processing of EDHOC message_1 is specified in . Additionally, the following applies:

• The EDHOC method MUST be one of the EDHOC methods specified in the "methods" field (if present) in the EDHOC_Information of the access token response to C.
• The selected cipher suite MUST be an EDHOC cipher suite specified in the "cipher_suites" field (if present) in the EDHOC_Information of the access token response to C.
• If the access token is provisioned with EDHOC message_1 as specified in , then C adds the EAD item EAD_ACCESS_TOKEN = (-ead_label, ead_value) to the EAD_1 field. If EAD_1 includes EAD_ACCESS_TOKEN, then RS MUST process the access token carried in ead_value as specified in . If this processing fails, RS MUST reply to C with an EDHOC error message with ERR_CODE 1 (see ), and it MUST abort the EDHOC session. RS MUST have successfully completed the processing of the access token before continuing the EDHOC session by sending EDHOC message_2.

EDHOC message_2 The processing of EDHOC message_2 is specified in with the following additions:

• The authentication credential CRED_R indicated by the message field ID_CRED_R is AUTH_CRED_RS.

EDHOC message_3 The processing of EDHOC message_3 is specified in with the following additions:

• The authentication credential CRED_I indicated by the message field ID_CRED_I is AUTH_CRED_C.
• If the access token is provisioned with EDHOC message_3 as specified in , then C adds the EAD item EAD_ACCESS_TOKEN = (-ead_label, ead_value) to the EAD_3 field. If EAD_3 includes EAD_ACCESS_TOKEN, then RS MUST process the access token carried in ead_value as specified in . If such a process fails, RS MUST reply to C with an EDHOC error message with ERR_CODE 1 (see ), and it MUST abort the EDHOC session. RS MUST have successfully completed the processing of the access token before completing the EDHOC session.

OSCORE Security Context Once successfully completed the EDHOC session, C and RS derive an OSCORE Security Context, as defined in . In addition, the following applies.

• The length in bytes of the OSCORE Master Secret (i.e., the oscore_key_length parameter, see ) MUST be the value specified in the "osc_ms_size" field (if present) in the EDHOC_Information of the access token response to C, and of the access token provisioned to RS, respectively.
• The length in bytes of the OSCORE Master Salt (i.e., the oscore_salt_length parameter, see ) MUST be the value specified in the "osc_salt_size" field (if present) in the EDHOC_Information of the access token response to C, and of the access token provisioned to RS, respectively.
• C and RS MUST use the OSCORE version specified in the "osc_version" field (if present) in the EDHOC_Information of the access token response to C, and of the access token provisioned to RS, respectively.
• RS associates the derived OSCORE Security Context with the stored access token, which is bound to the authentication credential (AUTH_CRED_C = CRED_I) used in the EDHOC session.

If supported by C, C MAY use the EDHOC + OSCORE combined request defined in , unless the "comb_req" field of the EDHOC_Information was present in the access token response and set to the CBOR simple value "false" (0xf4). In the combined request, both EDHOC message_3 and the first OSCORE-protected application request are combined together in a single OSCORE-protected CoAP request, thus saving one round trip. For an example, see . This requires C to derive the OSCORE Security Context with RS already after having successfully processed the received EDHOC message_2 and before sending EDHOC message_3.

Update of Access Rights If C has already established access rights and an OSCORE Security Context with RS, then C can update its access rights by posting a new access token to the /authz-info endpoint. The new access token contains the updated access rights for C to access protected resources at RS, and C has to obtain it from AS as a new access token in the same token series of the current one (see ). When posting the new access token to the /authz-info endpoint, C MUST protect the POST request using the current OSCORE Security Context shared with RS. After successful verification (see ), RS will replace the old access token with the new one, while preserving the same OSCORE Security Context. In particular, C and RS do not re-run the EDHOC protocol and they do not establish a new OSCORE Security Context. Editor's note: Add description about the alternative when the AS uploads the new access token to RS. If RS receives an access token in an OSCORE protected request, it means that C is requesting an update of access rights. In this case, RS MUST check the following conditions:

• RS checks whether it stores an access token T_OLD, such that the "session_id" field of EDHOC_Information matches the "session_id" field of EDHOC_Information in the new access token T_NEW.
• RS checks whether the OSCORE Security Context CTX used to protect the request matches the OSCORE Security Context associated with the stored access token T_OLD.

If both the conditions above hold, RS MUST replace the old access token T_OLD with the new access token T_NEW, and associate T_NEW with the OSCORE Security Context CTX. Then, RS MUST respond with a 2.01 (Created) response protected with the same OSCORE Security Context, with no payload. Otherwise, RS MUST respond with a 4.01 (Unauthorized) error response. RS may provide additional information in the payload of the error response, in order to clarify what went wrong. As specified in , when receiving an updated access token with updated authorization information from C (see ), it is recommended that RS overwrites the previous access token. That is, only the latest authorization information in the access token received by RS is valid. This simplifies the process needed by RS to keep track of authorization information for a given client.

Discarding the Security Context There are a number of cases where C or RS have to discard the OSCORE Security Context, and possibly establish a new one. C MUST discard the current OSCORE Security Context shared with RS when any of the following occurs.

• The OSCORE Sender Sequence Number space of C is exhausted.
• The access token associated with the OSCORE Security Context becomes invalid, for example due to expiration or revocation.
• C receives a number of unprotected 4.01 (Unauthorized) responses to OSCORE-protected requests, which are sent to RS and protected using the same OSCORE Security Context. The exact number of such received responses needs to be specified by the application. This may for example happen due to lack of storage in RS, which then sends the "AS Request Creation Hints" message (see ).
• The authentication credential of C (of RS) becomes invalid, e.g., due to expiration or revocation, and it was used as CRED_I (CRED_R) in the EDHOC session to establish the OSCORE Security Context.

RS MUST discard the current OSCORE Security Context shared with C when any of the following occurs:

• The OSCORE Sender Sequence Number space of RS is exhausted.
• The access token associated with the OSCORE Security Context becomes invalid, for example due to expiration or revocation.
• The authentication credential of C (of RS) becomes invalid (e.g., due to expiration or revocation), and it was used as CRED_I (CRED_R) in the EDHOC session to establish the OSCORE Security Context.

After a new access token is successfully uploaded to RS, and a new OSCORE Security Context is established between C and RS, messages still in transit that were protected with the previous OSCORE Security Context might not be successfully verified by the recipient, since the old OSCORE Security Context might have been discarded. This means that messages sent shortly before C has uploaded the new access token to RS might not be successfully accepted by the recipient. Furthermore, implementations may want to cancel CoAP observations at RS, if registered before the new OSCORE Security Context has been established. Alternatively, applications need to implement a mechanism to ensure that, from then on, messages exchanged within those observations are going to be protected with the newly derived OSCORE Security Context.

Cases of Establishing a New OSCORE Security Context The procedure of provisioning a new access token to RS specified in this section applies to various cases when an OSCORE Security Context shared between C and RS has been deleted, for example as described in . Another exceptional case is when there is still a valid OSCORE Security Context but it needs to be updated, e.g., due to a policy limiting its use in terms of time or amount of processed data, or to the imminent exhaustion of the OSCORE Sender Sequence Number space. In this case, C and RS SHALL attempt to run the KUDOS key update protocol , which is a lightweight alternative independent of ACE and EDHOC that does not require the posting of an access token. If KUDOS is not supported, then C and RS falls back to EDHOC as outlined above. In either case, C and RS establish a new OSCORE Security Context that replaces the old one and will be used for protecting their communications from then on. In particular, RS MUST associate the new OSCORE Security Context with the current (potentially re-posted) access token. Unless C and RS re-run the EDHOC protocol, they preserve their OSCORE identifiers, i.e., the OSCORE Sender/Recipient IDs.

Access Rights Verification RS MUST follow the procedures defined in . That is, if RS receives an OSCORE-protected request targeting a protected resource from C, then RS processes the request according to , when Version 1 of OSCORE is used. Future specifications may define new versions of OSCORE, which AS can indicate C and RS to use by means of the "osc_version" field of EDHOC_Information (see ). If OSCORE verification succeeds and the target resource requires authorization, RS retrieves the authorization information using the access token associated with the OSCORE Security Context. Then, RS must verify that the authorization information covers the target resource and the action intended by C on it.

Secure Communication with AS As specified in the ACE framework (see Sections and of ), the requesting entity (RS and/or C) and AS communicates via the /token or /introspect endpoint. When using this profile, the use of CoAP and OSCORE for this communication is RECOMMENDED. Other protocols fulfilling the security requirements defined in (such as HTTP and DTLS or TLS ) MAY be used instead. If OSCORE is used, the requesting entity and AS need to have an OSCORE Security Context in place. While this can be pre-installed, the requesting entity and AS can establish such an OSCORE Security Context, for example, by running the EDHOC protocol, as shown between C and AS by the examples in , , and . Furthermore, as discussed in and shown by the example in , AS may upload an access token directly to the /authz-info endpoint at RS. Unless encryption is applied, that exchange between AS and RS discloses the plain text token, just like when C uses the /authz-info endpoint at RS to upload a first token in a series. Editor's note: Elaborate on how to encrypt the token from AS to RS, since there is a pre-established security context.

CWT Confirmation Metods This document defines a number of new CWT confirmation methods (see ). The semantics of each confirmation method is defined below.

Ordered Chain of X.509 Certificates The confirmation method "x5chain" specifies an ordered array of X.509 certificates . The semantics of "x5chain" is like that of the "x5chain" COSE Header Parameter specified in .

Unordered Bag of X.509 Certificates The confirmation method "x5bag" specifies a bag of X.509 certificates . The semantics of "x5bag" is like that of the "x5bag" COSE Header Parameter specified in .

Hash of an X.509 Certificate The confirmation method "x5t" specifies the hash value of the end-entity X.509 certificate . The semantics of "x5t" is like that of the "x5t" COSE Header Parameter specified in .

URI Pointing to an Ordered Chain of X.509 Certificates The confirmation method "x5u" specifies the URI of an ordered chain of X.509 certificates . The semantics of "x5u" is like that of the "x5u" COSE Header Parameter specified in .

Ordered Chain of C509 Certificates The confirmation method "c5c" specifies an ordered array of C509 certificates . The semantics of "c5c" is like that of the "c5c" COSE Header Parameter specified in .

Unordered Bag of C509 Certificates The confirmation method "c5b" specifies a bag of C509 certificates . The semantics of "c5b" is like that of the "c5b" COSE Header Parameter specified in .

Hash of a C509 Certificate The confirmation method "c5t" specifies the hash value of the end-entity C509 certificate . The semantics of "c5t" is like that of the "c5t" COSE Header Parameter specified in .

URI Pointing to an Ordered Chain of C509 Certificates The confirmation method "c5u" specifies the URI of a COSE_C509 containing an ordered chain of C509 certificates . COSE_C509 is defined in . The semantics of "c5u" is like that of the "c5u" COSE Header Parameter specified in .

CWT Containing a COSE_Key The confirmation method "kcwt" specifies a CBOR Web Token (CWT) containing a COSE_Key in a 'cnf' claim and possibly other claims. The semantics of "kcwt" is like that of the "kcwt" COSE Header Parameter specified in .

CCS Containing a COSE_Key The confirmation method "kccs" specifies a CWT Claims Set (CCS) containing a COSE_Key in a 'cnf' claim and possibly other claims. The semantics of "kccs" is like that of the "kccs" COSE Header Parameter specified in .

JWT Confirmation Metods This document defines a number of new JWT confirmation methods (see ). The semantics of each confirmation method is defined below.

Ordered Chain of X.509 Certificates The confirmation method "x5c" specifies an ordered array of X.509 certificates . The semantics of "x5c" is like that of the "x5c" JSON Web Signature and Encryption Header Parameter specified in , with the following difference. The public key contained in the first certificate is the proof-of-possession key and does not have to correspond to a key used to digitally sign the JWS.

Unordered Bag of X.509 Certificates The confirmation method "x5b" specifies a bag of X.509 certificates . The semantics of the "x5b" is like that of the "x5c" JWT confirmation method defined in , with the following differences. First, the set of certificates is unordered and may contain self-signed certificates. Second, the composition and processing of "x5b" are like for the "x5bag" COSE Header Parameter defined in .

Hash of an X.509 Certificate The confirmation method "x5t" specifies the hash value of the end-entity X.509 certificate . The semantics of "x5t" is like that of the "x5t" JSON Web Signature and Encryption Header Parameter specified in .

URI Pointing to an Ordered Chain of X.509 Certificates The confirmation method "x5u" specifies the URI of an ordered chain of X.509 certificates . The semantics of "x5u" is like that of the "x5u" COSE Header Parameter specified in , with the following difference. The public key contained in the first certificate is the proof-of-possession key and does not have to correspond to a key used to digitally sign the JWS.

Ordered Chain of C509 Certificates The confirmation method "c5c" specifies an ordered array of C509 certificates . The semantics of "c5c" is like that of the "x5c" JWT confirmation method defined in , with the following difference. Each string in the JSON array is a base64-encoded ( - not base64url-encoded) C509 certificate.

Unordered Bag of C509 Certificates The confirmation method "c5b" specifies a bag of C509 certificates . The semantics of "c5b" is like that of the "c5c" JWT confirmation method defined in , with the following differences. First, the set of certificates is unordered and may contain self-signed certificates. Second, the composition and processing of "c5b" is like for the "c5b" COSE Header Parameter defined in .

Hash of a C09 Certificate The confirmation method "c5t" specifies the hash value of the end-entity C509 certificate . The semantics of "c5t" is like that of the "x5t" JWT confirmation method defined in , with the following differences. First, the base64url-encoded SHA-1 thumbprint is computed over the C509 certificate. Second, the public key contained in the C509 certificate does not have to correspond to a key used to digitally sign the JWS.

URI Pointing to an Ordered Chain of C509 Certificates The confirmation method "c5u" specifies the URI of COSE_C509 containing an ordered chain of C509 certificates . COSE_C509 is defined in . The semantics of "c5u" is like that of the "x5u" JWT confirmation method defined in , with the following differences. First, the URI refers to a resource for the C509 certificate chain. Second, the public key contained in one of the C509 certificates and acting as proof-of-possession key does not have to correspond to a key used to digitally sign the JWS.

CWT Containing a COSE_Key The confirmation method "kcwt" specifies a CBOR Web Token (CWT) containing a COSE_Key in a 'cnf' claim and possibly other claims. The format of "kcwt" is the base64url-encoded serialization of the CWT.

CCS Containing a COSE_Key The confirmation method "kccs" specifies a CWT Claims Set (CCS) containing a COSE_Key in a 'cnf' claim and possibly other claims. The format of "kcwt" is the base64url-encoded serialization of the CWT.

Security Considerations This document specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework . Thus, the general security considerations from the ACE framework also apply to this profile. Furthermore, the security considerations from OSCORE and from EDHOC also apply to this specific use of the OSCORE and EDHOC protocols. As previously stated, once completed the EDHOC session, C and RS are mutually authenticated through their respective authentication credentials, whose retrieval has been facilitated by AS. Also once completed the EDHOC session, C and RS have established a long-term secret key PRK_out enjoying forward secrecy. This is in turn used by C and RS to establish an OSCORE Security Context. Furthermore, RS achieves confirmation that C has PRK_out (proof-of-possession) when completing the EDHOC session. Rather, C achieves confirmation that RS has PRK_out (proof-of-possession) either when receiving the optional EDHOC message_4 from RS, or when successfully verifying a response from RS protected with the established OSCORE Security Context. OSCORE is designed to secure point-to-point communication, providing a secure binding between a request and the corresponding response(s). Thus, the basic OSCORE protocol is not intended for use in point-to-multipoint communication (e.g., enforced via multicast or a publish-subscribe model). Implementers of this profile should make sure that their use case of OSCORE corresponds to the expected one, in order to prevent weakening the security assurances provided by OSCORE. When using this profile, it is RECOMMENDED that RS stores only one access token per client. The use of multiple access tokens for a single client increases the strain on RS, since it must consider every access token associated with the client and calculate the actual permissions that client has. Also, access tokens indicating different or disjoint permissions from each other may lead RS to enforce wrong permissions. If one of the access tokens expires earlier than others, the resulting permissions may offer insufficient protection. Developers SHOULD avoid using multiple access tokens for a same client. Furthermore, RS MUST NOT store more than one access token per client per PoP-key (i.e., per client's authentication credential).

Privacy Considerations This document specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework . Thus, the general privacy considerations from the ACE framework also apply to this profile. Furthermore, the privacy considerations from OSCORE and from EDHOC also apply to this specific use of the OSCORE and EDHOC protocols. An unprotected response to an unauthorized request may disclose information about RS and/or its existing relationship with C. It is advisable to include as little information as possible in an unencrypted response. When an OSCORE Security Context already exists between C and RS, more detailed information may be included. Except for the case where C attempts to update its access rights, the (encrypted) access token is sent in an unprotected POST request to the /authz-info endpoint at RS. Thus, if C uses the same single access token from multiple locations, it can risk being tracked by the access token's value even when the access token is encrypted. The identifiers used in OSCORE, i.e., the OSCORE Sender/Recipient IDs, are negotiated by C and RS during the EDHOC session. That is, the EDHOC Connection Identifier C_I of C is going to be the OSCORE Recipient ID of C (the OSCORE Sender ID of RS). Conversely, the EDHOC Connection Identifier C_R of RS is going to be the OSCORE Recipient ID of RS (the OSCORE Sender ID of C). These OSCORE identifiers are privacy sensitive (see ). In particular, they could reveal information about C, or may be used for correlating different requests from C, e.g., across different networks that C has joined and left over time. This can be mitigated if C and RS dynamically update their OSCORE identifiers, e.g., by using the method defined in .

IANA Considerations This document has the following actions for IANA. Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.

ACE OAuth Profile Registry IANA is asked to add the following entry to the "ACE OAuth Profile" Registry following the procedure specified in .

• Profile name: coap_edhoc_oscore
• Profile Description: Profile for delegating client authentication and authorization in a constrained environment by establishing an OSCORE Security Context between resource-constrained nodes, through the execution of the authenticated key establishment protocol EDHOC .
• Profile ID: TBD (value between 1 and 255)
• Change Controller: IESG
• Reference: [RFC-XXXX]

OAuth Parameters Registry IANA is asked to add the following entries to the "OAuth Parameters" registry.

• Name: "edhoc_info"
• Parameter Usage Location: token request, token response
• Change Controller: IESG
• Reference: [RFC-XXXX]

OAuth Parameters CBOR Mappings Registry IANA is asked to add the following entries to the "OAuth Parameters CBOR Mappings" following the procedure specified in .

• Name: "edhoc_info"
• CBOR Key: TBD
• Value Type: map
• Reference: [RFC-XXXX]

JSON Web Token Claims Registry IANA is asked to add the following entries to the "JSON Web Token Claims" registry following the procedure specified in .

• Claim Name: "edhoc_info"
• Claim Description: Information for EDHOC session
• Change Controller: IETF
• Reference: [RFC-XXXX]

CBOR Web Token Claims Registry IANA is asked to add the following entries to the "CBOR Web Token Claims" registry following the procedure specified in .

• Claim Name: "edhoc_info"
• Claim Description: Information for EDHOC session
• JWT Claim Name: "edhoc_info"
• Claim Key: TBD
• Claim Value Type(s): map
• Change Controller: IESG
• Specification Document(s): [RFC-XXXX]

JWT Confirmation Methods Registry IANA is asked to add the following entries to the "JWT Confirmation Methods" registry following the procedure specified in .

• Confirmation Method Value: "x5c"
• Confirmation Method Description: An ordered chain of X.509 certificates
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Value: "x5b"
• Confirmation Method Description: An unordered bag of X.509 certificates
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Value: "x5t"
• Confirmation Method Description: Hash of an X.509 certificate
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Value: "x5u"
• Confirmation Method Description: URI pointing to an ordered chain of X.509 certificates
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Value: "c5c"
• Confirmation Method Description: An ordered chain of C509 certificates
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Value: "c5b"
• Confirmation Method Description: An unordered bag of C509 certificates
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Value: "c5t"
• Confirmation Method Description: Hash of a C509 certificate
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Value: "c5u"
• Confirmation Method Description: URI pointing to a COSE_C509 containing an ordered chain of C509 certificates
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Value: "kcwt"
• Confirmation Method Description: A CBOR Web Token (CWT) containing a COSE_Key in a 'cnf' claim and possibly other claims
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Value: "kccs"
• Confirmation Method Description: A CWT Claims Set (CCS) containing a COSE_Key in a 'cnf' claim and possibly other claims
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

CWT Confirmation Methods Registry IANA is asked to add the following entries to the "CWT Confirmation Methods" registry following the procedure specified in .

• Confirmation Method Name: x5chain
• Confirmation Method Description: An ordered chain of X.509 certificates
• JWT Confirmation Method Name: "x5c"
• Confirmation Key: TBD
• Confirmation Value Type(s): COSE_X509
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Name: x5bag
• Confirmation Method Description: An unordered bag of X.509 certificates
• JWT Confirmation Method Name: "x5b"
• Confirmation Key: TBD
• Confirmation Value Type(s): COSE_X509
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Name: x5t
• Confirmation Method Description: Hash of an X.509 certificate
• JWT Confirmation Method Name: "x5t"
• Confirmation Key: TBD
• Confirmation Value Type(s): COSE_CertHash
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Name: x5u
• Confirmation Method Description: URI pointing to an ordered chain of X.509 certificates
• JWT Confirmation Method Name: "x5u"
• Confirmation Key: TBD
• Confirmation Value Type(s): uri
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Name: c5c
• Confirmation Method Description: An ordered chain of C509 certificates
• JWT Confirmation Method Name: "c5c"
• Confirmation Key: TBD
• Confirmation Value Type(s): COSE_C509
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Name: c5b
• Confirmation Method Description: An unordered bag of C509 certificates
• JWT Confirmation Method Name: "c5b"
• Confirmation Key: TBD
• Confirmation Value Type(s): COSE_C509
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Name: c5t
• Confirmation Method Description: Hash of a C509 certificate
• JWT Confirmation Method Name: "c5t"
• Confirmation Key: TBD
• Confirmation Value Type(s): COSE_CertHash
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Name: c5u
• Confirmation Method Description: URI pointing to a COSE_C509 containing an ordered chain of C509 certificates
• JWT Confirmation Method Name: "c5u"
• Confirmation Key: TBD
• Confirmation Value Type(s): uri
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Name: kcwt
• Confirmation Method Description: A CBOR Web Token (CWT) containing a COSE_Key in a 'cnf' claim and possibly other claims
• JWT Confirmation Method Name: "kcwt"
• Confirmation Key: TBD
• Confirmation Value Type(s): COSE_Messages
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

 

• Confirmation Method Name: kccs
• Confirmation Method Description: A CWT Claims Set (CCS) containing a COSE_Key in a 'cnf' claim and possibly other claims
• JWT Confirmation Method Name: "kccs"
• Confirmation Key: TBD
• Confirmation Value Type(s): map / #6(map)
• Change Controller: IESG
• Specification Document(s): of [RFC-XXXX]

EDHOC External Authorization Data Registry IANA is asked to add the following entry to the "EDHOC External Authorization Data" registry defined in . The ead_label = TBD and the ead_value defines an access token in EAD_1 or EAD_3, with processing specified in .

• Label: TBD
• Value Type: bstr
• Description: Access Token
• Reference: [RFC-XXXX]

EDHOC Information Registry It is requested that IANA create a new registry entitled "EDHOC Information" registry. The registry is to be created with registration policy Expert Review . Guidelines for the experts are provided in . It should be noted that in addition to the expert review, some portions of the registry require a specification, potentially on Standards Track, be supplied as well. The columns of the registry are:

• Name: A descriptive name that enables easier reference to this item. Because a core goal of this document is for the resulting representations to be compact, it is RECOMMENDED that the name be short. This name is case sensitive. Names may not match other registered names in a case-insensitive manner unless the Designated Experts determine that there is a compelling reason to allow an exception. The name is not used in the CBOR encoding.
• CBOR Value: The value to be used as CBOR abbreviation of the item. The value MUST be unique. The value can be a positive integer, a negative integer or a string. Integer values between -256 and 255 and strings of length 1 are to be registered by Standards Track documents (Standards Action). Integer values from -65536 to -257 and from 256 to 65535 and strings of maximum length 2 are to be registered by public specifications (Specification Required). Integer values greater than 65535 and strings of length greater than 2 are subject to the Expert Review policy. Integer values less than -65536 are marked as private use.
• CBOR Type: The CBOR type of the item, or a pointer to the registry that defines its type, when that depends on another item.
• Registry: The registry that values of the item may come from, if one exists.
• Description: A brief description of this item.
• Specification: A pointer to the public specification for the item, if one exists.

This registry will be initially populated by the values in . The "Specification" column for all of these entries will be this document and .

Expert Review Instructions The IANA registry established in this document is defined to use the registration policy Expert Review. This section gives some general guidelines for what the experts should be looking for, but they are being designated as experts for a reason so they should be given substantial latitude. Expert reviewers should take into consideration the following points:

• Point squatting should be discouraged. Reviewers are encouraged to get sufficient information for registration requests to ensure that the usage is not going to duplicate one that is already registered and that the point is likely to be used in deployments. The zones tagged as private use are intended for testing purposes and closed environments; code points in other ranges should not be assigned for testing.
• Specifications are required for the Standards Action range of point assignment. Specifications should exist for Specification Required ranges, but early assignment before a specification is available is considered to be permissible. Specifications are needed for the first-come, first-serve range if they are expected to be used outside of closed environments in an interoperable way. When specifications are not provided, the description provided needs to have sufficient information to identify what the point is being used for.
• Experts should take into account the expected usage of fields when approving point assignment. The fact that there is a range for Standards Track documents does not mean that a Standards Track document cannot have points assigned outside of that range. The length of the encoded value should be weighed against how many code points of that length are left, the size of device it will be used on, and the number of code points left that encode to that size.

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK] This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK] The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments. JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification. JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. This specification describes how to declare in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular proof-of- possession key and how the recipient can cryptographically confirm proof of possession of the key by the presenter. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key. Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON. This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON. This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE). OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols. Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration. Therefore, this document updates RFC 7252. This document describes the Concise Binary Object Representation (CBOR) Sequence format and associated media type "application/cbor-seq". A CBOR Sequence consists of any number of encoded CBOR data items, simply concatenated in sequence. Structured syntax suffixes for media types allow other media types to build on them and make it explicit that they are built on an existing media type as their foundation. This specification defines and registers "+cbor-seq" as a structured syntax suffix for CBOR Sequences. This specification describes how to declare in a CBOR Web Token (CWT) (which is defined by RFC 8392) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as being the holder-of-key. This specification provides equivalent functionality to "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)" (RFC 7800) but using Concise Binary Object Representation (CBOR) and CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens (JWTs). The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052). This document, along with RFC 9052, obsoletes RFC 8152. This specification defines a framework for authentication and authorization in Internet of Things (IoT) environments called ACE-OAuth. The framework is based on a set of building blocks including OAuth 2.0 and the Constrained Application Protocol (CoAP), thus transforming a well-known and widely used authorization solution into a form suitable for IoT devices. Existing specifications are used where possible, but extensions are added and profiles are defined to better serve the IoT use cases. This specification defines new parameters and encodings for the OAuth 2.0 token and introspection endpoints when used with the framework for Authentication and Authorization for Constrained Environments (ACE). These are used to express the proof-of-possession (PoP) key the client wishes to use, the PoP key that the authorization server has selected, and the PoP key the resource server uses to authenticate to the client. This document specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework. It utilizes Object Security for Constrained RESTful Environments (OSCORE) to provide communication security and proof-of-possession for a key owned by the client and bound to an OAuth 2.0 access token. The CBOR Object Signing and Encryption (COSE) message structure uses references to keys in general. For some algorithms, additional properties are defined that carry parameters relating to keys as needed. The COSE Key structure is used for transporting keys outside of COSE messages. This document extends the way that keys can be identified and transported by providing attributes that refer to or contain X.509 certificates. Ericsson AB Ericsson AB Ericsson AB This document specifies Ephemeral Diffie-Hellman Over COSE (EDHOC), a very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and identity protection. EDHOC is intended for usage in constrained scenarios and a main use case is to establish an OSCORE security context. By reusing COSE for cryptography, CBOR for encoding, and CoAP for transport, the additional code size can be kept very low. Ericsson RISE AB RISE AB Fraunhofer AISEC Ericsson The lightweight authenticated key exchange protocol EDHOC can be run over CoAP and used by two peers to establish an OSCORE Security Context. This document details this use of the EDHOC protocol, by specifying a number of additional and optional mechanisms. These especially include an optimization approach for combining the execution of EDHOC with the first OSCORE transaction. This combination reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context. Ericsson AB Ericsson AB RISE AB RISE AB Nexus Group This document specifies a CBOR encoding of X.509 certificates. The resulting certificates are called C509 Certificates. The CBOR encoding supports a large subset of RFC 5280 and all certificates compatible with the RFC 7925, IEEE 802.1AR (DevID), CNSA, RPKI, GSMA eUICC, and CA/Browser Forum Baseline Requirements profiles. When used to re-encode DER encoded X.509 certificates, the CBOR encoding can in many cases reduce the size of RFC 7925 profiled certificates with over 50%. The CBOR encoded structure can alternatively be signed directly ("natively signed"), which does not require re- encoding for the signature to be verified. The document also specifies C509 COSE headers, a C509 TLS certificate type, and a C509 file format. RISE AB Ericsson AB This document updates the Authentication and Authorization for Constrained Environments Framework (ACE, RFC 9200) as follows. First, it defines a new, alternative workflow that the Authorization Server can use for uploading an access token to a Resource Server on behalf of the Client. Second, it defines new parameters and encodings for the OAuth 2.0 token endpoint at the Authorization Server. Informative References This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed. This memo provides information for the Internet community. This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document obsoletes RFC 6347. RISE AB RISE AB This document defines Key Update for OSCORE (KUDOS), a lightweight procedure that two CoAP endpoints can use to update their keying material by establishing a new OSCORE Security Context. Accordingly, it updates the use of the OSCORE flag bits in the CoAP OSCORE Option as well as the protection of CoAP response messages with OSCORE, and it deprecates the key update procedure specified in Appendix B.2 of RFC 8613. Thus, this document updates RFC 8613. Also, this document defines a procedure that two endpoints can use to update their OSCORE identifiers, run either stand-alone or during a KUDOS execution. Ericsson AB Ericsson AB INRIA Sandelman Software Works Institute of Embedded Systems, ZHAW This document describes a procedure for authorizing enrollment of new devices using the lightweight authenticated key exchange protocol Ephemeral Diffie-Hellman Over COSE (EDHOC). The procedure is applicable to zero-touch onboarding of new devices to a constrained network leveraging trust anchors installed at manufacture time. Ericsson AB RISE Nexus Inria This document specifies public-key certificate enrollment procedures protected with lightweight application-layer security protocols suitable for Internet of Things (IoT) deployments. The protocols leverage payload formats defined in Enrollment over Secure Transport (EST) and existing IoT standards including the Constrained Application Protocol (CoAP), Concise Binary Object Representation (CBOR) and the CBOR Object Signing and Encryption (COSE) format.

Examples This appendix provides examples where this profile of ACE is used. In particular:

• does not make use of use of any optimization.
• makes use of the optimizations defined in this specification, hence reducing the roundtrips of the interactions between the Client and the Resource Server.
• considers an alternative workflow where AS uploads the access token to RS.

All these examples build on the following assumptions, as relying on expected early procedures performed at AS. These include the registration of RSs by the respective Resource Owners as well as the registrations of Clients authorized to request access token for those RSs.

• AS knows the authentication credential AUTH_CRED_C of the Client C.
• The Client knows the authentication credential AUTH_CRED_AS of AS.
• AS knows the authentication credential AUTH_CRED_RS of RS.
• RS knows the authentication credential AUTH_CRED_AS of AS. This is relevant in case AS and RS actually require a secure association (e.g., for RS to perform token introspection at AS, or for AS to upload an access token to RS on behalf of the Client).

As a result of the assumptions above, it is possible to limit the transport of AUTH_CRED_C and AUTH_CRED_RS by value only to the following two cases, and only when the Client requests an access token for RS in question for the first time when considering the pair (AUTH_CRED_C, AUTH_CRED_RS).

• In the Token Response from AS to the Client, where AUTH_CRED_RS is specified by the 'rs_cnf' parameter.
• In the access token, where AUTH_CRED_C is specified by the 'cnf' claim.

Note that, even under the circumstances mentioned above, AUTH_CRED_C might rather be indicated by reference. This is possible if RS can effectively use such a reference from the access token to retrieve AUTH_CRED_C (e.g., from a trusted repository of authentication credentials reachable through a non-constrained link), and if AS is in turn aware of that. In any other case, it is otherwise possible to indicate both AUTH_CRED_C and AUTH_CRED_RS by reference, when performing the ACE access control workflow as well as later on when the Client and RS run EDHOC.

Workflow without Optimizations The example below considers the simplest (though least efficient) interaction between the Client and RS. That is: first C uploads the access token to RS; then C and RS run EDHOC; and, finally, the Client accesses the protected resource at RS. | | | | | | | | | EDHOC message_2 | | M02 |<---------------------------------| | | ID_CRED_R identifies | | | CRED_R = AUTH_CRED_AS | | | by reference | | | | | | | | | EDHOC message_3 to /edhoc | | M03 |--------------------------------->| | | ID_CRED_I identifies | | | CRED_I = AUTH_CRED_C | | | by reference | | | | | | | | | Token request to /token | | | (OSCORE-protected message) | | M04 |--------------------------------->| | | 'req_cnf' identifies | | | AUTH_CRED_C by reference | | | | | | | | | Token response | | | (OSCORE-protected message) | | M05 |<---------------------------------| | | 'rs_cnf' specifies | | | AUTH_CRED_RS by value | | | | | | 'ace_profile' = | | | coap_edhoc_oscore | | | | | | 'edhoc_info' specifies: | | | { | | | session_id : h'01', | | | cipher_suites : 2, | | | methods : 3 | | | } | | | | | | In the access token: | | | * the 'cnf' claim specifies | | | AUTH_CRED_C by value | | | * the 'edhoc_info' claim | | | specifies the same as | | | 'edhoc_info' above | | | | | // Possibly after chain verification, the Client adds AUTH_CRED_RS // to the set of its trusted peer authentication credentials, // relying on AS as trusted provider | | | | Token upload to /authz-info | | | (unprotected message) | | M06 |---------------------------------------------------------------->| | | | // Possibly after chain verification, RS adds AUTH_CRED_C // to the set of its trusted peer authentication credentials, // relying on AS as trusted provider | | | | 2.01 (Created) | | | (unprotected message) | | M07 |<----------------------------------------------------------------| | | | | | | | EDHOC message_1 to /edhoc | | | (no access control is enforced) | | M08 |---------------------------------------------------------------->| | | | | | | | EDHOC message_2 | | M09 |<----------------------------------------------------------------| | ID_CRED_R identifies | | | CRED_R = AUTH_CRED_RS | | | by reference | | | | | | | | | EDHOC message_3 to /edhoc | | | (no access control is enforced) | | M10 |---------------------------------------------------------------->| | ID_CRED_I identifies | | | CRED_I = AUTH_CRED_C | | | by reference | | | | | | | | | Access to protected resource | | | (OSCORE-protected message) | | | (access control is enforced) | | M11 |---------------------------------------------------------------->| | | | | Response | | | (OSCORE-protected message) | | M12 |<----------------------------------------------------------------| | | | // Later on, the access token expires ... // - The Client and RS delete their OSCORE Security Context and // purge the EDHOC session used to derive it (unless the same // session is also used for other reasons). // - RS retains AUTH_CRED_C as still valid, // and AS knows about it. // - The Client retains AUTH_CRED_RS as still valid, // and AS knows about it. | | | | | | // Time passes ... | | | | | | // The Client asks for a new access token; now all the // authentication credentials can be indicated by reference // The price to pay is on AS, about remembering that at least // one access token has been issued for the pair (Client, RS) // and considering the pair (AUTH_CRED_C, AUTH_CRED_RS) | | | | Token request to /token | | | (OSCORE-protected message) | | M13 |--------------------------------->| | | 'req_cnf' identifies | | | CRED_I = AUTH_CRED_C | | | by reference | | | | | | | | | Token response | | | (OSCORE-protected message) | | M14 |<---------------------------------| | | 'rs_cnf' identifies | | | AUTH_CRED_RS by reference | | | | | | 'ace_profile' = | | | coap_edhoc_oscore | | | | | | 'edhoc_info' specifies: | | | { | | | session_id : h'05', | | | cipher_suites : 2, | | | methods : 3 | | | } | | | | | | In the access token: | | | * the 'cnf' claim specifies | | | AUTH_CRED_C by reference | | | * the 'edhoc_info' claim | | | specifies the same as | | | 'edhoc_info' above | | | | | | | | | Token upload to /authz-info | | | (unprotected message) | | M15 |---------------------------------------------------------------->| | | | | | | | 2.01 (Created) | | | (unprotected message) | | M16 |<----------------------------------------------------------------| | | | | | | | EDHOC message_1 to /edhoc | | | (no access control is enforced) | | M17 |---------------------------------------------------------------->| | | | | | | | EDHOC message_2 | | | (no access control is enforced) | | M18 |<----------------------------------------------------------------| | ID_CRED_R specifies | | | CRED_R = AUTH_CRED_RS | | | by reference | | | | | | | | | EDHOC message_3 to /edhoc | | | (no access control is enforced) | | M19 |---------------------------------------------------------------->| | ID_CRED_I identifies | | | CRED_I = AUTH_CRED_C | | | by reference | | | | | | | | | Access to protected resource /r | | | (OSCORE-protected message) | | | (access control is enforced) | | M20 |---------------------------------------------------------------->| | | | | | | | Response | | | (OSCORE-protected message) | | M21 |<----------------------------------------------------------------| | | | ]]>

Workflow with Optimizations The example below builds on the example in , while additionally relying on the two following optimizations.

• The access token is not separately uploaded to the /authz-info endpoint at RS, but rather included in the EAD_1 field of EDHOC message_1 sent by C to RS.
• The Client uses the EDHOC+OSCORE request defined in is used, when running EDHOC both with AS and with RS.

These two optimizations used together result in the most efficient interaction between C and RS, as consisting of only two roundtrips to upload the access token, run EDHOC and access the protected resource at RS. | | | | | | | | | EDHOC message_2 | | M02 |<---------------------------------| | | ID_CRED_R identifies | | | CRED_R = AUTH_CRED_AS | | | by reference | | | | | | | | | EDHOC+OSCORE request to /token | | M03 |--------------------------------->| | | * EDHOC message_3 | | | ID_CRED_I identifies | | | CRED_I = AUTH_CRED_C | | | by reference | | | --- --- --- | | | * OSCORE-protected part | | | Token request | | | 'req_cnf' identifies | | | AUTH_CRED_C by reference | | | | | | | | | Token response | | | (OSCORE-protected message) | | M04 |<---------------------------------| | | 'rs_cnf' specifies | | | AUTH_CRED_RS by value | | | | | | 'ace_profile' = | | | coap_edhoc_oscore | | | | | | 'edhoc_info' specifies: | | | { | | | session_id : h'01', | | | cipher_suites : 2, | | | methods : 3 | | | } | | | | | | In the access token: | | | * the 'cnf' claim specifies | | | AUTH_CRED_C by value | | | * the 'edhoc_info' claim | | | specifies the same as | | | 'edhoc_info' above | | | | | // Possibly after chain verification, the Client adds AUTH_CRED_RS // to the set of its trusted peer authentication credentials, // relying on AS as trusted provider | | | | EDHOC message_1 to /edhoc | | | (no access control is enforced) | | M05 |---------------------------------------------------------------->| | Access token specified in EAD_1 | | | | | // Possibly after chain verification, RS adds AUTH_CRED_C // to the set of its trusted peer authentication credentials, // relying on AS as trusted provider | | | | EDHOC message_2 | | M06 |<----------------------------------------------------------------| | ID_CRED_R identifies | | | CRED_R = AUTH_CRED_RS | | | by reference | | | | | | | | | EDHOC+OSCORE request to /r | | M07 |---------------------------------------------------------------->| | * EDHOC message_3 | | | ID_CRED_I identifies | | | CRED_I = AUTH_CRED_C | | | by reference | | | --- --- --- | | | * OSCORE-protected part | | | Application request to /r | | | | | // After the EDHOC processing is completed, access control // is enforced on the rebuilt OSCORE-protected request, // like if it had been sent stand-alone | | | | Response | | | (OSCORE-protected message) | | M08 |<----------------------------------------------------------------| | | | ]]>

Alternative Workflow (AS token posting) The example below builds on the example in , but assumes that AS is uploading the access token to RS as specified in . | | | | | | | | | EDHOC message_2 | | M02 |<---------------------------------| | | ID_CRED_R identifies | | | CRED_R = AUTH_CRED_AS | | | by reference | | | | | | | | | EDHOC+OSCORE request to /token | | M03 |--------------------------------->| | | * EDHOC message_3 | | | ID_CRED_I identifies | | | CRED_I = AUTH_CRED_C | | | by reference | | | --- --- --- | | | * OSCORE-protected part | | | Token request | | | 'req_cnf' identifies | | | AUTH_CRED_C by reference | | | | | | | | | | Token upload to /authz-info | M04 | |----------------------------->| | | In the access token: | | | * the 'cnf' claim | | | specifies AUTH_CRED_C | | | by value | | | * the 'edhoc_info' | | | claim specifies | | | { | | | session_id : h'01', | | | cipher_suites : 2, | | | methods: 3 | | | } | | | | // Possibly after chain verification, RS adds AUTH_CRED_C // to the set of its trusted peer authentication credentials, // relying on AS as trusted provider | | | | | 2.01 (Created) | M05 | |<-----------------------------| | | | | | | | Token response | | | (OSCORE-protected message) | | M06 |<---------------------------------| | | 'rs_cnf' specifies | | | AUTH_CRED_RS by value | | | | | | 'ace_profile' = | | | coap_edhoc_oscore | | | | | | 'token_uploaded' = true | | | | | | 'edhoc_info' specifies: | | | { | | | session_id : h'01', | | | cipher_suites : 2, | | | methods : 3 | | | } | | | | | // Possibly after chain verification, the Client adds AUTH_CRED_RS // to the set of its trusted peer authentication credentials, // relying on AS as trusted provider | | | | EDHOC message_1 to /edhoc | | | (no access control is enforced) | | M07 |---------------------------------------------------------------->| | | | | | | | EDHOC message_2 | | M08 |<----------------------------------------------------------------| | ID_CRED_R identifies | | | CRED_R = AUTH_CRED_RS | | | by reference | | | | | | | | | EDHOC+OSCORE request to /r | | M09 |---------------------------------------------------------------->| | * EDHOC message_3 | | | ID_CRED_I identifies | | | CRED_I = AUTH_CRED_C | | | by reference | | | --- --- --- | | | * OSCORE-protected part | | | Application request to /r | | | | | // After the EDHOC processing is completed, access control // is enforced on the rebuilt OSCORE-protected request, // like if it had been sent stand-alone | | | | Response | | | (OSCORE-protected message) | | M10 |<----------------------------------------------------------------| | | | ]]>

Profile Requirements This section lists the specifications of this profile based on the requirements of the framework, as requested in .

• Optionally, define new methods for the client to discover the necessary permissions and AS for accessing a resource, different from the one proposed in : Not specified
• Optionally, specify new grant types: Not specified
• Optionally, define the use of client certificates as client credential type: C can use authentication credentials of any type admitted by the EDHOC protocol, including public key certificates such as X.509 and C509 certificates.
• Specify the communication protocol the client and RS must use: CoAP
• Specify the security protocol the client and RS must use to protect their communication: OSCORE
• Specify how the client and RS mutually authenticate: Explicitly, by successfully executing the EDHOC protocol, after which a common OSCORE Security Context is exported from the EDHOC session. As per the EDHOC authentication method used during the EDHOC session, authentication is provided by digital signatures, or by Message Authentication Codes (MACs) computed from an ephemeral-static ECDH shared secret.
• Specify the proof-of-possession protocol(s) and how to select one, if several are available. Also specify which key types (e.g., symmetric/asymmetric) are supported by a specific proof-of- possession protocol: proof-of-possession is first achieved by RS when successfully processing EDHOC message_3 during the EDHOC session with C, through EDHOC algorithms and symmetric EDHOC session keys. Also, proof-of-possession is later achieved by C when receiving from RS: i) the optional EDHOC message_4 during the EDHOC session with RS, through EDHOC algorithms and symmetric EDHOC session keys; or ii) the first response protected with the OSCORE Security Context established after the EDHOC session with RS, through OSCORE algorithms and OSCORE symmetric keys derived from the completed EDHOC session.
• Specify a unique ace_profile identifier: coap_edhoc_oscore
• If introspection is supported, specify the communication and security protocol for introspection: HTTP/CoAP (+ TLS/DTLS/OSCORE)
• Specify the communication and security protocol for interactions between client and AS: HTTP/CoAP (+ TLS/DTLS/OSCORE)
• Specify if/how the authz-info endpoint is protected, including how error responses are protected: Not protected
• Optionally, define methods of token transport other than the authz-info endpoint: C can upload the access token when executing EDHOC with RS, by including the access token in the EAD_1 field of EDHOC message_1 (see ).

Document Updates RFC EDITOR: PLEASE REMOVE THIS SECTION.

Version -02 to -03

• Restructured presentation of content.
• Simplified description of the use of EDHOC_Information.
• Merged the concepts of EDHOC "session_id" and identifier of token series.
• Enabled the transport of the access token also in EDHOC EAD_3.
• Defined semantics of the newly defined CWT/JWT Confirmation Methods.
• Clarifications and editorial improvements.

Version -01 to -02

• Removed use of EDHOC_KeyUpdate.
• The Security Context is updated either by KUDOS or a rerun of EDHOC.
• The alternative workflow (AS token posting) is specified in separate draft.
• Fixed and updated examples.
• Editorial improvements.

Version -00 to -01

• Fixed semantics of the ead_value for transporting an Access Token in the EAD_1 field.
• Error handling aligned with EDHOC.
• Precise characterization of the EDHOC execution considered for EDHOC-KeyUpdate.
• Fixed message exchange examples.
• Added appendix with profile requirements.
• Updated references.
• Clarifications and editorial improvements.

Acknowledgments The authors sincerely thank and for their comments and feedback. Work on this document has in part been supported by the H2020 project SIFIS-Home (grant agreement 952652).