Markdown Version | Session Recording

Session Date/Time: 19 Mar 2024 07:30

ace

Summary

The ACE working group meeting at IETF 119 covered several draft updates and ongoing discussions related to authentication and authorization in constrained environments. The presentations included updates on OScore Group Management, Workflow and Params updates for RFC9200, Group OScore Profile, EST over OScore, and EDHOC over OScore Profile.

Key Discussion Points

• OScore Group Management (OScoregmadmin):
  • Addressed comments from Sigdom and Karsten regarding parameter renaming, clarifications, tutorial improvements, and examples.
  • Made changes for alignment with the keygroupcom document and problem details usage.
  • Remaining actions include addressing Carsten's comments regarding examples, atomicity of operations, and better CBORTAG usage.
• Workflow and Params:
  • Updated RFC9200 with a new execution workflow where the AS uploads the access token to the resource server.
  • Introduced the "token upload" parameter to facilitate the new workflow.
  • Discussed aligning with problem details for error responses.
  • Ongoing discussion on whether the client should be required to opt-in to the token upload workflow.
• Group OScore Profile:
  • Focuses on access control for resources at group members using Group OScore.
  • Clarified access token deletion and its impact on Group OScore security context.
  • Updated the naming of "export rates pop input client AS."
  • Specified requirements for the AS to verify proof of possession evidence.
• EST over OScore:
  • Updates to RFC 9148 equivalent using OScore for certificate enrollment.
  • Addressed the use of seaborne encoded objects in payload formats.
  • Discussed the normative requirements and content format support for SN1 or CBAR.
  • Debated whether the client should support both single (287) and multiple (228) certificate formats, as suggested in the ANIMA working group's constrained voucher draft.
• EDHOC over OScore Profile:
  • Profile of the ACE framework, using EDHOC and OSCORE between client and resource server.
  • The access token or session identifier is transported within the message.
  • Discussed identifying public keys in EDHOC and potentially registering COSE header parameters for hash of CCS.
  • Identified work going on in the COZY working group for CWT identifier hashing.

Decisions and Action Items

• OScoregmadmin: Marco to address remaining comments from Karsten and submit a new version before the IETF 120 cutoff.
• Workflow and Params: Further discussion needed on the client opt-in requirement for token upload, to be continued on the mailing list.
• EST over OScore: Working group to provide feedback on the open issues, and Melissa to follow up with chairs for next steps.

Next Steps

• Continue discussions on the mailing lists for open issues.
• Authors to address feedback and prepare updated drafts.
• Aim for last calls and IESG submission for documents nearing completion.