Session Recording (Markdown Version)
Session Date/Time: 19 Mar 2025 08:30
Working group: ace
Summary
The ACE working group session at IETF 122 in Bangkok covered updates on several key drafts: EST-oscore, ACE Workflow and Params, the authcred DTLS profile, the EDHOC and OSCORE profile, and the Pub Sub profile. Discussions focused on interoperability, parameter definitions, security considerations, and future directions. A key decision was made to remove MQTT support from the Pub Sub profile, focusing solely on CoAP.
Key Discussion Points
- EST-oscore: Discussion of interoperability during enrollment, specifically regarding certificate reference types and the use of the CoAP Accept option. Also discussed interoperability after enrollment and considerations for retrieving certificates by reference.
- ACE Workflow and Params: Review of the new workflow for the ACE framework where the AS uploads the access token to the RS, new parameters for group audiences, and the handling of the authentication credentials of C and RS by value or by reference.
- authcred DTLS profile: Update on the draft extending the existing RPK mode to support CWT Claims Sets and COSE Keys by reference, as well as introducing a new certificate mode.
- EDHOC and OSCORE profile: Revisions to the session identifier assignment rules, enforcement of client authentication credential validation, clarification on EDHOC info inclusion, and the interaction between the authentication credentials in ID_CRED_X and the EAD item. Discussed implications for identity protection with AS Request Creation Hints.
- Pub Sub Profile: The current MQTT specification and implementation are not at the same level as the CoAP implementation, so removing MQTT from the document was proposed. Discussion of the motivations for the PubSub profile.
Decisions and Action Items
- Pub Sub Profile:
  - Decision: Remove MQTT support from the Pub Sub profile.
  - Decision: Rename the document to "CoAP PubSub Profile of ACE" or "Key management and end-to-end message protection for the PubSub architecture for the Constrained Application Protocol using Authentication and Authorization for Constrained Environments (ACE)". The first option is preferred by the presenter due to its brevity.
  - Action: Francesca Palombini to repost the proposal about removing MQTT and renaming the document to the mailing list for final confirmation.
Next Steps
- EST-oscore: Close the open issues and proceed to working group last call.
- ACE Workflow and Params: Provide more examples using the latest features and address the open points in the queue regarding anchor_cnf and the dynamic update of access rights.
- authcred DTLS profile: Address the placeholder numeric identifiers, add an informative reference to the Workflow and Params document, include a security consideration on CCS validation, and add more examples in hybrid settings.
- EDHOC and OSCORE profile: Look into code point allocation for CWT confirmation methods, investigate adding an EDHOC EAD item for conveying AS Request Creation Hints, define how to perform proof of possession of the client's private key at the AS, and compare the security and privacy properties of including the information in different EDHOC messages.
- Group OSCORE profile: Add considerations on group rekeying, enable dynamic update of access rights, and explore setups with multiple application groups and security groups.