Internet-Draft: CoRAL Admin Interface for the OSCORE GM
Tiloca & Höglund, July 2023 (expires 2 January 2024)
Group communication for CoAP can be secured using Group Object Security for Constrained RESTful Environments (Group OSCORE). A Group Manager is responsible for handling the joining of new group members, as well as for managing and distributing the group keying material. The Group Manager can provide a RESTful admin interface that allows an Administrator entity to create and delete OSCORE groups, as well as to retrieve and update their configuration. This document specifies how an Administrator entity interacts with the admin interface at the Group Manager by using the Constrained RESTful Application Language (CoRAL). The ACE framework for Authentication and Authorization is used to enforce authentication and authorization of the Administrator at the Group Manager. Protocol-specific transport profiles of ACE are used to achieve communication security, proof-of-possession and server authentication.
This note is to be removed before publishing as an RFC.

Discussion of this document takes place on the Authentication and Authorization for Constrained Environments Working Group mailing list ([email protected]), which is archived at https://mailarchive.ietf.org/arch/browse/ace/.

Source for this draft and an issue tracker can be found at https://github.com/ace-wg/ace-oscore-gm-admin-coral.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 2 January 2024.

Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
The Constrained Application Protocol (CoAP) [RFC7252] can also be used for group communication [I-D.ietf-core-groupcomm-bis], where messages are exchanged between members of a group, e.g., over IP multicast. Applications relying on CoAP can achieve end-to-end security at the application layer by using Object Security for Constrained RESTful Environments (OSCORE) [RFC8613], and especially Group OSCORE [I-D.ietf-core-oscore-groupcomm] in group communication scenarios.

When group communication for CoAP is protected with Group OSCORE, nodes are required to explicitly join the correct OSCORE group. To this end, a joining node interacts with a Group Manager (GM) entity responsible for that group, and retrieves the required keying material to securely communicate with other group members using Group OSCORE.

The method in [I-D.ietf-ace-key-groupcomm-oscore] specifies how nodes can join an OSCORE group through the respective Group Manager. Such a method builds on the ACE framework for Authentication and Authorization [RFC9200], thus ensuring a secure joining process as well as authentication and authorization of joining nodes (clients) at the Group Manager (resource server).

[I-D.ietf-ace-oscore-gm-admin] specifies a RESTful admin interface at the Group Manager, intended for an Administrator as a separate entity external to the Group Manager and its application. The interface allows the Administrator to create and delete OSCORE groups, as well as to retrieve and update their configuration.

This document builds on [I-D.ietf-ace-oscore-gm-admin], and specifies how an Administrator interacts with the same RESTful admin interface by using the Constrained RESTful Application Language (CoRAL) [I-D.ietf-core-coral]. Compared to [I-D.ietf-ace-oscore-gm-admin], there is no change in the admin interface and its operations, nor in the way the group configurations are organized and represented.

Interaction examples using Packed CBOR [I-D.ietf-cbor-packed] are provided, and are expressed in CBOR diagnostic notation [RFC8949]. Section 1.2 provides the notation and assumptions used in the examples.

The ACE framework is used to ensure authentication and authorization of the Administrator (client) at the Group Manager (resource server). In order to achieve communication security, proof-of-possession and server authentication, the Administrator and the Group Manager leverage protocol-specific transport profiles of ACE, such as [RFC9202] and [RFC9203]. Forthcoming transport profiles that comply with the requirements in Appendix C of [RFC9200] can be used as well.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Readers are expected to be familiar with the terms and concepts from the following specifications.

   *  The CoAP protocol [RFC7252], also in group communication scenarios [I-D.ietf-core-groupcomm-bis]. These include the concepts of:

   *  The OSCORE [RFC8613] and Group OSCORE [I-D.ietf-core-oscore-groupcomm] security protocols. These especially include the concepts of:

Readers are also expected to be familiar with the terms and concepts used in [I-D.ietf-ace-oscore-gm-admin], with particular reference to: "Administrator", "group name", "group-collection resource", and "group-configuration resource".
As in [I-D.ietf-ace-oscore-gm-admin], the url-path of a group-configuration resource has GROUPNAME as its last segment, where GROUPNAME is the invariant group name assigned upon the group's creation. Building on /manage as the url-path of the group-collection resource, this document uses /manage/GROUPNAME as the url-path of a group-configuration resource; implementations are not required to use these names, and can define their own instead.

Note that, unless otherwise indicated, the term "endpoint" is used here following its OAuth definition, aimed at denoting resources such as /token and /introspect at the AS, and /authz-info at the RS. This document does not use the CoAP definition of "endpoint", which is "An entity participating in the CoAP protocol".

As per Section 2.4 of [I-D.ietf-core-coral], CoRAL expresses Uniform Resource Identifiers (URIs) [RFC3986] as Constrained Resource Identifier (CRI) references [I-D.ietf-core-href].
The examples in this document use the following notation.

When using the CURIE syntax [CURIE-20101216], the following applies.

   *  'linkformat' stands for http://www.iana.org/assignments/linkformat

      This URI is to be defined with IANA, together with other URIs that build on it through further path segments, e.g., http://www.iana.org/assignments/linkformat/rt

      When using a URI http://www.iana.org/assignments/linkformat/SEG1/SEG2, the path segment SEG1 is the name of a web link target attribute, and the path segment SEG2 is a value of that target attribute (e.g., http://www.iana.org/assignments/linkformat/rt/core.osc.gconf for the value "core.osc.gconf" of the target attribute "rt").

      Names of target attributes used in Link Format [RFC6690] are expected to be coordinated through the "Target Attributes" registry defined in [I-D.ietf-core-target-attr].

   *  'core.osc.gcoll' stands for http://coreapps.org/core.osc.gcoll# , the prefix of the relation type used for the items of the group-collection resource, and 'core.osc.gconf' stands for the analogous prefix http://coreapps.org/core.osc.gconf# used for the properties of a group configuration.

The notation cri'' introduced in [I-D.ietf-cbor-edn-literals] is used to represent CRIs [I-D.ietf-core-href]. This format is not expected to be sent over the network.

Packed CBOR [I-D.ietf-cbor-packed] is also used, thus reducing representation size. The examples especially refer to the values from the two shared item tables in Appendix A.

Finally, the examples consider a Group Manager with address [2001:db8::ab], and use the CoAP Content-Format ID 65087 for the media-type application/coral+cbor.
The group administration is enforced as defined in Section 2 of [I-D.ietf-ace-oscore-gm-admin].

The same resource model defined in Section 2.1 of [I-D.ietf-ace-oscore-gm-admin], based on a group-collection resource and multiple group-configuration resources, is used in this document.

When accessing such resources, the Administrator relies on the same interface defined in Section 6 of [I-D.ietf-ace-oscore-gm-admin]; the differences that apply when using CoRAL are collected in Section 6 of this document.
A collection of group configurations is represented as a CoRAL document containing the list of corresponding group-configuration resources.

Each group configuration is represented as a top-level link element, with the URI of the group-configuration resource as link target, and with http://coreapps.org/core.osc.gcoll#item as relation type.

The Administrator can discover the group-collection resource from a Resource Directory (see, for instance, [I-D.hartke-t2trg-coral-reef]) or from /.well-known/core, by using the resource type "core.osc.gcoll" defined in Section 10.3 of [I-D.ietf-ace-oscore-gm-admin].

The Administrator can discover the group-configuration resources of the group-collection resource as specified in Section 6.1 and Section 6.2.

In order to express authorization information for the Administrator (see Section 4), the same format and encoding of scope defined in Section 3 of [I-D.ietf-ace-oscore-gm-admin] is used. It relies on the Authorization Information Format (AIF) [RFC9237] and on the extended AIF data model AIF-OSCORE-GROUPCOMM defined in Section 3 of [I-D.ietf-ace-key-groupcomm-oscore].
All communications between the involved entities rely on the CoAP protocol and MUST be secured.

In particular, communications between the Administrator and the Group Manager leverage protocol-specific transport profiles of ACE to achieve communication security, proof-of-possession and server authentication. To this end, the AS may explicitly signal the specific transport profile to use, consistently with requirements and assumptions defined in the ACE framework [RFC9200].

With reference to the AS, communications between the Administrator and the AS (/token endpoint) as well as between the Group Manager and the AS (/introspect endpoint) can be secured by different means, for instance using DTLS [RFC9147] or OSCORE [RFC8613]. Further details on how the AS secures communications (with the Administrator and the Group Manager) depend on the specifically used transport profile of ACE, and are out of the scope of this document.

The Administrator requests access to the Group Manager as per Steps 1-3 in Section 4 of [I-D.ietf-ace-oscore-gm-admin].

The Administrator accesses the admin interface at the Group Manager as per Step 4 in Section 4 of [I-D.ietf-ace-oscore-gm-admin], with the difference that administrative operations are performed not as defined in Section 6 of [I-D.ietf-ace-oscore-gm-admin], but instead as defined in Section 6 of this document.

What is defined in Section 4.1 of [I-D.ietf-ace-oscore-gm-admin] holds for this document, with the following difference.

The Administrator performs administrative operations at the Group Manager not as defined in Section 6 of [I-D.ietf-ace-oscore-gm-admin], but instead as defined in Section 6 of this document.
A group configuration consists of a set of parameters.

The same group configuration representation defined in Section 5.1 of [I-D.ietf-ace-oscore-gm-admin] is used, including configuration properties and status properties.

The same configuration properties defined in Section 5.1.1 of [I-D.ietf-ace-oscore-gm-admin] are used.

The same status properties defined in Section 5.1.2 of [I-D.ietf-ace-oscore-gm-admin] are used.

The Group Manager refers to the same default values defined in Section 5.2 of [I-D.ietf-ace-oscore-gm-admin].

The same as defined in Section 6 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following differences.

If a message payload specifies a link element corresponding to a structured parameter, then:

   *  To indicate a structured parameter with no elements, the link element MUST have the CBOR simple value false (0xf4) as link target.

      Editor's note: this should change to using an empty CBOR array or an empty CBOR map as appropriate, once this is made explicitly possible in the binary format of link items in CoRAL (see Section 3.1.4 of [I-D.ietf-core-coral]).
This operation MUST be supported by the Group Manager and an Administrator.

The Administrator can send a GET request to the group-collection resource, in order to retrieve a list of the existing OSCORE groups at the Group Manager.

The same as defined in Section 6.1 of [I-D.ietf-ace-oscore-gm-admin] holds.

An example of message exchange is shown below.

   => 0.01 GET
      Uri-Path: manage

   <= 2.05 Content
      Content-Format: 65087 (application/coral+cbor)
      Payload:
      [
        [1, cri'coap://[2001:db8::ab]/manage'],
        [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp1',
          [
            [2, simple(6) / item 6 for linkformat:rt /,
                6(-200) / item 415 for cri'http://www.iana.org/assignments
                                          /linkformat/rt/core.osc.gconf' /]
          ]
        ],
        [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp2',
          [
            [2, simple(6) / item 6 for linkformat:rt /,
                6(-200) / item 415 for cri'http://www.iana.org/assignments
                                          /linkformat/rt/core.osc.gconf' /]
          ]
        ],
        [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp3',
          [
            [2, simple(6) / item 6 for linkformat:rt /,
                6(-200) / item 415 for cri'http://www.iana.org/assignments
                                          /linkformat/rt/core.osc.gconf' /]
          ]
        ]
      ]
This operation MUST be supported by the Group Manager and MAY be supported by an Administrator.

The Administrator can send a FETCH request to the group-collection resource, in order to retrieve a list of the existing OSCORE groups that fully match a set of specified filter criteria.

The same as defined in Section 6.2 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following differences.

An example of message exchange is shown below.

   => 0.05 FETCH
      Uri-Path: manage
      Content-Format: 65087 (application/coral+cbor)
      Payload:
      [
        [2, 6(27) / item 70 for core.osc.gconf:group_mode /, true],
        [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
        [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5]
      ]

   <= 2.05 Content
      Content-Format: 65087 (application/coral+cbor)
      Payload:
      [
        [1, cri'coap://[2001:db8::ab]/manage'],
        [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp1',
          [
            [2, simple(6) / item 6 for linkformat:rt /,
                6(-200) / item 415 for cri'http://www.iana.org/assignments
                                          /linkformat/rt/core.osc.gconf' /]
          ]
        ],
        [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp2',
          [
            [2, simple(6) / item 6 for linkformat:rt /,
                6(-200) / item 415 for cri'http://www.iana.org/assignments
                                          /linkformat/rt/core.osc.gconf' /]
          ]
        ],
        [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp3',
          [
            [2, simple(6) / item 6 for linkformat:rt /,
                6(-200) / item 415 for cri'http://www.iana.org/assignments
                                          /linkformat/rt/core.osc.gconf' /]
          ]
        ]
      ]
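The following Python is an added example, not code from this draft or from any ACE implementation. It serializes the FETCH request payload above into the bytes that actually go on the wire and decodes them back, using a minimal CBOR encoder/decoder and the Packed CBOR rules for shared-item references: simple(n) denotes item n for n up to 15, and tag 6(N) denotes item 16+2N for N >= 0 or 17+2(-1-N) for N < 0, which is how the "item N for ..." comments in the examples are derived (6(17) is item 50, 6(-200) is item 415). The predicate table is a partial reconstruction from those comments, since Appendix A is not reproduced on this page; the CRI-valued link targets of the responses are not covered.

```python
# Added example, not code from the draft: a dependency-free CBOR encoder/decoder for
# the subset these examples need, plus the Packed CBOR shared-item reference rules.
from typing import NamedTuple

class Simple(NamedTuple):     # CBOR simple value, e.g. simple(6)
    value: int

class Tag(NamedTuple):        # CBOR tag with its content, e.g. 6(17)
    number: int
    content: object

def ref_to_index(ref):
    """Shared-item reference -> item index (draft-ietf-cbor-packed, Section 2.2):
    simple(n) is item n (n <= 15); 6(N) is item 16+2N if N >= 0, else 17+2(-1-N)."""
    if isinstance(ref, Simple) and 0 <= ref.value <= 15:
        return ref.value
    if isinstance(ref, Tag) and ref.number == 6 and isinstance(ref.content, int):
        return 16 + 2 * ref.content if ref.content >= 0 else 17 + 2 * (-1 - ref.content)
    raise ValueError("not a shared-item reference: %r" % (ref,))

def index_to_ref(i):
    """Inverse of ref_to_index: 50 -> 6(17), 71 -> 6(-28), 415 -> 6(-200)."""
    if i < 16:
        return Simple(i)
    return Tag(6, (i - 16) // 2) if i % 2 == 0 else Tag(6, -1 - (i - 16) // 2)

ARG_SIZES = {24: 1, 25: 2, 26: 4, 27: 8}   # additional-info value -> argument bytes

def _head(major, arg):
    """Initial byte plus shortest argument encoding (RFC 8949, Section 3)."""
    if arg < 24:
        return bytes([major << 5 | arg])
    info = next(k for k, n in ARG_SIZES.items() if arg < 1 << (8 * n))
    return bytes([major << 5 | info]) + arg.to_bytes(ARG_SIZES[info], "big")

def encode(x):
    if x is True or x is False or x is None:
        return bytes([{True: 0xF5, False: 0xF4, None: 0xF6}[x]])
    if isinstance(x, Simple):                 # simple values 0..23 or 32..255
        return _head(7, x.value)
    if isinstance(x, int):
        return _head(0, x) if x >= 0 else _head(1, -1 - x)
    if isinstance(x, str):
        return _head(3, len(x.encode())) + x.encode()
    if isinstance(x, list):
        return _head(4, len(x)) + b"".join(encode(e) for e in x)
    if isinstance(x, Tag):
        return _head(6, x.number) + encode(x.content)
    raise TypeError("unsupported item: %r" % (x,))

def _decode(b, i):
    major, info = b[i] >> 5, b[i] & 0x1F
    size = 0 if info < 24 else ARG_SIZES[info]    # KeyError: reserved/indefinite length
    arg = info if info < 24 else int.from_bytes(b[i + 1:i + 1 + size], "big")
    i += 1 + size
    if major == 0:
        return arg, i
    if major == 1:
        return -1 - arg, i
    if major == 3:
        return b[i:i + arg].decode(), i + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, i = _decode(b, i)
            items.append(item)
        return items, i
    if major == 6:
        content, i = _decode(b, i)
        return Tag(arg, content), i
    if major == 7 and info <= 24:                 # simple value; 25..27 would be a float
        return {20: False, 21: True, 22: None}.get(arg, Simple(arg)), i
    raise ValueError("unsupported item: major type %d, info %d" % (major, info))

def decode(data):
    item, end = _decode(data, 0)
    if end != len(data): raise ValueError("trailing bytes after the CBOR item")
    return item

# Partial predicate table, reconstructed from the "item N for ..." comments in this
# document's examples (Appendix A holds the full tables). Both peers must use the
# same table: a mismatch silently changes what a reference means, with no error.
PREDICATES = {6: "linkformat:rt", 50: "core.osc.gcoll:item", 68: "core.osc.gconf:hkdf",
              70: "core.osc.gconf:group_mode", 71: "core.osc.gconf:gp_enc_alg"}
PREDICATE_INDEX = {name: i for i, name in PREDICATES.items()}

def pack_links(links):
    """(predicate CURIE, target) pairs -> top-level link elements [2, predicate, target]."""
    return [[2, index_to_ref(PREDICATE_INDEX[p]), t] for p, t in links]

def unpack_links(doc):
    """Inverse of pack_links; assumes a document of plain top-level link elements."""
    return [(PREDICATES[ref_to_index(el[1])], el[2]) for el in doc]

FETCH_FILTER = [("core.osc.gconf:group_mode", True),   # the request payload above
                ("core.osc.gconf:gp_enc_alg", 10),
                ("core.osc.gconf:hkdf", 5)]

def fetch_request_bytes():
    """Wire form of FETCH_FILTER: 19 bytes, 838302c6181bf58302c6381b0a8302c6181a05."""
    return encode(pack_links(FETCH_FILTER))
```

Each packed predicate costs three bytes (c6 18 1b, c6 38 1b, c6 18 1a) and the whole filter fits in 19 bytes. The bytes carry no indication of which table they refer to: a Group Manager and an Administrator that disagree on the shared item tables decode the same payload as different predicates without any parsing error, so the tables have to be fixed by the specification (Appendix A) rather than negotiated from the payload.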
This operation MUST be supported by the Group Manager and an Administrator.

The Administrator can send a POST request to the group-collection resource, in order to create a new OSCORE group at the Group Manager.

The same as defined in Section 6.3 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following differences.

An example of message exchange is shown below.

   => 0.02 POST
      Uri-Path: manage
      Content-Format: 65087 (application/coral+cbor)
      Payload:
      [
        [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
        [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5],
        [2, 6(-31) / item 77 for core.osc.gconf:pairwise_mode /, true],
        [2, 6(-36) / item 87 for core.osc.gconf:active /, true],
        [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
        [2, 6(-37) / item 89 for core.osc.gconf:group_title /, "rooms 1 and 2"],
        [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 1"],
        [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 2"],
        [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
            cri'coap://as.example.com/token']
      ]

   <= 2.01 Created
      Location-Path: manage
      Location-Path: gp4
      Content-Format: 65087 (application/coral+cbor)
      Payload:
      [
        [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
        [2, 6(-41) / item 97 for core.osc.gconf:joining_uri /,
            cri'coap://[2001:db8::ab]/ace-group/gp4/'],
        [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
            cri'coap://as.example.com/token']
      ]
This operation MUST be supported by the Group Manager and an Administrator.

The Administrator can send a GET request to the group-configuration resource manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to retrieve the complete current configuration of that group.

The same as defined in Section 6.4 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following differences.

An example of message exchange is shown below.

   => 0.01 GET
      Uri-Path: manage
      Uri-Path: gp4

   <= 2.05 Content
      Content-Format: 65087 (application/coral+cbor)
      Payload:
      [
        [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5],
        [2, 6(-27) / item 69 for core.osc.gconf:cred_fmt /, 33],
        [2, 6(27) / item 70 for core.osc.gconf:group_mode /, true],
        [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
        [2, 6(28) / item 72 for core.osc.gconf:sign_alg /, -8],
        [2, 6(29) / item 74 for core.osc.gconf:sign_params.alg_capab.key_type /, 1],
        [2, 6(-30) / item 75 for core.osc.gconf:sign_params.key_type_capab.key_type /, 1],
        [2, 6(30) / item 76 for core.osc.gconf:sign_params.key_type_capab.curve /, 6],
        [2, 6(-31) / item 77 for core.osc.gconf:pairwise_mode /, true],
        [2, 6(31) / item 78 for core.osc.gconf:alg /, 10],
        [2, 6(-32) / item 79 for core.osc.gconf:ecdh_alg /, -27],
        [2, 6(-33) / item 81 for core.osc.gconf:ecdh_params.alg_capab.key_type /, 1],
        [2, 6(33) / item 82 for core.osc.gconf:ecdh_params.key_type_capab.key_type /, 1],
        [2, 6(-34) / item 83 for core.osc.gconf:ecdh_params.key_type_capab.curve /, 6],
        [2, 6(34) / item 84 for core.osc.gconf:det_req /, false],
        [2, 6(35) / item 86 for core.osc.gconf:rt /, "core.osc.gconf"],
        [2, 6(-36) / item 87 for core.osc.gconf:active /, true],
        [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
        [2, 6(-37) / item 89 for core.osc.gconf:group_title /, "rooms 1 and 2"],
        [2, 6(37) / item 90 for core.osc.gconf:ace_groupcomm_profile /,
            "coap_group_oscore_app"],
        [2, 6(-38) / item 91 for core.osc.gconf:max_stale_sets /, 3],
        [2, 6(38) / item 92 for core.osc.gconf:exp /, 1360289224],
        [2, 6(-39) / item 93 for core.osc.gconf:gid_reuse /, false],
        [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 1"],
        [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 2"],
        [2, 6(-41) / item 97 for core.osc.gconf:joining_uri /,
            cri'coap://[2001:db8::ab]/ace-group/gp4/'],
        [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
            cri'coap://as.example.com/token']
      ]
This operation MUST be supported by the Group Manager and MAY be supported by an Administrator.

The Administrator can send a FETCH request to the group-configuration resource manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to retrieve part of the current configuration of that group.

The same as defined in Section 6.5 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following differences.

The response payload includes the requested configuration parameters and status parameters, and is formatted as in the response payload of a GET request to a group-configuration resource (see Section 6.4).

If the request payload specifies a parameter that is not included in the group configuration, then the response payload MUST NOT include a corresponding link element.

An example of message exchange is shown below.

   => 0.05 FETCH
      Uri-Path: manage
      Uri-Path: gp4
      Content-Format: 65087 (application/coral+cbor)
      Payload:
      [
        [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, null],
        [2, 6(26) / item 68 for core.osc.gconf:hkdf /, null],
        [2, 6(-31) / item 77 for core.osc.gconf:pairwise_mode /, null],
        [2, 6(-36) / item 87 for core.osc.gconf:active /, null],
        [2, 6(-37) / item 89 for core.osc.gconf:group_title /, null],
        [2, 6(41) / item 98 for core.osc.gconf:app_groups /, null]
      ]

   <= 2.05 Content
      Content-Format: 65087 (application/coral+cbor)
      Payload:
      [
        [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
        [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5],
        [2, 6(-31) / item 77 for core.osc.gconf:pairwise_mode /, true],
        [2, 6(-36) / item 87 for core.osc.gconf:active /, true],
        [2, 6(-37) / item 89 for core.osc.gconf:group_title /, "rooms 1 and 2"],
        [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 1"],
        [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 2"]
      ]
This operation MAY be supported by the Group Manager and an Administrator.

The Administrator can send a PUT request to the group-configuration resource manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to overwrite the current configuration of that group with a new one.

The same as defined in Section 6.6 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following difference.

An example of message exchange is shown below.

   => 0.03 PUT
      Uri-Path: manage
      Uri-Path: gp4
      Content-Format: 65087 (application/coral+cbor)
      Payload:
      [
        [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 11],
        [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5]
      ]

   <= 2.04 Changed
      Content-Format: 65087 (application/coral+cbor)
      Payload:
      [
        [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
        [2, 6(-41) / item 97 for core.osc.gconf:joining_uri /,
            cri'coap://[2001:db8::ab]/ace-group/gp4/'],
        [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
            cri'coap://as.example.com/token']
      ]

The same as defined in Section 6.6.1 of [I-D.ietf-ace-oscore-gm-admin] holds.

The same as defined in Section 6.6.2 of [I-D.ietf-ace-oscore-gm-admin] holds.
This operation MAY be supported by the Group Manager and an Administrator.

The Administrator can send a PATCH/iPATCH request [RFC8132] to the group-configuration resource manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to update the value of only part of the group configuration.

The same as defined in Section 6.7 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following differences.

If the request payload specifies names of application groups to be removed from or added to the 'app_groups' status parameter, then such names are specified by means of the top-level link elements 'app_group_del' (one per name to remove) and 'app_group_add' (one per name to add), as in the example below.

The Group Manager MUST respond with a 4.00 (Bad Request) response, in case the request payload includes both any 'app_group' link element as well as any 'app_group_del' and/or 'app_group_add' link element.

When updating the 'app_groups' status parameter by difference, the Group Manager:

An example of message exchange is shown below. The group has the application groups "room 1" and "room 2" from its creation (see Section 6.3); the request removes "room 1" and adds "room 3" and "room 4".

   => 0.06 PATCH
      Uri-Path: manage
      Uri-Path: gp4
      Content-Format: 65087 (application/coral+cbor)
      Payload:
      [
        [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
        [2, 6(-40) / item 95 for core.osc.gconf:app_group_del /, "room 1"],
        [2, 6(40) / item 96 for core.osc.gconf:app_group_add /, "room 3"],
        [2, 6(40) / item 96 for core.osc.gconf:app_group_add /, "room 4"]
      ]

   <= 2.04 Changed
      Content-Format: 65087 (application/coral+cbor)
      Payload:
      [
        [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
        [2, 6(-41) / item 97 for core.osc.gconf:joining_uri /,
            cri'coap://[2001:db8::ab]/ace-group/gp4/'],
        [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
            cri'coap://as.example.com/token']
      ]
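The following Python is an added example, not code from this draft or from any Group Manager implementation. It shows how a Group Manager can apply the 'app_groups' rules above to an already-decoded PATCH payload: a request that mixes 'app_group' with 'app_group_del' or 'app_group_add' is rejected with 4.00 (Bad Request); otherwise the list is updated by difference. The replacement semantics of a request carrying only 'app_group' elements, the delete-before-add ordering, and the silent handling of names that are absent (for deletion) or already present (for addition) are assumptions of this example, not rules stated on this page. The input is constructed from the exchange above, with the group holding the application groups "room 1" and "room 2" created in the POST example.

```python
# Added example, not code from the draft: how a Group Manager can apply the
# 'app_groups' rules of a PATCH request once the CoRAL payload is decoded.
APP_GROUP = "core.osc.gconf:app_group"
APP_GROUP_DEL = "core.osc.gconf:app_group_del"
APP_GROUP_ADD = "core.osc.gconf:app_group_add"

class BadRequest(Exception):
    """Signals that the Group Manager must answer 4.00 (Bad Request)."""

def patch_app_groups(current, links):
    """Return the new 'app_groups' list for a group whose current list is
    `current`, given the request's top-level link elements as (predicate,
    target) pairs. Rule from this document: 'app_group' elements MUST NOT be
    combined with 'app_group_del' or 'app_group_add' (4.00). Assumptions of
    this example, not stated in the document: a request with only 'app_group'
    elements replaces the whole list; by-difference updates remove first and
    then add; names absent from the list (for del) or already present (for
    add) are ignored rather than rejected."""
    full = [t for p, t in links if p == APP_GROUP]
    dels = [t for p, t in links if p == APP_GROUP_DEL]
    adds = [t for p, t in links if p == APP_GROUP_ADD]
    if full and (dels or adds):
        raise BadRequest("'app_group' cannot be combined with "
                         "'app_group_del' or 'app_group_add'")
    for name in full + dels + adds:
        if not isinstance(name, str) or not name:
            raise BadRequest("application group names must be non-empty text")
    if full:                              # replacement: order kept, duplicates dropped
        return list(dict.fromkeys(full))
    removed = set(dels)
    result = [n for n in current if n not in removed]
    for name in adds:
        if name not in result:
            result.append(name)
    return result

def rejects(current, links):
    """True if the request would be answered with 4.00 (Bad Request)."""
    try:
        patch_app_groups(current, links)
        return False
    except BadRequest:
        return True

# Constructed input matching the exchange above: the group created in the POST
# example holds "room 1" and "room 2"; the request removes "room 1" and adds
# "room 3" and "room 4". The gp_enc_alg element is not an app_groups update and
# is left to the rest of the PATCH handling.
CURRENT_APP_GROUPS = ["room 1", "room 2"]
PATCH_LINKS = [("core.osc.gconf:gp_enc_alg", 10),
               (APP_GROUP_DEL, "room 1"),
               (APP_GROUP_ADD, "room 3"),
               (APP_GROUP_ADD, "room 4")]

def run_example():
    return patch_app_groups(CURRENT_APP_GROUPS, PATCH_LINKS)   # ["room 2", "room 3", "room 4"]
```

The mixed-form check runs before any state is touched, so a rejected request leaves 'app_groups' unchanged; that ordering matters because a 4.00 response tells the Administrator nothing was applied.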
The same as defined in Section 6.7.1 of [I-D.ietf-ace-oscore-gm-admin] holds.

The same as defined in Section 6.7.2 of [I-D.ietf-ace-oscore-gm-admin] holds.
This operation MUST be supported by the Group Manager and an Administrator.

The Administrator can send a DELETE request to the group-configuration resource manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to delete that OSCORE group.

The same as defined in Section 6.8 of [I-D.ietf-ace-oscore-gm-admin] holds.

The same as defined in Section 6.8.1 of [I-D.ietf-ace-oscore-gm-admin] holds.

Consistently with Section 7 of [I-D.ietf-ace-oscore-gm-admin], the following holds for the Group Manager.

It MUST support the top-level link elements 'error', 'error_description', 'ace_groupcomm_profile', 'exp', and 'group_policies' corresponding to the ACE Groupcomm Parameters defined in Section 8 of [I-D.ietf-ace-key-groupcomm].

This is consistent with what is defined in Section 8 of [I-D.ietf-ace-key-groupcomm] for the Key Distribution Center, of which the Group Manager defined in [I-D.ietf-ace-key-groupcomm-oscore] is a specific instance.

The following holds for an Administrator.

It MUST support the top-level link elements corresponding to all the parameters listed in Section 7 of [I-D.ietf-ace-oscore-gm-admin], with the following exceptions.

If the Group Manager sends an error response including the link element 'error', this can specify any of the values defined in Section 8 of [I-D.ietf-ace-oscore-gm-admin].

The same guidelines in Section 8 of [I-D.ietf-ace-oscore-gm-admin] for the Administrator to handle such error identifiers hold.
Security considerations are inherited from the AC framework for Authentication and Authorization [RFC9200], and from the specific transport profile of ACE used between the Administrator and the Group Manager, such as [RFC9202] and [RFC9203].

The same security considerations from [I-D.ietf-ace-key-groupcomm] and [I-D.ietf-ace-key-groupcomm-oscore] also apply, with particular reference to the process of rekeying OSCORE groups.

The same security considerations from [I-D.ietf-ace-oscore-gm-admin] also apply, as do the security considerations for CoRAL [I-D.ietf-core-coral] and Packed CBOR [I-D.ietf-cbor-packed].
This document has no actions for IANA.

This appendix defines the two shared item tables that the examples in this document refer to for using Packed CBOR [I-D.ietf-cbor-packed].

The notation cri'' introduced in [I-D.ietf-cbor-edn-literals] is used to represent CRIs [I-D.ietf-core-href].

The following shared item table is used for compressing CoRAL predicates, as per Section 2.2 of [I-D.ietf-cbor-packed].

The following shared item table is used for compressing values of the rt= target attribute, as per Section 2.2 of [I-D.ietf-cbor-packed].

RFC EDITOR: PLEASE REMOVE THIS SECTION.

Most of the content in this document was originally specified in draft-ietf-ace-oscore-gm-admin, which is also co-authored by Peter van der Stok and Francesca Palombini, and to which Klaus Hartke contributed the initial definition of the resource model and interactions using CoRAL.

The authors sincerely thank Christian Amsüss, Carsten Bormann, and Jim Schaad for their comments and feedback. The work on this document has been partly supported by VINNOVA and the Celtic-Next project CRITISEC, and by the H2020 project SIFIS-Home (Grant agreement 952652).