Skip to main content

Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments (ACE) Framework
draft-ietf-ace-revoked-token-notification-09

Revision differences

Document history

Date Rev. By Action
2024-10-28
09 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2024-10-28
09 (System) IANA Action state changed to Waiting on RFC Editor from In Progress
2024-10-28
09 (System) IANA Action state changed to In Progress from Waiting on Authors
2024-10-25
09 (System) IANA Action state changed to Waiting on Authors from In Progress
2024-10-22
09 (System) RFC Editor state changed to EDIT
2024-10-22
09 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2024-10-22
09 (System) Announcement was received by RFC Editor
2024-10-18
09 (System) IANA Action state changed to In Progress
2024-10-18
09 Cindy Morgan IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2024-10-18
09 Cindy Morgan IESG has approved the document
2024-10-18
09 Cindy Morgan Closed "Approve" ballot
2024-10-18
09 Cindy Morgan Ballot approval text was generated
2024-10-18
09 Paul Wouters document is good to go after a 2nd WGLC to verify the changes based on IESG review
2024-10-18
09 (System) Removed all action holders (IESG state changed)
2024-10-18
09 Paul Wouters IESG state changed to Approved-announcement to be sent from IESG Evaluation::AD Followup
2024-09-28
09 Barry Leiba Closed request for Last Call review by ARTART with state 'Overtaken by Events': Document has finished IESG processing
2024-09-28
09 Barry Leiba Assignment of request for Last Call review by ARTART to Tara Whalen was marked no-response
2024-09-22
09 (System) Changed action holders to Paul Wouters (IESG state changed)
2024-09-22
09 (System) Sub state has been changed to AD Followup from Revised I-D Needed
2024-09-22
09 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2024-09-22
09 Marco Tiloca New version available: draft-ietf-ace-revoked-token-notification-09.txt
2024-09-22
09 Marco Tiloca New version accepted (logged-in submitter: Marco Tiloca)
2024-09-22
09 Marco Tiloca Uploaded new revision
2024-09-09
08 Orie Steele
[Ballot comment]
Thanks to the authors for their detailed response.

https://mailarchive.ietf.org/arch/msg/ace/Zikt4Dg8qwg6mELohY2tZ-bxjsE/

I believe the pull request addresses my discuss, and other comments.

I have left …
[Ballot comment]
Thanks to the authors for their detailed response.

https://mailarchive.ietf.org/arch/msg/ace/Zikt4Dg8qwg6mELohY2tZ-bxjsE/

I believe the pull request addresses my discuss, and other comments.

I have left a few more nits for their consideration, and am switching to no objection.
2024-09-09
08 Orie Steele [Ballot Position Update] Position for Orie Steele has been changed to No Objection from Discuss
2024-08-02
08 Kyle Rose Request for Telechat review by SECDIR Completed: Ready. Reviewer: Kyle Rose. Sent review to list.
2024-07-11
08 (System) Changed action holders to Francesca Palombini, Marco Tiloca, Grace Lewis, Sebastian Echeverria (IESG state changed)
2024-07-11
08 Cindy Morgan IESG state changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation
2024-07-11
08 Zaheduzzaman Sarker
[Ballot comment]
Thanks for working on this specification. Thanks to Joerg Ott for the TSVART review.

My review did not surface transport protocol related issues.However …
[Ballot comment]
Thanks for working on this specification. Thanks to Joerg Ott for the TSVART review.

My review did not surface transport protocol related issues.However - can we define/refer/describe "diff queries" in this document? The meaning might be very obvious to the experts but describing it will improve the readablity of this specification and avoid misconceptions.
2024-07-11
08 Zaheduzzaman Sarker [Ballot Position Update] New position, No Objection, has been recorded for Zaheduzzaman Sarker
2024-07-10
08 Amanda Baber Custom Problem Detail Keys expert has approved the new registration. Passed on editorial note.
2024-07-10
08 Amanda Baber IANA Experts State changed to Expert Reviews OK from Reviews assigned
2024-07-10
08 Amanda Baber IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK
2024-07-10
08 John Scudder [Ballot Position Update] New position, No Objection, has been recorded for John Scudder
2024-07-10
08 Amanda Baber Waiting for experts to approve the Custom Problem Detail Key registration added after last call.
2024-07-10
08 Amanda Baber IANA Review state changed to IANA - Not OK from Version Changed - Review Needed
2024-07-10
08 (System) IANA Review state changed to IANA - Not OK from IANA OK - Actions Needed
2024-07-10
08 Roman Danyliw
[Ballot comment]
Thank you to Dale Worley for the GENART review.

** Section 3.4
  The specifically used hash function MUST be collision-resistant on
  …
[Ballot comment]
Thank you to Dale Worley for the GENART review.

** Section 3.4
  The specifically used hash function MUST be collision-resistant on
  byte-strings, and MUST be selected from the "Named Information Hash
  Algorithm" Registry [Named.Information.Hash.Algorithm].

Is there isn’t any mandatory to implement algorithm, how is interoperability expected?

** Section 6.  I’m having trouble understanding who the “full TRL” download is for.

-- Section 13.1 says “The AS MUST ensure that ... only authorized and    authenticated administrators can retrieve the full TRL (see Section 9).”

-- Section 13.2 cautions:

  If many non-expired access tokens associated with a registered device
  are revoked, the pertaining subset of the TRL could grow to a size
  bigger than what the registered device is prepared to handle upon
  reception of a response from the TRL endpoint, especially if relying
  on a full query of the TRL (see Section 6).


It is there an assumption that administrators are operating on constrained devices to create issues with downloading the full TRL?

** Section 13.3

  In order to avoid this, a requester SHOULD NOT rely solely on the
  CoAP Observe notifications.  In particular, a requester SHOULD also
  regularly poll the AS for the most current information about revoked
  access tokens, by sending GET requests to the TRL endpoint according
  to a related application policy.

Are the requestors going to be constrained devices?  If so, both of these approaches seem problematic for device will limited battery power – either the device needs to stay awake to watch Observe notifications or it needs to poll.

** Section 13.5

  In order to minimize such a risk, if an RS relies solely on polling
  through individual requests to the TRL endpoint to learn of revoked
  access tokens, the RS SHOULD implement an adequate trade-off between
  the polling frequency and the maximum length of the vulnerable time
  window.

As above.  Would an RS ever be constrained because polling would impact the battery life.
2024-07-10
08 Roman Danyliw [Ballot Position Update] New position, No Objection, has been recorded for Roman Danyliw
2024-07-09
08 Warren Kumari
[Ballot comment]
Thank you for writing this document -- I found it an interesting read (well, as much of it as I understood :-)). I …
[Ballot comment]
Thank you for writing this document -- I found it an interesting read (well, as much of it as I understood :-)). I especially liked the Examples section, which helped me a bunch...

Also, much much thanks to Dhruv Dhody for the initial OpsDir review (https://datatracker.ietf.org/doc/review-ietf-ace-revoked-token-notification-06-opsdir-lc-dhody-2024-04-01/), and then the followup "Ready" one (https://datatracker.ietf.org/doc/review-ietf-ace-revoked-token-notification-08-opsdir-telechat-dhody-2024-07-07/)

Much appreciated!
2024-07-09
08 Warren Kumari [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari
2024-07-08
08 Gunter Van de Velde [Ballot Position Update] New position, No Objection, has been recorded for Gunter Van de Velde
2024-07-08
08 Jim Guichard [Ballot Position Update] New position, No Objection, has been recorded for Jim Guichard
2024-07-08
08 Éric Vyncke
[Ballot comment]
Thanks for the work done on this document and thanks as well to Niklas Widell for his IoT directorate review (https://datatracker.ietf.org/doc/review-ietf-ace-revoked-token-notification-08-iotdir-telechat-widell-2024-07-04/), …
[Ballot comment]
Thanks for the work done on this document and thanks as well to Niklas Widell for his IoT directorate review (https://datatracker.ietf.org/doc/review-ietf-ace-revoked-token-notification-08-iotdir-telechat-widell-2024-07-04/), may I suggest to the authors to reply to Niklas' comments ?

Just a nit on this I-D: the text often uses Capitalisation, which is probably not required and is just an eye distraction (e.g., "Client" or "Server") and as noted by Niklas, some acronyms are introduced several times and/or never used.

As a side note, I am unsure whether the whole section 3.1 is useful as it seems to repeat what is specified in other documents.

Also, unsure whether using CBOR only on the TRL when the actual tokens can be CBOR or JSON is a simplification for the RS.

In section 6, is there a specification of an "administrator" in `If the requester is an administrator` ?

Kudos for using SVG graphics ;-)
2024-07-08
08 Éric Vyncke [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke
2024-07-07
08 Dhruv Dhody Request for Telechat review by OPSDIR Completed: Ready. Reviewer: Dhruv Dhody. Sent review to list.
2024-07-06
08 Deb Cooley
[Ballot comment]
Thank you to Kyle Rose for doing the secdir review of this draft.  Also thanks to the authors for the discussions and improvements. …
[Ballot comment]
Thank you to Kyle Rose for doing the secdir review of this draft.  Also thanks to the authors for the discussions and improvements.

I have one last (easy?) question:

Section 13:  I expected to see some discussion on whether it is possible for an attacker to remove a revoked access token from the TRL allowing a registered device with a revoked access token to continue to participate.  Conversely, is it possible for an attacker to add an access token to the TRL, which would deny service to the registered device.  If these situations are not possible, what feature protects the TRL both at the AS and in transit?
2024-07-06
08 Deb Cooley [Ballot Position Update] New position, No Objection, has been recorded for Deb Cooley
2024-07-05
08 Erik Kline [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline
2024-07-04
08 Niklas Widell Request for Telechat review by IOTDIR Completed: Ready with Nits. Reviewer: Niklas Widell. Sent review to list.
2024-07-02
08 Amanda Baber IANA Experts State changed to Reviews assigned from Expert Reviews OK
2024-07-02
08 Carlos Pignataro Request for Telechat review by OPSDIR is assigned to Dhruv Dhody
2024-06-30
08 Francesca Palombini [Ballot Position Update] New position, Recuse, has been recorded for Francesca Palombini
2024-06-28
08 Tero Kivinen Request for Telechat review by SECDIR is assigned to Kyle Rose
2024-06-25
08 Orie Steele
[Ballot discuss]
# Orie Steele, ART AD, comments for draft-ietf-ace-revoked-token-notification-08
CC @OR13

https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-ace-revoked-token-notification-08.txt&submitcheck=True

## Discuss

### token hashes aren't always hashes of tokens

Compression or …
[Ballot discuss]
# Orie Steele, ART AD, comments for draft-ietf-ace-revoked-token-notification-08
CC @OR13

https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-ace-revoked-token-notification-08.txt&submitcheck=True

## Discuss

### token hashes aren't always hashes of tokens

Compression or encoding (inflation for readability) are a separate concern from identifying access tokens by digest.

```
557       Note that BYTES is the binary representation of the access token,
558       irrespective of this being a CWT or a JWT.

560   *  HASH_INPUT_TEXT is the base64url-encoded text string that encodes
561       BYTES.

563   *  HASH_INPUT is the binary representation of HASH_INPUT_TEXT.

```

This also creates a mismatch in what the hash is of:

cbor access_token -> cwt -> base64url -> hash
cbor access_token -> jwt -> base64url -> hash

json access_token -> jwt -> hash
json access_token -> cwt -> base64url -> hash

Why not make hash input always the bytes of the jwt or cwt (no compression, no encoding)?

It seems this might simplify the sections that follow as well.

The general guidance should be that the token hash identifies the bytes that are input to the token verification process.
2024-06-25
08 Orie Steele Ballot discuss text updated for Orie Steele
2024-06-25
08 Orie Steele
[Ballot discuss]
# Orie Steele, ART AD, comments for draft-ietf-ace-revoked-token-notification-08
CC @OR13

https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-ace-revoked-token-notification-08.txt&submitcheck=True

## Discuss

### token hashes aren't always hashes of tokens

The current …
[Ballot discuss]
# Orie Steele, ART AD, comments for draft-ietf-ace-revoked-token-notification-08
CC @OR13

https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-ace-revoked-token-notification-08.txt&submitcheck=True

## Discuss

### token hashes aren't always hashes of tokens

The current guidance uses the word "token hash" to refer to "access_token" (the response parameter), but implementations will need to store and process the decoded result in the case of CWT, and in the case of JWT, the "access_token" is a "json web token", in the case of CWT, the "access_token" is a text encoded cbor web token, and in the case of CBOR conveyance of a JWT, the "access_token" is base64url encoded json web token.

Compression or encoding (inflation for readability) are a separate concern from identifying tokens.

```
557       Note that BYTES is the binary representation of the access token,
558       irrespective of this being a CWT or a JWT.

560   *  HASH_INPUT_TEXT is the base64url-encoded text string that encodes
561       BYTES.

563   *  HASH_INPUT is the binary representation of HASH_INPUT_TEXT.

```

This also creates a mismatch in what the hash is of:

cbor access_token -> cwt -> base64url -> hash
cbor access_token -> jwt -> base64url -> hash

json access_token -> jwt -> hash
json access_token -> cwt -> base64url -> hash

Why not make hash input always the bytes of the jwt or cwt (no compression, no encoding)?

It seems this might simplify the sections that follow as well.

The general guidance should be that the token hash identifies the bytes that are input to the token verification process.
2024-06-25
08 Orie Steele
[Ballot comment]

## Comments

### commented bytes not elided

```
1296           [ h'01fa51cc/...
1297             …
[Ballot comment]

## Comments

### commented bytes not elided

```
1296           [ h'01fa51cc/...
1297               (remainder of the token hash omitted for brevity)/',
1298             h'01748190/...
1299               (remainder of the token hash omitted for brevity)/'
```

It could be just me, but I find this style of EDN confusing.

I prefer to see elision and comments not mixed, and instead see:

```
1296           [ h'01fa51...4819', / elided for brevity /
```


### not a token hash

```
1726   The RS MUST NOT delete the stored token hashes whose corresponding
1727   access tokens do not fulfill both the two conditions above, unless it
1728   becomes necessary due to memory limitations.  In such a case, the RS
1729   MUST delete the earliest stored token hashes first.
```

Related to my discuss point, hashes of encoded or compressed tokens are different than hashes of tokens (as bytes).

I don't think saying token or encoded token hashes whose corresponding access_token ... everywhere would be an improvement.


### cti is the new jti

```
1747   When, due to the stored and corresponding token hash th2, an access
1748   token t2 that includes the 'exi' claim is expunged or is not accepted
1749   upon its upload, the RS retrieves the sequence number sn2 encoded in
1750   the 'cti' claim (see Section 5.10.3 of [RFC9200]).  Then, the RS
1751   stores sn2 as associated with th2.  If expunging or not accepting t2
1752   yields the deletion of th2, then the RS MUST associate sn2 with th2
1753   before continuing with the deletion of th2.
```

Should you comment on jti (and JWT) here?
Does this section only apply to CWT ?

### No reference to JWT BCP?

https://datatracker.ietf.org/doc/html/rfc8725

Consider if the JWT BCP is a useful reference to add to security considerations.

### warn users about mutability

Signatures can have different forms (upper / lower s), unprotected headers can change the token hash, without invalidating the signature.

Some of these techniques could be used to mount resource exhaustian attacks.

### How should unavailability be treated?

```
1862   In order to avoid this, a requester SHOULD NOT rely solely on the
1863   CoAP Observe notifications.  In particular, a requester SHOULD also
1864   regularly poll the AS for the most current information about revoked
1865   access tokens, by sending GET requests to the TRL endpoint according
1866   to a related application policy.
```

If the GET request fails, the client assumes there are no revoked tokens?
2024-06-25
08 Orie Steele [Ballot Position Update] New position, Discuss, has been recorded for Orie Steele
2024-06-25
08 Ines Robles Request for Telechat review by IOTDIR is assigned to Niklas Widell
2024-06-25
08 Éric Vyncke Requested Telechat review by IOTDIR
2024-06-24
08 Jenny Bui Placed on agenda for telechat - 2024-07-11
2024-06-24
08 Paul Wouters Ballot has been issued
2024-06-24
08 Paul Wouters [Ballot Position Update] New position, Yes, has been recorded for Paul Wouters
2024-06-24
08 Paul Wouters Created "Approve" ballot
2024-06-24
08 Paul Wouters IESG state changed to IESG Evaluation from Waiting for AD Go-Ahead::External Party
2024-06-24
08 Paul Wouters Ballot writeup was changed
2024-06-24
08 Marco Tiloca New version available: draft-ietf-ace-revoked-token-notification-08.txt
2024-06-24
08 Marco Tiloca New version accepted (logged-in submitter: Marco Tiloca)
2024-06-24
08 Marco Tiloca Uploaded new revision
2024-05-27
07 Paul Wouters Due to the size difference during AD review and directorate reviews, the WG will do another WGLC on the document first.
2024-05-27
07 Paul Wouters IESG state changed to Waiting for AD Go-Ahead::External Party from Waiting for AD Go-Ahead::AD Followup
2024-05-27
07 (System) Changed action holders to Paul Wouters (IESG state changed)
2024-05-27
07 (System) Sub state has been changed to AD Followup from Revised I-D Needed
2024-05-27
07 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2024-05-27
07 Marco Tiloca New version available: draft-ietf-ace-revoked-token-notification-07.txt
2024-05-27
07 Marco Tiloca New version accepted (logged-in submitter: Marco Tiloca)
2024-05-27
07 Marco Tiloca Uploaded new revision
2024-04-26
06 Paul Wouters
Marco:

While addressing the received IETF Last Call comments, the authors would also like to make a change for using Problem Details (RFC 9290 …
Marco:

While addressing the received IETF Last Call comments, the authors would also like to make a change for using Problem Details (RFC 9290 [1]) as payload format for error responses.

Other than being appropriate per se, the same change:

* has recently happened in draft-ietf-ace-key-groupcomm and draft-ietf-ace-oscore-gm-admin

* has happened in draft-ietf-ace-workflow-and-params as part of updating RFC 9200; and

* is planned for draft-ietf-ace-key-groupcomm-oscore, also consistent and aligned with draft-ietf-ace-key-groupcomm

Absent objections, the authors plan to make this change and use the Problem Details format, when addressing the comments received during the IETF Last Call and producing version -07 of the draft.

(there were no objections, so waiting on revised ID)
2024-04-26
06 (System) Changed action holders to Marco Tiloca, Francesca Palombini, Sebastian Echeverria, Grace Lewis (IESG state changed)
2024-04-26
06 Paul Wouters IESG state changed to Waiting for AD Go-Ahead::Revised I-D Needed from Waiting for AD Go-Ahead
2024-04-08
06 Joerg Ott Request for Last Call review by TSVART Completed: Ready with Nits. Reviewer: Joerg Ott. Sent review to list.
2024-04-05
06 (System) IESG state changed to Waiting for AD Go-Ahead from In Last Call
2024-04-03
06 Dale Worley
Request for Last Call review by GENART Completed: Ready with Issues. Reviewer: Dale Worley. Sent review to list. Submission of review completed at an earlier …
Request for Last Call review by GENART Completed: Ready with Issues. Reviewer: Dale Worley. Sent review to list. Submission of review completed at an earlier date.
2024-04-03
06 Dale Worley Request for Last Call review by GENART Completed: Ready with Issues. Reviewer: Dale Worley.
2024-04-02
06 (System) IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed
2024-04-02
06 David Dong
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-ace-revoked-token-notification-06. If any part of this review is inaccurate, please let us know.

IANA …
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-ace-revoked-token-notification-06. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there are four actions which we must complete.

First, in the application namespace of the Media Types registry located at:

https://www.iana.org/assignments/media-types/

a single new registration will be made as follows:

Name: ace-trl+cbor
Template: [ TBD-at-Registration ]
Reference: [ RFC-to-be ]

Second, in the CoAP Content-Formats registry in the Constrained RESTful Environments (CoRE) Parameters registry group located at:

https://www.iana.org/assignments/core-parameters/

a single new registration will be made as follows:

Content Type: application/ace-trl+cbor
Content Coding:
ID: [ TBD-at-Registration ]
Reference: [ RFC-to-be ]

IANA Comment --> We will allocate the next available number from the 261-270 range.

Third, a new registry is to be created called the ACE Token Revocation List Parameters registry. The new registry will be located in the Authentication and Authorization for Constrained Environments (ACE) registry group located at:

https://www.iana.org/assignments/ace/

The new registry is to be managed via the following rules as defined in RFC8126:

CBOR Values Registration Policy
-------------+-------------------
< -65536 Private Use
-65536 to -257 Specification Required
-256 to 255 Standards Action with Expert Review
256 to 65535 Specification Required

There are initial values to be registered upon creation of the new registry as follows:

| Name | CBOR Value | CBOR Type | Reference |
| full_set | 0 | array | [ RFC-to-be ] |
| diff_set | 1 | array | [ RFC-to-be ] |
| cursor | 2 | unsigned integer / simple value "null" | [ RFC-to-be ] |
| more | 3 | simple value "false" / simple value "true" | [ RFC-to-be ] |
| error | 4 | integer | [ RFC-to-be ] |
| error_description | 5 | text string | [ RFC-to-be ] |

Fourth, a new registry is to be created called the ACE Token Revocation List Errors registry. The new registry will also be located in the Authentication and Authorization for Constrained Environments (ACE) registry group located at:

https://www.iana.org/assignments/ace/

The new registry is to be managed via the following rules as defined in RFC8126:

CBOR Values Registration Policy
-------------+-------------------
< -65536 Private Use
-65536 to -257 Specification Required
-256 to 255 Standards Action with Expert Review
256 to 65535 Specification Required

There are initial values to be registered upon creation of the new registry as follows:

| Value | Description | Reference |
| 0 | Invalid parameter value | [ RFC-to-be ] |
| 1 | Invalid set of parameters | [ RFC-to-be ] |
| 2 | Out of bound cursor value | [ RFC-to-be ] |

We understand that these are the only actions required to be completed upon approval of this document.

NOTE: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist
2024-04-01
06 Dhruv Dhody Request for Last Call review by OPSDIR Completed: Has Issues. Reviewer: Dhruv Dhody. Sent review to list.
2024-04-01
06 Kyle Rose Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Kyle Rose. Sent review to list.
2024-03-30
06 Tero Kivinen Request for Last Call review by SECDIR is assigned to Kyle Rose
2024-03-21
06 Magnus Westerlund Request for Last Call review by TSVART is assigned to Joerg Ott
2024-03-21
06 Yoshifumi Nishida Assignment of request for Last Call review by TSVART to Yoshifumi Nishida was rejected
2024-03-21
06 Carlos Pignataro Request for Last Call review by OPSDIR is assigned to Dhruv Dhody
2024-03-19
06 Jean Mahoney Request for Last Call review by GENART is assigned to Dale Worley
2024-03-19
06 David Dong IANA Experts State changed to Expert Reviews OK from Reviews assigned
2024-03-15
06 Magnus Westerlund Request for Last Call review by TSVART is assigned to Yoshifumi Nishida
2024-03-15
06 Barry Leiba Request for Last Call review by ARTART is assigned to Tara Whalen
2024-03-15
06 David Dong IANA Experts State changed to Reviews assigned
2024-03-14
06 Cindy Morgan IANA Review state changed to IANA - Review Needed
2024-03-14
06 Cindy Morgan
The following Last Call announcement was sent out (ends 2024-04-05):

From: The IESG
To: IETF-Announce
CC: ace-chairs@ietf.org, ace@ietf.org, draft-ietf-ace-revoked-token-notification@ietf.org, goran.selander@ericsson.com, paul.wouters@aiven.io …
The following Last Call announcement was sent out (ends 2024-04-05):

From: The IESG
To: IETF-Announce
CC: ace-chairs@ietf.org, ace@ietf.org, draft-ietf-ace-revoked-token-notification@ietf.org, goran.selander@ericsson.com, paul.wouters@aiven.io
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments (ACE) Framework) to Proposed Standard


The IESG has received a request from the Authentication and Authorization for
Constrained Environments WG (ace) to consider the following document: -
'Notification of Revoked Access Tokens in the Authentication and
  Authorization for Constrained Environments (ACE) Framework'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2024-04-05. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  This document specifies a method of the Authentication and
  Authorization for Constrained Environments (ACE) framework, which
  allows an Authorization Server to notify Clients and Resource Servers
  (i.e., registered devices) about revoked access tokens.  As specified
  in this document, the method allows Clients and Resource Servers to
  access a Token Revocation List on the Authorization Server by using
  the Constrained Application Protocol (CoAP), with the possible
  additional use of resource observation.  Resulting (unsolicited)
  notifications of revoked access tokens complement alternative
  approaches such as token introspection, while not requiring
  additional endpoints on Clients and Resource Servers.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-ace-revoked-token-notification/



No IPR declarations have been submitted directly on this I-D.




2024-03-14
06 Cindy Morgan IESG state changed to In Last Call from Last Call Requested
2024-03-14
06 Cindy Morgan Last call announcement was changed
2024-03-14
06 Paul Wouters Last call was requested
2024-03-14
06 Paul Wouters Ballot approval text was generated
2024-03-14
06 Paul Wouters Ballot writeup was generated
2024-03-14
06 Paul Wouters IESG state changed to Last Call Requested from AD Evaluation
2024-03-14
06 Paul Wouters Last call announcement was generated
2024-03-14
06 Paul Wouters Last call announcement was generated
2024-03-02
06 (System) Changed action holders to Paul Wouters (IESG state changed)
2024-03-02
06 Paul Wouters IESG state changed to AD Evaluation from Publication Requested
2023-06-02
06 Daniel Migault
Here is my shepherd review of draft-ietf-ace-revoked-token-notification.



1. The working group consensus represents a strong concurrence of 7+ individuals with others being silent.



2-3. No …
Here is my shepherd review of draft-ietf-ace-revoked-token-notification.



1. The working group consensus represents a strong concurrence of 7+ individuals with others being silent.



2-3. No controversy / discontent regarding particular points has been recorded.



4.  There is an existing implementation by Marco Rasori, CNR:



https://bitbucket.org/marco-rasori-iit/ace-java/src/ucs/



5. The contents relate to the constrained RESTful cluster of work which covers several working groups, but is essentially a "leaf-draft" which provides a feature for the ACE framework.



6. MIB and YANG seems not relevant. Media type and CoAP content-format review criteria are met.



7. The document does not contain YANG



8. No formal review tools have been used. Two simple examples of CDDL are included.



9. The draft is ready for AD review



10. No areas have identified any issues, area reviews still to come



11. The draft aims to be Proposed Standard, which is the proper type of RFC for this kind of protocol.

The datatracker state attributes correctly reflect this intent.



12. None of the authors of the current version (-05) are aware of any IPR that affects this draft. (Question asked by ACE chair earlier this year.)



13. All authors of the current version (-05) are willing to be listed as an author. (Question asked by ACE chair earlier this year.)



14. No remaining nits were found.



15. Normative and Informative References seems to be correctly attributed.



16. All normative references are freely available to anyone.



17. No normative downward references. All normative references are either BCP, Proposed Standard or Internet Standard.



18. No normative references to documents that are not ready to be submitted to the IESG for publication or otherwise in unclear state.



19. Publication of this document will not change the status of any existing RFCs.



20. IANA considerations



The required IANA assignments are complete and appropriate. The IANA considerations contain two registrations:

- media type for messages defined in this protocol and

- the associated CoAP content format.

and two new registries, listed in the next point.



The required IANA assignments are associated with the appropriate reservations in IANA registries. The referenced IANA registries have been clearly identified. Each newly created IANA registry specifies initial contents,

allocations procedures, and have a reasonable name .



21. The following new IANA registries are requested:



- ACE Token Revocation List Parameters

- ACE Token Revocation List Errors



The instructions to the Designated Expert are clear, but there are seem to be duplicate instructions in bullets 2 and 4:



- 'Specifications are needed for the "Expert Review" range if they are expected to be used outside of closed environments in an interoperable way.  When specifications are not provided, the description provided needs to have sufficient information to identify what the point is being used for.'



- ‘When specifications are not provided for a request where "Expert Review" is the assignment policy, the description provided needs to have sufficient information to verify the code points above.'



Some of the authors should be request to be designated experts.







In summary, with possible exception for the duplicate instructions mentioned in item 21, the document is ready to progress.



Göran
2023-06-02
06 Daniel Migault Responsible AD changed to Paul Wouters
2023-06-02
06 Daniel Migault IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up
2023-06-02
06 Daniel Migault IESG state changed to Publication Requested from I-D Exists
2023-06-02
06 Daniel Migault Document is now in IESG state Publication Requested
2023-06-02
06 Daniel Migault Changed consensus to Yes from Unknown
2023-06-02
06 Daniel Migault Intended Status changed to Proposed Standard from None
2023-06-02
06 Daniel Migault Notification list changed to goran.selander@ericsson.com because the document shepherd was set
2023-06-02
06 Daniel Migault Document shepherd changed to Göran Selander
2023-06-02
06 Daniel Migault
Here is my shepherd review of draft-ietf-ace-revoked-token-notification.



1. The working group consensus represents a strong concurrence of 7+ individuals with others being silent.



2-3. No …
Here is my shepherd review of draft-ietf-ace-revoked-token-notification.



1. The working group consensus represents a strong concurrence of 7+ individuals with others being silent.



2-3. No controversy / discontent regarding particular points has been recorded.



4.  There is an existing implementation by Marco Rasori, CNR:



https://bitbucket.org/marco-rasori-iit/ace-java/src/ucs/



5. The contents relate to the constrained RESTful cluster of work which covers several working groups, but is essentially a "leaf-draft" which provides a feature for the ACE framework.



6. MIB and YANG seems not relevant. Media type and CoAP content-format review criteria are met.



7. The document does not contain YANG



8. No formal review tools have been used. Two simple examples of CDDL are included.



9. The draft is ready for AD review



10. No areas have identified any issues, area reviews still to come



11. The draft aims to be Proposed Standard, which is the proper type of RFC for this kind of protocol.

The datatracker state attributes correctly reflect this intent.



12. None of the authors of the current version (-05) are aware of any IPR that affects this draft. (Question asked by ACE chair earlier this year.)



13. All authors of the current version (-05) are willing to be listed as an author. (Question asked by ACE chair earlier this year.)



14. No remaining nits were found.



15. Normative and Informative References seems to be correctly attributed.



16. All normative references are freely available to anyone.



17. No normative downward references. All normative references are either BCP, Proposed Standard or Internet Standard.



18. No normative references to documents that are not ready to be submitted to the IESG for publication or otherwise in unclear state.



19. Publication of this document will not change the status of any existing RFCs.



20. IANA considerations



The required IANA assignments are complete and appropriate. The IANA considerations contain two registrations:

- media type for messages defined in this protocol and

- the associated CoAP content format.

and two new registries, listed in the next point.



The required IANA assignments are associated with the appropriate reservations in IANA registries. The referenced IANA registries have been clearly identified. Each newly created IANA registry specifies initial contents,

allocations procedures, and have a reasonable name .



21. The following new IANA registries are requested:



- ACE Token Revocation List Parameters

- ACE Token Revocation List Errors



The instructions to the Designated Expert are clear, but there are seem to be duplicate instructions in bullets 2 and 4:



- 'Specifications are needed for the "Expert Review" range if they are expected to be used outside of closed environments in an interoperable way.  When specifications are not provided, the description provided needs to have sufficient information to identify what the point is being used for.'



- ‘When specifications are not provided for a request where "Expert Review" is the assignment policy, the description provided needs to have sufficient information to verify the code points above.'



Some of the authors should be request to be designated experts.







In summary, with possible exception for the duplicate instructions mentioned in item 21, the document is ready to progress.



Göran
2023-06-02
06 Marco Tiloca New version available: draft-ietf-ace-revoked-token-notification-06.txt
2023-06-02
06 Marco Tiloca New version accepted (logged-in submitter: Marco Tiloca)
2023-06-02
06 Marco Tiloca Uploaded new revision
2023-04-20
05 Marco Tiloca New version available: draft-ietf-ace-revoked-token-notification-05.txt
2023-04-20
05 Marco Tiloca New version accepted (logged-in submitter: Marco Tiloca)
2023-04-20
05 Marco Tiloca Uploaded new revision
2023-04-19
04 Daniel Migault IETF WG state changed to WG Consensus: Waiting for Write-Up from WG Document
2023-03-15
04 Mališa Vučinić Added to session: IETF-116: lake  Thu-0030
2023-03-13
04 Marco Tiloca New version available: draft-ietf-ace-revoked-token-notification-04.txt
2023-03-13
04 Marco Tiloca New version accepted (logged-in submitter: Marco Tiloca)
2023-03-13
04 Marco Tiloca Uploaded new revision
2022-10-24
03 Marco Tiloca New version available: draft-ietf-ace-revoked-token-notification-03.txt
2022-10-24
03 (System) New version approved
2022-10-24
03 (System) Request for posting confirmation emailed to previous authors: Francesca Palombini , Grace Lewis , Ludwig Seitz , Marco Tiloca , Sebastian Echeverria
2022-10-24
03 Marco Tiloca Uploaded new revision
2022-07-11
02 Marco Tiloca New version available: draft-ietf-ace-revoked-token-notification-02.txt
2022-07-11
02 Marco Tiloca New version accepted (logged-in submitter: Marco Tiloca)
2022-07-11
02 Marco Tiloca Uploaded new revision
2022-03-07
01 Marco Tiloca New version available: draft-ietf-ace-revoked-token-notification-01.txt
2022-03-07
01 (System) New version accepted (logged-in submitter: Marco Tiloca)
2022-03-07
01 Marco Tiloca Uploaded new revision
2021-11-26
00 Daniel Migault This document now replaces draft-tiloca-ace-revoked-token-notification instead of None
2021-11-26
00 Marco Tiloca New version available: draft-ietf-ace-revoked-token-notification-00.txt
2021-11-26
00 (System) WG -00 approved
2021-11-26
00 Marco Tiloca Set submitter to "Marco Tiloca ", replaces to draft-tiloca-ace-revoked-token-notification and sent approval email to group chairs: ace-chairs@ietf.org
2021-11-26
00 Marco Tiloca Uploaded new revision