Minutes IETF109: ace
Authentication and Authorization for Constrained Environments
# IETF 109 ACE Meeting
WEDNESDAY, November 18, 2020 12:00-14:00
* agenda bashing 10 min Daniel
* document status update
  * dtls-authorize, oauth-authz, oauth-params are waiting to be sent to the IESG
  * OSCORE profile had WGLC but needs some more reviews; Christian and Marco offer to review
  * aif needs more reviews
  * mqtt-tls-profile being updated after WGLC
  * pubsub-profile needs to add MQTT; Francesca will coordinate with Cigdem
* groupcom drafts:
10 min Francesca
Issue with scope: how does the KDC know the format of the scope? Candidate
solutions:
1. Prefix with a byte agreed between RS and AS; if the same scope is reused, it needs to sync with the AS.
2. Register a CBOR tag, one for each application profile (currently only one).
3. Register a new Token claim.
Discussion: Do we need to add something inband to disambiguate, or can we agree out of band?
Ben: It seems we need to add something inband; a CBOR Tag seems architecturally "cleaner", but does not say anything about implementation.
Carsten: need to think more. 1-byte CBOR tag registration is restricted.
Francesca brings this to the list.
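Added illustration (not from the minutes or any ACE draft) of candidate solutions 1 and 2 from a KDC's point of view: the KDC receives scope bytes and must decide which application-profile format they carry. The tag number, the prefix byte and the profile names are constructed placeholders, not registered values; the CBOR encoding follows RFC 8949's head-byte layout.

```python
import struct

HYPOTHETICAL_TAG = 0xDEAD  # placeholder; a real profile would register a tag with IANA
PREFIX_BYTE = 0x01         # placeholder byte agreed out of band between RS and AS


def _cbor_head(major, arg):
    """Encode a CBOR initial byte plus its argument (RFC 8949, section 3)."""
    if arg < 24:
        return bytes([(major << 5) | arg])
    if arg < 0x100:
        return bytes([(major << 5) | 24, arg])
    if arg < 0x10000:
        return bytes([(major << 5) | 25]) + struct.pack(">H", arg)
    return bytes([(major << 5) | 26]) + struct.pack(">I", arg)


def _decode_head(buf):
    """Return (major type, argument, bytes consumed) for the head at buf[0]."""
    major, info = buf[0] >> 5, buf[0] & 0x1F
    if info < 24:
        return major, info, 1
    if info == 24:
        return major, buf[1], 2
    if info == 25:
        return major, struct.unpack(">H", buf[1:3])[0], 3
    if info == 26:
        return major, struct.unpack(">I", buf[1:5])[0], 5
    raise ValueError("unsupported CBOR argument encoding")


def scope_with_prefix(raw):
    """Candidate 1: out-of-band agreed byte in front of the raw scope."""
    return bytes([PREFIX_BYTE]) + raw


def scope_with_tag(raw):
    """Candidate 2: self-describing CBOR tag (major type 6) around a byte string."""
    return _cbor_head(6, HYPOTHETICAL_TAG) + _cbor_head(2, len(raw)) + raw


def kdc_identify(scope_bytes, tag_registry, prefix_registry):
    """KDC side: recognise a registered tag first; else fall back to the prefix byte."""
    major, arg, n = _decode_head(scope_bytes)
    if major == 6 and arg in tag_registry:
        inner_major, length, m = _decode_head(scope_bytes[n:])
        if inner_major == 2:  # byte string carries the actual scope
            return tag_registry[arg], scope_bytes[n + m:n + m + length]
    if scope_bytes[0] in prefix_registry:
        return prefix_registry[scope_bytes[0]], scope_bytes[1:]
    raise ValueError("unknown scope format")
```

The tagged form is identifiable without any shared state, whereas the prefixed form only works if the KDC already holds the same prefix table as the AS, which is the sync concern raised for candidate 1.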
10 min Marco
10 min Marco
Christian: General question: ACE documents make use of resources starting with
"/", how is the entry point discovered? Preference for a less static method.
Ben: BCP190 allows for fixed strings once the parent is discovered.
* charter 30 min
Discussion of what certificate enrolment work is in scope.
Goeran: coap-est is done; est protected by oscore+edhoc is not done
Merge of paragraphs mentioning EST and CMPv2. No objections from the meeting.
Chair confirms the proposal on the list.
* New topics
10-15 min Marco
ACE profile for resources accessed with Group OSCORE.
Michael Richardson will review
* draft-selander-ace-coap-est-oscore 10 min Goran
Follows draft-ietf-ace-coap-est, but replaces DTLS with OSCORE/EDHOC.
One key feature is that the CoAP/HTTP proxy does not need to do anything
EST-related, and thus does not need to be trusted. Who plans to review? Michael
Richardson has been involved but is not currently listed as an author. Please
provide any additional comments if you have any. Francesca and Michael will
* draft-selander-ace-ake-authz 10 min Goran
Doing authentication, authorization, and certificate enrolment in sequence is
inefficient.
Ben: the authenticator V serves a role similar to a BRSKI join proxy?
Goeran: V is more of a registrar than a proxy.
Michael: the join proxy is on the constrained link; not shown in this figure.
Olle: any implementations?
Goeran: multiple authors have plans; Michael may be able to say more.
Ben: the voucher RFC 8366 is not just a BRSKI thing.
Michael: yes, I am implementing.
10-15 min Marco
Last words from chair on next steps:
* monthly interim meetings going forward
* need to finalize the work in progress before adopting new work
* also need to finalize the rechartering