From 242df5548e34416666cc6a6d801f258dc13ec511 Mon Sep 17 00:00:00 2001 From: crimson Date: Fri, 6 Oct 2023 09:47:22 +0200 Subject: [PATCH 01/14] Acknowledgments --- draft-ietf-core-oscore-edhoc.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index d42883c..bf74e39 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -156,7 +156,8 @@ OSCORE Sec Ctx | | | ~~~~~~~~~~~~~~~~~ {: #fig-non-combined title="EDHOC and OSCORE run sequentially. -
The optional message_4 is included in this example, without which that message needs no payload." artwork-align="center"} + +The optional message_4 is included in this example, without which that message needs no payload." artwork-align="center"} As shown in {{fig-non-combined}}, this purely-sequential flow where EDHOC is run first and then OSCORE is used takes three round trips to complete. @@ -229,7 +230,8 @@ The EDHOC Option has the properties summarized in {{fig-edhoc-option}}, which ex | No. | C | U | N | R | Name | Format | Length | Default | | TBD21 | x | | | | EDHOC | Empty | 0 | (none) | {: #fig-edhoc-option title="The EDHOC Option. -
C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable" align="center"} + +C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable" align="center"} Note to RFC Editor: Following the registration of the CoAP Option Number 21 as per {{iana-coap-options}}, please replace "TBD21" with "21" in the figure above. Then, please delete this paragraph. @@ -707,6 +709,6 @@ Expert reviewers should take into consideration the following points: # Acknowledgments {:numbered="false"} -The authors sincerely thank {{{Christian Amsüss}}}, {{{Carsten Bormann}}}, {{{Esko Dijk}}}, {{{Klaus Hartke}}}, {{{John Preuß Mattsson}}}, {{{David Navarro}}}, {{{Jim Schaad}}}, and {{{Mališa Vučinić}}} for their feedback and comments. +The authors sincerely thank {{{Christian Amsüss}}}, {{{Carsten Bormann}}}, {{{Esko Dijk}}}, {{{Klaus Hartke}}}, {{{John Preuß Mattsson}}}, {{{David Navarro}}}, {{{Jim Schaad}}}, {{{Mališa Vučinić}}}, and {{{Paul Wouters}}} for their feedback and comments. The work on this document has been partly supported by VINNOVA and the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home (Grant agreement 952652). From 1b831b64e0140e4e312701d6766bbb9784c101ab Mon Sep 17 00:00:00 2001 From: crimson Date: Fri, 6 Oct 2023 09:56:32 +0200 Subject: [PATCH 02/14] Editorial: EDHOC Option number denoted as "21" instead of "TBD21". --- draft-ietf-core-oscore-edhoc.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index bf74e39..e60a32f 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -227,15 +227,13 @@ This section defines the EDHOC Option. The option is used in a CoAP request, to The EDHOC Option has the properties summarized in {{fig-edhoc-option}}, which extends Table 4 of {{RFC7252}}. The option is Critical, Safe-to-Forward, and part of the Cache-Key. The option MUST occur at most once and MUST be empty. If any value is sent, the recipient MUST ignore it. (Future documents may update the definition of the option, by expanding its semantics and specifying admitted values.) The option is intended only for CoAP requests and is of Class U for OSCORE {{RFC8613}}. -| No. | C | U | N | R | Name | Format | Length | Default | -| TBD21 | x | | | | EDHOC | Empty | 0 | (none) | +| No. | C | U | N | R | Name | Format | Length | Default | +| 21 | x | | | | EDHOC | Empty | 0 | (none) | {: #fig-edhoc-option title="The EDHOC Option. C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable" align="center"} -Note to RFC Editor: Following the registration of the CoAP Option Number 21 as per {{iana-coap-options}}, please replace "TBD21" with "21" in the figure above. Then, please delete this paragraph. - The presence of this option means that the message payload also contains EDHOC data, which must be extracted and processed as defined in {{server-processing}}, before the rest of the message can be processed. {{fig-edhoc-opt}} shows an example of a CoAP message transported over UDP and containing both the EDHOC data and the OSCORE ciphertext, using the newly defined EDHOC option for signalling. @@ -502,10 +500,10 @@ Note to RFC Editor: Please replace all occurrences of "{{&SELF}}" with the RFC n IANA is asked to enter the following option number to the "CoAP Option Numbers" registry within the "CoRE Parameters" registry group. | Number | Name | Reference | -| TBD21 | EDHOC | [RFC-XXXX] | +| 21 | EDHOC | [RFC-XXXX] | {: align="center" title="Registrations in CoAP Option Numbers Registry"} -Note to RFC Editor: Following the registration of the CoAP Option Number 21, please replace "TBD21" with "21" in the table above. Then, please delete this paragraph and all the following text within the present {{iana-coap-options}}. +Note to RFC Editor: Please delete this paragraph and all the following text within the present {{iana-coap-options}}. \[ @@ -515,7 +513,7 @@ The CoAP option number 21 is consistent with the properties of the EDHOC Option * Since the OSCORE Option with option number 9 is always present in the EDHOC + OSCORE request, the EDHOC Option is encoded with a delta equal to at most 12. -Therefore, this document suggests 21 (TBD21) as option number to be assigned to the new EDHOC Option. Although the currently unassigned option number 13 would also work well for the same reasons in the use case in question, different use cases or protocols may make a better use of the option number 13. Hence the preference for the option number 21, and why it is _not_ necessary to register additional option numbers than 21. +Although the currently unassigned option number 13 would also work well for the same reasons in the use case in question, different use cases or protocols may make a better use of the option number 13. Hence the preference for the option number 21, and why it is _not_ necessary to register additional option numbers than 21. \] @@ -582,6 +580,10 @@ Expert reviewers should take into consideration the following points: # Document Updates # {#sec-document-updates} {:removeinrfc} +## Version -08 to -09 ## {#sec-08-09} + +* Editorial: EDHOC Option number denoted as "21" instead of "TBD21". + ## Version -07 to -08 ## {#sec-07-08} * Fixes and clarifications from the Shepherd's review. From 1b42f87b48fa7b081adc07052878c602ee5c45de Mon Sep 17 00:00:00 2001 From: crimson Date: Fri, 6 Oct 2023 10:05:04 +0200 Subject: [PATCH 03/14] Improved description of entries for the new IANA registry --- draft-ietf-core-oscore-edhoc.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index e60a32f..06fa65c 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -555,8 +555,8 @@ The columns of this registry are: Initial entries in this registry are as listed in {{pre-reg}}. | Value | Description | Reference | -| 0 | CBOR Web Token (CWT) containing a COSE_Key in a 'cnf' claim | [RFC8392] | -| 1 | CWT Claims Set (CCS) containing a COSE_Key in a 'cnf' claim | [RFC8392] | +| 0 | CBOR Web Token (CWT) containing a COSE_Key in a 'cnf' claim and possibly other claims. CWT is defined in RFC 8392. | [RFC8392] | +| 1 | CWT Claims Set (CCS) containing a COSE_Key in a 'cnf' claim and possibly other claims. CCS is defined in RFC 8392. | [RFC8392] | | 2 | X.509 certificate | [RFC5280] | | 3 | C509 certificate | [I-D.ietf-cose-cbor-encoded-cert] | {: #pre-reg title="Initial Entries in the \"EDHOC Authentication Credential Types\" Registry" align="center"} @@ -582,6 +582,8 @@ Expert reviewers should take into consideration the following points: ## Version -08 to -09 ## {#sec-08-09} +* Improved description of entries for the new IANA registry. + * Editorial: EDHOC Option number denoted as "21" instead of "TBD21". ## Version -07 to -08 ## {#sec-07-08} From 0e3ab3800565a6f90bfd2cfdad38c0bd42a9b02e Mon Sep 17 00:00:00 2001 From: crimson Date: Fri, 6 Oct 2023 11:13:12 +0200 Subject: [PATCH 04/14] Change Controller changed from "IESG" to "IETF" --- draft-ietf-core-oscore-edhoc.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index 06fa65c..384d368 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -520,7 +520,7 @@ Although the currently unassigned option number 13 would also work well for the ## Target Attributes Registry ## {#iana-target-attributes} IANA is asked to register the following entries in the "Target Attributes" registry within the "CoRE Parameters" registry group, as per {{I-D.ietf-core-target-attr}}. -For all entries, the Change Controller is IESG, and the reference is \[RFC-XXXX]. +For all entries, the Change Controller is IETF, and the reference is \[RFC-XXXX]. | Attribute Name: | Brief Description: | | ed-i | Hint: support for the EDHOC Initiator role | @@ -584,6 +584,8 @@ Expert reviewers should take into consideration the following points: * Improved description of entries for the new IANA registry. +* Change Controller changed from "IESG" to "IETF". + * Editorial: EDHOC Option number denoted as "21" instead of "TBD21". ## Version -07 to -08 ## {#sec-07-08} From 6fb3e25c9ee6339c3544109c3c6848f91a761a1c Mon Sep 17 00:00:00 2001 From: crimson Date: Fri, 6 Oct 2023 11:19:41 +0200 Subject: [PATCH 05/14] Editorial: clarified "admitted values" --- draft-ietf-core-oscore-edhoc.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index 384d368..4824cdf 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -453,7 +453,7 @@ The following parameters are defined. * 'ed-comb-req', specifying, if present, that the server supports the EDHOC + OSCORE request defined in {{edhoc-in-oscore}}. A value MUST NOT be given to this parameter and any present value MUST be ignored by the recipient. -(Future documents may update the definition of the parameters 'ed-i', 'ed-r', and 'ed-comb-req', by expanding their semantics and specifying admitted values.) +(Future documents may update the definition of the parameters 'ed-i', 'ed-r', and 'ed-comb-req', by expanding their semantics and specifying what they can take as value.) The example in {{fig-web-link-example}} shows how a client discovers one EDHOC resource at a server, obtaining information elements from the respective application profile. The Link Format notation from {{Section 5 of RFC6690}} is used. @@ -588,6 +588,8 @@ Expert reviewers should take into consideration the following points: * Editorial: EDHOC Option number denoted as "21" instead of "TBD21". +* Clarifications and editorial improvements. + ## Version -07 to -08 ## {#sec-07-08} * Fixes and clarifications from the Shepherd's review. From 4a69c22b7b81cd385bcf47fdd87cfd9001309d9b Mon Sep 17 00:00:00 2001 From: crimson Date: Fri, 6 Oct 2023 11:43:47 +0200 Subject: [PATCH 06/14] Fixed references to sections of draft-ietf-lake-edhoc --- draft-ietf-core-oscore-edhoc.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index 4824cdf..f4ae8d7 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -334,7 +334,7 @@ In order to process a request containing the EDHOC option, i.e., an EDHOC + OSCO If steps 4 (EDHOC processing) and 8 (OSCORE processing) are both successfully completed, the server MUST reply with an OSCORE-protected response (see {{Section 5.4.3 of I-D.ietf-lake-edhoc}}). The usage of EDHOC message_4 as defined in {{Section 5.5 of I-D.ietf-lake-edhoc}} is not applicable to the approach defined in this document. -If step 4 (EDHOC processing) fails, the server discontinues the protocol as per {{Section 5.4.3 of I-D.ietf-lake-edhoc}} and responds with an EDHOC error message with error code 1, formatted as defined in {{Section 6.2 of I-D.ietf-lake-edhoc}}. The server MUST NOT establish a new OSCORE Security Context from the present EDHOC session with the client, hence the CoAP response conveying the EDHOC error message is not protected with OSCORE. As per {{Section 8.5 of I-D.ietf-lake-edhoc}}, the server has to make sure that the error message does not reveal sensitive information. The CoAP response conveying the EDHOC error message MUST have Content-Format set to application/edhoc+cbor-seq defined in {{Section 9.9 of I-D.ietf-lake-edhoc}}. +If step 4 (EDHOC processing) fails, the server discontinues the protocol as per {{Section 5.4.3 of I-D.ietf-lake-edhoc}} and responds with an EDHOC error message with error code 1, formatted as defined in {{Section 6.2 of I-D.ietf-lake-edhoc}}. The server MUST NOT establish a new OSCORE Security Context from the present EDHOC session with the client, hence the CoAP response conveying the EDHOC error message is not protected with OSCORE. As per {{Section 9.5 of I-D.ietf-lake-edhoc}}, the server has to make sure that the error message does not reveal sensitive information. The CoAP response conveying the EDHOC error message MUST have Content-Format set to application/edhoc+cbor-seq defined in {{Section 10.9 of I-D.ietf-lake-edhoc}}. If step 4 (EDHOC processing) is successfully completed but step 8 (OSCORE processing) fails, the same OSCORE error handling as defined in {{Section 8.2 of RFC8613}} applies. @@ -425,7 +425,7 @@ In case the application profile indicates that the server supports the optional # Web Linking # {#web-linking} -{{Section 9.10 of I-D.ietf-lake-edhoc}} registers the resource type "core.edhoc", which can be used as target attribute in a web link {{RFC8288}} to an EDHOC resource, e.g., using a link-format document {{RFC6690}}. This enables clients to discover the presence of EDHOC resources at a server, possibly using the resource type as filter criterion. +{{Section 10.10 of I-D.ietf-lake-edhoc}} registers the resource type "core.edhoc", which can be used as target attribute in a web link {{RFC8288}} to an EDHOC resource, e.g., using a link-format document {{RFC6690}}. This enables clients to discover the presence of EDHOC resources at a server, possibly using the resource type as filter criterion. At the same time, the application profile associated with an EDHOC resource provides information describing how the EDHOC protocol can be used through that resource. While a client may become aware of the application profile through several means, it would be convenient to obtain its information elements upon discovering the EDHOC resources at the server. This might aim at discovering especially the EDHOC resources whose associated application profile denotes a way of using EDHOC which is most suitable to the client, e.g., with EDHOC cipher suites or authentication methods that the client also supports or prefers. @@ -439,9 +439,9 @@ The following parameters are defined. * 'ed-r', specifying, if present, that the server supports the EDHOC Responder role, hence the forward message flow of EDHOC. A value MUST NOT be given to this parameter and any present value MUST be ignored by the recipient. -* 'ed-method', specifying an authentication method supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Method Type" registry defined in {{Section 9.3 of I-D.ietf-lake-edhoc}}. This parameter MAY occur multiple times, with each occurrence specifying an authentication method. +* 'ed-method', specifying an authentication method supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Method Type" registry defined in {{Section 10.3 of I-D.ietf-lake-edhoc}}. This parameter MAY occur multiple times, with each occurrence specifying an authentication method. -* 'ed-csuite', specifying an EDHOC cipher suite supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Cipher Suites" registry defined in {{Section 9.2 of I-D.ietf-lake-edhoc}}. This parameter MAY occur multiple times, with each occurrence specifying a cipher suite. +* 'ed-csuite', specifying an EDHOC cipher suite supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Cipher Suites" registry defined in {{Section 10.2 of I-D.ietf-lake-edhoc}}. This parameter MAY occur multiple times, with each occurrence specifying a cipher suite. * 'ed-cred-t', specifying a type of authentication credential supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Authentication Credential Types" Registry defined in {{iana-edhoc-auth-cred-types}} of this document. This parameter MAY occur multiple times, with each occurrence specifying a type of authentication credential. @@ -449,7 +449,7 @@ The following parameters are defined. Note that the values in the 'Label' column of the "COSE Header Parameters" registry are strongly typed. On the contrary, Link Format is weakly typed and thus does not distinguish between, for instance, the string value "-10" and the integer value -10. Thus, if responses in Link Format are returned, string values which look like an integer are not supported. Therefore, such values MUST NOT be used in the 'ed-idcred-t' parameter. -* 'ed-ead', specifying the support of the server for an External Authorization Data (EAD) item (see {{Section 3.8 of I-D.ietf-lake-edhoc}}). This parameter MUST specify a single value, which is taken from the 'Label' column of the "EDHOC External Authorization Data" registry defined in {{Section 9.5 of I-D.ietf-lake-edhoc}}. This parameter MAY occur multiple times, with each occurrence specifying the ead_label of an EAD item that the server supports. +* 'ed-ead', specifying the support of the server for an External Authorization Data (EAD) item (see {{Section 3.8 of I-D.ietf-lake-edhoc}}). This parameter MUST specify a single value, which is taken from the 'Label' column of the "EDHOC External Authorization Data" registry defined in {{Section 10.5 of I-D.ietf-lake-edhoc}}. This parameter MAY occur multiple times, with each occurrence specifying the ead_label of an EAD item that the server supports. * 'ed-comb-req', specifying, if present, that the server supports the EDHOC + OSCORE request defined in {{edhoc-in-oscore}}. A value MUST NOT be given to this parameter and any present value MUST be ignored by the recipient. @@ -475,7 +475,7 @@ The same security considerations from OSCORE {{RFC8613}} and EDHOC {{I-D.ietf-la {{client-processing}} specifies that a client SHOULD NOT have multiple outstanding EDHOC + OSCORE requests pertaining to the same EDHOC session. Even if a client did not fulfill this requirement, it would not have any impact in terms of security. That is, the server would still not process different instances of the same EDHOC message_3 more than once in the same EDHOC session (see {{Section 5.1 of I-D.ietf-lake-edhoc}}), and would still enforce replay protection of the OSCORE-protected request (see {{Sections 7.4 and 8.2 of RFC8613}}). -When using the optimized workflow in Figure 2, a minimum of 128-bit security against online brute force attacks is achieved after the client receives and successfully verifies the first OSCORE-protected response (see {{Section 8.1 of I-D.ietf-lake-edhoc}}). As an example, if EDHOC is used with method 3 (see {{Section 3.2 of I-D.ietf-lake-edhoc}}) and cipher suite 2 (see {{Section 3.6 of I-D.ietf-lake-edhoc}}), then the following holds. +When using the optimized workflow in Figure 2, a minimum of 128-bit security against online brute force attacks is achieved after the client receives and successfully verifies the first OSCORE-protected response (see {{Section 9.1 of I-D.ietf-lake-edhoc}}). As an example, if EDHOC is used with method 3 (see {{Section 3.2 of I-D.ietf-lake-edhoc}}) and cipher suite 2 (see {{Section 3.6 of I-D.ietf-lake-edhoc}}), then the following holds. * The Initiator is authenticated with 128-bit security against online attacks. This is the sum of the 64-bit MACs in EDHOC message_3 and of the MAC in the AEAD of the first OSCORE-protected CoAP request, as rebuilt at step 7 of {{server-processing}}. @@ -588,6 +588,8 @@ Expert reviewers should take into consideration the following points: * Editorial: EDHOC Option number denoted as "21" instead of "TBD21". +* Fixed references to sections of draft-ietf-lake-edhoc + * Clarifications and editorial improvements. ## Version -07 to -08 ## {#sec-07-08} From be21d74a5466c634a78ccc834a557c5382743739 Mon Sep 17 00:00:00 2001 From: crimson Date: Fri, 6 Oct 2023 17:22:18 +0200 Subject: [PATCH 07/14] Avoid repetitions on encoding of connection identifiers --- draft-ietf-core-oscore-edhoc.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index f4ae8d7..9e8a3f1 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -405,7 +405,7 @@ The chosen C_I SHOULD NOT be the Recipient ID of any current OSCORE Security Con The Responder selects an EDHOC Connection Identifier C_R as follows. -The Responder MUST choose a C_R that is neither used in any current EDHOC session as this peer's EDHOC Connection Identifier, nor is equal to the EDHOC Connection Identifier C_I specified in the EDHOC message_1 of the present EDHOC session (i.e., after its decoding as per {{Section 3.3 of I-D.ietf-lake-edhoc}}), nor is the Recipient ID in a current OSCORE Security Context where the ID Context is not present. +The Responder MUST choose a C_R that is neither used in any current EDHOC session as this peer's EDHOC Connection Identifier, nor is equal to the EDHOC Connection Identifier C_I specified in the EDHOC message_1 of the present EDHOC session, nor is the Recipient ID in a current OSCORE Security Context where the ID Context is not present. The chosen C_R SHOULD NOT be the Recipient ID of any current OSCORE Security Context. Note that, for a reason analogous to the one given above with C_I, this allows the Initiator to always omit the 'kid context' in the OSCORE Option of its messages sent to the Responder, when protecting those with an OSCORE Security Context where C_R is the Initiator's OSCORE Sender ID (see {{Section 6.1 of RFC8613}}). @@ -413,7 +413,7 @@ The chosen C_R SHOULD NOT be the Recipient ID of any current OSCORE Security Con If the following condition holds, the Initiator MUST discontinue the protocol and reply with an EDHOC error message with error code 1, formatted as defined in {{Section 6.2 of I-D.ietf-lake-edhoc}}. -* The EDHOC Connection Identifier C_I is equal to the EDHOC Connection Identifier C_R specified in EDHOC message_2 (i.e., after its decoding as per {{Section 3.3 of I-D.ietf-lake-edhoc}}). +* The EDHOC Connection Identifier C_I is equal to the EDHOC Connection Identifier C_R specified in EDHOC message_2. # Extension and Consistency of Application Profiles # {#app-statements} From 4697195793bc13fd0fb50c0bebdc16c7a29761e2 Mon Sep 17 00:00:00 2001 From: crimson Date: Fri, 6 Oct 2023 17:26:59 +0200 Subject: [PATCH 08/14] Editorial --- draft-ietf-core-oscore-edhoc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index 9e8a3f1..be8f3c2 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -334,7 +334,7 @@ In order to process a request containing the EDHOC option, i.e., an EDHOC + OSCO If steps 4 (EDHOC processing) and 8 (OSCORE processing) are both successfully completed, the server MUST reply with an OSCORE-protected response (see {{Section 5.4.3 of I-D.ietf-lake-edhoc}}). The usage of EDHOC message_4 as defined in {{Section 5.5 of I-D.ietf-lake-edhoc}} is not applicable to the approach defined in this document. -If step 4 (EDHOC processing) fails, the server discontinues the protocol as per {{Section 5.4.3 of I-D.ietf-lake-edhoc}} and responds with an EDHOC error message with error code 1, formatted as defined in {{Section 6.2 of I-D.ietf-lake-edhoc}}. The server MUST NOT establish a new OSCORE Security Context from the present EDHOC session with the client, hence the CoAP response conveying the EDHOC error message is not protected with OSCORE. As per {{Section 9.5 of I-D.ietf-lake-edhoc}}, the server has to make sure that the error message does not reveal sensitive information. The CoAP response conveying the EDHOC error message MUST have Content-Format set to application/edhoc+cbor-seq defined in {{Section 10.9 of I-D.ietf-lake-edhoc}}. +If step 4 (EDHOC processing) fails, the server discontinues the protocol as per {{Section 5.4.3 of I-D.ietf-lake-edhoc}} and responds with an EDHOC error message with error code 1, formatted as defined in {{Section 6.2 of I-D.ietf-lake-edhoc}}. The server MUST NOT establish a new OSCORE Security Context from the present EDHOC session with the client. The CoAP response conveying the EDHOC error message is not protected with OSCORE. As per {{Section 9.5 of I-D.ietf-lake-edhoc}}, the server has to make sure that the error message does not reveal sensitive information. The CoAP response conveying the EDHOC error message MUST have Content-Format set to application/edhoc+cbor-seq defined in {{Section 10.9 of I-D.ietf-lake-edhoc}}. If step 4 (EDHOC processing) is successfully completed but step 8 (OSCORE processing) fails, the same OSCORE error handling as defined in {{Section 8.2 of RFC8613}} applies. From 2f09448be56a220705038f946d39324a4e549f0d Mon Sep 17 00:00:00 2001 From: crimson Date: Fri, 6 Oct 2023 17:28:59 +0200 Subject: [PATCH 09/14] Editorial --- draft-ietf-core-oscore-edhoc.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index be8f3c2..afdccc9 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -334,7 +334,7 @@ In order to process a request containing the EDHOC option, i.e., an EDHOC + OSCO If steps 4 (EDHOC processing) and 8 (OSCORE processing) are both successfully completed, the server MUST reply with an OSCORE-protected response (see {{Section 5.4.3 of I-D.ietf-lake-edhoc}}). The usage of EDHOC message_4 as defined in {{Section 5.5 of I-D.ietf-lake-edhoc}} is not applicable to the approach defined in this document. -If step 4 (EDHOC processing) fails, the server discontinues the protocol as per {{Section 5.4.3 of I-D.ietf-lake-edhoc}} and responds with an EDHOC error message with error code 1, formatted as defined in {{Section 6.2 of I-D.ietf-lake-edhoc}}. The server MUST NOT establish a new OSCORE Security Context from the present EDHOC session with the client. The CoAP response conveying the EDHOC error message is not protected with OSCORE. As per {{Section 9.5 of I-D.ietf-lake-edhoc}}, the server has to make sure that the error message does not reveal sensitive information. The CoAP response conveying the EDHOC error message MUST have Content-Format set to application/edhoc+cbor-seq defined in {{Section 10.9 of I-D.ietf-lake-edhoc}}. +If step 4 (EDHOC processing) fails, the server aborts the session as per {{Section 5.4.3 of I-D.ietf-lake-edhoc}} and responds with an EDHOC error message with error code 1, formatted as defined in {{Section 6.2 of I-D.ietf-lake-edhoc}}. The server MUST NOT establish a new OSCORE Security Context from the present EDHOC session with the client. The CoAP response conveying the EDHOC error message is not protected with OSCORE. As per {{Section 9.5 of I-D.ietf-lake-edhoc}}, the server has to make sure that the error message does not reveal sensitive information. The CoAP response conveying the EDHOC error message MUST have Content-Format set to application/edhoc+cbor-seq defined in {{Section 10.9 of I-D.ietf-lake-edhoc}}. If step 4 (EDHOC processing) is successfully completed but step 8 (OSCORE processing) fails, the same OSCORE error handling as defined in {{Section 8.2 of RFC8613}} applies. @@ -411,7 +411,7 @@ The chosen C_R SHOULD NOT be the Recipient ID of any current OSCORE Security Con ### Initiator Processing of Message 2 -If the following condition holds, the Initiator MUST discontinue the protocol and reply with an EDHOC error message with error code 1, formatted as defined in {{Section 6.2 of I-D.ietf-lake-edhoc}}. +If the following condition holds, the Initiator MUST abort the session and reply with an EDHOC error message with error code 1, formatted as defined in {{Section 6.2 of I-D.ietf-lake-edhoc}}. * The EDHOC Connection Identifier C_I is equal to the EDHOC Connection Identifier C_R specified in EDHOC message_2. From 718cbd218e380418225b8a5d572ac6eec3c75d48 Mon Sep 17 00:00:00 2001 From: crimson Date: Fri, 6 Oct 2023 17:32:34 +0200 Subject: [PATCH 10/14] Editorial --- draft-ietf-core-oscore-edhoc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index afdccc9..4d72cfd 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -260,7 +260,7 @@ The presence of this option means that the message payload also contains EDHOC d The client prepares an EDHOC + OSCORE request as follows. -1. Compose EDHOC message_3 as per {{Section 5.4.2 of I-D.ietf-lake-edhoc}}. +1. Compose EDHOC message_3 into EDHOC_MSG_3, as per {{Section 5.4.2 of I-D.ietf-lake-edhoc}}. 2. Establish the new OSCORE Security Context and use it to encrypt the original CoAP request as per {{Section 8.1 of RFC8613}}. From d2e8277975c483590417cebc2c008be5754cb723 Mon Sep 17 00:00:00 2001 From: crimson Date: Fri, 6 Oct 2023 17:35:28 +0200 Subject: [PATCH 11/14] Editorial --- draft-ietf-core-oscore-edhoc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index 4d72cfd..f2df607 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -103,7 +103,7 @@ After successful processing of EDHOC message_3, both peers agree on a cryptograp This triggers the EDHOC execution at the server, which replies with a 2.04 (Changed) response. The response payload consists of EDHOC message_2, which also includes the EDHOC connection identifier C_R of the server encoded as per {{Section 3.3 of I-D.ietf-lake-edhoc}}. The Content-Format of the response can be set to application/edhoc+cbor-seq. -Finally, the client sends a POST request to the same EDHOC resource used earlier to send EDHOC message_1. The request payload consists of the EDHOC connection identifier C_R encoded as per {{Section 3.3 of I-D.ietf-lake-edhoc}}, concatenated with EDHOC message_3. The Content-Format of the request can be set to application/cid-edhoc+cbor-seq. +Finally, the client sends a POST request to the same EDHOC resource used earlier when it sent EDHOC message_1. The request payload consists of the EDHOC connection identifier C_R encoded as per {{Section 3.3 of I-D.ietf-lake-edhoc}}, concatenated with EDHOC message_3. The Content-Format of the request can be set to application/cid-edhoc+cbor-seq. After this exchange takes place, and after successful verifications as specified in the EDHOC protocol, the client and server can derive an OSCORE Security Context, as defined in {{Section A.1 of I-D.ietf-lake-edhoc}}. After that, they can use OSCORE to protect their communications as per {{RFC8613}}. From 567b3e355d6c67aa8a73d60a42e123ffbf8c7840 Mon Sep 17 00:00:00 2001 From: crimson Date: Fri, 6 Oct 2023 17:43:04 +0200 Subject: [PATCH 12/14] Clarified meaning of "EDHOC data" --- draft-ietf-core-oscore-edhoc.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index f2df607..2ec7cfa 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -97,7 +97,7 @@ The EDHOC protocol specified in {{I-D.ietf-lake-edhoc}} allows two peers to agre After successful processing of EDHOC message_3, both peers agree on a cryptographic secret that can be used to derive further security material, and especially to establish an OSCORE Security Context {{RFC8613}}. The Responder can also send an optional EDHOC message_4 to achieve key confirmation, e.g., in deployments where no protected application message is sent from the Responder to the Initiator. -{{Section A.2 of I-D.ietf-lake-edhoc}} specifies how to transfer EDHOC over CoAP. That is, the EDHOC data (referred to as "EDHOC messages") are transported in the payload of CoAP requests and responses. The default, forward message flow of EDHOC consists in the CoAP client acting as Initiator and the CoAP server acting as Responder. Alternatively, the two roles can be reversed, as per the reverse message flow of EDHOC. In the rest of this document, EDHOC messages are considered to be transferred over CoAP. +{{Section A.2 of I-D.ietf-lake-edhoc}} specifies how to transfer EDHOC over CoAP. That is, the EDHOC data (i.e., the EDHOC message possibly with a prepended connection identifier) are transported in the payload of CoAP requests and responses. The default, forward message flow of EDHOC consists in the CoAP client acting as Initiator and the CoAP server acting as Responder. Alternatively, the two roles can be reversed, as per the reverse message flow of EDHOC. In the rest of this document, EDHOC messages are considered to be transferred over CoAP. {{fig-non-combined}} shows a CoAP client and a CoAP server running EDHOC as Initiator and Responder, respectively. That is, the client sends a POST request to a reserved *EDHOC resource* at the server, by default at the Uri-Path "/.well-known/edhoc". The request payload consists of the CBOR simple value "true" (0xf5) concatenated with EDHOC message_1, which also includes the EDHOC connection identifier C_I of the client encoded as per {{Section 3.3 of I-D.ietf-lake-edhoc}}. The Content-Format of the request can be set to application/cid-edhoc+cbor-seq. @@ -582,6 +582,8 @@ Expert reviewers should take into consideration the following points: ## Version -08 to -09 ## {#sec-08-09} +* Clarified meaning of "EDHOC data". + * Improved description of entries for the new IANA registry. * Change Controller changed from "IESG" to "IETF". From 11a357418fd624a206cf7d57138bb27f9dc6dae1 Mon Sep 17 00:00:00 2001 From: crimson Date: Fri, 6 Oct 2023 17:46:16 +0200 Subject: [PATCH 13/14] Editorial --- draft-ietf-core-oscore-edhoc.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index 2ec7cfa..50763c2 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -77,9 +77,9 @@ Ephemeral Diffie-Hellman Over COSE (EDHOC) {{I-D.ietf-lake-edhoc}} is a lightwei This document details this use of the EDHOC protocol, and specifies a number of additional and optional mechanisms. These especially include an optimization approach that combines the EDHOC execution with the first OSCORE transaction (see {{edhoc-in-oscore}}). This allows for a minimum number of round trips necessary to setup the OSCORE Security Context and complete an OSCORE transaction, e.g., when an IoT device gets configured in a network for the first time. -This optimization is desirable, since the number of protocol round trips influences the minimum number of flights, which in turn can have a substantial impact on the latency of conveying the first OSCORE request, when using certain radio technologies. +This optimization is desirable, since the number of message exchanges can have a substantial impact on the latency of conveying the first OSCORE request, when using certain radio technologies. -Without this optimization, it is not possible, not even in theory, to achieve the minimum number of flights. This optimization makes it possible also in practice, since the last message of the EDHOC protocol can be made relatively small (see {{Section 1.2 of I-D.ietf-lake-edhoc}}), thus allowing additional OSCORE-protected CoAP data within target MTU sizes. +Without this optimization, it is not possible, not even in theory, to achieve the minimum number of round trips. This optimization makes it possible also in practice, since the message_3 of the EDHOC protocol can be made relatively small (see {{Section 1.2 of I-D.ietf-lake-edhoc}}), thus allowing additional OSCORE-protected CoAP data within target MTU sizes. Furthermore, this document defines a number of parameters corresponding to different information elements of an EDHOC application profile (see {{web-linking}}). These can be specified as target attributes in the link to an EDHOC resource associated with that application profile, thus enabling an enhanced discovery of such a resource for CoAP clients. From 3cec52a94d926c66ab7a7e0fd8d80c649d88fff4 Mon Sep 17 00:00:00 2001 From: crimson Date: Tue, 10 Oct 2023 15:57:43 +0200 Subject: [PATCH 14/14] Further clarified that Figure 1 overviews EDHOC as-is --- draft-ietf-core-oscore-edhoc.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-ietf-core-oscore-edhoc.md b/draft-ietf-core-oscore-edhoc.md index 50763c2..e1b2ead 100644 --- a/draft-ietf-core-oscore-edhoc.md +++ b/draft-ietf-core-oscore-edhoc.md @@ -97,9 +97,11 @@ The EDHOC protocol specified in {{I-D.ietf-lake-edhoc}} allows two peers to agre After successful processing of EDHOC message_3, both peers agree on a cryptographic secret that can be used to derive further security material, and especially to establish an OSCORE Security Context {{RFC8613}}. The Responder can also send an optional EDHOC message_4 to achieve key confirmation, e.g., in deployments where no protected application message is sent from the Responder to the Initiator. -{{Section A.2 of I-D.ietf-lake-edhoc}} specifies how to transfer EDHOC over CoAP. That is, the EDHOC data (i.e., the EDHOC message possibly with a prepended connection identifier) are transported in the payload of CoAP requests and responses. The default, forward message flow of EDHOC consists in the CoAP client acting as Initiator and the CoAP server acting as Responder. Alternatively, the two roles can be reversed, as per the reverse message flow of EDHOC. In the rest of this document, EDHOC messages are considered to be transferred over CoAP. +{{Section A.2 of I-D.ietf-lake-edhoc}} specifies how to transfer EDHOC over CoAP. That is, the EDHOC data (i.e., the EDHOC message possibly with a prepended connection identifier) are transported in the payload of CoAP requests and responses. The default, forward message flow of EDHOC consists in the CoAP client acting as Initiator and the CoAP server acting as Responder (see {{Section A.2.1 of I-D.ietf-lake-edhoc}}). Alternatively, the two roles can be reversed, as per the reverse message flow of EDHOC (see {{Section A.2.2 of I-D.ietf-lake-edhoc}}). In the rest of this document, EDHOC messages are considered to be transferred over CoAP. -{{fig-non-combined}} shows a CoAP client and a CoAP server running EDHOC as Initiator and Responder, respectively. That is, the client sends a POST request to a reserved *EDHOC resource* at the server, by default at the Uri-Path "/.well-known/edhoc". The request payload consists of the CBOR simple value "true" (0xf5) concatenated with EDHOC message_1, which also includes the EDHOC connection identifier C_I of the client encoded as per {{Section 3.3 of I-D.ietf-lake-edhoc}}. The Content-Format of the request can be set to application/cid-edhoc+cbor-seq. +{{fig-non-combined}} shows a CoAP client and a CoAP server running EDHOC as Initiator and Responder, respectively. In particular, it extends Figure 18 from {{Section A.2.1 of I-D.ietf-lake-edhoc}}, by highlighting when the two peers perform EDHOC verification and establish the OSCORE Security Context, and by adding an exchange of OSCORE-protected CoAP messages after completing the EDHOC execution. + +That is, the client sends a POST request to a reserved *EDHOC resource* at the server, by default at the Uri-Path "/.well-known/edhoc". The request payload consists of the CBOR simple value "true" (0xf5) concatenated with EDHOC message_1, which also includes the EDHOC connection identifier C_I of the client encoded as per {{Section 3.3 of I-D.ietf-lake-edhoc}}. The Content-Format of the request can be set to application/cid-edhoc+cbor-seq. This triggers the EDHOC execution at the server, which replies with a 2.04 (Changed) response. The response payload consists of EDHOC message_2, which also includes the EDHOC connection identifier C_R of the server encoded as per {{Section 3.3 of I-D.ietf-lake-edhoc}}. The Content-Format of the response can be set to application/edhoc+cbor-seq. @@ -155,9 +157,7 @@ OSCORE Sec Ctx | | Payload: OSCORE-protected data | | | ~~~~~~~~~~~~~~~~~ -{: #fig-non-combined title="EDHOC and OSCORE run sequentially. - -The optional message_4 is included in this example, without which that message needs no payload." artwork-align="center"} +{: #fig-non-combined title="EDHOC and OSCORE run sequentially. The optional message_4 is included in this example, without which that message needs no payload." artwork-align="center"} As shown in {{fig-non-combined}}, this purely-sequential flow where EDHOC is run first and then OSCORE is used takes three round trips to complete.