From d684fa6ce1b1923e9b603a1d29abea2066f0fc33 Mon Sep 17 00:00:00 2001 From: ID Bot Date: Tue, 9 Apr 2024 07:42:11 +0000 Subject: [PATCH] Script updating gh-pages from 881a08f. [ci skip] --- .../draft-ietf-core-oscore-edhoc.html | 505 +++++++++--------- .../draft-ietf-core-oscore-edhoc.txt | 410 +++++++------- 2 files changed, 474 insertions(+), 441 deletions(-) diff --git a/john-scudder-review/draft-ietf-core-oscore-edhoc.html b/john-scudder-review/draft-ietf-core-oscore-edhoc.html index e79f0f8..321cde5 100644 --- a/john-scudder-review/draft-ietf-core-oscore-edhoc.html +++ b/john-scudder-review/draft-ietf-core-oscore-edhoc.html @@ -1033,7 +1033,7 @@ Palombini, et al. -Expires 6 October 2024 +Expires 11 October 2024 [Page] @@ -1046,12 +1046,12 @@
draft-ietf-core-oscore-edhoc-latest
Published:
- +
Intended Status:
Standards Track
Expires:
-
+
Authors:
@@ -1112,7 +1112,7 @@

time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

- This Internet-Draft will expire on 6 October 2024.

+ This Internet-Draft will expire on 11 October 2024.

As shown in Figure 1, this sequential flow where EDHOC is run first and then OSCORE is used takes three round trips to complete.

@@ -1466,8 +1469,8 @@

3. EDHOC Combined with OSCORE

-

This section defines an optimization for combining the EDHOC message exchange with the first OSCORE transaction, thus minimizing the number of round trips between the two peers.

-

This approach can be used only if the default, forward message flow of EDHOC is used, i.e., when the client acts as Initiator and the server acts as Responder. That is, it cannot be used in the case with reversed roles as per the reverse message flow of EDHOC.

+

This section defines an optimization for combining the EDHOC message exchange with the first OSCORE transaction, thus minimizing the number of round trips between the two peers to the absolute possible minimum of two round trips.

+

To this end, this approach can be used only if the default, forward message flow of EDHOC is used, i.e., when the client acts as Initiator and the server acts as Responder. The same is not possible in the case with reversed roles as per the reverse message flow of EDHOC.

When running the sequential flow of Section 2, the client has all the information to derive the OSCORE Security Context already after receiving EDHOC message_2 and before sending EDHOC message_3.

Hence, the client can potentially send both EDHOC message_3 and the subsequent OSCORE Request at the same time. On a semantic level, this requires sending two REST requests at once, as in Figure 2.

@@ -1590,7 +1593,7 @@

C_R is the OSCORE Sender ID of the client and hence transported in the 'kid' field of the OSCORE Option (see Section 6.1 of [RFC8613]). Unlike in the sequential workflow shown in Figure 1, C_R is thus not transported in the payload of the EDHOC + OSCORE request.

  • -

    EDHOC message_3 is transported in the payload of the EDHOC + OSCORE request, prepended to the payload of the OSCORE Request. This is because EDHOC message_3 may be too large to be included in a CoAP Option, e.g., when conveying a large public key certificate chain as ID_CRED_I (see Section 3.5.3 of [I-D.ietf-lake-edhoc]) or when conveying large External Authorization Data as EAD_3 (see Section 3.8 of [I-D.ietf-lake-edhoc]).

    +

    EDHOC message_3 is transported in the payload of the EDHOC + OSCORE request, prepended to the payload of the OSCORE Request. This is because EDHOC message_3 may be too large to be included in a CoAP Option, e.g., when conveying a large public key certificate chain as ID_CRED_I (see Section 3.5.3 of [RFC9528]) or when conveying large External Authorization Data as EAD_3 (see Section 3.8 of [RFC9528]).

    • @@ -1602,7 +1605,7 @@

    3.1. EDHOC Option

    This section defines the EDHOC Option. The option is used in a CoAP request, to signal that the request payload conveys both an EDHOC message_3 and OSCORE-protected data, combined together.

    -

    The EDHOC Option has the properties summarized in Table 1, which extends Table 4 of [RFC7252]. The option is Critical, Safe-to-Forward, and part of the Cache-Key. The option MUST occur at most once and MUST be empty. If any value is sent, the recipient MUST ignore it. (Future documents may update the definition of the option, by expanding its semantics and specifying admitted values.) The option is intended only for CoAP requests and is of Class U for OSCORE [RFC8613].

    +

    The EDHOC Option has the properties summarized in Table 1, which extends Table 4 of [RFC7252]. The option is Critical, Safe-to-Forward, and part of the Cache-Key. The option MUST occur at most once and MUST be empty. If any value is sent, the recipient MUST ignore it. (Future documents may update the definition of the option, by expanding its semantics and specifying admitted values.) The option is intended only for CoAP requests and is of Class U for OSCORE [RFC8613].

    @@ -1678,7 +1681,7 @@

    The client prepares an EDHOC + OSCORE request as follows.

    1. -

      Compose EDHOC message_3 into EDHOC_MSG_3, as per Section 5.4.2 of [I-D.ietf-lake-edhoc].

      +

      Compose EDHOC message_3 into EDHOC_MSG_3, as per Section 5.4.2 of [RFC9528].

    2. Establish the new OSCORE Security Context and use it to encrypt the original CoAP request as per Section 8.1 of [RFC8613].

      @@ -1689,7 +1692,7 @@

      Build COMB_PAYLOAD as the concatenation of EDHOC_MSG_3 and OSCORE_PAYLOAD in this order: COMB_PAYLOAD = EDHOC_MSG_3 | OSCORE_PAYLOAD, where | denotes byte string concatenation and:

      • -

        EDHOC_MSG_3 is the binary encoding of EDHOC message_3 resulting from step 1. As per Section 5.4.1 of [I-D.ietf-lake-edhoc], EDHOC message_3 consists of one CBOR data item CIPHERTEXT_3, which is a CBOR byte string. Therefore, EDHOC_MSG_3 is the binary encoding of CIPHERTEXT_3.

        +

        EDHOC_MSG_3 is the binary encoding of EDHOC message_3 resulting from step 1. As per Section 5.4.1 of [RFC9528], EDHOC message_3 consists of one CBOR data item CIPHERTEXT_3, which is a CBOR byte string. Therefore, EDHOC_MSG_3 is the binary encoding of CIPHERTEXT_3.

      • OSCORE_PAYLOAD is the OSCORE ciphertext of the OSCORE-protected CoAP request resulting from step 2.

        @@ -1710,7 +1713,7 @@

        Send the EDHOC + OSCORE request to the server.

    -

    With the same server, the client SHOULD NOT have multiple simultaneous outstanding interactions (see Section 4.7 of [RFC7252]) such that: they consist of an EDHOC + OSCORE request; and their EDHOC data pertain to the EDHOC session with the same connection identifier C_R.

    +

    With the same server, the client SHOULD NOT have multiple simultaneous outstanding interactions (see Section 4.7 of [RFC7252]) such that: they consist of an EDHOC + OSCORE request; and their EDHOC data pertain to the EDHOC session with the same connection identifier C_R.

    (An exception might apply for clients that operate under particular time constraints over particularly unreliable networks, thus raising the chances to promptly complete the EDHOC execution with the server through multiple, simultaneous EDHOC + OSCORE requests. As discussed in Section 7, this does not have any impact in terms of security.)

    @@ -1725,12 +1728,12 @@

  • The client takes the additional following step between steps 2 and 3 of Section 3.2.1.

    -A. If the OSCORE-protected request from step 2 conveys a non-first inner block of the first application CoAP request (i.e., the Block1 Option processed at step 2 had NUM different than 0), then the client skips the following steps and sends the OSCORE-protected request to the server. In particular, the client MUST NOT include the EDHOC Option in the OSCORE-protected request.

    +A. If the OSCORE-protected request from step 2 conveys a non-first inner block of the first application CoAP request (i.e., the Block1 Option processed at step 2 had NUM different than 0), then the client skips the following steps and sends the OSCORE-protected request to the server. In particular, the client MUST NOT include the EDHOC Option in the OSCORE-protected request.

  • The client takes the additional following step between steps 3 and 4 of Section 3.2.1.

    -B. If the size of COMB_PAYLOAD exceeds MAX_UNFRAGMENTED_SIZE (see Section 4.1.3.4.2 of [RFC8613]), the client MUST stop processing the request and MUST abandon the Block-wise transfer. Then, the client can continue by switching to the sequential workflow shown in Figure 1. That is, the client first sends EDHOC message_3 prepended by the EDHOC Connection Identifier C_R encoded as per Section 3.3 of [I-D.ietf-lake-edhoc], and then sends the OSCORE-protected CoAP request once the EDHOC execution is completed.

    +B. If the size of COMB_PAYLOAD exceeds MAX_UNFRAGMENTED_SIZE (see Section 4.1.3.4.2 of [RFC8613]), the client MUST stop processing the request and MUST abandon the Block-wise transfer. Then, the client can continue by switching to the sequential workflow shown in Figure 1. That is, the client first sends EDHOC message_3 prepended by the EDHOC Connection Identifier C_R encoded as per Section 3.3 of [RFC9528], and then sends the OSCORE-protected CoAP request once the EDHOC execution is completed.

    • The performance advantage of using the EDHOC + OSCORE request can be lost when used in combination with Block-wise transfers that rely on specific parameter values and block sizes. Application policies at the CoAP client can define when and how to detect whether the performance advantage is lost, and, if that is the case, whether to appropriately adjust the parameter values and block sizes, or instead to fall back on the sequential workflow of EDHOC.

    @@ -1749,10 +1752,10 @@

    3.3.1. Processing of the EDHOC + OSCORE Request

    -

    In order to process a request containing the EDHOC option, i.e., an EDHOC + OSCORE request, the server MUST perform the following steps.

    +

    In order to process a request containing the EDHOC option, i.e., an EDHOC + OSCORE request, the server MUST perform the following steps.

    1. -

      Check that the EDHOC + OSCORE request includes the OSCORE option and that the request payload has the format defined at step 3 of Section 3.2.1 for COMB_PAYLOAD. If this is not the case, the server MUST stop processing the request and MUST reply with a 4.00 (Bad Request) error response.

      +

      Check that the EDHOC + OSCORE request includes the OSCORE option and that the request payload has the format defined at step 3 of Section 3.2.1 for COMB_PAYLOAD. If this is not the case, the server MUST stop processing the request and MUST reply with a 4.00 (Bad Request) error response.

    2. Extract EDHOC message_3 from the payload COMB_PAYLOAD of the EDHOC + OSCORE request, as the first element EDHOC_MSG_3 (see step 3 of Section 3.2.1).

      @@ -1763,14 +1766,14 @@

    3. Retrieve the correct EDHOC session by using the connection identifier C_R from step 3.

      -If the application profile used in the EDHOC session specifies that EDHOC message_4 shall be sent, the server MUST stop the EDHOC processing and consider it failed, as due to a client error.

      +If the application profile used in the EDHOC session specifies that EDHOC message_4 shall be sent, the server MUST stop the EDHOC processing and consider it failed, as due to a client error.

      -Otherwise, perform the EDHOC processing on the EDHOC message_3 extracted at step 2 as per Section 5.4.3 of [I-D.ietf-lake-edhoc], based on the protocol state of the retrieved EDHOC session.

      +Otherwise, perform the EDHOC processing on the EDHOC message_3 extracted at step 2 as per Section 5.4.3 of [RFC9528], based on the protocol state of the retrieved EDHOC session.

      The application profile used in the EDHOC session is the same one associated with the EDHOC resource where the server received the request conveying EDHOC message_1 that started the session. This is relevant in case the server provides multiple EDHOC resources, which may generally refer to different application profiles.

    4. -

      Establish a new OSCORE Security Context associated with the client as per Appendix A.1 of [I-D.ietf-lake-edhoc], using the EDHOC output from step 4.

      +

      Establish a new OSCORE Security Context associated with the client as per Appendix A.1 of [RFC9528], using the EDHOC output from step 4.

    5. Extract the OSCORE ciphertext from the payload COMB_PAYLOAD of the EDHOC + OSCORE request, as the second element OSCORE_PAYLOAD (see step 3 of Section 3.2.1).

      @@ -1781,14 +1784,14 @@

    6. Decrypt and verify the OSCORE-protected CoAP request rebuilt at step 7, as per Section 8.2 of [RFC8613], by using the OSCORE Security Context established at step 5.

      -When the decrypted request is checked for any critical CoAP options (as it is during regular CoAP processing), the presence of an EDHOC option MUST be regarded as an unprocessed critical option, unless it is processed by some further mechanism.

      +When the decrypted request is checked for any critical CoAP options (as it is during regular CoAP processing), the presence of an EDHOC option MUST be regarded as an unprocessed critical option, unless it is processed by some further mechanism.

    7. Deliver the CoAP request resulting from step 8 to the application.

    -

    If steps 4 (EDHOC processing) and 8 (OSCORE processing) are both successfully completed, the server MUST reply with an OSCORE-protected response (see Section 5.4.3 of [I-D.ietf-lake-edhoc]). The usage of EDHOC message_4 as defined in Section 5.5 of [I-D.ietf-lake-edhoc] is not applicable to the approach defined in this document.

    -

    If step 4 (EDHOC processing) fails, the server aborts the session as per Section 5.4.3 of [I-D.ietf-lake-edhoc] and responds with an EDHOC error message with error code 1, formatted as defined in Section 6.2 of [I-D.ietf-lake-edhoc]. The server MUST NOT establish a new OSCORE Security Context from the present EDHOC session with the client. The CoAP response conveying the EDHOC error message is not protected with OSCORE. As per Section 9.5 of [I-D.ietf-lake-edhoc], the server has to make sure that the error message does not reveal sensitive information. The CoAP response conveying the EDHOC error message MUST have Content-Format set to application/edhoc+cbor-seq defined in Section 10.9 of [I-D.ietf-lake-edhoc].

    +

    If steps 4 (EDHOC processing) and 8 (OSCORE processing) are both successfully completed, the server MUST reply with an OSCORE-protected response (see Section 5.4.3 of [RFC9528]). The usage of EDHOC message_4 as defined in Section 5.5 of [RFC9528] is not applicable to the approach defined in this document.

    +

    If step 4 (EDHOC processing) fails, the server aborts the session as per Section 5.4.3 of [RFC9528] and responds with an EDHOC error message with error code 1, formatted as defined in Section 6.2 of [RFC9528]. The server MUST NOT establish a new OSCORE Security Context from the present EDHOC session with the client. The CoAP response conveying the EDHOC error message is not protected with OSCORE. As per Section 9.5 of [RFC9528], the server has to make sure that the error message does not reveal sensitive information. The CoAP response conveying the EDHOC error message MUST have Content-Format set to application/edhoc+cbor-seq registered in Section 10.9 of [RFC9528].

    If step 4 (EDHOC processing) is successfully completed but step 8 (OSCORE processing) fails, the same OSCORE error handling as defined in Section 8.2 of [RFC8613] applies.

    @@ -1816,9 +1819,9 @@

  • The OSCORE Sender ID of the client is 0x01.

    -As per Section 3.3.3 of [I-D.ietf-lake-edhoc], this straightforwardly corresponds to the EDHOC connection identifier C_R 0x01.

    +As per Section 3.3.3 of [RFC9528], this straightforwardly corresponds to the EDHOC connection identifier C_R 0x01.

    -As per Section 3.3.2 of [I-D.ietf-lake-edhoc], when using the sequential flow shown in Figure 1, the same C_R with value 0x01 would be encoded on the wire as the CBOR integer 1 (0x01 in CBOR encoding), and prepended to EDHOC message_3 in the payload of the second EDHOC request.

    +As per Section 3.3.2 of [RFC9528], when using the sequential flow shown in Figure 1, the same C_R with value 0x01 would be encoded on the wire as the CBOR integer 1 (0x01 in CBOR encoding), and prepended to EDHOC message_3 in the payload of the second EDHOC request.

  • The EDHOC option is registered with CoAP option number 21.

    @@ -1868,22 +1871,22 @@

    4. Use of EDHOC Connection Identifiers with OSCORE

    -

    The OSCORE Sender/Recipient IDs are the EDHOC connection identifiers (see Section 3.3.3 of [I-D.ietf-lake-edhoc]). This applies also to the optimized workflow defined in Section 3 of this document.

    +

    The OSCORE Sender/Recipient IDs are the EDHOC connection identifiers (see Section 3.3.3 of [RFC9528]). This applies also to the optimized workflow defined in Section 3 of this document.

    Note that, at step 3 of Section 3.3.1, the value of 'kid' in the OSCORE Option of the EDHOC + OSCORE request is both the server's Recipient ID (i.e., the client's Sender ID) and the EDHOC Connection Identifier C_R of the server.

    4.1. Additional Processing of EDHOC Messages

    -

    When using EDHOC to establish an OSCORE Security Context, the client and server MUST perform the following additional steps during an EDHOC execution, thus extending Section 5 of [I-D.ietf-lake-edhoc].

    +

    When using EDHOC to establish an OSCORE Security Context, the client and server MUST perform the following additional steps during an EDHOC execution, thus extending Section 5 of [RFC9528].

    4.1.1. Initiator Processing of Message 1

    The Initiator selects an EDHOC Connection Identifier C_I as follows.

    -

    The Initiator MUST choose a C_I that is neither used in any current EDHOC session as this peer's EDHOC Connection Identifier, nor the Recipient ID in a current OSCORE Security Context where the ID Context is not present.

    -

    The chosen C_I SHOULD NOT be the Recipient ID of any current OSCORE Security Context. Note that, unless the two peers concurrently use alternative methods to establish OSCORE Security Contexts, this allows the Responder to always omit the 'kid context' in the OSCORE Option of its messages sent to the Initiator, when protecting those with an OSCORE Security Context where C_I is the Responder's OSCORE Sender ID (see Section 6.1 of [RFC8613]).

    +

    The Initiator MUST choose a C_I that is neither used in any current EDHOC session as this peer's EDHOC Connection Identifier, nor the Recipient ID in a current OSCORE Security Context where the ID Context is not present.

    +

    The chosen C_I SHOULD NOT be the Recipient ID of any current OSCORE Security Context. Note that, unless the two peers concurrently use alternative methods to establish OSCORE Security Contexts, this allows the Responder to always omit the 'kid context' in the OSCORE Option of its messages sent to the Initiator, when protecting those with an OSCORE Security Context where C_I is the Responder's OSCORE Sender ID (see Section 6.1 of [RFC8613]).

    @@ -1892,8 +1895,8 @@

    4.1.2. Responder Processing of Message 2

    The Responder selects an EDHOC Connection Identifier C_R as follows.

    -

    The Responder MUST choose a C_R that is neither used in any current EDHOC session as this peer's EDHOC Connection Identifier, nor is equal to the EDHOC Connection Identifier C_I specified in the EDHOC message_1 of the present EDHOC session, nor is the Recipient ID in a current OSCORE Security Context where the ID Context is not present.

    -

    The chosen C_R SHOULD NOT be the Recipient ID of any current OSCORE Security Context. Note that, for a reason analogous to the one given above with C_I, this allows the Initiator to always omit the 'kid context' in the OSCORE Option of its messages sent to the Responder, when protecting those with an OSCORE Security Context where C_R is the Initiator's OSCORE Sender ID (see Section 6.1 of [RFC8613]).

    +

    The Responder MUST choose a C_R that is neither used in any current EDHOC session as this peer's EDHOC Connection Identifier, nor is equal to the EDHOC Connection Identifier C_I specified in the EDHOC message_1 of the present EDHOC session, nor is the Recipient ID in a current OSCORE Security Context where the ID Context is not present.

    +

    The chosen C_R SHOULD NOT be the Recipient ID of any current OSCORE Security Context. Note that, for a reason analogous to the one given above with C_I, this allows the Initiator to always omit the 'kid context' in the OSCORE Option of its messages sent to the Responder, when protecting those with an OSCORE Security Context where C_R is the Initiator's OSCORE Sender ID (see Section 6.1 of [RFC8613]).

    @@ -1901,7 +1904,7 @@

    4.1.3. Initiator Processing of Message 2

    -

    If the EDHOC Connection Identifier C_I is equal to the EDHOC Connection Identifier C_R specified in EDHOC message_2, then the Initiator MUST abort the session and reply with an EDHOC error message with error code 1, formatted as defined in Section 6.2 of [I-D.ietf-lake-edhoc].

    +

    If the EDHOC Connection Identifier C_I is equal to the EDHOC Connection Identifier C_R specified in EDHOC message_2, then the Initiator MUST abort the session and reply with an EDHOC error message with error code 1, formatted as defined in Section 6.2 of [RFC9528].

    @@ -1914,9 +1917,9 @@

    5. Extension and Consistency of Application Profiles

    It is possible to include the information below in the application profile referred by the client and server, according to the specified consistency rules.

    -

    If the server supports the EDHOC + OSCORE request within an EDHOC execution started at a certain EDHOC resource, then the application profile associated with that resource SHOULD explicitly specify support for the EDHOC + OSCORE request.

    -

    In case the application profile indicates that the server supports the optional EDHOC message_4 (see Section 5.5 of [I-D.ietf-lake-edhoc]), it is still possible to use the optimized workflow based on the EDHOC + OSCORE request. However, this means the server is not going to send EDHOC message_4, since it is not applicable to the optimized workflow (see Section 3.3.1).

    -

    Also, in case the application profile indicates that the server shall send EDHOC message_4, then the application profile MUST NOT specify support for the EDHOC + OSCORE request, and there is no point for the client to use the optimized workflow, which is bound to fail (see Section 3.3.1).

    +

    If the server supports the EDHOC + OSCORE request within an EDHOC execution started at a certain EDHOC resource, then the application profile associated with that resource SHOULD explicitly specify support for the EDHOC + OSCORE request.

    +

    In case the application profile indicates that the server supports the optional EDHOC message_4 (see Section 5.5 of [RFC9528]), it is still possible to use the optimized workflow based on the EDHOC + OSCORE request. However, this means the server is not going to send EDHOC message_4, since it is not applicable to the optimized workflow (see Section 3.3.1).

    +

    Also, in case the application profile indicates that the server shall send EDHOC message_4, then the application profile MUST NOT specify support for the EDHOC + OSCORE request, and there is no point for the client to use the optimized workflow, which is bound to fail (see Section 3.3.1).

    @@ -1924,37 +1927,37 @@

    6. Web Linking

    -

    Section 10.10 of [I-D.ietf-lake-edhoc] registers the resource type "core.edhoc", which can be used as target attribute in a web link [RFC8288] to an EDHOC resource, e.g., using a link-format document [RFC6690]. This enables clients to discover the presence of EDHOC resources at a server, possibly using the resource type as filter criterion.

    -

    At the same time, the application profile associated with an EDHOC resource provides information describing how the EDHOC protocol can be used through that resource. While a client may become aware of the application profile through several means, it would be convenient to obtain its information elements upon discovering the EDHOC resources at the server. This might aim at discovering especially the EDHOC resources whose associated application profile denotes a way of using EDHOC which is most suitable to the client, e.g., with EDHOC cipher suites or authentication methods that the client also supports or prefers.

    -

    That is, it would be convenient that a client discovering an EDHOC resource contextually obtains relevant pieces of information from the application profile associated with that resource. The resource discovery can occur by means of a direct interaction with the server, or instead by means of the CoRE Resource Directory [RFC9176], where the server may have registered the links to its resources.

    -

    In order to enable the above, this section defines a number of parameters, each of which can be optionally specified as a target attribute with the same name in the link to the respective EDHOC resource, or as filter criteria in a discovery request from the client. When specifying these parameters in a link to an EDHOC resource, the target attribute rt="core.edhoc" MUST be included, and the same consistency rules defined in Section 5 for the corresponding information elements of an application profile MUST be followed.

    +

    Section 10.10 of [RFC9528] registers the resource type "core.edhoc", which can be used as target attribute in a web link [RFC8288] to an EDHOC resource, e.g., using a link-format document [RFC6690]. This enables clients to discover the presence of EDHOC resources at a server, possibly using the resource type as filter criterion.

    +

    At the same time, the application profile associated with an EDHOC resource provides information describing how the EDHOC protocol can be used through that resource. A client may become aware of the application profile, e.g., by obtaining its information elements upon discovering the EDHOC resources at the server. This allows the client to discover especially the EDHOC resources whose associated application profile denotes a way of using EDHOC which is most suitable to the client, e.g., with EDHOC cipher suites or authentication methods that the client also supports or prefers.

    +

    That is, while discovering an EDHOC resource, a client can contextually obtain relevant pieces of information from the application profile associated with that resource. The resource discovery can occur by means of a direct interaction with the server, or instead by means of the CoRE Resource Directory [RFC9176], where the server may have registered the links to its resources.

    +

    In order to enable the above, this section defines a number of parameters, each of which can be optionally specified as a target attribute with the same name in the link to the respective EDHOC resource, or as filter criteria in a discovery request from the client. When specifying these parameters in a link to an EDHOC resource, the target attribute rt="core.edhoc" MUST be included, and the same consistency rules defined in Section 5 for the corresponding information elements of an application profile MUST be followed.

    The following parameters are defined.

    • -

      'ed-i', specifying, if present, that the server supports the EDHOC Initiator role, hence the reverse message flow of EDHOC. A value MUST NOT be given to this parameter and any present value MUST be ignored by the recipient.

      +

      'ed-i', specifying, if present, that the server supports the EDHOC Initiator role, hence the reverse message flow of EDHOC. A value MUST NOT be given to this parameter and any present value MUST be ignored by the recipient.

    • -

      'ed-r', specifying, if present, that the server supports the EDHOC Responder role, hence the forward message flow of EDHOC. A value MUST NOT be given to this parameter and any present value MUST be ignored by the recipient.

      +

      'ed-r', specifying, if present, that the server supports the EDHOC Responder role, hence the forward message flow of EDHOC. A value MUST NOT be given to this parameter and any present value MUST be ignored by the recipient.

    • -

      'ed-method', specifying an authentication method supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Method Type" registry defined in Section 10.3 of [I-D.ietf-lake-edhoc]. This parameter MAY occur multiple times, with each occurrence specifying an authentication method.

      +

      'ed-method', specifying an authentication method supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Method Type" registry defined in Section 10.3 of [RFC9528]. This parameter MAY occur multiple times, with each occurrence specifying an authentication method.

    • -

      'ed-csuite', specifying an EDHOC cipher suite supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Cipher Suites" registry defined in Section 10.2 of [I-D.ietf-lake-edhoc]. This parameter MAY occur multiple times, with each occurrence specifying a cipher suite.

      +

      'ed-csuite', specifying an EDHOC cipher suite supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Cipher Suites" registry defined in Section 10.2 of [RFC9528]. This parameter MAY occur multiple times, with each occurrence specifying a cipher suite.

    • -

      'ed-cred-t', specifying a type of authentication credential supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Authentication Credential Types" Registry defined in Section 8.3 of this document. This parameter MAY occur multiple times, with each occurrence specifying a type of authentication credential.

      +

      'ed-cred-t', specifying a type of authentication credential supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Authentication Credential Types" Registry defined in Section 8.3 of this document. This parameter MAY occur multiple times, with each occurrence specifying a type of authentication credential.

    • -

      'ed-idcred-t', specifying a type of identifier supported by the server for identifying authentication credentials. This parameter MUST specify a single value, which is taken from the 'Label' column of the "COSE Header Parameters" registry [COSE.Header.Parameters]. This parameter MAY occur multiple times, with each occurrence specifying a type of identifier for authentication credentials.

      +

      'ed-idcred-t', specifying a type of identifier supported by the server for identifying authentication credentials. This parameter MUST specify a single value, which is taken from the 'Label' column of the "COSE Header Parameters" registry [COSE.Header.Parameters]. This parameter MAY occur multiple times, with each occurrence specifying a type of identifier for authentication credentials.

      -Note that the values in the 'Label' column of the "COSE Header Parameters" registry are strongly typed. On the contrary, Link Format is weakly typed and thus does not distinguish between, for instance, the string value "-10" and the integer value -10. Thus, if responses in Link Format are returned, string values which look like an integer are not supported. Therefore, such values MUST NOT be used in the 'ed-idcred-t' parameter.

      +Note that the values in the 'Label' column of the "COSE Header Parameters" registry are strongly typed. On the contrary, Link Format is weakly typed and thus does not distinguish between, for instance, the string value "-10" and the integer value -10. Thus, if responses in Link Format are returned, string values which look like an integer are not supported. Therefore, such values MUST NOT be used in the 'ed-idcred-t' parameter.

    • -

      'ed-ead', specifying the support of the server for an External Authorization Data (EAD) item (see Section 3.8 of [I-D.ietf-lake-edhoc]). This parameter MUST specify a single value, which is taken from the 'Label' column of the "EDHOC External Authorization Data" registry defined in Section 10.5 of [I-D.ietf-lake-edhoc]. This parameter MAY occur multiple times, with each occurrence specifying the ead_label of an EAD item that the server supports.

      +

      'ed-ead', specifying the support of the server for an External Authorization Data (EAD) item (see Section 3.8 of [RFC9528]). This parameter MUST specify a single value, which is taken from the 'Label' column of the "EDHOC External Authorization Data" registry defined in Section 10.5 of [RFC9528]. This parameter MAY occur multiple times, with each occurrence specifying the ead_label of an EAD item that the server supports.

    • -

      'ed-comb-req', specifying, if present, that the server supports the EDHOC + OSCORE request defined in Section 3. A value MUST NOT be given to this parameter and any present value MUST be ignored by the recipient.

      +

      'ed-comb-req', specifying, if present, that the server supports the EDHOC + OSCORE request defined in Section 3. A value MUST NOT be given to this parameter and any present value MUST be ignored by the recipient.

    (Future documents may update the definition of the parameters 'ed-i', 'ed-r', and 'ed-comb-req', by expanding their semantics and specifying what they can take as value.)

    @@ -1984,20 +1987,20 @@

    7. Security Considerations

    -

    The same security considerations from OSCORE [RFC8613] and EDHOC [I-D.ietf-lake-edhoc] hold for this document. In addition, the following considerations also apply.

    -

    Section 3.2.1 specifies that a client SHOULD NOT have multiple outstanding EDHOC + OSCORE requests pertaining to the same EDHOC session. Even if a client did not fulfill this requirement, it would not have any impact in terms of security. That is, the server would still not process different instances of the same EDHOC message_3 more than once in the same EDHOC session (see Section 5.1 of [I-D.ietf-lake-edhoc]), and would still enforce replay protection of the OSCORE-protected request (see Sections 7.4 and 8.2 of [RFC8613]).

    -

    When using the optimized workflow in Figure 2, a minimum of 128-bit security against online brute force attacks is achieved after the client receives and successfully verifies the first OSCORE-protected response (see Section 9.1 of [I-D.ietf-lake-edhoc]). As an example, if EDHOC is used with method 3 (see Section 3.2 of [I-D.ietf-lake-edhoc]) and cipher suite 2 (see Section 3.6 of [I-D.ietf-lake-edhoc]), then the following holds.

    +

    The same security considerations from OSCORE [RFC8613] and EDHOC [RFC9528] hold for this document. In addition, the following considerations also apply.

    +

    Section 3.2.1 specifies that a client SHOULD NOT have multiple outstanding EDHOC + OSCORE requests pertaining to the same EDHOC session. Even if a client did not fulfill this requirement, it would not have any impact in terms of security. That is, the server would still not process different instances of the same EDHOC message_3 more than once in the same EDHOC session (see Section 5.1 of [RFC9528]), and would still enforce replay protection of the OSCORE-protected request (see Sections 7.4 and 8.2 of [RFC8613]).

    +

    When using the optimized workflow in Figure 2, a minimum of 128-bit security against online brute force attacks is achieved after the client receives and successfully verifies the first OSCORE-protected response (see Sections 9.1 and 9.4 of [RFC9528]). As an example, if EDHOC is used with method 3 (see Section 3.2 of [RFC9528]) and cipher suite 2 (see Section 3.6 of [RFC9528]), then the following holds.

    • -

      The Initiator is authenticated with 128-bit security against online attacks. As per Section 9.1 of [I-D.ietf-lake-edhoc], this results from the combination of the strength of the 64-bit MAC in EDHOC message_3 and of the 64-bit MAC in the AEAD of the first OSCORE-protected CoAP request, as rebuilt at step 7 of Section 3.3.1.

      +

      The Initiator is authenticated with 128-bit security against online attacks. As per Section 9.1 of [RFC9528], this results from the combination of the strength of the 64-bit MAC in EDHOC message_3 and of the 64-bit MAC in the AEAD of the first OSCORE-protected CoAP request, as rebuilt at step 7 of Section 3.3.1.

    • -

      The Responder is authenticated with 128-bit security against online attacks. As per Section 9.1 of [I-D.ietf-lake-edhoc], this results from the combination of the strength of the 64-bit MAC in EDHOC message_2 and of the 64-bit MAC in the AEAD of the first OSCORE-protected CoAP response.

      +

      The Responder is authenticated with 128-bit security against online attacks. As per Section 9.1 of [RFC9528], this results from the combination of the strength of the 64-bit MAC in EDHOC message_2 and of the 64-bit MAC in the AEAD of the first OSCORE-protected CoAP response.

    -

    With reference to the sequential workflow in Figure 1, the OSCORE request might have to undergo access control checks at the server, before being actually executed for accessing the target protected resource. The same MUST hold when the optimized workflow in Figure 2 is used, i.e., when using the EDHOC + OSCORE request.

    -

    That is, the rebuilt OSCORE-protected application request from step 7 in Section 3.3.1 MUST undergo the same access control checks that would be performed on a traditional OSCORE-protected application request sent individually as shown in Figure 1.

    -

    To this end, validated information to perform access control checks (e.g., an access token issued by a trusted party) has to be available at the server before starting to process the rebuilt OSCORE-protected application request. Such information may have been provided to the server separately before starting the EDHOC execution altogether, or instead as External Authorization Data during the EDHOC execution (see Section 3.8 of [I-D.ietf-lake-edhoc]).

    +

    With reference to the sequential workflow in Figure 1, the OSCORE request might have to undergo access control checks at the server, before being actually executed for accessing the target protected resource. The same MUST hold when the optimized workflow in Figure 2 is used, i.e., when using the EDHOC + OSCORE request.

    +

    That is, the rebuilt OSCORE-protected application request from step 7 in Section 3.3.1 MUST undergo the same access control checks that would be performed on a traditional OSCORE-protected application request sent individually as shown in Figure 1.

    +

    To this end, validated information to perform access control checks (e.g., an access token issued by a trusted party) has to be available at the server before starting to process the rebuilt OSCORE-protected application request. Such information may have been provided to the server separately before starting the EDHOC execution altogether, or instead as External Authorization Data during the EDHOC execution (see Section 3.8 of [RFC9528]).

    Thus, a successful completion of the EDHOC protocol and the following derivation of the OSCORE Security Context at the server do not play a role in determining whether the rebuilt OSCORE-protected request is authorized to access the target protected resource at the server.

    @@ -2054,7 +2057,7 @@

    8.2. Target Attributes Registry

    -

    IANA is asked to register the following entries in the "Target Attributes" registry within the "CoRE Parameters" registry group, as per [I-D.ietf-core-target-attr]. +

    IANA is asked to register the following entries in the "Target Attributes" registry [CORE.Target.Attributes] within the "Constrained RESTful Environments (CoRE) Parameters" registry group, as per [I-D.ietf-core-target-attr]. For all entries, the Change Controller is IETF, and the reference is [RFC-XXXX].

    @@ -2109,13 +2112,13 @@

    8.3. EDHOC Authentication Credential Types Registry

    -

    IANA is requested to create a new "EDHOC Authentication Credential Types" registry within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry group defined in [I-D.ietf-lake-edhoc].

    +

    IANA is requested to create a new "EDHOC Authentication Credential Types" registry within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry group defined in [RFC9528].

    As registration policy, the registry uses either "Standards Action with Expert Review", or "Specification Required" per Section 4.6 of [RFC8126]. Expert Review guidelines are provided in Section 8.4.

    All assignments according to "Standards Action with Expert Review" are made on a "Standards Action" basis per Section 4.9 of [RFC8126], with Expert Review additionally required per Section 4.5 of [RFC8126]. The procedure for early IANA allocation of Standards Track code points defined in [RFC7120] also applies. When such a procedure is used, review and approval by the designated expert are also required, in order for the WG chairs to determine that the conditions for early allocation are met (see step 2 in Section 3.1 of [RFC7120]).

    The columns of this registry are:

    • -

      Value: This field contains the value used to identify the type of authentication credential. These values MUST be unique. The value can be an unsigned integer or a negative integer, in the range from -65536 to 65535. Different ranges of values use different registration policies [RFC8126]:

      +

      Value: This field contains the value used to identify the type of authentication credential. These values MUST be unique. The value can be an unsigned integer or a negative integer, in the range from -65536 to 65535. Different ranges of values use different registration policies [RFC8126]:

      • Integer values from -24 to 23 are designated as "Standards Action With Expert Review".

        @@ -2218,17 +2221,13 @@

        9.1. Normative References

        -
        [COSE.Header.Parameters]
        +
        [CORE.Target.Attributes]
        -IANA, "COSE Header Parameters", <https://www.iana.org/assignments/cose/cose.xhtml#header-parameters>.
        -
        -
        [I-D.ietf-core-target-attr]
        -
        -Bormann, C., "CoRE Target Attributes Registry", Work in Progress, Internet-Draft, draft-ietf-core-target-attr-06, , <https://datatracker.ietf.org/doc/html/draft-ietf-core-target-attr-06>.
        +IANA, "Target Attributes", <https://www.iana.org/assignments/core-parameters/core-parameters.xhtml#target-attributes>.
        -
        [I-D.ietf-lake-edhoc]
        +
        [COSE.Header.Parameters]
        -Selander, G., Mattsson, J. P., and F. Palombini, "Ephemeral Diffie-Hellman Over COSE (EDHOC)", Work in Progress, Internet-Draft, draft-ietf-lake-edhoc-23, , <https://datatracker.ietf.org/doc/html/draft-ietf-lake-edhoc-23>.
        +IANA, "COSE Header Parameters", <https://www.iana.org/assignments/cose/cose.xhtml#header-parameters>.
        [RFC2119]
        @@ -2271,9 +2270,13 @@

        Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949, , <https://www.rfc-editor.org/rfc/rfc8949>.

        [RFC9176]
        -
        +
        Amsüss, C., Ed., Shelby, Z., Koster, M., Bormann, C., and P. van der Stok, "Constrained RESTful Environments (CoRE) Resource Directory", RFC 9176, DOI 10.17487/RFC9176, , <https://www.rfc-editor.org/rfc/rfc9176>.
        +
        [RFC9528]
        +
        +Selander, G., Preuß Mattsson, J., and F. Palombini, "Ephemeral Diffie-Hellman Over COSE (EDHOC)", RFC 9528, DOI 10.17487/RFC9528, , <https://www.rfc-editor.org/rfc/rfc9528>.
        +
        @@ -2283,6 +2286,10 @@

        9.2. Informative References

        +
        [I-D.ietf-core-target-attr]
        +
        +Bormann, C., "CoRE Target Attributes Registry", Work in Progress, Internet-Draft, draft-ietf-core-target-attr-06, , <https://datatracker.ietf.org/doc/html/draft-ietf-core-target-attr-06>.
        +
        [I-D.ietf-cose-cbor-encoded-cert]
        Mattsson, J. P., Selander, G., Raza, S., Höglund, J., and M. Furuhed, "CBOR Encoded X.509 Certificates (C509 Certificates)", Work in Progress, Internet-Draft, draft-ietf-cose-cbor-encoded-cert-09, , <https://datatracker.ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-09>.
        @@ -2305,299 +2312,317 @@

        Appendix A. Document Updates

        This section is to be removed before publishing as an RFC.

        -
        +
        -

        -A.1. Version -09 to -10 +

        +A.1. Version -10 to -11

        • -

          Expanded acronyms in the document title.

          +

          Avoid using quotation marks for CBOR Simple Values.

        • -

          Clarified transport of EDHOC C_R and EDHOC message_3.

          +

          Clarifications and editorial improvements.

        • -

          Simplified text on the use of EDHOC Connection Identifiers as OSCORE Identifiers.

          +

          Updated references.

          • -
        • -

          Added the CoAP OSCORE Option in the figures of the EDHOC message flows.

          +
        +
        +
        +
        +
        +

        +A.2. Version -09 to -10 +

        +
          +
        • +

          Expanded acronyms in the document title.

          • -
        • -

          Added more pointers to the message processing, now defined in dedicated subsections.

          +
        • +

          Clarified transport of EDHOC C_R and EDHOC message_3.

          +
          • +
        • +

          Simplified text on the use of EDHOC Connection Identifiers as OSCORE Identifiers.

          +
          • +
        • +

          Added the CoAP OSCORE Option in the figures of the EDHOC message flows.

          +
          • +
        • +

          Added more pointers to the message processing, now defined in dedicated subsections.

          • -
        • -

          Detecting and preventing a loss of performance advantage when using Block-wise transfers is for application policies to specifiy.

          +
        • +

          Detecting and preventing a loss of performance advantage when using Block-wise transfers is for application policies to specifiy.

          • -
        • -

          Clarified use of EDHOC application profiles.

          +
        • +

          Clarified use of EDHOC application profiles.

          • -
        • -

          Clarified security considerations on the achieved security level.

          +
        • +

          Clarified security considerations on the achieved security level.

          • -
        • -

          Fixes and editorial improvements.

          +
        • +

          Fixes and editorial improvements.

        -
        +

        -A.2. Version -08 to -09 +A.3. Version -08 to -09

          -
        • -

          Clarified meaning of "EDHOC data".

          +
        • +

          Clarified meaning of "EDHOC data".

          • -
        • -

          Improved description of entries for the new IANA registry.

          +
        • +

          Improved description of entries for the new IANA registry.

          • -
        • -

          Change Controller changed from "IESG" to "IETF".

          +
        • +

          Change Controller changed from "IESG" to "IETF".

          • -
        • -

          Editorial: EDHOC Option number denoted as "21" instead of "TBD21".

          +
        • +

          Editorial: EDHOC Option number denoted as "21" instead of "TBD21".

          • -
        • -

          Fixed references to sections of draft-ietf-lake-edhoc

          +
        • +

          Fixed references to sections of draft-ietf-lake-edhoc

          • -
        • -

          Clarifications and editorial improvements.

          +
        • +

          Clarifications and editorial improvements.

        -
        +

        -A.3. Version -07 to -08 +A.4. Version -07 to -08

          -
        • -

          Fixes and clarifications from the Shepherd's review.

          +
        • +

          Fixes and clarifications from the Shepherd's review.

        -
        +

        -A.4. Version -06 to -07 +A.5. Version -06 to -07

          -
        • -

          Changed document title.

          +
        • +

          Changed document title.

          • -
        • -

          The client creates the OSCORE Security Context after creating EDHOC message_3.

          +
        • +

          The client creates the OSCORE Security Context after creating EDHOC message_3.

          • -
        • -

          Revised selection of EDHOC connection identifiers.

          +
        • +

          Revised selection of EDHOC connection identifiers.

          • -
        • -

          Use of "forward message flow" and "reverse message flow".

          +
        • +

          Use of "forward message flow" and "reverse message flow".

          • -
        • -

          The payload of the combined request is not a CBOR sequence anymore.

          +
        • +

          The payload of the combined request is not a CBOR sequence anymore.

          • -
        • -

          EDHOC error messages from the server are not protected with OSCORE.

          +
        • +

          EDHOC error messages from the server are not protected with OSCORE.

          • -
        • -

          More future-proof error handling on the server side.

          +
        • +

          More future-proof error handling on the server side.

          • -
        • -

          Target attribute names prefixed by "ed-".

          +
        • +

          Target attribute names prefixed by "ed-".

          • -
        • -

          Defined new target attributes "ed-i" and "ed-r".

          +
        • +

          Defined new target attributes "ed-i" and "ed-r".

          • -
        • -

          Defined single target attribute "ed-ead" signaling supported EAD items.

          +
        • +

          Defined single target attribute "ed-ead" signaling supported EAD items.

          • -
        • -

          Security consideration on the minimally achieved 128-bit security.

          +
        • +

          Security consideration on the minimally achieved 128-bit security.

          • -
        • -

          Defined and used the "EDHOC Authentication Credential Types" Registry.

          +
        • +

          Defined and used the "EDHOC Authentication Credential Types" Registry.

          • -
        • -

          High-level sentence replacing the appendix on Block-wise performance.

          +
        • +

          High-level sentence replacing the appendix on Block-wise performance.

          • -
        • -

          Revised examples.

          +
        • +

          Revised examples.

          • -
        • -

          Editorial improvements.

          +
        • +

          Editorial improvements.

        -
        -

        -A.5. Version -05 to -06 -

        -
          -
        • -

          Extended figure on EDHOC sequential workflow.

          -
          • -
        • -

          Revised naming of target attributes.

          -
          • -
        • -

          Clarified semantics of target attributes 'eadx'.

          -
          • -
        • -

          Registration of target attributes.

          -
          • -
        -
        -
        -
        -

        -A.6. Version -04 to -05 +

        +A.6. Version -05 to -06

        • -

          Clarifications on Web Linking parameters.

          +

          Extended figure on EDHOC sequential workflow.

        • -

          Added security considerations.

          +

          Revised naming of target attributes.

        • -

          Revised IANA considerations to focus on the CoAP option number 21.

          +

          Clarified semantics of target attributes 'eadx'.

        • -

          Guidelines on using Block-wise moved to an appendix.

          -
          • -
        • -

          Editorial improvements.

          +

          Registration of target attributes.

        -
        +
        -

        -A.7. Version -03 to -04 +

        +A.7. Version -04 to -05

        • -

          Renamed "applicability statement" to "application profile".

          +

          Clarifications on Web Linking parameters.

        • -

          Use the latest Content-Formats.

          +

          Added security considerations.

        • -

          Use of SHOULD NOT for multiple simultaneous outstanding interactions.

          +

          Revised IANA considerations to focus on the CoAP option number 21.

        • -

          No more special conversion from OSCORE ID to EDHOC ID.

          +

          Guidelines on using Block-wise moved to an appendix.

        • -

          Considerations on using Block-wise.

          -
          • -
        • -

          Wed Linking signaling of multiple supported EAD labels.

          -
          • -
        • -

          Added security considerations.

          -
          • -
        • -

          Editorial improvements.

          +

          Editorial improvements.

        -
        +
        -

        -A.8. Version -02 to -03 +

        +A.8. Version -03 to -04

        • -

          Clarifications on transporting EDHOC message_3 in the CoAP payload.

          +

          Renamed "applicability statement" to "application profile".

        • -

          At most one simultaneous outstanding interaction as an EDHOC + OSCORE request with the same server for the same session with connection identifier C_R.

          +

          Use the latest Content-Formats.

        • -

          The EDHOC option is removed from the EDHOC + OSCORE request after processing the EDHOC data.

          +

          Use of SHOULD NOT for multiple simultaneous outstanding interactions.

        • -

          Added explicit constraints when selecting a Recipient ID as C_X.

          +

          No more special conversion from OSCORE ID to EDHOC ID.

        • -

          Added processing steps for when Block-wise is used.

          +

          Considerations on using Block-wise.

        • -

          Improved error handling on the server.

          +

          Wed Linking signaling of multiple supported EAD labels.

        • -

          Improved section on Web Linking.

          +

          Added security considerations.

        • -

          Updated figures; editorial improvements.

          +

          Editorial improvements.

        -
        +
        -

        -A.9. Version -01 to -02 +

        +A.9. Version -02 to -03

        • -

          New title, abstract and introduction.

          +

          Clarifications on transporting EDHOC message_3 in the CoAP payload.

        • -

          Restructured table of content.

          +

          At most one simultaneous outstanding interaction as an EDHOC + OSCORE request with the same server for the same session with connection identifier C_R.

        • -

          Alignment with latest format of EDHOC messages.

          +

          The EDHOC option is removed from the EDHOC + OSCORE request after processing the EDHOC data.

        • -

          Guideline on ID conversions based on application profile.

          +

          Added explicit constraints when selecting a Recipient ID as C_X.

        • -

          Clarifications, extension and consistency on application profile.

          +

          Added processing steps for when Block-wise is used.

        • -

          Section on web-linking.

          +

          Improved error handling on the server.

        • -

          RFC8126 terminology in IANA considerations.

          +

          Improved section on Web Linking.

        • -

          Revised Appendix "Checking CBOR Encoding of Numeric Values".

          +

          Updated figures; editorial improvements.

        -
        +
        -

        -A.10. Version -00 to -01 +

        +A.10. Version -01 to -02

        • -

          Improved background overview of EDHOC.

          +

          New title, abstract and introduction.

        • -

          Added explicit rules for converting OSCORE Sender/Recipient IDs to EDHOC connection identifiers following the removal of bstr_identifier from EDHOC.

          +

          Restructured table of content.

        • -

          Revised section organization.

          +

          Alignment with latest format of EDHOC messages.

        • -

          Recommended number for EDHOC option changed to 21.

          +

          Guideline on ID conversions based on application profile.

        • -

          Editorial improvements.

          +

          Clarifications, extension and consistency on application profile.

          +
          • +
        • +

          Section on web-linking.

          +
          • +
        • +

          RFC8126 terminology in IANA considerations.

          +
          • +
        • +

          Revised Appendix "Checking CBOR Encoding of Numeric Values".

          +
          • +
        +
        +
        +
        +
        +

        +A.11. Version -00 to -01 +

        +
          +
        • +

          Improved background overview of EDHOC.

          +
          • +
        • +

          Added explicit rules for converting OSCORE Sender/Recipient IDs to EDHOC connection identifiers following the removal of bstr_identifier from EDHOC.

          +
          • +
        • +

          Revised section organization.

          +
          • +
        • +

          Recommended number for EDHOC option changed to 21.

          +
          • +
        • +

          Editorial improvements.

        @@ -2609,7 +2634,7 @@

        Acknowledgments

        -

        The authors sincerely thank Christian Amsüss, Carsten Bormann, Esko Dijk, Joel Halpern, Wes Hardaker, Klaus Hartke, John Preuß Mattsson, David Navarro, Shuping Peng, Jim Schaad, Jürgen Schönwälder, John Scudder, Mališa Vučinić, and Paul Wouters for their feedback and comments.

        +

        The authors sincerely thank Christian Amsüss, Emmanuel Baccelli, Carsten Bormann, Esko Dijk, Joel Halpern, Wes Hardaker, Klaus Hartke, John Preuß Mattsson, David Navarro, Shuping Peng, Jim Schaad, Jürgen Schönwälder, John Scudder, Orie Steele, Gunter Van de Velde, Mališa Vučinić, and Paul Wouters for their feedback and comments.

        The work on this document has been partly supported by VINNOVA and the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home (Grant agreement 952652).

        diff --git a/john-scudder-review/draft-ietf-core-oscore-edhoc.txt b/john-scudder-review/draft-ietf-core-oscore-edhoc.txt index 2de0bd8..48468a2 100644 --- a/john-scudder-review/draft-ietf-core-oscore-edhoc.txt +++ b/john-scudder-review/draft-ietf-core-oscore-edhoc.txt @@ -5,13 +5,13 @@ CoRE Working Group F. Palombini Internet-Draft Ericsson Intended status: Standards Track M. Tiloca -Expires: 6 October 2024 R. Höglund +Expires: 11 October 2024 R. Höglund RISE AB S. Hristozov Fraunhofer AISEC G. Selander Ericsson - 4 April 2024 + 9 April 2024 Using Ephemeral Diffie-Hellman Over COSE (EDHOC) with the Constrained @@ -59,7 +59,7 @@ Status of This Memo time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 6 October 2024. + This Internet-Draft will expire on 11 October 2024. Copyright Notice @@ -106,25 +106,26 @@ Table of Contents 9.1. Normative References 9.2. Informative References Appendix A. Document Updates - A.1. Version -09 to -10 - A.2. Version -08 to -09 - A.3. Version -07 to -08 - A.4. Version -06 to -07 - A.5. Version -05 to -06 - A.6. Version -04 to -05 - A.7. Version -03 to -04 - A.8. Version -02 to -03 - A.9. Version -01 to -02 - A.10. Version -00 to -01 + A.1. Version -10 to -11 + A.2. Version -09 to -10 + A.3. Version -08 to -09 + A.4. Version -07 to -08 + A.5. Version -06 to -07 + A.6. Version -05 to -06 + A.7. Version -04 to -05 + A.8. Version -03 to -04 + A.9. Version -02 to -03 + A.10. Version -01 to -02 + A.11. Version -00 to -01 Acknowledgments Authors' Addresses 1. Introduction - Ephemeral Diffie-Hellman Over COSE (EDHOC) [I-D.ietf-lake-edhoc] is a - lightweight authenticated key exchange protocol, especially intended - for use in constrained scenarios. In particular, EDHOC messages can - be transported over the Constrained Application Protocol (CoAP) + Ephemeral Diffie-Hellman Over COSE (EDHOC) [RFC9528] is a lightweight + authenticated key exchange protocol, especially intended for use in + constrained scenarios. In particular, EDHOC messages can be + transported over the Constrained Application Protocol (CoAP) [RFC7252] and used for establishing a Security Context for Object Security for Constrained RESTful Environments (OSCORE) [RFC8613]. @@ -132,20 +133,27 @@ Table of Contents OSCORE, and specifies a number of additional and optional mechanisms. These especially include an optimization approach that combines the EDHOC execution with the first OSCORE transaction (see Section 3). - This allows for a minimum number of round trips necessary to setup - the OSCORE Security Context and complete an OSCORE transaction, e.g., - when an IoT device gets configured in a network for the first time. + This allows for a minimum number of two round trips necessary to + setup the OSCORE Security Context and complete an OSCORE transaction, + e.g., when an IoT device gets configured in a network for the first + time. This optimization is desirable, since the number of message exchanges can have a substantial impact on the latency of conveying the first OSCORE request, when using certain radio technologies. - Without this optimization, it is not possible, not even in theory, to - achieve the minimum number of round trips. This optimization makes - it possible also in practice, since the message_3 of the EDHOC - protocol can be made relatively small (see Section 1.2 of - [I-D.ietf-lake-edhoc]), thus allowing additional OSCORE-protected - CoAP data within target MTU sizes. + Without this optimization, it is not possible to achieve the minimum + number of two round trips. This optimization makes it possible, + since the message_3 of the EDHOC protocol can be made relatively + small (see Section 1.2 of [RFC9528]), thus allowing additional + OSCORE-protected CoAP data within target MTU sizes. + + The minimum number of two round trips can be achieved only if the + default, forward message flow of EDHOC is used, i.e., when a CoAP + client acts as EDHOC Initiator and a CoAP server acts as EDHOC + Responder. The performance advantage of using this optimization can + be lost when used in combination with Block-wise transfers [RFC7959] + that rely on specific parameter values and block sizes. Furthermore, this document defines a number of parameters corresponding to different information elements of an EDHOC @@ -164,20 +172,19 @@ Table of Contents The reader is expected to be familiar with terms and concepts defined in CoAP [RFC7252], CBOR [RFC8949], OSCORE [RFC8613], and EDHOC - [I-D.ietf-lake-edhoc]. + [RFC9528]. 2. EDHOC Overview This section is not normative and summarizes what is specified in - [I-D.ietf-lake-edhoc], in particular its Appendix A.2. Thus, it - provides a baseline for the enhancements in the subsequent sections. + [RFC9528], in particular its Appendix A.2. Thus, it provides a + baseline for the enhancements in the subsequent sections. - The EDHOC protocol specified in [I-D.ietf-lake-edhoc] allows two - peers to agree on a cryptographic secret, in a mutually-authenticated - way and by using Diffie-Hellman ephemeral keys to achieve forward - secrecy. The two peers are denoted as Initiator and Responder, as - the one sending or receiving the initial EDHOC message_1, - respectively. + The EDHOC protocol specified in [RFC9528] allows two peers to agree + on a cryptographic secret, in a mutually-authenticated way and by + using Diffie-Hellman ephemeral keys to achieve forward secrecy. The + two peers are denoted as Initiator and Responder, as the one sending + or receiving the initial EDHOC message_1, respectively. After successful processing of EDHOC message_3, both peers agree on a cryptographic secret that can be used to derive further security @@ -186,61 +193,58 @@ Table of Contents to achieve key confirmation, e.g., in deployments where no protected application message is sent from the Responder to the Initiator. - Appendix A.2 of [I-D.ietf-lake-edhoc] specifies how to transfer EDHOC - over CoAP. That is, the EDHOC data (i.e., the EDHOC message possibly - with a prepended connection identifier) are transported in the - payload of CoAP requests and responses. The default, forward message - flow of EDHOC consists in the CoAP client acting as Initiator and the - CoAP server acting as Responder (see Appendix A.2.1 of - [I-D.ietf-lake-edhoc]). Alternatively, the two roles can be - reversed, as per the reverse message flow of EDHOC (see - Appendix A.2.2 of [I-D.ietf-lake-edhoc]). In the rest of this - document, EDHOC messages are considered to be transferred over CoAP. + Appendix A.2 of [RFC9528] specifies how to transfer EDHOC over CoAP. + That is, the EDHOC data (i.e., the EDHOC message possibly with a + prepended connection identifier) are transported in the payload of + CoAP requests and responses. The default, forward message flow of + EDHOC consists in the CoAP client acting as Initiator and the CoAP + server acting as Responder (see Appendix A.2.1 of [RFC9528]). + Alternatively, the two roles can be reversed, as per the reverse + message flow of EDHOC (see Appendix A.2.2 of [RFC9528]). In the rest + of this document, EDHOC messages are considered to be transferred + over CoAP. Figure 1 shows a successful execution of EDHOC, with a CoAP client and a CoAP server running EDHOC as Initiator and Responder, - respectively. In particular, it extends Figure 18 from - Appendix A.2.1 of [I-D.ietf-lake-edhoc], by highlighting when the two - peers perform EDHOC verification and establish the OSCORE Security - Context, and by adding an exchange of OSCORE-protected CoAP messages - after completing the EDHOC execution. + respectively. In particular, it extends Figure 10 from + Appendix A.2.1 of [RFC9528], by highlighting when the two peers + perform EDHOC verification and establish the OSCORE Security Context, + and by adding an exchange of OSCORE-protected CoAP messages after + completing the EDHOC execution. That is, the client sends a POST request to a reserved _EDHOC resource_ at the server, by default at the Uri-Path "/.well-known/ - edhoc". The request payload consists of the CBOR simple value "true" + edhoc". The request payload consists of the CBOR simple value true (0xf5) concatenated with EDHOC message_1, which also includes the EDHOC connection identifier C_I of the client encoded as per - Section 3.3 of [I-D.ietf-lake-edhoc]. The Content-Format of the - request can be set to application/cid-edhoc+cbor-seq. + Section 3.3 of [RFC9528]. The request has Content-Format + application/cid-edhoc+cbor-seq. This triggers the EDHOC execution at the server, which replies with a 2.04 (Changed) response. The response payload consists of EDHOC message_2, which also includes the EDHOC connection identifier C_R of - the server encoded as per Section 3.3 of [I-D.ietf-lake-edhoc]. The - Content-Format of the response can be set to application/edhoc+cbor- - seq. + the server encoded as per Section 3.3 of [RFC9528]. The response has + Content-Format application/edhoc+cbor-seq. Finally, the client sends a POST request to the same EDHOC resource used earlier when it sent EDHOC message_1. The request payload consists of the EDHOC connection identifier C_R encoded as per - Section 3.3 of [I-D.ietf-lake-edhoc], concatenated with EDHOC - message_3. The Content-Format of the request can be set to - application/cid-edhoc+cbor-seq. + Section 3.3 of [RFC9528], concatenated with EDHOC message_3. The + request has Content-Format application/cid-edhoc+cbor-seq. After this exchange takes place, and after successful verifications as specified in the EDHOC protocol, the client and server can derive - an OSCORE Security Context, as defined in Appendix A.1 of - [I-D.ietf-lake-edhoc]. After that, they can use OSCORE to protect - their communications as per [RFC8613]. Note that the EDHOC - Connection Identifier C_R is used as the OSCORE Sender ID of the - client (see Appendix A.1 of [I-D.ietf-lake-edhoc]). Therefore, C_R - is transported in the 'kid' field of the OSCORE Option of the OSCORE - Request (see Section 6.1 of [RFC8613]). + an OSCORE Security Context, as defined in Appendix A.1 of [RFC9528]. + After that, they can use OSCORE to protect their communications as + per [RFC8613]. Note that the EDHOC Connection Identifier C_R is used + as the OSCORE Sender ID of the client (see Appendix A.1 of + [RFC9528]). Therefore, C_R is transported in the 'kid' field of the + OSCORE Option of the OSCORE Request (see Section 6.1 of [RFC8613]). The client and server are required to agree in advance on certain information and parameters describing how they should use EDHOC. These are specified in an application profile associated with the - EDHOC resource addressed (see Section 3.9 of [I-D.ietf-lake-edhoc]. + EDHOC resource addressed (see Section 3.9 of [RFC9528]. CoAP client CoAP server (EDHOC Initiator) (EDHOC Responder) @@ -290,8 +294,7 @@ Table of Contents | | Figure 1: EDHOC and OSCORE run sequentially. The optional - message_4 is included in this example, without which that message - needs no payload. + message_4 is included in this example. As shown in Figure 1, this sequential flow where EDHOC is run first and then OSCORE is used takes three round trips to complete. @@ -305,12 +308,14 @@ Table of Contents This section defines an optimization for combining the EDHOC message exchange with the first OSCORE transaction, thus minimizing the - number of round trips between the two peers. + number of round trips between the two peers to the absolute possible + minimum of two round trips. - This approach can be used only if the default, forward message flow - of EDHOC is used, i.e., when the client acts as Initiator and the - server acts as Responder. That is, it cannot be used in the case - with reversed roles as per the reverse message flow of EDHOC. + To this end, this approach can be used only if the default, forward + message flow of EDHOC is used, i.e., when the client acts as + Initiator and the server acts as Responder. The same is not possible + in the case with reversed roles as per the reverse message flow of + EDHOC. When running the sequential flow of Section 2, the client has all the information to derive the OSCORE Security Context already after @@ -383,10 +388,9 @@ Table of Contents OSCORE request, prepended to the payload of the OSCORE Request. This is because EDHOC message_3 may be too large to be included in a CoAP Option, e.g., when conveying a large public key - certificate chain as ID_CRED_I (see Section 3.5.3 of - [I-D.ietf-lake-edhoc]) or when conveying large External - Authorization Data as EAD_3 (see Section 3.8 of - [I-D.ietf-lake-edhoc]). + certificate chain as ID_CRED_I (see Section 3.5.3 of [RFC9528]) + or when conveying large External Authorization Data as EAD_3 + (see Section 3.8 of [RFC9528]). The rest of this section specifies how to transport the data in the EDHOC + OSCORE request and their processing order. In particular, @@ -453,7 +457,7 @@ Table of Contents The client prepares an EDHOC + OSCORE request as follows. 1. Compose EDHOC message_3 into EDHOC_MSG_3, as per Section 5.4.2 of - [I-D.ietf-lake-edhoc]. + [RFC9528]. 2. Establish the new OSCORE Security Context and use it to encrypt the original CoAP request as per Section 8.1 of [RFC8613]. @@ -467,10 +471,10 @@ Table of Contents OSCORE_PAYLOAD, where | denotes byte string concatenation and: * EDHOC_MSG_3 is the binary encoding of EDHOC message_3 - resulting from step 1. As per Section 5.4.1 of - [I-D.ietf-lake-edhoc], EDHOC message_3 consists of one CBOR - data item CIPHERTEXT_3, which is a CBOR byte string. - Therefore, EDHOC_MSG_3 is the binary encoding of CIPHERTEXT_3. + resulting from step 1. As per Section 5.4.1 of [RFC9528], + EDHOC message_3 consists of one CBOR data item CIPHERTEXT_3, + which is a CBOR byte string. Therefore, EDHOC_MSG_3 is the + binary encoding of CIPHERTEXT_3. * OSCORE_PAYLOAD is the OSCORE ciphertext of the OSCORE- protected CoAP request resulting from step 2. @@ -534,8 +538,8 @@ Table of Contents client can continue by switching to the sequential workflow shown in Figure 1. That is, the client first sends EDHOC message_3 prepended by the EDHOC Connection Identifier C_R encoded as per - Section 3.3 of [I-D.ietf-lake-edhoc], and then sends the OSCORE- - protected CoAP request once the EDHOC execution is completed. + Section 3.3 of [RFC9528], and then sends the OSCORE-protected CoAP + request once the EDHOC execution is completed. The performance advantage of using the EDHOC + OSCORE request can be lost when used in combination with Block-wise transfers that rely on @@ -577,9 +581,8 @@ Table of Contents error. Otherwise, perform the EDHOC processing on the EDHOC message_3 - extracted at step 2 as per Section 5.4.3 of - [I-D.ietf-lake-edhoc], based on the protocol state of the - retrieved EDHOC session. + extracted at step 2 as per Section 5.4.3 of [RFC9528], based on + the protocol state of the retrieved EDHOC session. The application profile used in the EDHOC session is the same one associated with the EDHOC resource where the server received the @@ -588,8 +591,8 @@ Table of Contents which may generally refer to different application profiles. 5. Establish a new OSCORE Security Context associated with the - client as per Appendix A.1 of [I-D.ietf-lake-edhoc], using the - EDHOC output from step 4. + client as per Appendix A.1 of [RFC9528], using the EDHOC output + from step 4. 6. Extract the OSCORE ciphertext from the payload COMB_PAYLOAD of the EDHOC + OSCORE request, as the second element OSCORE_PAYLOAD @@ -613,22 +616,21 @@ Table of Contents If steps 4 (EDHOC processing) and 8 (OSCORE processing) are both successfully completed, the server MUST reply with an OSCORE- - protected response (see Section 5.4.3 of [I-D.ietf-lake-edhoc]). The - usage of EDHOC message_4 as defined in Section 5.5 of - [I-D.ietf-lake-edhoc] is not applicable to the approach defined in - this document. + protected response (see Section 5.4.3 of [RFC9528]). The usage of + EDHOC message_4 as defined in Section 5.5 of [RFC9528] is not + applicable to the approach defined in this document. If step 4 (EDHOC processing) fails, the server aborts the session as - per Section 5.4.3 of [I-D.ietf-lake-edhoc] and responds with an EDHOC - error message with error code 1, formatted as defined in Section 6.2 - of [I-D.ietf-lake-edhoc]. The server MUST NOT establish a new OSCORE - Security Context from the present EDHOC session with the client. The - CoAP response conveying the EDHOC error message is not protected with - OSCORE. As per Section 9.5 of [I-D.ietf-lake-edhoc], the server has - to make sure that the error message does not reveal sensitive - information. The CoAP response conveying the EDHOC error message - MUST have Content-Format set to application/edhoc+cbor-seq defined in - Section 10.9 of [I-D.ietf-lake-edhoc]. + per Section 5.4.3 of [RFC9528] and responds with an EDHOC error + message with error code 1, formatted as defined in Section 6.2 of + [RFC9528]. The server MUST NOT establish a new OSCORE Security + Context from the present EDHOC session with the client. The CoAP + response conveying the EDHOC error message is not protected with + OSCORE. As per Section 9.5 of [RFC9528], the server has to make sure + that the error message does not reveal sensitive information. The + CoAP response conveying the EDHOC error message MUST have Content- + Format set to application/edhoc+cbor-seq registered in Section 10.9 + of [RFC9528]. If step 4 (EDHOC processing) is successfully completed but step 8 (OSCORE processing) fails, the same OSCORE error handling as defined @@ -653,15 +655,14 @@ Table of Contents * The OSCORE Sender ID of the client is 0x01. - As per Section 3.3.3 of [I-D.ietf-lake-edhoc], this - straightforwardly corresponds to the EDHOC connection identifier - C_R 0x01. + As per Section 3.3.3 of [RFC9528], this straightforwardly + corresponds to the EDHOC connection identifier C_R 0x01. - As per Section 3.3.2 of [I-D.ietf-lake-edhoc], when using the - sequential flow shown in Figure 1, the same C_R with value 0x01 - would be encoded on the wire as the CBOR integer 1 (0x01 in CBOR - encoding), and prepended to EDHOC message_3 in the payload of the - second EDHOC request. + As per Section 3.3.2 of [RFC9528], when using the sequential flow + shown in Figure 1, the same C_R with value 0x01 would be encoded + on the wire as the CBOR integer 1 (0x01 in CBOR encoding), and + prepended to EDHOC message_3 in the payload of the second EDHOC + request. * The EDHOC option is registered with CoAP option number 21. @@ -696,8 +697,8 @@ Table of Contents 4. Use of EDHOC Connection Identifiers with OSCORE The OSCORE Sender/Recipient IDs are the EDHOC connection identifiers - (see Section 3.3.3 of [I-D.ietf-lake-edhoc]). This applies also to - the optimized workflow defined in Section 3 of this document. + (see Section 3.3.3 of [RFC9528]). This applies also to the optimized + workflow defined in Section 3 of this document. Note that, at step 3 of Section 3.3.1, the value of 'kid' in the OSCORE Option of the EDHOC + OSCORE request is both the server's @@ -708,7 +709,7 @@ Table of Contents When using EDHOC to establish an OSCORE Security Context, the client and server MUST perform the following additional steps during an - EDHOC execution, thus extending Section 5 of [I-D.ietf-lake-edhoc]. + EDHOC execution, thus extending Section 5 of [RFC9528]. 4.1.1. Initiator Processing of Message 1 @@ -750,7 +751,7 @@ Table of Contents Connection Identifier C_R specified in EDHOC message_2, then the Initiator MUST abort the session and reply with an EDHOC error message with error code 1, formatted as defined in Section 6.2 of - [I-D.ietf-lake-edhoc]. + [RFC9528]. 5. Extension and Consistency of Application Profiles @@ -764,11 +765,11 @@ Table of Contents support for the EDHOC + OSCORE request. In case the application profile indicates that the server supports - the optional EDHOC message_4 (see Section 5.5 of - [I-D.ietf-lake-edhoc]), it is still possible to use the optimized - workflow based on the EDHOC + OSCORE request. However, this means - the server is not going to send EDHOC message_4, since it is not - applicable to the optimized workflow (see Section 3.3.1). + the optional EDHOC message_4 (see Section 5.5 of [RFC9528]), it is + still possible to use the optimized workflow based on the EDHOC + + OSCORE request. However, this means the server is not going to send + EDHOC message_4, since it is not applicable to the optimized workflow + (see Section 3.3.1). Also, in case the application profile indicates that the server shall send EDHOC message_4, then the application profile MUST NOT specify @@ -778,26 +779,24 @@ Table of Contents 6. Web Linking - Section 10.10 of [I-D.ietf-lake-edhoc] registers the resource type - "core.edhoc", which can be used as target attribute in a web link - [RFC8288] to an EDHOC resource, e.g., using a link-format document - [RFC6690]. This enables clients to discover the presence of EDHOC - resources at a server, possibly using the resource type as filter - criterion. + Section 10.10 of [RFC9528] registers the resource type "core.edhoc", + which can be used as target attribute in a web link [RFC8288] to an + EDHOC resource, e.g., using a link-format document [RFC6690]. This + enables clients to discover the presence of EDHOC resources at a + server, possibly using the resource type as filter criterion. At the same time, the application profile associated with an EDHOC resource provides information describing how the EDHOC protocol can - be used through that resource. While a client may become aware of - the application profile through several means, it would be convenient - to obtain its information elements upon discovering the EDHOC - resources at the server. This might aim at discovering especially - the EDHOC resources whose associated application profile denotes a - way of using EDHOC which is most suitable to the client, e.g., with - EDHOC cipher suites or authentication methods that the client also - supports or prefers. - - That is, it would be convenient that a client discovering an EDHOC - resource contextually obtains relevant pieces of information from the + be used through that resource. A client may become aware of the + application profile, e.g., by obtaining its information elements upon + discovering the EDHOC resources at the server. This allows the + client to discover especially the EDHOC resources whose associated + application profile denotes a way of using EDHOC which is most + suitable to the client, e.g., with EDHOC cipher suites or + authentication methods that the client also supports or prefers. + + That is, while discovering an EDHOC resource, a client can + contextually obtain relevant pieces of information from the application profile associated with that resource. The resource discovery can occur by means of a direct interaction with the server, or instead by means of the CoRE Resource Directory [RFC9176], where @@ -827,16 +826,16 @@ Table of Contents * 'ed-method', specifying an authentication method supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Method Type" registry - defined in Section 10.3 of [I-D.ietf-lake-edhoc]. This parameter - MAY occur multiple times, with each occurrence specifying an - authentication method. + defined in Section 10.3 of [RFC9528]. This parameter MAY occur + multiple times, with each occurrence specifying an authentication + method. * 'ed-csuite', specifying an EDHOC cipher suite supported by the server. This parameter MUST specify a single value, which is taken from the 'Value' column of the "EDHOC Cipher Suites" - registry defined in Section 10.2 of [I-D.ietf-lake-edhoc]. This - parameter MAY occur multiple times, with each occurrence - specifying a cipher suite. + registry defined in Section 10.2 of [RFC9528]. This parameter MAY + occur multiple times, with each occurrence specifying a cipher + suite. * 'ed-cred-t', specifying a type of authentication credential supported by the server. This parameter MUST specify a single @@ -862,13 +861,12 @@ Table of Contents NOT be used in the 'ed-idcred-t' parameter. * 'ed-ead', specifying the support of the server for an External - Authorization Data (EAD) item (see Section 3.8 of - [I-D.ietf-lake-edhoc]). This parameter MUST specify a single - value, which is taken from the 'Label' column of the "EDHOC - External Authorization Data" registry defined in Section 10.5 of - [I-D.ietf-lake-edhoc]. This parameter MAY occur multiple times, - with each occurrence specifying the ead_label of an EAD item that - the server supports. + Authorization Data (EAD) item (see Section 3.8 of [RFC9528]). + This parameter MUST specify a single value, which is taken from + the 'Label' column of the "EDHOC External Authorization Data" + registry defined in Section 10.5 of [RFC9528]. This parameter MAY + occur multiple times, with each occurrence specifying the + ead_label of an EAD item that the server supports. * 'ed-comb-req', specifying, if present, that the server supports the EDHOC + OSCORE request defined in Section 3. A value MUST NOT @@ -898,8 +896,8 @@ Table of Contents 7. Security Considerations The same security considerations from OSCORE [RFC8613] and EDHOC - [I-D.ietf-lake-edhoc] hold for this document. In addition, the - following considerations also apply. + [RFC9528] hold for this document. In addition, the following + considerations also apply. Section 3.2.1 specifies that a client SHOULD NOT have multiple outstanding EDHOC + OSCORE requests pertaining to the same EDHOC @@ -907,29 +905,27 @@ Table of Contents not have any impact in terms of security. That is, the server would still not process different instances of the same EDHOC message_3 more than once in the same EDHOC session (see Section 5.1 of - [I-D.ietf-lake-edhoc]), and would still enforce replay protection of - the OSCORE-protected request (see Sections 7.4 and 8.2 of [RFC8613]). + [RFC9528]), and would still enforce replay protection of the OSCORE- + protected request (see Sections 7.4 and 8.2 of [RFC8613]). When using the optimized workflow in Figure 2, a minimum of 128-bit security against online brute force attacks is achieved after the client receives and successfully verifies the first OSCORE-protected - response (see Section 9.1 of [I-D.ietf-lake-edhoc]). As an example, - if EDHOC is used with method 3 (see Section 3.2 of - [I-D.ietf-lake-edhoc]) and cipher suite 2 (see Section 3.6 of - [I-D.ietf-lake-edhoc]), then the following holds. + response (see Sections 9.1 and 9.4 of [RFC9528]). As an example, if + EDHOC is used with method 3 (see Section 3.2 of [RFC9528]) and cipher + suite 2 (see Section 3.6 of [RFC9528]), then the following holds. * The Initiator is authenticated with 128-bit security against - online attacks. As per Section 9.1 of [I-D.ietf-lake-edhoc], this - results from the combination of the strength of the 64-bit MAC in - EDHOC message_3 and of the 64-bit MAC in the AEAD of the first - OSCORE-protected CoAP request, as rebuilt at step 7 of - Section 3.3.1. + online attacks. As per Section 9.1 of [RFC9528], this results + from the combination of the strength of the 64-bit MAC in EDHOC + message_3 and of the 64-bit MAC in the AEAD of the first OSCORE- + protected CoAP request, as rebuilt at step 7 of Section 3.3.1. * The Responder is authenticated with 128-bit security against - online attacks. As per Section 9.1 of [I-D.ietf-lake-edhoc], this - results from the combination of the strength of the 64-bit MAC in - EDHOC message_2 and of the 64-bit MAC in the AEAD of the first - OSCORE-protected CoAP response. + online attacks. As per Section 9.1 of [RFC9528], this results + from the combination of the strength of the 64-bit MAC in EDHOC + message_2 and of the 64-bit MAC in the AEAD of the first OSCORE- + protected CoAP response. With reference to the sequential workflow in Figure 1, the OSCORE request might have to undergo access control checks at the server, @@ -948,7 +944,7 @@ Table of Contents application request. Such information may have been provided to the server separately before starting the EDHOC execution altogether, or instead as External Authorization Data during the EDHOC execution - (see Section 3.8 of [I-D.ietf-lake-edhoc]). + (see Section 3.8 of [RFC9528]). Thus, a successful completion of the EDHOC protocol and the following derivation of the OSCORE Security Context at the server do not play a @@ -1004,9 +1000,10 @@ Table of Contents 8.2. Target Attributes Registry IANA is asked to register the following entries in the "Target - Attributes" registry within the "CoRE Parameters" registry group, as - per [I-D.ietf-core-target-attr]. For all entries, the Change - Controller is IETF, and the reference is [RFC-XXXX]. + Attributes" registry [CORE.Target.Attributes] within the "Constrained + RESTful Environments (CoRE) Parameters" registry group, as per + [I-D.ietf-core-target-attr]. For all entries, the Change Controller + is IETF, and the reference is [RFC-XXXX]. +=================+=============================================+ | Attribute Name: | Brief Description: | @@ -1037,7 +1034,7 @@ Table of Contents IANA is requested to create a new "EDHOC Authentication Credential Types" registry within the "Ephemeral Diffie-Hellman Over COSE - (EDHOC)" registry group defined in [I-D.ietf-lake-edhoc]. + (EDHOC)" registry group defined in [RFC9528]. As registration policy, the registry uses either "Standards Action with Expert Review", or "Specification Required" per Section 4.6 of @@ -1153,24 +1150,16 @@ Table of Contents 9.1. Normative References + [CORE.Target.Attributes] + IANA, "Target Attributes", + . + [COSE.Header.Parameters] IANA, "COSE Header Parameters", . - [I-D.ietf-core-target-attr] - Bormann, C., "CoRE Target Attributes Registry", Work in - Progress, Internet-Draft, draft-ietf-core-target-attr-06, - 11 October 2023, . - - [I-D.ietf-lake-edhoc] - Selander, G., Mattsson, J. P., and F. Palombini, - "Ephemeral Diffie-Hellman Over COSE (EDHOC)", Work in - Progress, Internet-Draft, draft-ietf-lake-edhoc-23, 22 - January 2024, . - [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, @@ -1222,8 +1211,19 @@ Table of Contents Resource Directory", RFC 9176, DOI 10.17487/RFC9176, April 2022, . + [RFC9528] Selander, G., Preuß Mattsson, J., and F. Palombini, + "Ephemeral Diffie-Hellman Over COSE (EDHOC)", RFC 9528, + DOI 10.17487/RFC9528, March 2024, + . + 9.2. Informative References + [I-D.ietf-core-target-attr] + Bormann, C., "CoRE Target Attributes Registry", Work in + Progress, Internet-Draft, draft-ietf-core-target-attr-06, + 11 October 2023, . + [I-D.ietf-cose-cbor-encoded-cert] Mattsson, J. P., Selander, G., Raza, S., Höglund, J., and M. Furuhed, "CBOR Encoded X.509 Certificates (C509 @@ -1246,7 +1246,15 @@ Appendix A. Document Updates This section is to be removed before publishing as an RFC. -A.1. Version -09 to -10 +A.1. Version -10 to -11 + + * Avoid using quotation marks for CBOR Simple Values. + + * Clarifications and editorial improvements. + + * Updated references. + +A.2. Version -09 to -10 * Expanded acronyms in the document title. @@ -1271,7 +1279,7 @@ A.1. Version -09 to -10 * Fixes and editorial improvements. -A.2. Version -08 to -09 +A.3. Version -08 to -09 * Clarified meaning of "EDHOC data". @@ -1285,11 +1293,11 @@ A.2. Version -08 to -09 * Clarifications and editorial improvements. -A.3. Version -07 to -08 +A.4. Version -07 to -08 * Fixes and clarifications from the Shepherd's review. -A.4. Version -06 to -07 +A.5. Version -06 to -07 * Changed document title. @@ -1327,7 +1335,7 @@ A.4. Version -06 to -07 * Editorial improvements. -A.5. Version -05 to -06 +A.6. Version -05 to -06 * Extended figure on EDHOC sequential workflow. @@ -1337,7 +1345,7 @@ A.5. Version -05 to -06 * Registration of target attributes. -A.6. Version -04 to -05 +A.7. Version -04 to -05 * Clarifications on Web Linking parameters. @@ -1349,7 +1357,7 @@ A.6. Version -04 to -05 * Editorial improvements. -A.7. Version -03 to -04 +A.8. Version -03 to -04 * Renamed "applicability statement" to "application profile". @@ -1368,7 +1376,7 @@ A.7. Version -03 to -04 * Editorial improvements. -A.8. Version -02 to -03 +A.9. Version -02 to -03 * Clarifications on transporting EDHOC message_3 in the CoAP payload. @@ -1390,7 +1398,7 @@ A.8. Version -02 to -03 * Updated figures; editorial improvements. -A.9. Version -01 to -02 +A.10. Version -01 to -02 * New title, abstract and introduction. @@ -1408,7 +1416,7 @@ A.9. Version -01 to -02 * Revised Appendix "Checking CBOR Encoding of Numeric Values". -A.10. Version -00 to -01 +A.11. Version -00 to -01 * Improved background overview of EDHOC. @@ -1424,11 +1432,11 @@ A.10. Version -00 to -01 Acknowledgments - The authors sincerely thank Christian Amsüss, Carsten Bormann, Esko - Dijk, Joel Halpern, Wes Hardaker, Klaus Hartke, John Preuß Mattsson, - David Navarro, Shuping Peng, Jim Schaad, Jürgen Schönwälder, John - Scudder, Mališa Vučinić, and Paul Wouters for their feedback and - comments. + The authors sincerely thank Christian Amsüss, Emmanuel Baccelli, + Carsten Bormann, Esko Dijk, Joel Halpern, Wes Hardaker, Klaus Hartke, + John Preuß Mattsson, David Navarro, Shuping Peng, Jim Schaad, Jürgen + Schönwälder, John Scudder, Orie Steele, Gunter Van de Velde, Mališa + Vučinić, and Paul Wouters for their feedback and comments. The work on this document has been partly supported by VINNOVA and the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home