rfc9237.original | rfc9237.txt | |||
---|---|---|---|---|
ACE Working Group C. Bormann | Internet Engineering Task Force (IETF) C. Bormann | |||
Internet-Draft Universität Bremen TZI | Request for Comments: 9237 Universität Bremen TZI | |||
Intended status: Standards Track 15 March 2022 | Category: Standards Track April 2022 | |||
Expires: 16 September 2022 | ISSN: 2070-1721 | |||
An Authorization Information Format (AIF) for ACE | An Authorization Information Format (AIF) for Authentication and | |||
draft-ietf-ace-aif-07 | Authorization for Constrained Environments (ACE) | |||
Abstract | Abstract | |||
Information about which entities are authorized to perform what | Information about which entities are authorized to perform what | |||
operations on which constituents of other entities is a crucial | operations on which constituents of other entities is a crucial | |||
component of producing an overall system that is secure. Conveying | component of producing an overall system that is secure. Conveying | |||
precise authorization information is especially critical in highly | precise authorization information is especially critical in highly | |||
automated systems with large numbers of entities, such as the | automated systems with large numbers of entities, such as the | |||
"Internet of Things". | Internet of Things. | |||
This specification provides a generic information model and format | This specification provides a generic information model and format | |||
for representing such authorization information, as well as two | for representing such authorization information, as well as two | |||
variants of a specific instantiation of that format for use with REST | variants of a specific instantiation of that format for use with | |||
resources identified by URI path. | Representational State Transfer (REST) resources identified by URI | |||
path. | ||||
About This Document | ||||
This note is to be removed before publishing as an RFC. | ||||
Status information for this document may be found at | ||||
https://datatracker.ietf.org/doc/draft-ietf-ace-aif/. | ||||
Discussion of this document takes place on the Authentication and | ||||
Authorization for Constrained Environments (ace) Working Group | ||||
mailing list (mailto:ace@ietf.org), which is archived at | ||||
https://mailarchive.ietf.org/arch/browse/ace/. | ||||
Source for this draft and an issue tracker can be found at | ||||
https://github.com/cabo/ace-aif. | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on 16 September 2022. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9237. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
in the Revised BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction | |||
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology | |||
2. Information Model . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Information Model | |||
2.1. REST-specific Model . . . . . . . . . . . . . . . . . . . 4 | 2.1. REST-Specific Model | |||
2.2. Limitations . . . . . . . . . . . . . . . . . . . . . . . 5 | 2.2. Limitations | |||
2.3. REST-specific Model With Dynamic Resource Creation . . . 6 | 2.3. REST-Specific Model with Dynamic Resource Creation | |||
3. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 3. Data Model | |||
4. Media Types . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 4. Media Types | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 5. IANA Considerations | |||
5.1. Media Types . . . . . . . . . . . . . . . . . . . . . . . 9 | 5.1. Media Types | |||
5.2. Registries . . . . . . . . . . . . . . . . . . . . . . . 11 | 5.1.1. application/aif+cbor | |||
5.3. Content-Format . . . . . . . . . . . . . . . . . . . . . 12 | 5.1.2. application/aif+json | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 5.2. Registries | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 5.3. Content-Format | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . 13 | 6. Security Considerations | |||
7.2. Informative References . . . . . . . . . . . . . . . . . 14 | 7. References | |||
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 16 | 7.1. Normative References | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 16 | 7.2. Informative References | |||
Acknowledgements | ||||
Author's Address | ||||
1. Introduction | 1. Introduction | |||
Constrained Devices as they are used in the "Internet of Things" need | Constrained devices, as they are used in the Internet of Things, need | |||
security in order to operate correctly and prevent misuse. One | security in order to operate correctly and prevent misuse. One | |||
important element of this security is that devices in the Internet of | important element of this security is that devices in the Internet of | |||
Things need to be able to decide which operations requested of them | Things need to be able to decide which operations requested of them | |||
should be considered authorized, need to ascertain that the | should be considered authorized, ascertain that the authorization to | |||
authorization to request the operation does apply to the actual | request the operation does apply to the actual requester as | |||
requester as authenticated, and need to ascertain that other devices | authenticated, and ascertain that other devices they make requests of | |||
they make requests of are the ones they intended. | are the ones they intended. | |||
To transfer detailed authorization information from an authorization | To transfer detailed authorization information from an authorization | |||
manager (such as an ACE-OAuth Authorization Server | manager (such as an ACE-OAuth authorization server [RFC9200]) to a | |||
[I-D.ietf-ace-oauth-authz]) to a device, a compact representation | device, a compact representation format is needed. This document | |||
format is needed. This document defines such a format, the | defines such a format -- the Authorization Information Format (AIF). | |||
Authorization Information Format (AIF). AIF is defined both as a | AIF is defined both as a general structure that can be used for many | |||
general structure that can be used for many different applications | different applications and as a specific instantiation tailored to | |||
and as a specific instantiation tailored to REST resources and the | REST resources and the permissions on them, including some provision | |||
permissions on them, including some provision for dynamically created | for dynamically created resources. | |||
resources. | ||||
1.1. Terminology | 1.1. Terminology | |||
This memo uses terms from CoAP [RFC7252] and the Internet Security | This memo uses terms from the Constrained Application Protocol (CoAP) | |||
Glossary [RFC4949]; CoAP is used for the explanatory examples as it | [RFC7252] and the Internet Security Glossary [RFC4949]; CoAP is used | |||
is a good fit for Constrained Devices. | for the explanatory examples as it is a good fit for constrained | |||
devices. | ||||
The shape of data is specified in CDDL [RFC8610] [RFC9165]. | The shape of data is specified in Concise Data Definition Language | |||
Terminology for Constrained Devices is defined in [RFC7228]. | (CDDL) [RFC8610] [RFC9165]. Terminology for constrained devices is | |||
defined in [RFC7228]. | ||||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
The term "byte", abbreviated by "B", is used in its now customary | The term "byte", abbreviated by "B", is used in its now customary | |||
sense as a synonym for "octet". | sense as a synonym for "octet". | |||
skipping to change at page 4, line 13 ¶ | skipping to change at line 132 ¶ | |||
of that data (as opposed to the cryptographic armor around it). | of that data (as opposed to the cryptographic armor around it). | |||
The semantics of the authorization information defined in this | The semantics of the authorization information defined in this | |||
document are that of an _allow-list_: everything is denied until it | document are that of an _allow-list_: everything is denied until it | |||
is explicitly allowed. | is explicitly allowed. | |||
For the purposes of this specification, the underlying access control | For the purposes of this specification, the underlying access control | |||
model will be that of an access matrix, which gives a set of | model will be that of an access matrix, which gives a set of | |||
permissions for each possible combination of a subject and an object. | permissions for each possible combination of a subject and an object. | |||
We are focusing the AIF data item on a single row in the access | We are focusing the AIF data item on a single row in the access | |||
matrix (such a row has often been called a capability list), without | matrix (such a row has often been called a "capability list") without | |||
concern to the subject for which the data item is issued. As a | concern to the subject for which the data item is issued. As a | |||
consequence, AIF MUST be used in a way that the subject of the | consequence, AIF MUST be used in a way that the subject of the | |||
authorizations is unambiguously identified (e.g., as part of the | authorizations is unambiguously identified (e.g., as part of the | |||
armor around it). | armor around it). | |||
The generic model of such a capability list is a list of pairs of | The generic model of such a capability list is a list of pairs of | |||
object identifiers (of type Toid) and the permissions (of type Tperm) | object identifiers (of type Toid) and the permissions (of type Tperm) | |||
the subject has on the object(s) identified. | that the subject has on the object(s) identified. | |||
AIF-Generic<Toid, Tperm> = [* [Toid, Tperm]] | AIF-Generic<Toid, Tperm> = [* [Toid, Tperm]] | |||
Figure 1: Definition of Generic AIF | Figure 1: Definition of Generic AIF | |||
In a specific data model (such as the one also specified in this | In a specific data model (such as the one specified in this | |||
document), the object identifier (Toid) will often be a text string, | document), the object identifier (Toid) will often be a text string, | |||
and the set of permissions (Tperm) will be represented by a bitset in | and the set of permissions (Tperm) will be represented by a bit set, | |||
turn represented as a number (see Section 3). | which in turn is represented as a number (see Section 3). | |||
AIF-Specific = AIF-Generic<tstr, uint> | AIF-Specific = AIF-Generic<tstr, uint> | |||
Figure 2: Commonly used shape of a specific AIF | Figure 2: Commonly Used Shape of a Specific AIF | |||
2.1. REST-specific Model | 2.1. REST-Specific Model | |||
In the specific instantiation of the REST resources and the | In the specific instantiation of the REST resources and the | |||
permissions on them, for the object identifiers (Toid), we use the | permissions on them, for the object identifiers (Toid), we use the | |||
URI of a resource on a CoAP server. More specifically, since the | URI of a resource on a CoAP server. More specifically, since the | |||
parts of the URI that identify the server ("authority" in [RFC3986]) | parts of the URI that identify the server ("authority" in [RFC3986]) | |||
are what are authenticated during REST resource access (Section 4.2.2 | are authenticated during REST resource access (Section 4.2.2 of | |||
of [I-D.ietf-httpbis-semantics] and Section 6.2 of [RFC7252]), they | [RFC9110] and Section 6.2 of [RFC7252]), they naturally fall into the | |||
naturally fall into the realm handled by the cryptographic armor; we | realm handled by the cryptographic armor; we therefore focus on the | |||
therefore focus on the "path" ("path-abempty") and "query" parts of | "path" ("path-abempty") and "query" parts of the URI (_URI-local- | |||
the URI (_URI-local-part_ in this specification, as expressed by the | part_ in this specification, as expressed by the Uri-Path and Uri- | |||
Uri-Path and Uri-Query options in CoAP). As a consequence, AIF MUST | Query options in CoAP). As a consequence, AIF MUST be used in a way | |||
be used in a way that it is clear who is the target (enforcement | that clearly shows who is the target (enforcement point) of these | |||
point) of these authorizations (note that there may be more than one | authorizations (note that there may be more than one target that the | |||
target that the same authorization applies to, e.g., in a situation | same authorization applies to, e.g., in a situation with homogeneous | |||
with homogeneous devices). | devices). | |||
For the permissions (Tperm), we use a simple permissions model that | For the permissions (Tperm), we use a simple permissions model that | |||
lists the subset of the REST (CoAP or HTTP) methods permitted. This | lists the subset of the REST (CoAP or HTTP) methods permitted. This | |||
model is summarized in Table 1. | model is summarized in Table 1. | |||
+================+================+ | +================+================+ | |||
| URI-local-part | Permission Set | | | URI-local-part | Permission Set | | |||
+================+================+ | +================+================+ | |||
| /s/temp | GET | | | /s/temp | GET | | |||
+----------------+----------------+ | +----------------+----------------+ | |||
| /a/led | PUT, GET | | | /a/led | PUT, GET | | |||
+----------------+----------------+ | +----------------+----------------+ | |||
| /dtls | POST | | | /dtls | POST | | |||
+----------------+----------------+ | +----------------+----------------+ | |||
Table 1: An authorization | Table 1: An Authorization | |||
instance in the AIF Information | Instance in the AIF Information | |||
Model | Model | |||
In this example, a device offers a temperature sensor /s/temp for | In this example, a device offers a temperature sensor /s/temp for | |||
read-only access, a LED actuator /a/led for read/write, and a /dtls | read-only access, a LED actuator /a/led for read/write, and a /dtls | |||
resource for POST access. | resource for POST access. | |||
As will be seen in the data model (Section 3), the representations of | As shown in the data model (Section 3), the representations of REST | |||
REST methods provided are limited to those that have a CoAP method | methods provided are limited to those that have a CoAP method number | |||
number assigned; an extension to the model may be necessary to | assigned; an extension to the model may be necessary to represent | |||
represent permissions for exotic HTTP methods. | permissions for exotic HTTP methods. | |||
2.2. Limitations | 2.2. Limitations | |||
This simple information model only allows granting permissions for | This simple information model only allows granting permissions for | |||
statically identifiable objects, e.g., URIs for the REST-specific | statically identifiable objects, e.g., URIs for the REST-specific | |||
instantiation. One might be tempted to extend the model towards URI | instantiation. One might be tempted to extend the model towards URI | |||
templates [RFC6570] (for instance, to open up an authorization for | templates [RFC6570] (for instance, to open up an authorization for | |||
many parameter values as in /s/temp{?any*}). However, that requires | many parameter values as in /s/temp{?any*}). However, that requires | |||
some considerations of the ease and unambiguity of matching a given | some considerations of the ease and unambiguity of matching a given | |||
URI against a set of templates in an AIF data item. | URI against a set of templates in an AIF data item. | |||
skipping to change at page 6, line 5 ¶ | skipping to change at line 219 ¶ | |||
This simple information model also does not allow expressing | This simple information model also does not allow expressing | |||
conditionalized access based on state outside the identification of | conditionalized access based on state outside the identification of | |||
objects (e.g., "opening a door is allowed if that is not locked"). | objects (e.g., "opening a door is allowed if that is not locked"). | |||
Finally, the model does not provide any special access for a set of | Finally, the model does not provide any special access for a set of | |||
resources that are specific to a subject, e.g., that the subject | resources that are specific to a subject, e.g., that the subject | |||
created itself by previous operations (PUT, POST, or PATCH/iPATCH | created itself by previous operations (PUT, POST, or PATCH/iPATCH | |||
[RFC8132]) or that were specifically created for the subject by | [RFC8132]) or that were specifically created for the subject by | |||
others. | others. | |||
2.3. REST-specific Model With Dynamic Resource Creation | 2.3. REST-Specific Model with Dynamic Resource Creation | |||
The REST-specific Model With Dynamic Resource Creation addresses the | The REST-Specific Model with Dynamic Resource Creation addresses the | |||
need to provide defined access to dynamic resources that were created | need to provide defined access to dynamic resources that were created | |||
by the subject itself, specifically, a resource that is made known to | by the subject itself, specifically, a resource that is made known to | |||
the subject by providing Location-* options in a CoAP response or | the subject by providing Location-* options in a CoAP response or | |||
using the Location header field in HTTP [I-D.ietf-httpbis-semantics] | using the Location header field in HTTP [RFC9110] (the Location- | |||
(the Location-indicating mechanisms). (The concept is somewhat | indicating mechanisms). (The concept is somewhat comparable to | |||
comparable to "ACL inheritance" in NFSv4 [RFC8881], except that it | "Access Control List (ACL) inheritance" in the Network File System | |||
does not use a containment relationship but the fact that the dynamic | version 4 (NFSv4) protocol [RFC8881], except that it does not use a | |||
containment relationship but rather the fact that the dynamic | ||||
resource was created from a resource to which the subject had | resource was created from a resource to which the subject had | |||
access.) In other words, it addresses an important subset of the | access.) In other words, it addresses an important subset of the | |||
third limitation mentioned in Section 2.2. | third limitation mentioned in Section 2.2. | |||
+================+===================================+ | +================+===================================+ | |||
| URI-local-part | Permission Set | | | URI-local-part | Permission Set | | |||
+================+===================================+ | +================+===================================+ | |||
| /a/make-coffee | POST, Dynamic-GET, Dynamic-DELETE | | | /a/make-coffee | POST, Dynamic-GET, Dynamic-DELETE | | |||
+----------------+-----------------------------------+ | +----------------+-----------------------------------+ | |||
Table 2: An authorization instance in the AIF | Table 2: An Authorization Instance in the AIF | |||
Information Model With Dynamic Resource Creation | Information Model with Dynamic Resource Creation | |||
For a method X, the presence of a Dynamic-X permission means that the | For a method X, the presence of a Dynamic-X permission means that the | |||
subject holds permission to exercise the method X on resources that | subject holds permission to exercise the method X on resources that | |||
have been returned in a 2.01 (201 Created) response by a Location- | have been returned in a 2.01 (201 Created) response by a Location- | |||
indicating mechanism to a request that the subject made to the | indicating mechanism to a request that the subject made to the | |||
resource listed. In the example shown in Table 2, POST operations on | resource listed. In the example shown in Table 2, POST operations on | |||
/a/make-coffee might return the location of a resource dynamically | /a/make-coffee might return the location of a resource dynamically | |||
created on the coffee machine that allows GET to find out about the | created on the coffee machine that allows GET to find out about the | |||
status of, and DELETE to cancel, the coffee-making operation. | status of, and DELETE to cancel, the coffee-making operation. | |||
skipping to change at page 7, line 6 ¶ | skipping to change at line 264 ¶ | |||
need for another explicit switch between the basic and the model | need for another explicit switch between the basic and the model | |||
extended by dynamic resource creation; the extended model is always | extended by dynamic resource creation; the extended model is always | |||
presumed once a Dynamic-X permission is present. | presumed once a Dynamic-X permission is present. | |||
3. Data Model | 3. Data Model | |||
Different data model specializations can be defined for the generic | Different data model specializations can be defined for the generic | |||
information model given above. | information model given above. | |||
In this section, we will give the data model for simple REST | In this section, we will give the data model for simple REST | |||
authorization as per Section 2.1 and Section 2.3. As discussed, in | authorization as per Sections 2.1 and 2.3. As discussed, in this | |||
this case the object identifier is specialized as a text string | case the object identifier is specialized as a text string giving a | |||
giving a relative URI (URI-local-part as absolute path on the server | relative URI (URI-local-part as the absolute path on the server | |||
serving as enforcement point). The permission set is specialized to | serving as the enforcement point). The permission set is specialized | |||
a single number REST-method-set by the following steps: | to a single number REST-method-set by the following steps: | |||
* The entries in the table that specify the same URI-local-part are | * The entries in the table that specify the same URI-local-part are | |||
merged into a single entry that specifies the union of the | merged into a single entry that specifies the union of the | |||
permission sets. | permission sets. | |||
* The (non-dynamic) methods in the permission sets are converted | * The (non-dynamic) methods in the permission sets are converted | |||
into their CoAP method numbers, minus 1. | into their CoAP method numbers, minus 1. | |||
* Dynamic-X permissions are converted into what the number would | * Dynamic-X permissions are converted into what the number would | |||
have been for X, plus a Dynamic-Offset chosen as 32 (e.g., 35 is | have been for X, plus a Dynamic-Offset chosen as 32 (e.g., 35 is | |||
skipping to change at page 7, line 33 ¶ | skipping to change at line 291 ¶ | |||
* The set of numbers is converted into a single number REST-method- | * The set of numbers is converted into a single number REST-method- | |||
set by taking two to the power of each (decremented) method number | set by taking two to the power of each (decremented) method number | |||
and computing the inclusive OR of the binary representations of | and computing the inclusive OR of the binary representations of | |||
all the power values. | all the power values. | |||
This data model could be interchanged in the JSON [RFC8259] | This data model could be interchanged in the JSON [RFC8259] | |||
representation given in Figure 3. | representation given in Figure 3. | |||
[["/s/temp",1],["/a/led",5],["/dtls",2]] | [["/s/temp",1],["/a/led",5],["/dtls",2]] | |||
Figure 3: An authorization instance encoded in JSON (40 bytes) | Figure 3: An Authorization Instance Encoded in JSON (40 Bytes) | |||
In Figure 4, a straightforward specification of the data model | In Figure 4, a straightforward specification of the data model | |||
(including both the methods from [RFC7252] and the new ones from | (including both the methods from [RFC7252] and the new ones from | |||
[RFC8132], identified by the method code minus 1) is shown in CDDL | [RFC8132], identified by the method code minus 1) is shown in CDDL | |||
[RFC8610] [RFC9165]: | [RFC8610] [RFC9165]: | |||
AIF-REST = AIF-Generic<local-path, REST-method-set> | AIF-REST = AIF-Generic<local-path, REST-method-set> | |||
local-path = tstr ; URI relative to enforcement point | local-path = tstr ; URI relative to enforcement point | |||
REST-method-set = uint .bits methods | REST-method-set = uint .bits methods | |||
methods = &( | methods = &( | |||
skipping to change at page 8, line 28 ¶ | skipping to change at line 321 ¶ | |||
Dynamic-PUT: 34; 2 .plus Dynamic-Offset | Dynamic-PUT: 34; 2 .plus Dynamic-Offset | |||
Dynamic-DELETE: 35; 3 .plus Dynamic-Offset | Dynamic-DELETE: 35; 3 .plus Dynamic-Offset | |||
Dynamic-FETCH: 36; 4 .plus Dynamic-Offset | Dynamic-FETCH: 36; 4 .plus Dynamic-Offset | |||
Dynamic-PATCH: 37; 5 .plus Dynamic-Offset | Dynamic-PATCH: 37; 5 .plus Dynamic-Offset | |||
Dynamic-iPATCH: 38; 6 .plus Dynamic-Offset | Dynamic-iPATCH: 38; 6 .plus Dynamic-Offset | |||
) | ) | |||
Figure 4: AIF in CDDL | Figure 4: AIF in CDDL | |||
For the information shown in Table 1 and Figure 3, a representation | For the information shown in Table 1 and Figure 3, a representation | |||
in CBOR [RFC8949] is given in Figure 5; again, several optimizations/ | in Concise Binary Object Representation (CBOR) [RFC8949] is given in | |||
improvements are possible. | Figure 5; again, several optimizations and improvements are possible. | |||
83 # array(3) | 83 # array(3) | |||
82 # array(2) | 82 # array(2) | |||
67 # text(7) | 67 # text(7) | |||
2f732f74656d70 # "/s/temp" | 2f732f74656d70 # "/s/temp" | |||
01 # unsigned(1) | 01 # unsigned(1) | |||
82 # array(2) | 82 # array(2) | |||
66 # text(6) | 66 # text(6) | |||
2f612f6c6564 # "/a/led" | 2f612f6c6564 # "/a/led" | |||
05 # unsigned(5) | 05 # unsigned(5) | |||
82 # array(2) | 82 # array(2) | |||
65 # text(5) | 65 # text(5) | |||
2f64746c73 # "/dtls" | 2f64746c73 # "/dtls" | |||
02 # unsigned(2) | 02 # unsigned(2) | |||
Figure 5: An authorization instance encoded in CBOR (28 bytes) | Figure 5: An Authorization Instance Encoded in CBOR (28 Bytes) | |||
Note that choosing 32 as Dynamic-Offset means that all future CoAP | Note that choosing 32 as Dynamic-Offset means that all future CoAP | |||
methods that can be registered can be represented both as themselves | methods that are registered can be represented both as themselves and | |||
and in the Dynamic-X variant, but only the dynamic forms of methods 1 | in the Dynamic-X variant, but only the dynamic forms of methods 1 to | |||
to 21 are typically usable in a JSON form [RFC7493]. | 21 are typically usable in a JSON form [RFC7493]. | |||
4. Media Types | 4. Media Types | |||
This specification defines media types for the generic information | This specification defines media types for the generic information | |||
model, expressed in JSON (application/aif+json) or in CBOR | model, expressed in JSON (application/aif+json) or in CBOR | |||
(application/aif+cbor). These media types have parameters for | (application/aif+cbor). These media types have parameters for | |||
specifying Toid and Tperm; default values are the values "URI-local- | specifying Toid and Tperm; default values are the values "URI-local- | |||
part" for Toid and "REST-method-set" for Tperm, as per Section 3 of | part" for Toid and "REST-method-set" for Tperm, as per Section 3 of | |||
the present specification. | the present specification. | |||
A specification that wants to use Generic AIF with different Toid | A specification that wants to use generic AIF with different Toid | |||
and/or Tperm is expected to request these as media type parameters | and/or Tperm is expected to request these as media type parameters | |||
(Section 5.2) and register a corresponding Content-Format | (Section 5.2) and register a corresponding Content-Format | |||
(Section 5.3). | (Section 5.3). | |||
5. IANA Considerations | 5. IANA Considerations | |||
// RFC Ed.: throughout this section, please replace RFC XXXX with the | ||||
// RFC number of this specification and remove this note. | ||||
5.1. Media Types | 5.1. Media Types | |||
IANA is requested to add the following Media-Types to the "Media | IANA has added the following media types to the "Media Types" | |||
Types" registry. | registry. The registration entries are in the following subsections. | |||
+==========+======================+=====================+ | +==========+======================+=====================+ | |||
| Name | Template | Reference | | | Name | Template | Reference | | |||
+==========+======================+=====================+ | +==========+======================+=====================+ | |||
| aif+cbor | application/aif+cbor | RFC XXXX, Section 4 | | | aif+cbor | application/aif+cbor | RFC 9237, Section 4 | | |||
+----------+----------------------+---------------------+ | +----------+----------------------+---------------------+ | |||
| aif+json | application/aif+json | RFC XXXX, Section 4 | | | aif+json | application/aif+json | RFC 9237, Section 4 | | |||
+----------+----------------------+---------------------+ | +----------+----------------------+---------------------+ | |||
Table 3: New Media Types | Table 3: New Media Types | |||
For application/aif+cbor: | 5.1.1. application/aif+cbor | |||
Type name: application | Type name: application | |||
Subtype name: aif+cbor | Subtype name: aif+cbor | |||
Required parameters: N/A | Required parameters: N/A | |||
Optional parameters: | Optional parameters: | |||
* Toid: the identifier for the object for which permissions are | ||||
supplied. A value from the media-type parameter sub-registry | ||||
for Toid. Default value: "URI-local-part" (RFC XXXX). | ||||
* Tperm: the data type of a permission set for the object | Toid: | |||
identified via a Toid. A value from the media-type parameter | the identifier for the object for which permissions are | |||
sub-registry for Tperm. Default value: "REST-method-set" (RFC | supplied. A value from the "Sub-Parameter Registry for | |||
XXXX). | application/aif+cbor and application/aif+json" subregistry for | |||
Toid. Default value: "URI-local-part" (RFC 9237). | ||||
Tperm: | ||||
the data type of a permission set for the object identified via | ||||
a Toid. A value from the "Sub-Parameter Registry for | ||||
application/aif+cbor and application/aif+json" subregistry for | ||||
Tperm. Default value: "REST-method-set" (RFC 9237). | ||||
Encoding considerations: binary (CBOR) | Encoding considerations: binary (CBOR) | |||
Security considerations: Section 6 of RFC XXXX | ||||
Interoperability considerations: none | Security considerations: Section 6 of RFC 9237 | |||
Published specification: Section 4 of RFC XXXX | ||||
Interoperability considerations: N/A | ||||
Published specification: Section 4 of RFC 9237 | ||||
Applications that use this media type: Applications that need to | Applications that use this media type: Applications that need to | |||
convey structured authorization data for identified resources, | convey structured authorization data for identified resources, | |||
conveying sets of permissions. | conveying sets of permissions. | |||
Fragment identifier considerations: The syntax and semantics of | Fragment identifier considerations: The syntax and semantics of | |||
fragment identifiers is as specified for "application/cbor". (At | fragment identifiers is as specified for "application/cbor". (At | |||
publication of RFC XXXX, there is no fragment identification | publication of RFC 9237, there is no fragment identification | |||
syntax defined for "application/cbor".) | syntax defined for "application/cbor".) | |||
Person & email address to contact for further information: ACE WG | Person & email address to contact for further information: ACE WG | |||
mailing list (ace@ietf.org), or IETF Applications and Real-Time | mailing list (ace@ietf.org) or IETF Applications and Real-Time | |||
Area (art@ietf.org) | Area (art@ietf.org) | |||
Intended usage: COMMON | Intended usage: COMMON | |||
Restrictions on usage: none | ||||
Restrictions on usage: N/A | ||||
Author/Change controller: IETF | Author/Change controller: IETF | |||
Provisional registration: no | Provisional registration: no | |||
For application/aif+json: | 5.1.2. application/aif+json | |||
Type name: application | Type name: application | |||
Subtype name: aif+json | Subtype name: aif+json | |||
Required parameters: N/A | Required parameters: N/A | |||
Optional parameters: | Optional parameters: | |||
* Toid: the identifier for the object for which permissions are | ||||
supplied. A value from the media-type parameter sub-registry | ||||
for Toid. Default value: "URI-local-part" (RFC XXXX). | ||||
* Tperm: the data type of a permission set for the object | Toid: | |||
identified via a Toid. A value from the media-type parameter | the identifier for the object for which permissions are | |||
sub-registry for Tperm. Default value: "REST-method-set" (RFC | supplied. A value from the media-type parameter subregistry | |||
XXXX). | for Toid. Default value: "URI-local-part" (RFC 9237). | |||
Tperm: | ||||
the data type of a permission set for the object identified via | ||||
a Toid. A value from the media-type parameter subregistry for | ||||
Tperm. Default value: "REST-method-set" (RFC 9237). | ||||
Encoding considerations: binary (JSON is UTF-8-encoded text) | Encoding considerations: binary (JSON is UTF-8-encoded text) | |||
Security considerations: Section 6 of RFC XXXX | ||||
Interoperability considerations: none | Security considerations: Section 6 of RFC 9237 | |||
Published specification: Section 4 of RFC XXXX | ||||
Interoperability considerations: N/A | ||||
Published specification: Section 4 of RFC 9237 | ||||
Applications that use this media type: Applications that need to | Applications that use this media type: Applications that need to | |||
convey structured authorization data for identified resources, | convey structured authorization data for identified resources, | |||
conveying sets of permissions. | conveying sets of permissions. | |||
Fragment identifier considerations: The syntax and semantics of | Fragment identifier considerations: The syntax and semantics of | |||
fragment identifiers is as specified for "application/json". (At | fragment identifiers is as specified for "application/json". (At | |||
publication of RFC XXXX, there is no fragment identification | publication of RFC 9237, there is no fragment identification | |||
syntax defined for "application/json".) | syntax defined for "application/json".) | |||
Person & email address to contact for further information: ACE WG | Person & email address to contact for further information: ACE WG | |||
mailing list (ace@ietf.org), or IETF Applications and Real-Time | mailing list (ace@ietf.org) or IETF Applications and Real-Time | |||
Area (art@ietf.org) | Area (art@ietf.org) | |||
Intended usage: COMMON | Intended usage: COMMON | |||
Restrictions on usage: none | ||||
Restrictions on usage: N/A | ||||
Author/Change controller: IETF | Author/Change controller: IETF | |||
Provisional registration: no | Provisional registration: no | |||
5.2. Registries | 5.2. Registries | |||
For the media types application/aif+cbor and application/aif+json, | For the media types application/aif+cbor and application/aif+json, | |||
IANA is requested to create a sub-registry within | IANA has created a subregistry within | |||
[IANA.media-type-sub-parameters] for the two media-type parameters | [IANA.media-type-sub-parameters] for the media-type parameters Toid | |||
Toid and Tperm, populated with: | and Tperm, populated with the following: | |||
+===========+=================+=====================+===========+ | +===========+=================+=====================+===========+ | |||
| Parameter | name | Description/ | Reference | | | Parameter | name | Description/ | Reference | | |||
| | | Specification | | | | | | Specification | | | |||
+===========+=================+=====================+===========+ | +===========+=================+=====================+===========+ | |||
| Toid | URI-local-part | local-part of URI | RFC XXXX | | | Toid | URI-local-part | local-part of URI | RFC 9237 | | |||
+-----------+-----------------+---------------------+-----------+ | +-----------+-----------------+---------------------+-----------+ | |||
| Tperm | REST-method-set | set of REST methods | RFC XXXX | | | Tperm | REST-method-set | set of REST methods | RFC 9237 | | |||
| | | represented | | | | | | represented | | | |||
+-----------+-----------------+---------------------+-----------+ | +-----------+-----------------+---------------------+-----------+ | |||
Table 4: New Media Type Parameters | Table 4: New Media Type Parameters | |||
The registration policy is Specification required [RFC8126]. The | The registration policy is Specification Required [RFC8126]. The | |||
designated expert will engage with the submitter to ascertain the | designated expert will engage with the submitter to ascertain whether | |||
requirements of this document are addressed: | the requirements of this document are addressed: | |||
* The specifications for Toid and Tperm need to realize the general | * The specifications for Toid and Tperm need to realize the general | |||
ideas of unambiguous object identifiers and permission lists in | ideas of unambiguous object identifiers and permission lists in | |||
the context where the AIF data item is intended to be used, and | the context where the AIF data item is intended to be used, and | |||
their structure needs to be usable with the intended media types | their structure needs to be usable with the intended media types | |||
(application/aif+cbor and application/aif+json) as identified in | (application/aif+cbor and application/aif+json) as identified in | |||
the specification. | the specification. | |||
* The parameter names need to conform to Section 4.3 of [RFC6838], | * The parameter names need to conform to Section 4.3 of [RFC6838], | |||
but preferably are in [KebabCase] so they can easily be translated | but preferably are in [KebabCase] so they can be easily translated | |||
into names used in popular programming language APIs. | into names used in popular programming language APIs. | |||
The designated experts will develop further criteria and guidelines | The designated experts will develop further criteria and guidelines | |||
as needed. | as needed. | |||
5.3. Content-Format | 5.3. Content-Format | |||
IANA is requested to register Content-Format numbers in the "CoAP | IANA has registered Content-Format numbers in the "CoAP Content- | |||
Content-Formats" sub-registry, within the "Constrained RESTful | Formats" subregistry, within the "Constrained RESTful Environments | |||
Environments (CoRE) Parameters" Registry [IANA.core-parameters], as | (CoRE) Parameters" registry [IANA.core-parameters], as follows: | |||
follows: | ||||
+======================+================+======+===========+ | +======================+================+=====+===========+ | |||
| Content-Type | Content Coding | ID | Reference | | | Content-Type | Content Coding | ID | Reference | | |||
+======================+================+======+===========+ | +======================+================+=====+===========+ | |||
| application/aif+cbor | - | TBD1 | RFC XXXX | | | application/aif+cbor | - | 290 | RFC 9237 | | |||
+----------------------+----------------+------+-----------+ | +----------------------+----------------+-----+-----------+ | |||
| application/aif+json | - | TBD2 | RFC XXXX | | | application/aif+json | - | 291 | RFC 9237 | | |||
+----------------------+----------------+------+-----------+ | +----------------------+----------------+-----+-----------+ | |||
Table 5: New Content-Formats | Table 5: New Content-Formats | |||
// RFC Ed.: please replace TBD1 and TBD2 with assigned IDs and remove | ||||
this note. | ||||
In the registry as defined by Section 12.3 of [RFC7252] at the time | In the registry as defined by Section 12.3 of [RFC7252] at the time | |||
of writing, the column "Content-Type" is called "Media type" and the | of writing, the column "Content-Type" is called "Media type" and the | |||
column "Content Coding" is called "Encoding". | column "Content Coding" is called "Encoding". | |||
Note that applications that register Toid and Tperm values are | Note that applications that register Toid and Tperm values are | |||
encouraged to also register Content-Formats for the relevant | encouraged to also register Content-Formats for the relevant | |||
combinations. | combinations. | |||
6. Security Considerations | 6. Security Considerations | |||
The security considerations of [RFC7252] apply when AIF is used with | The security considerations of [RFC7252] apply when AIF is used with | |||
CoAP, and, if complex formats such as URIs are used for Toid or | CoAP, and, if complex formats such as URIs are used for Toid or | |||
Tperm, specifically Section 11.1 of [RFC7252]. Some wider issues are | Tperm, specifically Section 11.1 of [RFC7252]. Some wider issues are | |||
discussed in [RFC8576]. | discussed in [RFC8576]. | |||
When applying these formats, the referencing specification needs to | When applying these formats, the referencing specification needs to | |||
be careful to: | be careful to ensure that: | |||
* ensure that the cryptographic armor employed around this format | * the cryptographic armor employed around this format fulfills the | |||
fulfills the referencing specification's security objectives, and | referencing specification's security objectives and that the armor | |||
that the armor or some additional information included in it with | or some additional information included in it with the AIF data | |||
the AIF data item (1) unambiguously identifies the subject to | item (1) unambiguously identifies the subject to which the | |||
which the authorizations shall apply and (2) provides any context | authorizations shall apply and (2) provides any context | |||
information needed to derive the identity of the object to which | information needed to derive the identity of the object to which | |||
authorization is being granted from the object identifiers (such | authorization is being granted from the object identifiers (such | |||
as, for the data models defined in the present specification, the | as, for the data models defined in the present specification, the | |||
scheme and authority information that is used to construct the | scheme and authority information that is used to construct the | |||
full URI), and | full URI), and | |||
* ensure that the types used for Toid and Tperm provide the | * the types used for Toid and Tperm provide the appropriate | |||
appropriate granularity and precision so that application | granularity and precision so that application requirements on the | |||
requirements on the precision of the authorization information are | precision of the authorization information are fulfilled and that | |||
fulfilled, and that all parties have the same understanding of | all parties have the same understanding of each Toid/Tperm pair in | |||
each Toid/Tperm pair in terms of specified objects (resources) and | terms of specified objects (resources) and operations on those. | |||
operations on those. | ||||
For the data formats, the security considerations of [RFC8259] and | For the data formats, the security considerations of [RFC8259] and | |||
[RFC8949] apply. | [RFC8949] apply. | |||
A plain implementation of AIF might implement just the basic REST | A plain implementation of AIF might implement just the basic REST | |||
model as per Section 2.1. If it receives authorizations that include | model as per Section 2.1. If it receives authorizations that include | |||
permissions that use the REST-specific Model With Dynamic Resource | permissions that use the REST-Specific Model with Dynamic Resource | |||
Creation Section 2.3, it needs to either reject the AIF data item | Creation (Section 2.3), it needs to either reject the AIF data item | |||
entirely or act only on the permissions that it does understand. In | entirely or act only on the permissions that it does understand. In | |||
other words, the semantics underlying an allow-list as discussed | other words, the semantics underlying an allow-list as discussed | |||
above need to hold here as well. | above need to hold here as well. | |||
An implementation of the REST-specific Model With Dynamic Resource | An implementation of the REST-Specific Model with Dynamic Resource | |||
Creation Section 2.3 needs to carefully keep track of the dynamically | Creation (Section 2.3) needs to carefully keep track of the | |||
created objects and the subjects to which the Dynamic-X permissions | dynamically created objects and the subjects to which the Dynamic-X | |||
apply -- both on the server side to enforce the permissions and on | permissions apply -- both on the server side to enforce the | |||
the client side to know which permissions are available. | permissions and on the client side to know which permissions are | |||
available. | ||||
7. References | 7. References | |||
7.1. Normative References | 7.1. Normative References | |||
[I-D.ietf-httpbis-semantics] | ||||
Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP | ||||
Semantics", Work in Progress, Internet-Draft, draft-ietf- | ||||
httpbis-semantics-19, 12 September 2021, | ||||
<https://www.ietf.org/archive/id/draft-ietf-httpbis- | ||||
semantics-19.txt>. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
Resource Identifier (URI): Generic Syntax", STD 66, | Resource Identifier (URI): Generic Syntax", STD 66, | |||
RFC 3986, DOI 10.17487/RFC3986, January 2005, | RFC 3986, DOI 10.17487/RFC3986, January 2005, | |||
<https://www.rfc-editor.org/info/rfc3986>. | <https://www.rfc-editor.org/info/rfc3986>. | |||
skipping to change at page 14, line 30 ¶ | skipping to change at line 621 ¶ | |||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data | [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data | |||
Definition Language (CDDL): A Notational Convention to | Definition Language (CDDL): A Notational Convention to | |||
Express Concise Binary Object Representation (CBOR) and | Express Concise Binary Object Representation (CBOR) and | |||
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, | JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, | |||
June 2019, <https://www.rfc-editor.org/info/rfc8610>. | June 2019, <https://www.rfc-editor.org/info/rfc8610>. | |||
[RFC9110] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | ||||
Ed., "HTTP Semantics", RFC 9110, DOI 10.17487/RFC9110, | ||||
April 2022, <https://www.rfc-editor.org/info/rfc9110>. | ||||
[RFC9165] Bormann, C., "Additional Control Operators for the Concise | [RFC9165] Bormann, C., "Additional Control Operators for the Concise | |||
Data Definition Language (CDDL)", RFC 9165, | Data Definition Language (CDDL)", RFC 9165, | |||
DOI 10.17487/RFC9165, December 2021, | DOI 10.17487/RFC9165, December 2021, | |||
<https://www.rfc-editor.org/info/rfc9165>. | <https://www.rfc-editor.org/info/rfc9165>. | |||
7.2. Informative References | 7.2. Informative References | |||
[I-D.ietf-ace-oauth-authz] | ||||
Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and | ||||
H. Tschofenig, "Authentication and Authorization for | ||||
Constrained Environments (ACE) using the OAuth 2.0 | ||||
Framework (ACE-OAuth)", Work in Progress, Internet-Draft, | ||||
draft-ietf-ace-oauth-authz-46, 8 November 2021, | ||||
<https://www.ietf.org/archive/id/draft-ietf-ace-oauth- | ||||
authz-46.txt>. | ||||
[IANA.core-parameters] | [IANA.core-parameters] | |||
IANA, "Constrained RESTful Environments (CoRE) | IANA, "Constrained RESTful Environments (CoRE) | |||
Parameters", | Parameters", | |||
<https://www.iana.org/assignments/core-parameters>. | <https://www.iana.org/assignments/core-parameters>. | |||
[IANA.media-type-sub-parameters] | [IANA.media-type-sub-parameters] | |||
IANA, "MIME Media Type Sub-Parameter Registries", | IANA, "MIME Media Type Sub-Parameter Registries", | |||
<https://www.iana.org/assignments/media-type-sub- | <https://www.iana.org/assignments/media-type-sub- | |||
parameters>. | parameters>. | |||
[KebabCase] | [KebabCase] | |||
"KebabCase", 29 August 2014, | "Kebab Case", 29 August 2014, | |||
<http://wiki.c2.com/?KebabCase>. | <http://wiki.c2.com/?KebabCase>. | |||
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", | [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", | |||
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, | FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, | |||
<https://www.rfc-editor.org/info/rfc4949>. | <https://www.rfc-editor.org/info/rfc4949>. | |||
[RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., | [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., | |||
and D. Orchard, "URI Template", RFC 6570, | and D. Orchard, "URI Template", RFC 6570, | |||
DOI 10.17487/RFC6570, March 2012, | DOI 10.17487/RFC6570, March 2012, | |||
<https://www.rfc-editor.org/info/rfc6570>. | <https://www.rfc-editor.org/info/rfc6570>. | |||
skipping to change at page 16, line 10 ¶ | skipping to change at line 689 ¶ | |||
[RFC8881] Noveck, D., Ed. and C. Lever, "Network File System (NFS) | [RFC8881] Noveck, D., Ed. and C. Lever, "Network File System (NFS) | |||
Version 4 Minor Version 1 Protocol", RFC 8881, | Version 4 Minor Version 1 Protocol", RFC 8881, | |||
DOI 10.17487/RFC8881, August 2020, | DOI 10.17487/RFC8881, August 2020, | |||
<https://www.rfc-editor.org/info/rfc8881>. | <https://www.rfc-editor.org/info/rfc8881>. | |||
[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object | [RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object | |||
Representation (CBOR)", STD 94, RFC 8949, | Representation (CBOR)", STD 94, RFC 8949, | |||
DOI 10.17487/RFC8949, December 2020, | DOI 10.17487/RFC8949, December 2020, | |||
<https://www.rfc-editor.org/info/rfc8949>. | <https://www.rfc-editor.org/info/rfc8949>. | |||
[RFC9200] Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and | ||||
H. Tschofenig, "Authentication and Authorization for | ||||
Constrained Environments Using the OAuth 2.0 Framework | ||||
(ACE-OAuth)", RFC 9200, DOI 10.17487/RFC9200, April 2022, | ||||
<https://www.rfc-editor.org/info/rfc9200>. | ||||
Acknowledgements | Acknowledgements | |||
Jim Schaad, Francesca Palombini, Olaf Bergmann, Marco Tiloca, and | Jim Schaad, Francesca Palombini, Olaf Bergmann, Marco Tiloca, and | |||
Christian Amsüss provided comments that shaped the direction of this | Christian Amsüss provided comments that shaped the direction of this | |||
document. Alexey Melnikov pointed out that there were gaps in the | document. Alexey Melnikov pointed out that there were gaps in the | |||
media type specifications, and Loganaden Velvindron provided a | media type specifications, and Loganaden Velvindron provided a | |||
shepherd review with further comments. Many thanks also to the IESG | shepherd review with further comments. Many thanks also to the IESG | |||
reviewers, which provided several small but significant observations. | reviewers, who provided several small but significant observations. | |||
Benjamin Kaduk provided an extensive review as responsible Area | Benjamin Kaduk provided an extensive review as Responsible Area | |||
Director, and indeed is responsible for much improvement in the | Director and indeed is responsible for much improvement in the | |||
document. | document. | |||
Author's Address | Author's Address | |||
Carsten Bormann | Carsten Bormann | |||
Universität Bremen TZI | Universität Bremen TZI | |||
Postfach 330440 | Postfach 330440 | |||
D-28359 Bremen | D-28359 Bremen | |||
Germany | Germany | |||
Phone: +49-421-218-63921 | Phone: +49-421-218-63921 | |||
End of changes. 83 change blocks. | ||||
220 lines changed or deleted | 228 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |