rfc9237.original.xml   rfc9237.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version="1.0" encoding="UTF-8"?>
<!-- draft submitted in xml v3 -->
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.6.6 (Ruby 3 <rfc xmlns:xi="http://www.w3.org/2001/XInclude" xml:lang="en" ipr="trust200902"
.1.1) --> docName="draft-ietf-ace-aif-07" number="9237" submissionType="IETF" category="st
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft d" consensus="true" tocDepth="4" tocInclude="true" sortRefs="true" symRefs="true
-ietf-ace-aif-07" category="std" consensus="true" submissionType="IETF" tocDepth " updates=""
="4" tocInclude="true" sortRefs="true" symRefs="true" version="3"> obsoletes="" version="3">
<!-- xml2rfc v2v3 conversion 3.12.1 -->
<!-- xml2rfc v2v3 conversion 3.12.1 -->
<!-- [rfced] Please note that the title of the document has been updated as
follows. The abbreviation "ACE" has been expanded per Section 3.6 of RFC
7322 (“RFC Style Guide”). Please review.
Original:
An Authorization Information Format (AIF) for ACE
Current:
An Authorization Information Format (AIF) for Authentication and
Authorization for Constrained Environments (ACE)
-->
<!-- [rfced] We note that AIF and ACE are mentioned in the document title but
not in the abstract. Please review and let us know if any updates are
needed.
-->
<front> <front>
-&gt; <title abbrev="ACE AIF">An Authorization Information Format (AIF) for Authen
<title abbrev="ACE AIF">An Authorization Information Format (AIF) for ACE</t tication and Authorization for Constrained Environments (ACE)</title>
itle> <seriesInfo name="RFC" value="9237"/>
<seriesInfo name="Internet-Draft" value="draft-ietf-ace-aif-07"/>
<author initials="C." surname="Bormann" fullname="Carsten Bormann"> <author initials="C." surname="Bormann" fullname="Carsten Bormann">
<organization>Universität Bremen TZI</organization> <organization>Universität Bremen TZI</organization>
<address> <address>
<postal> <postal>
<street>Postfach 330440</street> <street>Postfach 330440</street>
<city>Bremen</city> <city>Bremen</city>
<code>D-28359</code> <code>D-28359</code>
<country>Germany</country> <country>Germany</country>
</postal> </postal>
<phone>+49-421-218-63921</phone> <phone>+49-421-218-63921</phone>
<email>cabo@tzi.org</email> <email>cabo@tzi.org</email>
</address> </address>
</author> </author>
<date year="2022" month="March" day="15"/> <date year="2022" month="April"/>
<area>Internet</area> <area>sec</area>
<workgroup>ACE Working Group</workgroup> <workgroup>ACE</workgroup>
<keyword>Internet-Draft</keyword>
<!-- [rfced] Please insert any keywords (beyond those that appear in the title)
for use on https://www.rfc-editor.org/search. -->
<abstract> <abstract>
<t>Information about which entities are authorized to perform what <t>Information about which entities are authorized to perform what
operations on which constituents of other entities is a crucial operations on which constituents of other entities is a crucial
component of producing an overall system that is secure. Conveying component of producing an overall system that is secure. Conveying
precise authorization information is especially critical in highly precise authorization information is especially critical in highly
automated systems with large numbers of entities, such as the automated systems with large numbers of entities, such as the
"Internet of Things".</t> Internet of Things.</t>
<t>This specification provides a generic information model and format for <t>This specification provides a generic information model and format for
representing such authorization information, as well as two variants representing such authorization information, as well as two variants
of a specific instantiation of that format for use with REST resources of a specific instantiation of that format for use with Representational State T ransfer (REST) resources
identified by URI path.</t> identified by URI path.</t>
</abstract> </abstract>
<note removeInRFC="true">
<name>About This Document</name>
<t>
Status information for this document may be found at <eref target="https
://datatracker.ietf.org/doc/draft-ietf-ace-aif/"/>.
</t>
<t>
Discussion of this document takes place on the
Authentication and Authorization for Constrained Environments (ace) Work
ing Group mailing list (<eref target="mailto:ace@ietf.org"/>),
which is archived at <eref target="https://mailarchive.ietf.org/arch/bro
wse/ace/"/>.
</t>
<t>Source for this draft and an issue tracker can be found at
<eref target="https://github.com/cabo/ace-aif"/>.</t>
</note>
</front> </front>
<middle> <middle>
<section anchor="introduction"> <section anchor="introduction">
<name>Introduction</name> <name>Introduction</name>
<t>Constrained Devices as they are used in the "Internet of Things" need <t>Constrained devices, as they are used in the Internet of Things, need
security in order to operate correctly and prevent misuse. security in order to operate correctly and prevent misuse.
One important element of this security is that devices in the Internet One important element of this security is that devices in the Internet
of Things need to be able to decide which operations requested of them of Things need to be able to decide which operations requested of them
should be considered authorized, need to ascertain that the should be considered authorized, ascertain that the
authorization to request the operation does apply to the actual authorization to request the operation does apply to the actual
requester as authenticated, requester as authenticated,
and need to ascertain that other devices they make and ascertain that other devices they make
requests of are the ones they intended.</t> requests of are the ones they intended.</t>
<t>To transfer detailed authorization information from an authorization ma nager <t>To transfer detailed authorization information from an authorization ma nager
(such as an ACE-OAuth Authorization Server <xref target="I-D.ietf-ace-oauth-auth z"/>) to a device, a (such as an ACE-OAuth authorization server <xref target="RFC9200"/>) to a device , a
compact representation format is needed. compact representation format is needed.
This document defines such a format, the This document defines such a format -- the
Authorization Information Format (AIF). Authorization Information Format (AIF).
AIF is defined both as a general structure that can be used for many AIF is defined both as a general structure that can be used for many
different applications and different applications and
as a specific instantiation tailored to REST resources and the permissions as a specific instantiation tailored to REST resources and the permissions
on them, including some provision for dynamically created resources.</t> on them, including some provision for dynamically created resources.</t>
<section anchor="terminology"> <section anchor="terminology">
<name>Terminology</name> <name>Terminology</name>
<t>This memo uses terms from CoAP <xref target="RFC7252"/> and the Inter
net Security Glossary <xref target="RFC4949"/>; CoAP is used for <!-- [rfced] Although not required, the text about the RFC 2119 key words
the explanatory examples as it is a good fit for Constrained Devices.</t> often appears at the end of the Terminology section. Would you like to
<t>The shape of data is specified in CDDL <xref target="RFC8610"/> <xref leave it as is or move it to the end of the section?
target="RFC9165"/>. -->
Terminology for Constrained Devices is defined in <xref target="RFC7228"/>.</t>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp <t>This memo uses terms from the Constrained Application Protocol (CoAP)
14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL <xref target="RFC7252"/> and the Internet Security Glossary <xref target="RFC494
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECO 9"/>; CoAP is used for
MMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", the explanatory examples as it is a good fit for constrained devices.</t>
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be i <t>The shape of data is specified in Concise Data Definition Language (C
nterpreted as DDL) <xref target="RFC8610"/> <xref target="RFC9165"/>.
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and Terminology for constrained devices is defined in <xref target="RFC7228"/>.</t>
only when, they <t>
appear in all capitals, as shown here.</t> The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
<t>The term "byte", abbreviated by "B", is used in its now customary "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>",
"<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be
interpreted as described in BCP&nbsp;14 <xref target="RFC2119"/> <xref
target="RFC8174"/> when, and only when, they appear in all capitals, as shown
here.
</t>
<t>The term "byte", abbreviated by "B", is used in its now customary
sense as a synonym for "octet".</t> sense as a synonym for "octet".</t>
</section> </section>
</section> </section>
<section anchor="information-model"> <section anchor="information-model">
<name>Information Model</name> <name>Information Model</name>
<t>Authorizations are generally expressed through some data structures <t>Authorizations are generally expressed through some data structures
that are cryptographically secured (or transmitted in a secure way). that are cryptographically secured (or transmitted in a secure way).
This section discusses the information model underlying the payload of This section discusses the information model underlying the payload of
that data (as opposed to the cryptographic armor around it).</t> that data (as opposed to the cryptographic armor around it).</t>
<t>The semantics of the authorization information defined in this <t>The semantics of the authorization information defined in this
document are that of an <em>allow-list</em>: document are that of an <em>allow-list</em>:
everything is denied until it is explicitly allowed.</t> everything is denied until it is explicitly allowed.</t>
<t>For the purposes of this specification, the underlying access control m odel <t>For the purposes of this specification, the underlying access control m odel
will be that of an access matrix, which gives a set of permissions for will be that of an access matrix, which gives a set of permissions for
each possible combination of a subject and an object. each possible combination of a subject and an object.
We are focusing the AIF data item on a single row in the access matrix We are focusing the AIF data item on a single row in the access matrix
(such a row has often been called a capability list), without (such a row has often been called a "capability list") without
concern to the subject for which the data item is issued. concern to the subject for which the data item is issued.
As a consequence, AIF <bcp14>MUST</bcp14> be used in a way that the subject of t he As a consequence, AIF <bcp14>MUST</bcp14> be used in a way that the subject of t he
authorizations is unambiguously identified (e.g., as part of the armor authorizations is unambiguously identified (e.g., as part of the armor
around it).</t> around it).</t>
<t>The generic model of such a capability list is a list of pairs of <t>The generic model of such a capability list is a list of pairs of
object identifiers (of type <tt>Toid</tt>) and the permissions (of type <tt>Tper m</tt>) the subject has on the object identifiers (of type <tt>Toid</tt>) and the permissions (of type <tt>Tper m</tt>) that the subject has on the
object(s) identified.</t> object(s) identified.</t>
<figure anchor="genaif"> <figure anchor="genaif">
<name>Definition of Generic AIF</name> <name>Definition of Generic AIF</name>
<sourcecode type="cddl"><![CDATA[ <sourcecode type="cddl"><![CDATA[
AIF-Generic<Toid, Tperm> = [* [Toid, Tperm]] AIF-Generic<Toid, Tperm> = [* [Toid, Tperm]]
]]></sourcecode> ]]></sourcecode>
</figure> </figure>
<t>In a specific data model (such as the one also specified in <t>In a specific data model (such as the one specified in
this document), the object identifier (<tt>Toid</tt>) will often be this document), the object identifier (<tt>Toid</tt>) will often be
a text string, and the set of permissions (<tt>Tperm</tt>) will be represented a text string, and the set of permissions (<tt>Tperm</tt>) will be represented
by a bitset in turn represented as a number (see <xref target="data-model"/>).</ t> by a bit set, which in turn is represented as a number (see <xref target="data-m odel"/>).</t>
<figure anchor="specaif"> <figure anchor="specaif">
<name>Commonly used shape of a specific AIF</name> <name>Commonly Used Shape of a Specific AIF</name>
<sourcecode type="cddl"><![CDATA[ <sourcecode type="cddl"><![CDATA[
AIF-Specific = AIF-Generic<tstr, uint> AIF-Specific = AIF-Generic<tstr, uint>
]]></sourcecode> ]]></sourcecode>
</figure> </figure>
<section anchor="rest-model"> <section anchor="rest-model">
<name>REST-specific Model</name> <name>REST-Specific Model</name>
<!-- [rfced] May we move the phrase "for the object identifiers (Toid)" to
appear at the end of the sentence? Also, please confirm that the plural
"object identifiers" is correct here.
Original:
In the specific instantiation of the REST resources and the
permissions on them, for the object identifiers (Toid), we use the
URI of a resource on a CoAP server.
Perhaps:
In the specific instantiation of the REST resources and the
permissions on them, we use the
URI of a resource on a CoAP server for the object identifiers (Toid).
-->
<t>In the specific instantiation of the REST resources and the <t>In the specific instantiation of the REST resources and the
permissions on them, for the object identifiers (<tt>Toid</tt>), we permissions on them, for the object identifiers (<tt>Toid</tt>), we
use the URI of a resource on a CoAP server. More specifically, since the use the URI of a resource on a CoAP server. More specifically, since the
parts of the URI that identify the server ("authority" in parts of the URI that identify the server ("authority" in
<xref target="RFC3986"/>) are what are authenticated during REST resource access (<xref section="4.2.2" sectionFormat="of" target="I-D.ietf-httpbis-semantics"/> and <xref section="6.2" sectionFormat="of" target="RFC7252"/>), they <xref target="RFC3986"/>) are authenticated during REST resource access (<xref s ection="4.2.2" sectionFormat="of" target="RFC9110"/> and <xref section="6.2" sec tionFormat="of" target="RFC7252"/>), they
naturally fall into the realm handled by the cryptographic armor; we therefore f ocus on naturally fall into the realm handled by the cryptographic armor; we therefore f ocus on
the "path" ("path-abempty") and "query" parts of the URI (<em>URI-local-part</em > in the "path" ("path-abempty") and "query" parts of the URI (<em>URI-local-part</em > in
this specification, as expressed by the Uri-Path and Uri-Query options this specification, as expressed by the Uri-Path and Uri-Query options
in CoAP). As a consequence, AIF <bcp14>MUST</bcp14> be used in a way that it is in CoAP).
clear who is the target (enforcement point) of these authorizations
<!--[rfced] We updated this text slightly for ease of readability
(i.e., updated "that it is clear who" to "that clearly shows
who". Please let us know of any objections.
Original:
As a consequence, AIF MUST be used in a way that it is clear who is
the target (enforcement point) of these authorizations (note that
there may be more than one target that the same authorization applies
to, e.g., in a situation with homogeneous devices).
Current
As a consequence, AIF MUST be used in a way that clearly shows
who is the target (enforcement point) of these authorizations (note
that there may be more than one target that the same authorization
applies to, e.g., in a situation with homogeneous devices).
-->
As a consequence, AIF <bcp14>MUST</bcp14> be used in a way that clearly shows
who is the target (enforcement point) of these authorizations
(note that there may be more than one target that the same (note that there may be more than one target that the same
authorization applies to, e.g., in a situation with homogeneous authorization applies to, e.g., in a situation with homogeneous
devices).</t> devices).</t>
<t>For the permissions (<tt>Tperm</tt>), we use a simple permissions mod el that <t>For the permissions (<tt>Tperm</tt>), we use a simple permissions mod el that
lists the subset of the REST (CoAP or HTTP) methods permitted. lists the subset of the REST (CoAP or HTTP) methods permitted.
This model is summarized in <xref target="im-example"/>.</t> This model is summarized in <xref target="im-example"/>.</t>
<table anchor="im-example"> <!-- [rfced] Please review these table titles and let us know if any updates
<name>An authorization instance in the AIF Information Model</name> are needed to "AIF Information Model". We ask because the corresponding
sections are titled "REST-Specific Model" and "REST-Specific Model with
Dynamic Resource Creation", respectively.
Current:
Table 1: An Authorization Instance in the AIF Information Model
...
Table 2: An Authorization Instance in the AIF Information Model
with Dynamic Resource Creation
-->
<table anchor="im-example">
<name>An Authorization Instance in the AIF Information Model</name>
<thead> <thead>
<tr> <tr>
<th align="left">URI-local-part</th> <th align="left">URI-local-part</th>
<th align="left">Permission Set</th> <th align="left">Permission Set</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">/s/temp</td> <td align="left">/s/temp</td>
<td align="left">GET</td> <td align="left">GET</td>
skipping to change at line 175 skipping to change at line 238
</tr> </tr>
<tr> <tr>
<td align="left">/dtls</td> <td align="left">/dtls</td>
<td align="left">POST</td> <td align="left">POST</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>In this example, a device offers a temperature sensor <tt>/s/temp</tt > for <t>In this example, a device offers a temperature sensor <tt>/s/temp</tt > for
read-only access, a LED actuator <tt>/a/led</tt> for read/write, and a read-only access, a LED actuator <tt>/a/led</tt> for read/write, and a
<tt>/dtls</tt> resource for POST access.</t> <tt>/dtls</tt> resource for POST access.</t>
<t>As will be seen in the data model (<xref target="data-model"/>), the representations <t>As shown in the data model (<xref target="data-model"/>), the represe ntations
of REST methods provided are limited to those that have a CoAP method of REST methods provided are limited to those that have a CoAP method
number assigned; an extension to the model may be necessary to represent number assigned; an extension to the model may be necessary to represent
permissions for exotic HTTP methods.</t> permissions for exotic HTTP methods.</t>
</section> </section>
<section anchor="limitations"> <section anchor="limitations">
<name>Limitations</name> <name>Limitations</name>
<t>This simple information model only allows granting permissions for <t>This simple information model only allows granting permissions for
statically identifiable objects, e.g., URIs for the REST-specific statically identifiable objects, e.g., URIs for the REST-specific
instantiation. One might be tempted to extend the model towards URI instantiation. One might be tempted to extend the model towards URI
templates <xref target="RFC6570"/> (for instance, to open up an templates <xref target="RFC6570"/> (for instance, to open up an
authorization for many parameter values as in authorization for many parameter values as in
<tt>/s/temp{?any*}</tt>). <tt>/s/temp{?any*}</tt>).
However, that requires some considerations of However, that requires some considerations of
the ease and unambiguity of matching a given URI against a set of the ease and unambiguity of matching a given URI against a set of
templates in an AIF data item.</t> templates in an AIF data item.</t>
<t>This simple information model also does not allow expressing <!-- [rfced] May we update "that is not locked" here to read either "it is not
locked" or "that door is not locked"?
Original:
This simple information model also does not allow expressing
conditionalized access based on state outside the identification of
objects (e.g., "opening a door is allowed if that is not locked").
-->
<t>This simple information model also does not allow expressing
conditionalized access based on state outside the identification of conditionalized access based on state outside the identification of
objects (e.g., "opening a door is allowed if that is not locked").</t> objects (e.g., "opening a door is allowed if that is not locked").</t>
<t>Finally, the model does not provide any special access for a set of <t>Finally, the model does not provide any special access for a set of
resources that are specific to a subject, e.g., that the subject resources that are specific to a subject, e.g., that the subject
created itself by previous operations (PUT, POST, or PATCH/iPATCH <xref target=" RFC8132"/>) or that were created itself by previous operations (PUT, POST, or PATCH/iPATCH <xref target=" RFC8132"/>) or that were
specifically created for the subject by others.</t> specifically created for the subject by others.</t>
</section> </section>
<section anchor="ext-rest-model"> <section anchor="ext-rest-model">
<name>REST-specific Model With Dynamic Resource Creation</name> <name>REST-Specific Model with Dynamic Resource Creation</name>
<t>The REST-specific Model With Dynamic Resource Creation addresses the <t>The REST-Specific Model with Dynamic Resource Creation addresses the
need to provide defined need to provide defined
access to dynamic resources that were created by the subject itself, access to dynamic resources that were created by the subject itself,
specifically, a resource that is made known to the subject by specifically, a resource that is made known to the subject by
providing Location-* options in a CoAP response or using the Location providing Location-* options in a CoAP response or using the Location
header field in HTTP <xref target="I-D.ietf-httpbis-semantics"/> (the Location-i header field in HTTP <xref target="RFC9110"/> (the Location-indicating mechanism
ndicating mechanisms). s).
(The concept is somewhat comparable to "ACL inheritance" in NFSv4 (The concept is somewhat comparable to "Access Control List (ACL) inheritance" i
n the Network File System version 4 (NFSv4) protocol
<xref target="RFC8881"/>, except that it does not use a containment relationship <xref target="RFC8881"/>, except that it does not use a containment relationship
but the fact that the dynamic resource was created from a resource to but rather the fact that the dynamic resource was created from a resource to
which the subject had access.) which the subject had access.)
In other words, it addresses an important subset of the third In other words, it addresses an important subset of the third
limitation mentioned in <xref target="limitations"/>.</t> limitation mentioned in <xref target="limitations"/>.</t>
<table anchor="im-example-dynamic"> <table anchor="im-example-dynamic">
<name>An authorization instance in the AIF Information Model With Dyna mic Resource Creation</name> <name>An Authorization Instance in the AIF Information Model with Dyna mic Resource Creation</name>
<thead> <thead>
<tr> <tr>
<th align="left">URI-local-part</th> <th align="left">URI-local-part</th>
<th align="left">Permission Set</th> <th align="left">Permission Set</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">/a/make-coffee</td> <td align="left">/a/make-coffee</td>
<td align="left">POST, Dynamic-GET, Dynamic-DELETE</td> <td align="left">POST, Dynamic-GET, Dynamic-DELETE</td>
skipping to change at line 249 skipping to change at line 320
another explicit switch between the basic and the model extended by another explicit switch between the basic and the model extended by
dynamic resource creation; the dynamic resource creation; the
extended model is always presumed once a Dynamic-X permission is present.</t> extended model is always presumed once a Dynamic-X permission is present.</t>
</section> </section>
</section> </section>
<section anchor="data-model"> <section anchor="data-model">
<name>Data Model</name> <name>Data Model</name>
<t>Different data model specializations can be defined for the generic <t>Different data model specializations can be defined for the generic
information model given above.</t> information model given above.</t>
<t>In this section, we will give the data model for simple REST <t>In this section, we will give the data model for simple REST
authorization as per <xref target="rest-model"/> and <xref target="ext-rest-mode l"/>. authorization as per Sections <xref target="rest-model" format="counter"/> and < xref target="ext-rest-model" format="counter"/>.
As discussed, in this case the object identifier is specialized as a text string As discussed, in this case the object identifier is specialized as a text string
giving a relative URI (URI-local-part as absolute path on the server giving a relative URI (URI-local-part as the absolute path on the server
serving as enforcement point). serving as the enforcement point).
The permission set is specialized to a single number <tt>REST-method-set</tt> by the following steps:</t> The permission set is specialized to a single number <tt>REST-method-set</tt> by the following steps:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>The entries in the table that specify the same URI-local-part are me rged <li>The entries in the table that specify the same URI-local-part are me rged
into a single entry that specifies the union of the permission sets.</li> into a single entry that specifies the union of the permission sets.</li>
<li>The (non-dynamic) methods in the permission sets are converted into <li>The (non-dynamic) methods in the permission sets are converted into
their CoAP method numbers, minus 1.</li> their CoAP method numbers, minus 1.</li>
<li>Dynamic-X permissions are converted into what the number would have <!-- [rfced] Is "chosen as" correct here? Would "of" be better?
Original:
* Dynamic-X permissions are converted into what the number would
have been for X, plus a Dynamic-Offset chosen as 32 (e.g., 35 is
the number for Dynamic-DELETE as the number for DELETE is 3).
Similarly, what about "choosing 32 as Dynamic-Offset" here? Would "a
Dynamic-Offset of 32" or something similar be better?
Original:
Note that choosing 32 as Dynamic-Offset means that all future CoAP
methods that can be registered can be represented both as themselves
and in the Dynamic-X variant, but only the dynamic forms of methods 1
to 21 are typically usable in a JSON form [RFC7493].
-->
<li>Dynamic-X permissions are converted into what the number would have
been for X, plus a Dynamic-Offset chosen as 32 (e.g., 35 is the been for X, plus a Dynamic-Offset chosen as 32 (e.g., 35 is the
number for Dynamic-DELETE as the number for DELETE is 3).</li> number for Dynamic-DELETE as the number for DELETE is 3).</li>
<li>The set of numbers is converted into a single number <tt>REST-method -set</tt> by taking two to the <li>The set of numbers is converted into a single number <tt>REST-method -set</tt> by taking two to the
power of each (decremented) method number and computing the inclusive OR of the power of each (decremented) method number and computing the inclusive OR of the
binary representations of all the power values.</li> binary representations of all the power values.</li>
</ul> </ul>
<t>This data model could be interchanged in the JSON <t>This data model could be interchanged in the JSON
<xref target="RFC8259"/> representation given in <xref target="dm-json"/>.</t> <xref target="RFC8259"/> representation given in <xref target="dm-json"/>.</t>
<figure anchor="dm-json"> <figure anchor="dm-json">
<name>An authorization instance encoded in JSON (40 bytes)</name> <name>An Authorization Instance Encoded in JSON (40 Bytes)</name>
<sourcecode type="json"><![CDATA[ <sourcecode type="json"><![CDATA[
[["/s/temp",1],["/a/led",5],["/dtls",2]] [["/s/temp",1],["/a/led",5],["/dtls",2]]
]]></sourcecode> ]]></sourcecode>
</figure> </figure>
<t>In <xref target="aif-cddl"/>, a straightforward specification of the da ta model <t>In <xref target="aif-cddl"/>, a straightforward specification of the da ta model
(including both the methods from <xref target="RFC7252"/> and the new ones from (including both the methods from <xref target="RFC7252"/> and the new ones from
<xref target="RFC8132"/>, identified by the method code minus 1) is shown in CDD L <xref target="RFC8132"/>, identified by the method code minus 1) is shown in CDD L
<xref target="RFC8610"/> <xref target="RFC9165"/>:</t> <xref target="RFC8610"/> <xref target="RFC9165"/>:</t>
<figure anchor="aif-cddl"> <figure anchor="aif-cddl">
<name>AIF in CDDL</name> <name>AIF in CDDL</name>
skipping to change at line 303 skipping to change at line 390
Dynamic-POST: 33; 1 .plus Dynamic-Offset Dynamic-POST: 33; 1 .plus Dynamic-Offset
Dynamic-PUT: 34; 2 .plus Dynamic-Offset Dynamic-PUT: 34; 2 .plus Dynamic-Offset
Dynamic-DELETE: 35; 3 .plus Dynamic-Offset Dynamic-DELETE: 35; 3 .plus Dynamic-Offset
Dynamic-FETCH: 36; 4 .plus Dynamic-Offset Dynamic-FETCH: 36; 4 .plus Dynamic-Offset
Dynamic-PATCH: 37; 5 .plus Dynamic-Offset Dynamic-PATCH: 37; 5 .plus Dynamic-Offset
Dynamic-iPATCH: 38; 6 .plus Dynamic-Offset Dynamic-iPATCH: 38; 6 .plus Dynamic-Offset
) )
]]></sourcecode> ]]></sourcecode>
</figure> </figure>
<t>For the information shown in <xref target="im-example"/> and <xref targ et="dm-json"/>, a <t>For the information shown in <xref target="im-example"/> and <xref targ et="dm-json"/>, a
representation in CBOR <xref target="RFC8949"/> is given in <xref target="dm-cbo representation in Concise Binary Object Representation (CBOR) <xref target="RFC8
r"/>; again, 949"/> is given in <xref target="dm-cbor"/>; again,
several optimizations/improvements are possible.</t> several optimizations and improvements are possible.</t>
<figure anchor="dm-cbor"> <figure anchor="dm-cbor">
<name>An authorization instance encoded in CBOR (28 bytes)</name> <name>An Authorization Instance Encoded in CBOR (28 Bytes)</name>
<artwork type="hex-dump"><![CDATA[ <artwork><![CDATA[
83 # array(3) 83 # array(3)
82 # array(2) 82 # array(2)
67 # text(7) 67 # text(7)
2f732f74656d70 # "/s/temp" 2f732f74656d70 # "/s/temp"
01 # unsigned(1) 01 # unsigned(1)
82 # array(2) 82 # array(2)
66 # text(6) 66 # text(6)
2f612f6c6564 # "/a/led" 2f612f6c6564 # "/a/led"
05 # unsigned(5) 05 # unsigned(5)
82 # array(2) 82 # array(2)
65 # text(5) 65 # text(5)
2f64746c73 # "/dtls" 2f64746c73 # "/dtls"
02 # unsigned(2) 02 # unsigned(2)
]]></artwork> ]]></artwork>
</figure> </figure>
<t>Note that choosing 32 as Dynamic-Offset means that all future CoAP <t>Note that choosing 32 as Dynamic-Offset means that all future CoAP
methods that can be registered can be represented both as themselves methods that are registered can be represented both as themselves
and in the Dynamic-X variant, but only the dynamic forms of methods 1 and in the Dynamic-X variant, but only the dynamic forms of methods 1
to 21 are typically usable in a JSON form <xref target="RFC7493"/>.</t> to 21 are typically usable in a JSON form <xref target="RFC7493"/>.</t>
</section> </section>
<section anchor="media-types"> <section anchor="media-types">
<name>Media Types</name> <name>Media Types</name>
<t>This specification defines media types for the generic information <t>This specification defines media types for the generic information
model, expressed in JSON (<tt>application/aif+json</tt>) or in CBOR (<tt>applica tion/aif+cbor</tt>). These media types have model, expressed in JSON (<tt>application/aif+json</tt>) or in CBOR (<tt>applica tion/aif+cbor</tt>). These media types have
parameters for specifying <tt>Toid</tt> and <tt>Tperm</tt>; default values are t he parameters for specifying <tt>Toid</tt> and <tt>Tperm</tt>; default values are t he
values "URI-local-part" for <tt>Toid</tt> and "REST-method-set" for <tt>Tperm</t t>, as values "URI-local-part" for <tt>Toid</tt> and "REST-method-set" for <tt>Tperm</t t>, as
per <xref target="data-model"/> of the present specification.</t> per <xref target="data-model"/> of the present specification.</t>
<t>A specification that wants to use Generic AIF with different <tt>Toid</ tt> <t>A specification that wants to use generic AIF with different <tt>Toid</ tt>
and/or <tt>Tperm</tt> is expected to request these as media type parameters and/or <tt>Tperm</tt> is expected to request these as media type parameters
(<xref target="registries"/>) and register a corresponding Content-Format (<xref target="content-format"/>).</t> (<xref target="registries"/>) and register a corresponding Content-Format (<xref target="content-format"/>).</t>
</section> </section>
<section anchor="iana-considerations"> <section anchor="iana-considerations">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t><cref anchor="replace-xxxx">RFC Ed.: throughout this section, please re
place RFC <!-- [rfced] FYI: In the media type registration entries in Section 5.1, we
XXXX with the RFC number of this specification and remove this note.</cref></t updated "none" to "N/A" per Section 5.6 of RFC 6838, which states:
>
"N/A", written exactly that way, can be used in any field if desired
to emphasize the fact that it does not apply or that the question was
not omitted by accident. Do not use 'none' or other words that could
be mistaken for a response.
-->
<!-- [rfced] We note that spacing="compact" was used for the media type
registration entries in Section 5.1. However, spacing="normal" is more
typical for these (see examples in RFCS 8866 and 8801). When we updated
to spacing="normal", the two entries ran together; thus, we put each
entry in a new subsection (i.e., Section 5.1.1 for application/aif+cbor
and Section 5.1.2 for application/aif+json). Please review and let us
know any objections.
-->
<section anchor="media-types-1"> <section anchor="media-types-1">
<name>Media Types</name> <name>Media Types</name>
<t>IANA is requested to add the following Media-Types to the "Media Type s" registry.</t> <t>IANA has added the following media types to the "Media Types" registr y. The registration entries are in the following subsections.</t>
<table align="left"> <table align="left">
<name>New Media Types</name> <name>New Media Types</name>
<thead> <thead>
<tr> <tr>
<th align="left">Name</th> <th align="left">Name</th>
<th align="left">Template</th> <th align="left">Template</th>
<th align="left">Reference</th> <th align="left">Reference</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">aif+cbor</td> <td align="left">aif+cbor</td>
<td align="left">application/aif+cbor</td> <td align="left">application/aif+cbor</td>
<td align="left">RFC XXXX, <xref target="media-types"/></td> <td align="left">RFC 9237, <xref target="media-types"/></td>
</tr> </tr>
<tr> <tr>
<td align="left">aif+json</td> <td align="left">aif+json</td>
<td align="left">application/aif+json</td> <td align="left">application/aif+json</td>
<td align="left">RFC XXXX, <xref target="media-types"/></td> <td align="left">RFC 9237, <xref target="media-types"/></td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>For <tt>application/aif+cbor</tt>:</t> <section anchor="media-type-template1">
<dl spacing="compact"> <name>application/aif+cbor</name>
<dl spacing="normal">
<dt>Type name:</dt> <dt>Type name:</dt>
<dd> <dd>
<t>application</t> <t>application</t>
</dd> </dd>
<dt>Subtype name:</dt> <dt>Subtype name:</dt>
<dd> <dd>
<t>aif+cbor</t> <t>aif+cbor</t>
</dd> </dd>
<dt>Required parameters:</dt> <dt>Required parameters:</dt>
<dd> <dd>
<t>N/A</t> <t>N/A</t>
</dd> </dd>
<dt>Optional parameters:</dt> <dt>Optional parameters:</dt>
<dd> <dd>
<ul spacing="normal"> <t><br/></t>
<li> <dl newline="true" spacing="normal">
<tt>Toid</tt>: the identifier for the object for which permissio <dt>
ns are <tt>Toid</tt>:</dt><dd>the identifier for the object for which p
ermissions are
supplied. supplied.
A value from the media-type parameter sub-registry for <tt>Toid</tt>. A value from the "Sub-Parameter Registry for application/aif+cbor and applicatio
Default value: "URI-local-part" (RFC XXXX).</li> n/aif+json" subregistry for <tt>Toid</tt>.
<li> Default value: "URI-local-part" (RFC 9237).</dd>
<tt>Tperm</tt>: the data type of a permission set for the object <dt>
<tt>Tperm</tt>:</dt><dd>the data type of a permission set for th
e object
identified via a <tt>Toid</tt>. identified via a <tt>Toid</tt>.
A value from the media-type parameter sub-registry for <tt>Tperm</tt>. A value from the "Sub-Parameter Registry for application/aif+cbor and applicatio
Default value: "REST-method-set" (RFC XXXX).</li> n/aif+json" subregistry for <tt>Tperm</tt>.
</ul> Default value: "REST-method-set" (RFC 9237).</dd>
</dl>
</dd> </dd>
<dt>Encoding considerations:</dt> <dt>Encoding considerations:</dt>
<dd> <dd>
<t>binary (CBOR)</t> <t>binary (CBOR)</t>
</dd> </dd>
<dt>Security considerations:</dt> <dt>Security considerations:</dt>
<dd> <dd>
<t><xref target="seccons"/> of RFC XXXX</t> <t><xref target="seccons"/> of RFC 9237</t>
</dd> </dd>
<dt>Interoperability considerations:</dt> <dt>Interoperability considerations:</dt>
<dd> <dd>
<t>none</t> <t>N/A</t>
</dd> </dd>
<dt>Published specification:</dt> <dt>Published specification:</dt>
<dd> <dd>
<t><xref target="media-types"/> of RFC XXXX</t> <t><xref target="media-types"/> of RFC 9237</t>
</dd> </dd>
<dt>Applications that use this media type:</dt> <dt>Applications that use this media type:</dt>
<dd> <dd>
<t>Applications that need to convey structured authorization data fo r <t>Applications that need to convey structured authorization data fo r
identified resources, conveying sets of permissions.</t> identified resources, conveying sets of permissions.</t>
</dd> </dd>
<dt>Fragment identifier considerations:</dt> <dt>Fragment identifier considerations:</dt>
<dd> <dd>
<t>The syntax and semantics of fragment identifiers is as specified for <t>The syntax and semantics of fragment identifiers is as specified for
"application/cbor". (At publication of RFC XXXX, there is no "application/cbor". (At publication of RFC 9237, there is no
fragment identification syntax defined for "application/cbor".)</t> fragment identification syntax defined for "application/cbor".)</t>
</dd> </dd>
<dt>Person &amp; email address to contact for further information:</dt > <dt>Person &amp; email address to contact for further information:</dt >
<dd> <dd>
<t>ACE WG mailing list (ace@ietf.org), <t>ACE WG mailing list (ace@ietf.org)
or IETF Applications and Real-Time Area (art@ietf.org)</t> or IETF Applications and Real-Time Area (art@ietf.org)</t>
</dd> </dd>
<dt>Intended usage:</dt> <dt>Intended usage:</dt>
<dd> <dd>
<t>COMMON</t> <t>COMMON</t>
</dd> </dd>
<dt>Restrictions on usage:</dt> <dt>Restrictions on usage:</dt>
<dd> <dd>
<t>none</t> <t>N/A</t>
</dd> </dd>
<dt>Author/Change controller:</dt> <dt>Author/Change controller:</dt>
<dd> <dd>
<t>IETF</t> <t>IETF</t>
</dd> </dd>
<dt>Provisional registration:</dt> <dt>Provisional registration:</dt>
<dd> <dd>
<t>no</t> <t>no</t>
</dd> </dd>
</dl> </dl>
<t>For <tt>application/aif+json</tt>:</t> </section>
<dl spacing="compact"> <section anchor="media-type-template2">
<name>application/aif+json</name>
<dl spacing="normal">
<dt>Type name:</dt> <dt>Type name:</dt>
<dd> <dd>
<t>application</t> <t>application</t>
</dd> </dd>
<dt>Subtype name:</dt> <dt>Subtype name:</dt>
<dd> <dd>
<t>aif+json</t> <t>aif+json</t>
</dd> </dd>
<dt>Required parameters:</dt> <dt>Required parameters:</dt>
<dd> <dd>
<t>N/A</t> <t>N/A</t>
</dd> </dd>
<dt>Optional parameters:</dt> <dt>Optional parameters:</dt>
<dd> <dd>
<ul spacing="normal"> <t><br/></t>
<li> <dl newline="true" spacing="normal">
<tt>Toid</tt>: the identifier for the object for which permissio <dt>
ns are <tt>Toid</tt>:</dt><dd>the identifier for the object for which p
ermissions are
supplied. supplied.
A value from the media-type parameter sub-registry for <tt>Toid</tt>. A value from the media-type parameter subregistry for <tt>Toid</tt>.
Default value: "URI-local-part" (RFC XXXX).</li> Default value: "URI-local-part" (RFC 9237).</dd>
<li> <dt>
<tt>Tperm</tt>: the data type of a permission set for the object <tt>Tperm</tt>:</dt><dd>the data type of a permission set for th
e object
identified via a <tt>Toid</tt>. identified via a <tt>Toid</tt>.
A value from the media-type parameter sub-registry for <tt>Tperm</tt>. A value from the media-type parameter subregistry for <tt>Tperm</tt>.
Default value: "REST-method-set" (RFC XXXX).</li> Default value: "REST-method-set" (RFC 9237).</dd>
</ul> </dl>
</dd> </dd>
<dt>Encoding considerations:</dt> <dt>Encoding considerations:</dt>
<dd> <dd>
<t>binary (JSON is UTF-8-encoded text)</t> <t>binary (JSON is UTF-8-encoded text)</t>
</dd> </dd>
<dt>Security considerations:</dt> <dt>Security considerations:</dt>
<dd> <dd>
<t><xref target="seccons"/> of RFC XXXX</t> <t><xref target="seccons"/> of RFC 9237</t>
</dd> </dd>
<dt>Interoperability considerations:</dt> <dt>Interoperability considerations:</dt>
<dd> <dd>
<t>none</t> <t>N/A</t>
</dd> </dd>
<dt>Published specification:</dt> <dt>Published specification:</dt>
<dd> <dd>
<t><xref target="media-types"/> of RFC XXXX</t> <t><xref target="media-types"/> of RFC 9237</t>
</dd> </dd>
<dt>Applications that use this media type:</dt> <dt>Applications that use this media type:</dt>
<dd> <dd>
<t>Applications that need to convey structured authorization data fo r <t>Applications that need to convey structured authorization data fo r
identified resources, conveying sets of permissions.</t> identified resources, conveying sets of permissions.</t>
</dd> </dd>
<dt>Fragment identifier considerations:</dt> <dt>Fragment identifier considerations:</dt>
<dd> <dd>
<t>The syntax and semantics of fragment identifiers is as specified for <t>The syntax and semantics of fragment identifiers is as specified for
"application/json". (At publication of RFC XXXX, there is no "application/json". (At publication of RFC 9237, there is no
fragment identification syntax defined for "application/json".)</t> fragment identification syntax defined for "application/json".)</t>
</dd> </dd>
<dt>Person &amp; email address to contact for further information:</dt > <dt>Person &amp; email address to contact for further information:</dt >
<dd> <dd>
<t>ACE WG mailing list (ace@ietf.org), <t>ACE WG mailing list (ace@ietf.org)
or IETF Applications and Real-Time Area (art@ietf.org)</t> or IETF Applications and Real-Time Area (art@ietf.org)</t>
</dd> </dd>
<dt>Intended usage:</dt> <dt>Intended usage:</dt>
<dd> <dd>
<t>COMMON</t> <t>COMMON</t>
</dd> </dd>
<dt>Restrictions on usage:</dt> <dt>Restrictions on usage:</dt>
<dd> <dd>
<t>none</t> <t>N/A</t>
</dd> </dd>
<dt>Author/Change controller:</dt> <dt>Author/Change controller:</dt>
<dd> <dd>
<t>IETF</t> <t>IETF</t>
</dd> </dd>
<dt>Provisional registration:</dt> <dt>Provisional registration:</dt>
<dd> <dd>
<t>no</t> <t>no</t>
</dd> </dd>
</dl> </dl>
</section> </section>
</section>
<section anchor="registries"> <section anchor="registries">
<name>Registries</name> <name>Registries</name>
<t>For the media types application/aif+cbor and application/aif+json, <t>For the media types application/aif+cbor and application/aif+json,
IANA is requested to create a sub-registry within IANA has created a subregistry within
<xref target="IANA.media-type-sub-parameters"/> for the two media-type parameter <xref target="IANA.media-type-sub-parameters"/> for the media-type parameters
s <tt>Toid</tt> and <tt>Tperm</tt>, populated with the following:</t>
<tt>Toid</tt> and <tt>Tperm</tt>, populated with:</t>
<table align="left"> <table align="left">
<name>New Media Type Parameters</name> <name>New Media Type Parameters</name>
<thead> <thead>
<tr> <tr>
<th align="left">Parameter</th> <th align="left">Parameter</th>
<th align="left">name</th> <th align="left">name</th>
<th align="left">Description/Specification</th> <th align="left">Description/Specification</th>
<th align="left">Reference</th> <th align="left">Reference</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">Toid</td> <td align="left">Toid</td>
<td align="left">URI-local-part</td> <td align="left">URI-local-part</td>
<td align="left">local-part of URI</td> <td align="left">local-part of URI</td>
<td align="left">RFC XXXX</td> <td align="left">RFC 9237</td>
</tr> </tr>
<tr> <tr>
<td align="left">Tperm</td> <td align="left">Tperm</td>
<td align="left">REST-method-set</td> <td align="left">REST-method-set</td>
<td align="left">set of REST methods represented</td> <td align="left">set of REST methods represented</td>
<td align="left">RFC XXXX</td> <td align="left">RFC 9237</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>The registration policy is Specification required <xref target="RFC81 <t>The registration policy is Specification Required <xref target="RFC81
26"/>. 26"/>.
The designated expert will engage with the submitter to ascertain the The designated expert will engage with the submitter to ascertain whether the
requirements of this document are addressed:</t> requirements of this document are addressed:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>The specifications for <tt>Toid</tt> and <tt>Tperm</tt> need to re alize the <li>The specifications for <tt>Toid</tt> and <tt>Tperm</tt> need to re alize the
general ideas of unambiguous object identifiers and permission lists general ideas of unambiguous object identifiers and permission lists
in the context where the AIF data item is intended to be used, and in the context where the AIF data item is intended to be used, and
their structure needs to be usable with the intended media types their structure needs to be usable with the intended media types
(application/aif+cbor and application/aif+json) as identified in the (application/aif+cbor and application/aif+json) as identified in the
specification.</li> specification.</li>
<li>The parameter names need to conform to <xref section="4.3" section <!-- [rfced] Please review "popular programming language APIs". Would updating
Format="of" target="RFC6838"/>, but preferably are in <xref target="KebabCase"/> to "APIs for popular programming language" make this phrase easier to read?
so they can
easily be translated into names used in popular programming Original:
* The parameter names need to conform to Section 4.3 of [RFC6838],
but preferably are in [KebabCase] so they can easily be translated
into names used in popular programming language APIs.
Perhaps:
* The parameter names need to conform to Section 4.3 of [RFC6838],
but preferably they are in [KebabCase] so they can easily be
translated into names used in APIs for popular programming
languages.
-->
<li>The parameter names need to conform to <xref section="4.3" sectionFormat="of
" target="RFC6838"/>, but preferably are in <xref target="KebabCase"/> so they c
an be
easily translated into names used in popular programming
language APIs.</li> language APIs.</li>
</ul> </ul>
<t>The designated experts will develop further criteria and guidelines a s <t>The designated experts will develop further criteria and guidelines a s
needed.</t> needed.</t>
</section> </section>
<section anchor="content-format"> <section anchor="content-format">
<name>Content-Format</name> <name>Content-Format</name>
<t>IANA is requested to register Content-Format numbers in the "CoAP <t>IANA has registered Content-Format numbers in the "CoAP
Content-Formats" sub-registry, within the "Constrained RESTful Content-Formats" subregistry, within the "Constrained RESTful
Environments (CoRE) Parameters" Registry <xref target="IANA.core-parameters"/>, Environments (CoRE) Parameters" registry <xref target="IANA.core-parameters"/>,
as as
follows:</t> follows:</t>
<table align="left"> <table align="left">
<name>New Content-Formats</name> <name>New Content-Formats</name>
<thead> <thead>
<tr> <tr>
<th align="left">Content-Type</th> <th align="left">Content-Type</th>
<th align="left">Content Coding</th> <th align="left">Content Coding</th>
<th align="left">ID</th> <th align="left">ID</th>
<th align="left">Reference</th> <th align="left">Reference</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">application/aif+cbor</td> <td align="left">application/aif+cbor</td>
<td align="left">-</td> <td align="left">-</td>
<td align="left">TBD1</td> <td align="left">290</td>
<td align="left">RFC XXXX</td> <td align="left">RFC 9237</td>
</tr> </tr>
<tr> <tr>
<td align="left">application/aif+json</td> <td align="left">application/aif+json</td>
<td align="left">-</td> <td align="left">-</td>
<td align="left">TBD2</td> <td align="left">291</td>
<td align="left">RFC XXXX</td> <td align="left">RFC 9237</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>// RFC Ed.: please replace TBD1 and TBD2 with assigned IDs and remove
this note.</t> <!--[rfced] In Section 5.3, we notice that the headers for Table 5 are
different than the headers in the "CoAP Content-Formats”
subregistry, and this variance is pointed out in the text below.
Should the headers in Table 5 perhaps match the current headers
in the registry? Please clarify why different header names were
used.
Original:
In the registry as defined by Section 12.3 of [RFC7252] at the time
of writing, the column "Content-Type" is called "Media type" and the
column "Content Coding" is called "Encoding”.
-->
<t>In the registry as defined by <xref section="12.3" sectionFormat="of" target="RFC7252"/> at the time of <t>In the registry as defined by <xref section="12.3" sectionFormat="of" target="RFC7252"/> at the time of
writing, the column "Content-Type" is called "Media type" and the writing, the column "Content-Type" is called "Media type" and the
column "Content Coding" is called "Encoding".</t> column "Content Coding" is called "Encoding".</t>
<t>Note that applications that register <tt>Toid</tt> and <tt>Tperm</tt> values are <t>Note that applications that register <tt>Toid</tt> and <tt>Tperm</tt> values are
encouraged to also register Content-Formats for the relevant encouraged to also register Content-Formats for the relevant
combinations.</t> combinations.</t>
</section> </section>
</section> </section>
<section anchor="seccons"> <section anchor="seccons">
<name>Security Considerations</name> <name>Security Considerations</name>
<!-- [rfced] May we update this sentence as follows for clarity?
Original:
The security considerations of [RFC7252] apply when AIF is used with
CoAP, and, if complex formats such as URIs are used for Toid or
Tperm, specifically Section 11.1 of [RFC7252].
Perhaps:
The security considerations of [RFC7252] apply when AIF is used with
CoAP; Section 11.1 of [RFC7252] specifically applies if complex
formats such as URIs are used for Toid or Tperm.
-->
<t>The security considerations of <xref target="RFC7252"/> apply when AIF is used with <t>The security considerations of <xref target="RFC7252"/> apply when AIF is used with
CoAP, and, if complex formats such as URIs are used for <tt>Toid</tt> or CoAP, and, if complex formats such as URIs are used for <tt>Toid</tt> or
<tt>Tperm</tt>, specifically <xref section="11.1" sectionFormat="of" target="RFC 7252"/>. <tt>Tperm</tt>, specifically <xref section="11.1" sectionFormat="of" target="RFC 7252"/>.
Some wider issues are discussed in <xref target="RFC8576"/>.</t> Some wider issues are discussed in <xref target="RFC8576"/>.</t>
<t>When applying these formats, the referencing specification needs to be <t>When applying these formats, the referencing specification needs to be
careful to:</t> careful to ensure that:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>ensure that the cryptographic armor employed around this format <li>the cryptographic armor employed around this format
fulfills the referencing specification's security objectives, and that the armor fulfills the referencing specification's security objectives and that the armor
or some or some
additional information included in it with the AIF data item additional information included in it with the AIF data item
(1) unambiguously identifies the subject to which the authorizations (1) unambiguously identifies the subject to which the authorizations
shall apply and (2) provides any context information needed to derive the shall apply and (2) provides any context information needed to derive the
identity of the object to which authorization is being granted identity of the object to which authorization is being granted
from the object identifiers (such as, for from the object identifiers (such as, for
the data models defined in the present specification, the scheme and the data models defined in the present specification, the scheme and
authority information that is used to construct the full URI), and</li> authority information that is used to construct the full URI), and</li>
<li>ensure that the types used for <tt>Toid</tt> and <tt>Tperm</tt> prov ide the <li>the types used for <tt>Toid</tt> and <tt>Tperm</tt> provide the
appropriate granularity and precision so that application requirements on the appropriate granularity and precision so that application requirements on the
precision of the authorization information are fulfilled, and that precision of the authorization information are fulfilled and that
all parties have the same understanding of each Toid/Tperm pair in all parties have the same understanding of each Toid/Tperm pair in
terms of specified objects (resources) and operations on those.</li> terms of specified objects (resources) and operations on those.</li>
</ul> </ul>
<t>For the data formats, the security considerations of <xref target="RFC8 259"/> and <t>For the data formats, the security considerations of <xref target="RFC8 259"/> and
<xref target="RFC8949"/> apply.</t> <xref target="RFC8949"/> apply.</t>
<t>A plain implementation of AIF might implement just the basic REST <t>A plain implementation of AIF might implement just the basic REST
model as per <xref target="rest-model"/>. If it receives authorizations that model as per <xref target="rest-model"/>. If it receives authorizations that
include permissions that use the REST-specific Model With Dynamic include permissions that use the REST-Specific Model with Dynamic
Resource Creation <xref target="ext-rest-model"/>, it needs to either Resource Creation (<xref target="ext-rest-model"/>), it needs to either
reject the AIF data item entirely or act only on the reject the AIF data item entirely or act only on the
permissions that it does understand. permissions that it does understand.
In other words, the semantics underlying an allow-list as discussed In other words, the semantics underlying an allow-list as discussed
above need to hold here as well.</t> above need to hold here as well.</t>
<t>An implementation of the REST-specific Model With Dynamic Resource <t>An implementation of the REST-Specific Model with Dynamic Resource
Creation <xref target="ext-rest-model"/> needs to carefully keep track of the Creation (<xref target="ext-rest-model"/>) needs to carefully keep track of the
dynamically created objects and the subjects to which the Dynamic-X dynamically created objects and the subjects to which the Dynamic-X
permissions apply -- both on the server side to enforce the permissions permissions apply -- both on the server side to enforce the permissions
and on the client side to know which permissions are available.</t> and on the client side to know which permissions are available.</t>
</section> </section>
</middle> </middle>
<back> <back>
<references> <references>
<name>References</name> <name>References</name>
<references> <references>
<name>Normative References</name> <name>Normative References</name>
<reference anchor="RFC3986" target="https://www.rfc-editor.org/info/rfc3
986">
<front>
<title>Uniform Resource Identifier (URI): Generic Syntax</title>
<author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee
">
<organization/>
</author>
<author fullname="R. Fielding" initials="R." surname="Fielding">
<organization/>
</author>
<author fullname="L. Masinter" initials="L." surname="Masinter">
<organization/>
</author>
<date month="January" year="2005"/>
<abstract>
<t>A Uniform Resource Identifier (URI) is a compact sequence of ch
aracters that identifies an abstract or physical resource. This specification d
efines the generic URI syntax and a process for resolving URI references that mi
ght be in relative form, along with guidelines and security considerations for t
he use of URIs on the Internet. The URI syntax defines a grammar that is a supe
rset of all valid URIs, allowing an implementation to parse the common component
s of a URI reference without knowing the scheme-specific requirements of every p
ossible identifier. This specification does not define a generative grammar for
URIs; that task is performed by the individual specifications of each URI schem
e. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="STD" value="66"/>
<seriesInfo name="RFC" value="3986"/>
<seriesInfo name="DOI" value="10.17487/RFC3986"/>
</reference>
<reference anchor="RFC7252" target="https://www.rfc-editor.org/info/rfc7
252">
<front>
<title>The Constrained Application Protocol (CoAP)</title>
<author fullname="Z. Shelby" initials="Z." surname="Shelby">
<organization/>
</author>
<author fullname="K. Hartke" initials="K." surname="Hartke">
<organization/>
</author>
<author fullname="C. Bormann" initials="C." surname="Bormann">
<organization/>
</author>
<date month="June" year="2014"/>
<abstract>
<t>The Constrained Application Protocol (CoAP) is a specialized we
b transfer protocol for use with constrained nodes and constrained (e.g., low-po
wer, lossy) networks. The nodes often have 8-bit microcontrollers with small am
ounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wir
eless Personal Area Networks (6LoWPANs) often have high packet error rates and a
typical throughput of 10s of kbit/s. The protocol is designed for machine- to-
machine (M2M) applications such as smart energy and building automation.</t>
<t>CoAP provides a request/response interaction model between appl
ication endpoints, supports built-in discovery of services and resources, and in
cludes key concepts of the Web such as URIs and Internet media types. CoAP is d
esigned to easily interface with HTTP for integration with the Web while meeting
specialized requirements such as multicast support, very low overhead, and simp
licity for constrained environments.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7252"/>
<seriesInfo name="DOI" value="10.17487/RFC7252"/>
</reference>
<reference anchor="I-D.ietf-httpbis-semantics" target="https://www.ietf.
org/archive/id/draft-ietf-httpbis-semantics-19.txt">
<front>
<title>HTTP Semantics</title>
<author fullname="Roy T. Fielding">
<organization>Adobe</organization>
</author>
<author fullname="Mark Nottingham">
<organization>Fastly</organization>
</author>
<author fullname="Julian Reschke">
<organization>greenbytes GmbH</organization>
</author>
<date day="12" month="September" year="2021"/>
<abstract>
<t> The Hypertext Transfer Protocol (HTTP) is a stateless applic
ation-
level protocol for distributed, collaborative, hypertext information
systems. This document describes the overall architecture of HTTP,
establishes common terminology, and defines aspects of the protocol
that are shared by all versions. In this definition are core
protocol elements, extensibility mechanisms, and the "http" and
"https" Uniform Resource Identifier (URI) schemes.
This document updates RFC 3864 and obsoletes RFC 2818, RFC 7231, RFC <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
7232, RFC 7233, RFC 7235, RFC 7538, RFC 7615, RFC 7694, and portions C.3986.xml"/>
of RFC 7230. <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.7252.xml"/>
<!-- [I-D.ietf-httpbis-semantics] in AUTH48 state as RFC 9110 as of 4/22/2022 --
>
<reference anchor='RFC9110' target="https://www.rfc-editor.org/info/rfc9110">
<front>
<title>HTTP Semantics</title>
<author initials='R' surname='Fielding' fullname='Roy Fielding' role='editor'>
<organization />
</author>
<author initials='M' surname='Nottingham' fullname='Mark Nottingham' role='edito
r'>
<organization />
</author>
<author initials='J' surname='Reschke' fullname='Julian Reschke' role='editor'>
<organization />
</author>
<date year='2022' month='April' />
</front>
<seriesInfo name="RFC" value="9110"/>
<seriesInfo name="DOI" value="10.17487/RFC9110"/>
</reference>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.8126.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.6838.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.8610.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.9165.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.2119.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
C.8174.xml"/>
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-semantics-
19"/>
</reference>
<reference anchor="RFC8126" target="https://www.rfc-editor.org/info/rfc8
126">
<front>
<title>Guidelines for Writing an IANA Considerations Section in RFCs
</title>
<author fullname="M. Cotton" initials="M." surname="Cotton">
<organization/>
</author>
<author fullname="B. Leiba" initials="B." surname="Leiba">
<organization/>
</author>
<author fullname="T. Narten" initials="T." surname="Narten">
<organization/>
</author>
<date month="June" year="2017"/>
<abstract>
<t>Many protocols make use of points of extensibility that use con
stants to identify various protocol parameters. To ensure that the values in th
ese fields do not have conflicting uses and to promote interoperability, their a
llocations are often coordinated by a central record keeper. For IETF protocols
, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
<t>To make assignments in a given registry prudently, guidance des
cribing the conditions under which new values should be assigned, as well as whe
n and how modifications to existing values can be made, is needed. This documen
t defines a framework for the documentation of these guidelines by specification
authors, in order to assure that the provided guidance for the IANA Considerati
ons is clear and addresses the various issues that are likely in the operation o
f a registry.</t>
<t>This is the third edition of this document; it obsoletes RFC 52
26.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="26"/>
<seriesInfo name="RFC" value="8126"/>
<seriesInfo name="DOI" value="10.17487/RFC8126"/>
</reference>
<reference anchor="RFC6838" target="https://www.rfc-editor.org/info/rfc6
838">
<front>
<title>Media Type Specifications and Registration Procedures</title>
<author fullname="N. Freed" initials="N." surname="Freed">
<organization/>
</author>
<author fullname="J. Klensin" initials="J." surname="Klensin">
<organization/>
</author>
<author fullname="T. Hansen" initials="T." surname="Hansen">
<organization/>
</author>
<date month="January" year="2013"/>
<abstract>
<t>This document defines procedures for the specification and regi
stration of media types for use in HTTP, MIME, and other Internet protocols. Th
is memo documents an Internet Best Current Practice.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="13"/>
<seriesInfo name="RFC" value="6838"/>
<seriesInfo name="DOI" value="10.17487/RFC6838"/>
</reference>
<reference anchor="RFC8610" target="https://www.rfc-editor.org/info/rfc8
610">
<front>
<title>Concise Data Definition Language (CDDL): A Notational Convent
ion to Express Concise Binary Object Representation (CBOR) and JSON Data Structu
res</title>
<author fullname="H. Birkholz" initials="H." surname="Birkholz">
<organization/>
</author>
<author fullname="C. Vigano" initials="C." surname="Vigano">
<organization/>
</author>
<author fullname="C. Bormann" initials="C." surname="Bormann">
<organization/>
</author>
<date month="June" year="2019"/>
<abstract>
<t>This document proposes a notational convention to express Conci
se Binary Object Representation (CBOR) data structures (RFC 7049). Its main goa
l is to provide an easy and unambiguous way to express structures for protocol m
essages and data formats that use CBOR or JSON.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8610"/>
<seriesInfo name="DOI" value="10.17487/RFC8610"/>
</reference>
<reference anchor="RFC9165" target="https://www.rfc-editor.org/info/rfc9
165">
<front>
<title>Additional Control Operators for the Concise Data Definition
Language (CDDL)</title>
<author fullname="C. Bormann" initials="C." surname="Bormann">
<organization/>
</author>
<date month="December" year="2021"/>
<abstract>
<t>The Concise Data Definition Language (CDDL), standardized in RF
C 8610, provides "control operators" as its main language extension point.</t>
<t>The present document defines a number of control operators that
were not yet ready at the time RFC 8610 was completed: , , and for the constru
ction of constants; / for including ABNF (RFC 5234 and RFC 7405) in CDDL specifi
cations; and for indicating the use of a non-basic feature in an instance.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9165"/>
<seriesInfo name="DOI" value="10.17487/RFC9165"/>
</reference>
<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2
119">
<front>
<title>Key words for use in RFCs to Indicate Requirement Levels</tit
le>
<author fullname="S. Bradner" initials="S." surname="Bradner">
<organization/>
</author>
<date month="March" year="1997"/>
<abstract>
<t>In many standards track documents several words are used to sig
nify the requirements in the specification. These words are often capitalized.
This document defines these words as they should be interpreted in IETF document
s. This document specifies an Internet Best Current Practices for the Internet
Community, and requests discussion and suggestions for improvements.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
<seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8
174">
<front>
<title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti
tle>
<author fullname="B. Leiba" initials="B." surname="Leiba">
<organization/>
</author>
<date month="May" year="2017"/>
<abstract>
<t>RFC 2119 specifies common key words that may be used in protoco
l specifications. This document aims to reduce the ambiguity by clarifying tha
t only UPPERCASE usage of the key words have the defined special meanings.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="8174"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
</references> </references>
<references> <references>
<name>Informative References</name> <name>Informative References</name>
<reference anchor="RFC4949" target="https://www.rfc-editor.org/info/rfc4
949">
<front>
<title>Internet Security Glossary, Version 2</title>
<author fullname="R. Shirey" initials="R." surname="Shirey">
<organization/>
</author>
<date month="August" year="2007"/>
<abstract>
<t>This Glossary provides definitions, abbreviations, and explanat
ions of terminology for information system security. The 334 pages of entries of
fer recommendations to improve the comprehensibility of written material that is
generated in the Internet Standards Process (RFC 2026). The recommendations fol
low the principles that such writing should (a) use the same term or definition
whenever the same concept is mentioned; (b) use terms in their plainest, diction
ary sense; (c) use terms that are already well-established in open publications;
and (d) avoid terms that either favor a particular vendor or favor a particular
technology or mechanism over other, competing techniques that already exist or
could be developed. This memo provides information for the Internet community.<
/t>
</abstract>
</front>
<seriesInfo name="FYI" value="36"/>
<seriesInfo name="RFC" value="4949"/>
<seriesInfo name="DOI" value="10.17487/RFC4949"/>
</reference>
<reference anchor="RFC8259" target="https://www.rfc-editor.org/info/rfc8
259">
<front>
<title>The JavaScript Object Notation (JSON) Data Interchange Format
</title>
<author fullname="T. Bray" initials="T." role="editor" surname="Bray
">
<organization/>
</author>
<date month="December" year="2017"/>
<abstract>
<t>JavaScript Object Notation (JSON) is a lightweight, text-based,
language-independent data interchange format. It was derived from the ECMAScri
pt Programming Language Standard. JSON defines a small set of formatting rules
for the portable representation of structured data.</t>
<t>This document removes inconsistencies with other specifications
of JSON, repairs specification errors, and offers experience-based interoperabi
lity guidance.</t>
</abstract>
</front>
<seriesInfo name="STD" value="90"/>
<seriesInfo name="RFC" value="8259"/>
<seriesInfo name="DOI" value="10.17487/RFC8259"/>
</reference>
<reference anchor="I-D.ietf-ace-oauth-authz" target="https://www.ietf.or
g/archive/id/draft-ietf-ace-oauth-authz-46.txt">
<front>
<title>Authentication and Authorization for Constrained Environments
(ACE) using the OAuth 2.0 Framework (ACE-OAuth)</title>
<author fullname="Ludwig Seitz">
<organization>Combitech</organization>
</author>
<author fullname="Goeran Selander">
<organization>Ericsson</organization>
</author>
<author fullname="Erik Wahlstroem">
</author>
<author fullname="Samuel Erdtman">
<organization>Spotify AB</organization>
</author>
<author fullname="Hannes Tschofenig">
<organization>Arm Ltd.</organization>
</author>
<date day="8" month="November" year="2021"/>
<abstract>
<t> This specification defines a framework for authentication an
d
authorization in Internet of Things (IoT) environments called ACE-
OAuth. The framework is based on a set of building blocks including
OAuth 2.0 and the Constrained Application Protocol (CoAP), thus
transforming a well-known and widely used authorization solution into
a form suitable for IoT devices. Existing specifications are used
where possible, but extensions are added and profiles are defined to
better serve the IoT use cases.
</t> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
</abstract> C.4949.xml"/>
</front> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
<seriesInfo name="Internet-Draft" value="draft-ietf-ace-oauth-authz-46 C.8259.xml"/>
"/>
</reference> <!-- [I-D.ietf-ace-oauth-authz] in AUTH48-DONE state as RFC 9200 as of 4/22/2022
<reference anchor="RFC7493" target="https://www.rfc-editor.org/info/rfc7 -->
493">
<front> <reference anchor='RFC9200' target="https://www.rfc-editor.org/info/rfc9200">
<title>The I-JSON Message Format</title> <front>
<author fullname="T. Bray" initials="T." role="editor" surname="Bray <title>Authentication and Authorization for Constrained Environments Using the O
"> Auth 2.0 Framework (ACE-OAuth)</title>
<organization/> <author initials='L' surname='Seitz' fullname='Ludwig Seitz'>
</author> <organization />
<date month="March" year="2015"/> </author>
<abstract> <author initials='G' surname='Selander' fullname='Goeran Selander'>
<t>I-JSON (short for "Internet JSON") is a restricted profile of J <organization />
SON designed to maximize interoperability and increase confidence that software </author>
can process it successfully with predictable results.</t> <author initials='E' surname='Wahlstroem' fullname='Erik Wahlstroem'>
</abstract> <organization />
</front> </author>
<seriesInfo name="RFC" value="7493"/> <author initials='S' surname='Erdtman' fullname='Samuel Erdtman'>
<seriesInfo name="DOI" value="10.17487/RFC7493"/> <organization />
</reference> </author>
<reference anchor="RFC8949" target="https://www.rfc-editor.org/info/rfc8 <author initials='H' surname='Tschofenig' fullname='Hannes Tschofenig'>
949"> <organization />
<front> </author>
<title>Concise Binary Object Representation (CBOR)</title> <date year='2022' month='April' />
<author fullname="C. Bormann" initials="C." surname="Bormann"> </front>
<organization/> <seriesInfo name="RFC" value="9200"/>
</author> <seriesInfo name="DOI" value="10.17487/RFC9200"/>
<author fullname="P. Hoffman" initials="P." surname="Hoffman"> </reference>
<organization/>
</author> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
<date month="December" year="2020"/> C.7493.xml"/>
<abstract> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
<t>The Concise Binary Object Representation (CBOR) is a data forma C.8949.xml"/>
t whose design goals include the possibility of extremely small code size, fairl <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
y small message size, and extensibility without the need for version negotiation C.8132.xml"/>
. These design goals make it different from earlier binary serializations such a <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
s ASN.1 and MessagePack.</t> C.8576.xml"/>
<t>This document obsoletes RFC 7049, providing editorial improveme <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
nts, new details, and errata fixes while keeping full compatibility with the int C.6570.xml"/>
erchange format of RFC 7049. It does not create a new version of the format.</t <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RF
> C.7228.xml"/>
</abstract>
</front>
<seriesInfo name="STD" value="94"/>
<seriesInfo name="RFC" value="8949"/>
<seriesInfo name="DOI" value="10.17487/RFC8949"/>
</reference>
<reference anchor="RFC8132" target="https://www.rfc-editor.org/info/rfc8
132">
<front>
<title>PATCH and FETCH Methods for the Constrained Application Proto
col (CoAP)</title>
<author fullname="P. van der Stok" initials="P." surname="van der St
ok">
<organization/>
</author>
<author fullname="C. Bormann" initials="C." surname="Bormann">
<organization/>
</author>
<author fullname="A. Sehgal" initials="A." surname="Sehgal">
<organization/>
</author>
<date month="April" year="2017"/>
<abstract>
<t>The methods defined in RFC 7252 for the Constrained Application
Protocol (CoAP) only allow access to a complete resource, not to parts of a res
ource. In case of resources with larger or complex data, or in situations where
resource continuity is required, replacing or requesting the whole resource is
undesirable. Several applications using CoAP need to access parts of the resour
ces.</t>
<t>This specification defines the new CoAP methods, FETCH, PATCH,
and iPATCH, which are used to access and update parts of a resource.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8132"/>
<seriesInfo name="DOI" value="10.17487/RFC8132"/>
</reference>
<reference anchor="RFC8576" target="https://www.rfc-editor.org/info/rfc8
576">
<front>
<title>Internet of Things (IoT) Security: State of the Art and Chall
enges</title>
<author fullname="O. Garcia-Morchon" initials="O." surname="Garcia-M
orchon">
<organization/>
</author>
<author fullname="S. Kumar" initials="S." surname="Kumar">
<organization/>
</author>
<author fullname="M. Sethi" initials="M." surname="Sethi">
<organization/>
</author>
<date month="April" year="2019"/>
<abstract>
<t>The Internet of Things (IoT) concept refers to the usage of sta
ndard Internet protocols to allow for human-to-thing and thing-to-thing communic
ation. The security needs for IoT systems are well recognized, and many standar
dization steps to provide security have been taken -- for example, the specifica
tion of the Constrained Application Protocol (CoAP) secured with Datagram Transp
ort Layer Security (DTLS). However, security challenges still exist, not only b
ecause there are some use cases that lack a suitable solution, but also because
many IoT devices and systems have been designed and deployed with very limited s
ecurity capabilities. In this document, we first discuss the various stages in
the lifecycle of a thing. Next, we document the security threats to a thing and
the challenges that one might face to protect against these threats. Lastly, we
discuss the next steps needed to facilitate the deployment of secure IoT system
s. This document can be used by implementers and authors of IoT specifications
as a reference for details about security considerations while documenting their
specific security challenges, threat models, and mitigations.</t>
<t>This document is a product of the IRTF Thing-to-Thing Research
Group (T2TRG).</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8576"/>
<seriesInfo name="DOI" value="10.17487/RFC8576"/>
</reference>
<reference anchor="RFC6570" target="https://www.rfc-editor.org/info/rfc6
570">
<front>
<title>URI Template</title>
<author fullname="J. Gregorio" initials="J." surname="Gregorio">
<organization/>
</author>
<author fullname="R. Fielding" initials="R." surname="Fielding">
<organization/>
</author>
<author fullname="M. Hadley" initials="M." surname="Hadley">
<organization/>
</author>
<author fullname="M. Nottingham" initials="M." surname="Nottingham">
<organization/>
</author>
<author fullname="D. Orchard" initials="D." surname="Orchard">
<organization/>
</author>
<date month="March" year="2012"/>
<abstract>
<t>A URI Template is a compact sequence of characters for describi
ng a range of Uniform Resource Identifiers through variable expansion. This spec
ification defines the URI Template syntax and the process for expanding a URI Te
mplate into a URI reference, along with guidelines for the use of URI Templates
on the Internet. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6570"/>
<seriesInfo name="DOI" value="10.17487/RFC6570"/>
</reference>
<reference anchor="RFC7228" target="https://www.rfc-editor.org/info/rfc7
228">
<front>
<title>Terminology for Constrained-Node Networks</title>
<author fullname="C. Bormann" initials="C." surname="Bormann">
<organization/>
</author>
<author fullname="M. Ersue" initials="M." surname="Ersue">
<organization/>
</author>
<author fullname="A. Keranen" initials="A." surname="Keranen">
<organization/>
</author>
<date month="May" year="2014"/>
<abstract>
<t>The Internet Protocol Suite is increasingly used on small devic
es with severe constraints on power, memory, and processing resources, creating
constrained-node networks. This document provides a number of basic terms that
have been useful in the standardization work for constrained-node networks.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7228"/>
<seriesInfo name="DOI" value="10.17487/RFC7228"/>
</reference>
<reference anchor="IANA.core-parameters" target="https://www.iana.org/as signments/core-parameters"> <reference anchor="IANA.core-parameters" target="https://www.iana.org/as signments/core-parameters">
<front> <front>
<title>Constrained RESTful Environments (CoRE) Parameters</title> <title>Constrained RESTful Environments (CoRE) Parameters</title>
<author> <author>
<organization>IANA</organization> <organization>IANA</organization>
</author> </author>
<date/> <date/>
</front> </front>
</reference> </reference>
<reference anchor="IANA.media-type-sub-parameters" target="https://www.i ana.org/assignments/media-type-sub-parameters"> <reference anchor="IANA.media-type-sub-parameters" target="https://www.i ana.org/assignments/media-type-sub-parameters">
<front> <front>
<title>MIME Media Type Sub-Parameter Registries</title> <title>MIME Media Type Sub-Parameter Registries</title>
<author> <author>
<organization>IANA</organization> <organization>IANA</organization>
</author> </author>
<date/> <date/>
</front> </front>
</reference> </reference>
<reference anchor="KebabCase" target="http://wiki.c2.com/?KebabCase"> <reference anchor="KebabCase" target="http://wiki.c2.com/?KebabCase">
<front> <front>
<title>KebabCase</title> <title>Kebab Case</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date year="2014" month="August" day="29"/> <date year="2014" month="August" day="29"/>
</front> </front>
</reference> </reference>
<reference anchor="RFC8881" target="https://www.rfc-editor.org/info/rfc8
881"> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8881.
<front> xml"/>
<title>Network File System (NFS) Version 4 Minor Version 1 Protocol<
/title>
<author fullname="D. Noveck" initials="D." role="editor" surname="No
veck">
<organization/>
</author>
<author fullname="C. Lever" initials="C." surname="Lever">
<organization/>
</author>
<date month="August" year="2020"/>
<abstract>
<t>This document describes the Network File System (NFS) version 4
minor version 1, including features retained from the base protocol (NFS versio
n 4 minor version 0, which is specified in RFC 7530) and protocol extensions mad
e subsequently. The later minor version has no dependencies on NFS version 4 mi
nor version 0, and is considered a separate protocol. </t>
<t>This document obsoletes RFC 5661. It substantially revises the
treatment of features relating to multi-server namespace, superseding the descr
iption of those features appearing in RFC 5661.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8881"/>
<seriesInfo name="DOI" value="10.17487/RFC8881"/>
</reference>
</references> </references>
</references> </references>
<section numbered="false" anchor="acknowledgements"> <section numbered="false" anchor="acknowledgements">
<name>Acknowledgements</name> <name>Acknowledgements</name>
<t><contact fullname="Jim Schaad"/>, <t><contact fullname="Jim Schaad"/>,
<contact fullname="Francesca Palombini"/>, <contact fullname="Francesca Palombini"/>,
<contact fullname="Olaf Bergmann"/>, <contact fullname="Olaf Bergmann"/>,
<contact fullname="Marco Tiloca"/>, <contact fullname="Marco Tiloca"/>,
and and
<contact fullname="Christian Amsüss"/> <contact fullname="Christian Amsüss"/>
provided comments that shaped the provided comments that shaped the
direction of this document. direction of this document.
<contact fullname="Alexey Melnikov"/> pointed out that there were gaps in the me dia <contact fullname="Alexey Melnikov"/> pointed out that there were gaps in the me dia
type specifications, and <contact fullname="Loganaden Velvindron"/> provided a s hepherd type specifications, and <contact fullname="Loganaden Velvindron"/> provided a s hepherd
review with further comments. review with further comments.
Many thanks also to the IESG reviewers, which provided several small Many thanks also to the IESG reviewers, who provided several small
but significant observations. but significant observations.
<contact fullname="Benjamin Kaduk"/> provided an extensive review as responsible <contact fullname="Benjamin Kaduk"/> provided an extensive review as Responsible
Area Area
Director, and indeed is responsible for much improvement in the document.</t> Director and indeed is responsible for much improvement in the document.</t>
</section> </section>
</back> </back>
<!-- ##markdown-source: <!-- [rfced] Terminology
H4sIANOHMGIAA+1ca3IbSXL+X6eoxUSsQS0AiiD1gnZmlyKpGe3qtSLl2fXE
2GqgC0CPGt1wP0hhKG74ED6Af/gY/uW9iU/i/DKrqqsboDRjOxzh8DJiRkCj
HllZmV8+KquHw6Gqkio1E32c6eO6WuZF8mNUJXmmn2XzvFjJ56f8SfePnz3d
0/RYH5+cqWg6LczlBJ81/aDifJZFKxoqLqJ5NUxMNR9GMzOMkvkwjSpTVuoL
HdOHiR7fHY+Hd8fDgyOlyirK4n+I0jyjH6qiNkol64I/ltX47t1Hd8cqKkw0
IYoqU2SmUlcLmfXbvHifZAv9dZHXa/X+qmkyPAUNahZVE11WsZrlWWmysi7t
FGU9XSVlSWurNmua99nZxVOl1slEaV3ls4nemFI+xmZdLSf6iL6VeVEVZl66
X8vNqvmqLk1WG/RfgJoJc9NkVTITFtIiOwwGH0+IrqqIkszE+iy7TIo8W1Gn
UveJc3s02CpK0ommL78FP0d5scAMSbWspxM9i6b5vmWxUhGPDgrwN7T/ap1k
ROLJSD/BJmaZfy6bdRIVZWWyrV9ppol+myWXpiiT6i//WuknhSHa9MXfPfON
iHZjiMWv87KaR7OlPjy8e3R01/8+S6rNxHZsHuYxzXs6HD88vPcoeFpnVUGt
vzYgZON/WC9ZMn519Gh4ND4Yjg8eDu8fPhof+AZGeARm/Lb6MWEeqUxk95J3
5M3Tk8NHD+9PdF0k8vXB+N6YuuTRmr4/G56OWFqXVbWeJuWwpCGxc8Q3PGq+
S+eHB2MaK4myCGIlz+4/PHw40SsTJ9EQIjUszMK2vn9wl6aK41S+Pzq4f0++
r9Oa5CZxeuZpPXp09GiiF2leugnH9+jBD2WehdRi43Ns+hD/+5GlRB6QnrWb
xVVaDiMrfdBQ/j4zWw3zcpYXZrgu8nkCVMD3aM1NhW9Hjw5p6UNLC2hjYmfT
vHDMOSTOrqNqtrQP7j0gbpVmFjDr3oO7vBnDyqzWjA1uW8bERVLhFRZ6/PJ4
JOREBckqPS4n7nnAadLlTovfm2k0PYlKI8pQRcUCUoq9nOzvXyXvk9FsTEOv
9n/jm0pLwcL2QwdZB0fDuw+H40dKDYdDHU2huLNKqRAoSQbrSl8tE9IFKH+V
mFITemnP/JhARa9NgT7UMKpUTt+4d6lpBOkLXlHvmrEgn+ucsKRoRkxoUD0r
6lkSpYRtqzWpSFahIe1cTI8JFKNM56S8UZoSUJGKr3RFs6Er7UVdmJEG+lya
DTVW68LMkrIhU1aTBCujfqZcG8yYbmjuBMiWUhO9TBbLdAP4yaktLVCmK/UV
wZROwXyd1aspbQ4odIsY6LKmlUYl0WVUzyE3mlwsiaayN1KKPhG9mHbugJRW
eJnEYKtemMwUyaxF54rQJWW0lWf4RxWGFlhiZmKMTHvbQgeg6MoQ10DZVa4v
o4JUvSoVERZ5WoCqFUBBBqDfmLvNnLomdjIH3pydX2iaPq+LGQk60U7d5gkx
arrRb988g7Isaa3f/X1CCJgfDL+ftOzCqblMZlgvc2rD4kSDx+A9PdC7WKcz
Y2KWXt5sgmG0zouYpIjkT0TOkJgVtPEVbSgYRjy6hBiRZaTxR9z9VWZ0QvJV
YLHapEDySpbrJIkHL2X9saXVkuYtNlsURx0TBzKmJHDT1OBjTGyNjZX+QCMK
8481eQ7Unuc0K1nUMq/TGP2hKNSxoAaNig38DFE5M0Q6k0PkQdLQv7371M5O
w0T72XWcg+3rNfGH2uA3Uvg6SnkMR1mBjYkaY0/TyxzE0VvIEG12vOJNXUXv
TTgsqwp2minKXDOSEJPFJm7EZQxxYTUh/6vm3YnNPEEPEXQrkwO/+J/m5sn2
0yfsrYxIDCfKebmieqT/JKU18YQJpa4zQp2pFU8ogbfkcTKf0y4RdeCn1eUS
TBJmlbfrFvEtzQthZFuXmMdgEO2YdedKETUWv9WARpqldcxan6+MYEfpnK94
Qy4QUIwBzTB2+bFHAvOrhAy1AchXjKygSH0Z/IV6S3hFYlJEWTnn/QXlgWBu
g+q8yFcA6nYLYlq0MIXqO4CkFuTuDl9h5zrbd24KAnl9fd24Azc3eyxzVsAI
0NhEkOhqj4PeA12JSYCgQqoaoaK1gKlZnuaLDVjh/iwor8wqxz6XbK5LWcpJ
fvwatMBpuLnx2+MB6tzhxddwbqJig8bs6NzcPJbeNLSTHoW+5gM5CFlU5dTY
fIjIXRAoTCqxgos8p8ZJteVOW9hkI2IIMaK1gU6RNY90Y1QERk9OT58z3bTZ
RLf9BP/s5mYUMuK2WUIlofFoAHAFnXn296S6V4S+pe69eHt+0RvIv/rlK/78
5uwPb5+9OTvF5/Nvjp8/9x+UbXH+zau3z0+bT03Pk1cvXpy9PJXO9FS3Hqne
i+M/0S/Yid6r1xfPXr08ft4TeA4hg5GGARkIU5CUQBmiUpGhJVs/lWU9OXn9
7/9ycETL+wU5a+ODg0fMrF+w2/fgiL5cEQrKbHlGWiVfgVyK1N5EBUaBRzKL
1kkVpSVbW0LzK3IjCB6IXXe+A2cI0349na0Pjr6yD7Dg1kPHs9ZD5tn2k63O
wsQdj3ZM47nZet7hdJve4z+1vju+Bw9FLCAjujfdVAZbxOF0wihEjkHvCT1z
ykBcS8gkZPmVnlFUTH5WsVEIaI1Fzk2WZ5sVS2cvn1WmgvMUQvsLuEUt4LLo
1YIT8VUttqdQOOAFKKiWFNUulgKjrEMe+UvF0I+es2KzrvJFEa2XFlfF14x1
nyhjZFwlVSUriuyP+irakLm5sA6FWN6kpIWWYvZ2+Hc1GcEihesq+B9t0jyC
jyC0MIF9Yk2+XuelmA60a9FHFK+IqogWRvKaVHsOKly0Z12OT+B3oPLQJ9XW
Jzb1c6D3HeJFfjVMk7K6M1HkZRWbCq6QwEYGFKLoN0ktqgHzEoqd4ZehI9v7
p+Ag1loXWFPZOGGhe8zaFrInmhE8lfCTCNdTYZ+6SkgHpy0SbTtaWJF8GFhH
bEFBKcuXOJeBmWV8Ngj5iZgygRdHRmaaZN4fpl719AfaT4YDRCP8baS+Ncye
OfGqdBsIP0OQGYFKzsJBv9GoBcm89SZbJDrryA2W2Oo50hhTQ/+D6AG+ADPR
NElhccD7vQF75BSiISFELlnmBMORCgWSpeNpQ1EChC9rbMQxx17IJ5GjlsG+
gnjGqGnjmEeQau90+vFFolTUVjqoObki02RR53VJux7ECH0zWowYJinGrbxI
QnTVlui6gEiUhNpaHnX4IJaTP2FXo4QjMyUb1ExOT/uYj4Js/e4iT+J3e7s8
rrARHlOrcMm8N7yBdoJ+uRcskCj/85//LPkRYuTwa1nCrzHfQPOAX+kv9Xd3
9HfBo++/Ry91PdFf0JqjZC6h+5e9U2hk4mTQDoYd6t0AEEMvk3dXONUPQlF4
26R2Zd5yEVTLXu6Jmm0xTPcdn1jDnEiqiKD+QwXIJKEeeCbuUKu+56HTUe+z
UUBHdiHSUzIF1BFKUZMEB7+LMZBYm9ZkDBlnrHLIqyS/sMvsc8eLL3XI+4oI
HeiaXIGvPJvBjIDPJ/lqxSaeBd57VwF7Lc8VXPahf8p2SF9/QSRXlqzQuWyc
zGei85+Kt80t4YAKGepDgbnFz11SbneN4MEoxO1oh8icV+TGF1hiJ7Vkr3uk
aTlFQyMM3gC4NTNCBimsNyIYThIwMvHGSgC77/2eRYRqA+dMkf9IfjIceSDl
lTOvrShTxzWkqc0Dh5H96+tzMaXqaDQejUHFsJ3LtP65b6jvSzObHaXJredG
kF6LOzCH60ZSIZhJEVO6IvXO4lRcllss7GPiKn4rzDx3uE+8ZO++h9xHj9aP
f4fR1KzWxAKBmR7ha0H82GJj/w79f5jmxHAk/qo7Xj87pjAqAw/GEvi2SIav
I4SxNAW+/AGzkKPAUKwQDNAO79He/mygZ+OtZin83KtlLkkRY9OPBORwHGaS
QFnnxMY9u6hu3q1U/SyvjLcexLQVzUGTrnLxKzIGKTtwY2SiVce0SLANLyof
aDEk4nglVS0NOEO1zFc5TAcZH2WzEnuhx7ELn6ArnOPCaIjKWs0EVkGZgpkp
nUWwiOd1t8/qRPN8c3Hxeo+CSiKeoiQeCn6idQtlOGxwvSLfl9OoHGYlq6EN
CjnW+qjbkqE/6teeKoo+6QG12S/3kXdGouCj/vrsQgd//Hu0D4mW31+/vRgE
jfh3pM+1+/3V+UWrP8CyIcvh5XE3yBc8mxnn3EC2thx2a7RYtu2AAx/YEyPn
QC8YlxXnrOBMIyogfr6zi3xn859RPGS4FnzAIM/PTiWdVXFzXjO3hmLH+1cE
RkZMVaTe8ZLfNTCDZrxyGY9Yf1x6i1XCB7PLCo1sxxgNLIqEKQnOsrJkeFGQ
dG/MAJgmJBbOnc9LqyLL6NI4ZJZuytrAiDZ+QQ76Y/ifZIGJNzbhh6mFLKta
mcFCkJLgdKAlSnVcXhokJ/BkcXUk0uKfgy67gO1UidWP7ShGdgQefqkJMiU9
3XWySwwswZSzWZw0FTtWOr0mwS+9jWvZXNUynSPJ6a6SxbLiEACQKyxlBsUB
a6r8KkLSgsZW/qRGi3Fqjm7IkPQxsZPogc0wZ7peE987iOSygtof2ejLKK1t
UidTXnKvf0Ot7ty8IyT6hkIgMpMD2W5kSJMC+U3Eoi4B7E5Q5pI1ioBMWez9
ari+JFornEtxWMSxTcb2JFpEoN3HOcFagZZZOzoZfW5X2Xfk1DGhuGyvM0M4
aiGCY3ZQo5RxzFrsaQSDQoNgv2l36wrLkvDXbvvM+T7WkS5dcNADt2VVcY6d
KF3cqJO5P/YBNQSN703cY3SnWI0dlma/PdFW6TT2yR76ODqxf55RjevlUwDe
YeMUpA0CnJB24yHl0q5wadM5bDQOIZIcHkJzCNBnEAbeDGArXh9fnHyzn/A/
kEY+bISzxNJPM1yRyVShV+bTu05BXHBCE3IyHkq8y1H9FubxVPLE+o1DvxOM
hq24/oJ0ZvgZX7YFBx3d/GnTRHHMTowclblDBbdJNgmh7AbhMMWO1NkesMVz
wrpDjhGyAQPV9mUD59dJ0SqiKd9nyNh1YufpRglJkMTnuUjr8I5zrcTzYJCm
QdfwqzQfk7kcgOuilmR/CBbIN0/ZzDPY0j5v+a/9sNswIb3CRxpuZWbkJCXl
Cn5MH1zneH8tx58EG+xSc1a8cCdQveOT5zQbCUPCMMZZ0pdPzy+PyB3/DVKc
Dx8e3NyQKH/gkZzL55VGnCEkWghO2MsrTCoSvEzWalqL6M+RiPeK0N0q8ibL
Rlr5eCDYg1w1yYkmvnYYMtqDsyCHS5xtHoC+RngIyZqjvLYzRh5GEavUmzEN
+ulf52c1v5Q/0dHa8Wd9Kxx1DWdwXoz1nwZO9ofkaDVfTs+en12cbblUQ8ez
/5Zr9Rmdg+f1lKFOrLz+owCl+AUzG+w6Sv8YWG3qEGXlNtQt89R5tqXzQswH
U/C5O2OwnQhGoKO57OEgtUWIi6DfhR7j0d0D3R/T/05EZPYa3eJcwSeVQyC6
Ofq0B6ROsFjTfaxn+QNvHm65Dc+dlysp/I5L7jYKSsPOYqvSQb1ry8I765PI
Cnn0NPcmL1SD4NzOGxAJ87UVq1UEK29ByzpY8OFpNYSVsUKRhpRq8A6RZMPg
zMXdtWJHbWeQonQQjDwkgmHE/UpIF85dwM8IYBWqcTY7OWKf4rZHpTG5QDOb
2xEpYMXDRtmhdglZObCBIdt1OWeGsxhltlLEZpB1SQEeAcbUVFfwyjEeeRoI
zVuenrh+bBbUFiTNrE48ZvHwTX1QFqUUApesGvWK9wKJiN3KkZRWhSri3Cl8
qu7JBD32Z8VB9GDdEJ8z9ewT7jrDbjOgatstE3+Pdv3SjJqoyu4GR7Mcv6BZ
N3LB4Nbdg/Xuxtis1ST5gR/gcisd9+CG08fucCMeeKGYRRYEtlOKLq3h3EUJ
+Hw2URHB4vqJtbm0OZIOPqPbtMzTujJcb+IURhJQCv/wKBRnbqUpRuy3BJvI
6cc2WeLtScreBl/v2NMRVCOzXb1zPsc8h0byoXxl1uVEqTsaM9CMRdIUj1Ri
maHC4pVsfJaja33geK5MseCaF05QeWIw6CYcJbGHSnUWJBLbiyNvUCjqZwSd
Vh+a7ISlr9NHDsBQUVXIARdZa42GSRGGpq4UakBwlxHqHGCunSq+Y0BJBWJy
y+MrroOBeaC5+OwDskq2CmfXgQ6+ms+xaTMEzSyxh2MXPBzes4kqGsGOijE6
RtjmxsMG8gP1Pdxz/LIehav2Ssou/T9NRhhjufhKzA9RtqZopuDyMZw59WMz
46JSNnktxrLiwbOrK+dYchFICc149cadwBC3KP4hyejkH9jUpKlsMM8p0amL
+gJUmLkaJD4yh01dNEVZvzt/9RJpXBRKEhp0Ci8Ei9hcxivbRnLzXFj53Xc9
GwT3BgffD+gbZ2d6g3v8BbmY3mAcnIHYQT7vEZHrksdCJSjU/aO7GufP5Z5N
NV1fo1xb6iDg/3OhA5ll2nHkAjq1eFZ7GqaoflNxw8VCjWNjS0S2q0MycyUV
TvhdNfHcQLdL5QIfCYtw+rPHUOT8D1RyqFsqOSbM4eD4gxNN7aMPByrVcqA7
svmVan6kXjgkIaf2McOtx144dV0AVZ2BqDPOVvQIJzmOO8px6Uv9yz6JJ7kr
E41KanhOE41yZ4qCJ3pMH0T1JvqQPj89oyhY6tM5IJ7oe8BA+/k+Wje+NXUZ
P9Z39YjhoQ0OQUuZ8vDwsT74bFPQdHj0WI8/19ITfe+xPvxcY7uqw/uP9dFn
SZClHj54rO99rq3jy+HDx/r+7sZ7LCSsVk4VvF6hGk5kzMUH3fKEnY6wdwe8
sqMoq4MJGPgJARREdpoX1Ifkug0U8vyxJKwoVjdc38sB9so5Rvvkp1AUbuQa
AUyIO6AXgFmaD8O4Xq3Vw8NdMRr+vqBuRbTpH+ICgn44/mSj8Z4txL//YFcj
eCr9B64N/Y3nDw7pv6P79+7HD+5yGw92thWFMztGqjPJ5fYPfh5Z928l636L
rPsH9N+MyDqybRzqOqrufZKqez+Pqp2DMVX32lQdEatmDw59Gwv/jqgd8wVE
jfdCEwHx+VkmguWxP34YmIiX/mCKfImcczfkSkRdLQqDYJjTec2HE/CDPNCF
BaOFWSCwRKWQf9Ica7uyUxzklia9NKWCPllT2zhPtlR7oJFr4eR6mGKBkrJ9
dwQcKELr8YEU62zWNlVYl+x3cnzNNpIr9Ukrk8ZQv8DtA32xWRMlrWqqHfXq
rhqXbyxwnUTZjVZCBFFsRwfBwaW31e+C0tl9wqZfgZ53nPb0m7XVBpv+DseZ
F3zQGFLBbmNzc0LCHPG0sa9yKM7IZQ/9HmMxUZ1WPmUvBcrKfu213fIejxgM
0+sYQteAB8dxrZJAKjwm8h66SEObuTh36rBbMp0o2IctRkQeFIHIcWdTiyy0
QZj2G0JsBRZH5Z3acKm3a3jYHGKUqo8AEFKMGIaP7rPYyzUnBgvJzbBzdJKj
krsaupLr6+uZfSKSIMUauOrC5abNCcd2DZ/UIJO+pCgB/kB/3289mOBYX5/F
o4m2lXyS/AgjYDJUiEJtP3SwIPNH+hPO8dkSDWRd7Z0VaHbdq5zjaDl3MB2d
aVd6YJFJWOqPQCGOO7Ei9x9yf5eV6gVj9iyviw2nJ18iSsTfR31hT3NaIPlR
vzEsBDPTxU/OUzrVoYa7NAr9iQ/gzIAEtrmNhLS0688u+XZ/+/hT/QmwKa5e
ZF/2UjMnNbGg/ZI85XDJ1gfZrfPk7dIw5TrCbaAve7YEnPqgr1z+U5OQOKXO
62nV+tGOpdQbOXOLdXjRaqJf7h8r9Wotp1md3+5Y7Zq0zrBs8BikOpqSu07s
Kzc9aq5giO11BAEeiSQkHnCMC84TcSHMCUMAQTLEaYhgk23I6rt9gf5pXgWj
wqSJdHg6Tkl2ciLtlfF0QQhzSfsWtWj5Ly+HKdq9ni2IbS3oDMYd2tQ+NsV+
2Xi4DzuyR7LgSvW3W15f29t8gs5ufL4kYQpOjdpiw+2+GUV6Sr2up2lSLk0n
npTB28rQmuA4vDvCSC/VWkkIyhhlu6E7NeOExKapXu5ez+AdnvNtxmDvfD5+
YAfg7JWRuqRAbnGuWkQLjv0Ckd/mA2dLNuT7f2C8bNUcz7dHkCt/4a0FIbEX
qj5UtUeWvn9MgSc43ETpDdgEaWPqvzWV7WJJC7OrO6YiMXlNtFH7X8otXHfY
ZBldRVa/53XBaenAz+Fdwh3ur/mOM/jJBan98K7zHq5SUX9cz27vKZj2xpDW
XiQE9MeFQb13UTU9RRo5UU0e3YKlAuX6r14CzWClZ/7OpW8g0ikl8fsnnNFx
ldOpKdBCLoq/dveICPWsavpFEV9vgWV21/6HYJnzRH+F5f8/sMwhAKnt24un
w4dDF6QhYvwrWP9fBGso8P8SWMtUfwXr28CapnBxmwoDE5ffC2PmncEAF0nu
APvB7thGzqylOqqBEARYXPr96fcbkJY5PMMByS5oKtV26E7hXb6uUz4rx0wT
BEmvPZh9ZOPSDpBO+eofW5H981aEtx1CUcgTxHTh59uefKoFAiiswM3TOe2j
J8E3Uhhk4DshnFciCeeYCe6XTjb+ozu2atWdhvmn9mg/KThreMth2sXStGSP
doOkhe/Nt1lbOIuOhJN9wwjfQYWVM0jr8RYiP0Fr5xNrky1II5oAnd9tU1Vy
0z+8eW6UHX3lXiuxfQnUVQvF/lS2BfplN6XjciYOsXEpIPnR2DM2d0ucAItv
aIXXnHZdxOC3EDTGm0vH+UTXlmBkfPB9xajoKnval7QcjMhl1poP2eWSuZzE
NvfVQXHp23HOz7PQDxOoPg3R/1nav8cVrY1Zsnugt1JYwufGs4AqlqEN5Awk
fWzuahyNDlF/qfWw/coZnCwg+UmyO4dlT+V1EXyA4N9qQhBScgJlg2QrDUKb
k6RcBc1XNAUl+LxWSHF3HQRCClQeLojYFcoPtE4JeWtI4PHrZ+669Zao2urw
2FyaNF97G4P3iJgCHhgxcVETt1JOlkalclfSVTtV1qmwvCV95PNunTybP5m2
r87ghHS7Tdlr4fLAArNr31z9BlzM61S139t0kr852wu1X79xCG+hvfNKGz4M
KpUkukrGZUcQA0kDafYx/cu+4kf97HQbhm9LVw27AHnx5PRgCydvyVXt6jz+
6bDYZTAB4v5+k5HsJB6ZMMgDT8I66er4acXlbflFW5Hm7WkUvLZiE6jOwZh1
R/tjaCmoqOCakErh3gNf0hPESetVxtvuN6THZQ1yw9QmICt+7G6fdTrZ7Wp1
c/4+bmk3JyrRlh/sxXgH4jYpeIVooCbn0KZOUX9+iwI0Rw+FSc0lubEquLYL
7W1iiXbeWV9/4QKJXSlod/xhmnfCbFXmh2f//FIVvB7AvWKEMQabraCTDNoD
VK8jQE7NB/uuitK/NIjvO/hX4QRWiVxt7/O0asADETgYHQQiMFLnuElwBWLl
mq+M7Ou07CsdfCBFbPoWpPMqbJVJaRyJ7l6LKCXHHi0THxgeNaN5CEPoG9tb
vKLO3Ryvdt+m08hm5xu+EMO3f1kHZGrECHU6J6AtP03D3wSv7hEzjIve7mKq
nVymw5kQcYeGJtfA3ltovxiKCz7cSwoaG9qyzTCeB3u33XL218PYIeAyJ1fl
3LkYh1f/4DxR5Afk9sd7wSuhso33EkIaxZbIe4YKW+DnY0a5GRKkPjwBnRPS
knYMrOSrOlxq5jMEuy6VWkkd2OivXShTtutCbznfElEqZ0ty2awb4y+Kthbo
qvPr0jsN4unIIUpNLCOF2RNfaIegSXDTVaUQbtxtA+Ec8b/I1wXeVsHsgFsA
muxrpGbykh32MtrAptsuqHOJmj6ffecCvztApNw6dzwJiEo52cVvSOOKaV8u
yO9D4BdN2rpariLDIvclMsAdeL59ZN9mg6vzPnr3t218YkEO99ovbuMLacGt
SZebaCDh08hoK8WwQU0JCMs5n3KSbUy4fl9eweWTBVAzKZz2v+kfavsqKyn1
5ZpVezdpV63qSOtnc+gubYKRNz6030/A/LV63koHBlmdz19sUTvuz2wVyPKV
BY+QJoGXSGGL6OWWxw9tI0O2AUohfcFn/laotuh0dzUaYRht3ZeQbXLpnfA1
Gplu3uHBvoUzDopLir27jjJ/fpeNe48cdm/Xxv0Ulvl7CeoTLGvYZa0J8eC9
MWs487P3ruBx18uunGD79xHU9kELgn19RYulgsD/8U//LNUZrXJiLVfXfClc
p1xWqjdcxX6aMOzZHrhZtDvvrKPLKEkjKWQiz5+Ee/aeeDtDF4KChWDKlnMC
x1TcfhN/2ctyeJ/X19e/S1b6fLaMoviGpA5PnhaofylnEXnvKTtFifvpVRrN
9RNTLPCKVPfwRVTMcn2RIBfBz0R1r0+WBclIgnuDq/Iv/4Z3W90of42V/BnB
PilJxosTxG2Mk8K6J93AfIRRj8kJooDthUmz5H1+SWNKcSG2sW5ub+B1Afjf
Ilr7KIdDRMU5onYwP7BladfP80WURWS89N+a9DLJ4gJYdBNcviVKzZqGjxXu
55FPz3beh3F2USP1AiYYN9Tfl+KI2qP6Z2fnX2vpysXPdovd+K6UrVyRgPJV
KTj8TCleNziFXDkXleh9YrIfSCYz/fsort+3KfUXfS+NnRCaaK/F8ItqkIBU
p8zuvBAe0JKhv0m7Id9VhRUPaur8xWa/OSyM87Sez5X69S/oM9+6Sb8Fokz0
jncitb06xJNXJFecxeJ4VA+HX+0aCdgX3mdt3SQFSPEZAc5vbx2iVSrYeadG
52KqjPGf7uZ9eiJaAAA=
a) We updated "Constrained Devices" (capitalized) to "constrained devices"
(lowercase) per usage in RFC 7228. Aside from the usage in RFC 7228, the
lowercase form is also more common in the RFC Series as a whole. Please let us
know any objections.
b) We see both of the following forms in the document. Please review each
instance and let us know if any updates are needed.
location vs. Location
c) Does the following need to be capitalized in running text?
Current:
REST-Specific Model with Dynamic Resource Creation
Perhaps:
REST-specific model with dynamic resource creation
--> -->
<!-- [rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed. -->
<!-- [rfced] XML Formatting
a) We note that URI-local-part appears in several ways: with quotation marks,
with no quotation marks, and in italics/underscores (i.e., <em> in xml). In
addition, we see that REST-method-set appears with quotation marks in some
instances and in fixed-width font (i.e., <tt> in xml) in others. Should the
formatting of these terms be consistent? Let us know if any updates are
needed.
URI-local-part
REST-method-set
b) The document has two instances of "allow-list". One is enclosed in <em> in
the xml but the other is not. Should this be consistent? If so, please let us
know which form is preferred.
c) In the xml file, <tt> is used consistently for Toid and Tperm in general
text. Should <tt> also be used for "Toid/Tperm" in the following sentence?
Original:
...that all parties have the same understanding of
each Toid/Tperm pair in terms of specified objects (resources) and
operations on those.
d) The following appear both with and without <tt> in the xml file. Should
this be consistent? If so, please let us know which form to use.
application/aif+json
application/aif+cbor
e) A question about the use of <tt> was sent on 28 February 2022 to all
authors of documents in cluster 442. It seems that the cluster authors decided
to use <tt> for claims and parameters. Please let us know if any updates are
needed for this document to correspond with that cluster-wide decision.
-->
</rfc> </rfc>
 End of changes. 91 change blocks. 
878 lines changed or deleted 460 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/

mirror server hosted at Truenetwork, Russian Federation.