rfc9203v2.txt   rfc9203.txt 
skipping to change at line 182 skipping to change at line 182
between the client and AS is RECOMMENDED in this profile, to reduce between the client and AS is RECOMMENDED in this profile, to reduce
the number of libraries the client has to support, but other the number of libraries the client has to support, but other
protocols fulfilling the security requirements defined in Section 5 protocols fulfilling the security requirements defined in Section 5
of [RFC9200] MAY alternatively be used, such as TLS [RFC8446] or DTLS of [RFC9200] MAY alternatively be used, such as TLS [RFC8446] or DTLS
[RFC9147]. [RFC9147].
Once the client has retrieved the access token, it generates a nonce Once the client has retrieved the access token, it generates a nonce
N1, as defined in this document (see Section 4.1.1). The client also N1, as defined in this document (see Section 4.1.1). The client also
generates its own OSCORE Recipient ID, ID1 (see Section 3.1 of generates its own OSCORE Recipient ID, ID1 (see Section 3.1 of
[RFC8613]), for use with the keying material associated to the RS. [RFC8613]), for use with the keying material associated to the RS.
The client posts the token N1 and its Recipient ID to the RS using The client posts the token, N1, and its Recipient ID to the RS using
the authz-info endpoint and mechanisms specified in Section 5.8 of the authz-info endpoint and mechanisms specified in Section 5.8 of
[RFC9200] and Content-Format = application/ace+cbor. When using this [RFC9200] and Content-Format = application/ace+cbor. When using this
profile, the communication with the authz-info endpoint is not profile, the communication with the authz-info endpoint is not
protected, except for the update of access rights. protected, except for the update of access rights.
If the access token is valid, the RS replies to this request with a If the access token is valid, the RS replies to this request with a
2.01 (Created) response with Content-Format = application/ace+cbor, 2.01 (Created) response with Content-Format = application/ace+cbor,
which contains a nonce N2 and its newly generated OSCORE Recipient which contains a nonce N2 and its newly generated OSCORE Recipient
ID, ID2, for use with the keying material associated to the client. ID, ID2, for use with the keying material associated to the client.
Moreover, the server concatenates the input salt received in the Moreover, the server concatenates the input salt received in the
token, N1, and N2 to obtain the Master Salt of the OSCORE security token, N1, and N2 to obtain the Master Salt of the OSCORE security
context (see Section 3 of [RFC8613]). The RS then derives the context (see Section 3 of [RFC8613]). The RS then derives the
complete security context associated with the received token from the complete security context associated with the received token from the
Master Salt; the OSCORE Recipient ID generated by the client (set as Master Salt; the OSCORE Recipient ID generated by the client (set as
its OSCORE Sender ID); its own OSCORE Recipient ID; plus the its OSCORE Sender ID); its own OSCORE Recipient ID; plus the
parameters received in the access token from the AS, following parameters received in the access token from the AS, following
Section 3.2 of [RFC8613]. Section 3.2 of [RFC8613].
In a similar way, after receiving the nonce N2, the client In a similar way, after receiving the nonce N2, the client
concatenates the input salt N1 and N2 to obtain the Master Salt of concatenates the input salt, N1, and N2 to obtain the Master Salt of
the OSCORE security context. The client then derives the complete the OSCORE security context. The client then derives the complete
security context from the Master Salt; the OSCORE Recipient ID security context from the Master Salt; the OSCORE Recipient ID
generated by the RS (set as its OSCORE Sender ID); its own OSCORE generated by the RS (set as its OSCORE Sender ID); its own OSCORE
Recipient ID; plus the parameters received from the AS. Recipient ID; plus the parameters received from the AS.
Finally, the client starts the communication with the RS by sending a Finally, the client starts the communication with the RS by sending a
request protected with OSCORE to the RS. If the request is request protected with OSCORE to the RS. If the request is
successfully verified, the server stores the complete security successfully verified, the server stores the complete security
context state that is ready for use in protecting messages and uses context state that is ready for use in protecting messages and uses
it in the response, and in further communications with the client, it in the response, and in further communications with the client,
skipping to change at line 339 skipping to change at line 339
Header: POST (Code=0.02) Header: POST (Code=0.02)
Uri-Host: "as.example.com" Uri-Host: "as.example.com"
Uri-Path: "token" Uri-Path: "token"
Content-Format: application/ace+cbor Content-Format: application/ace+cbor
Payload: Payload:
{ {
/ audience / 5 : "tempSensor4711", / audience / 5 : "tempSensor4711",
/ scope / 9 : "write", / scope / 9 : "write",
/ req_cnf / 4 : { / req_cnf / 4 : {
/ kid / 2 : h'01' / kid / 3 : h'01'
} }
} }
Figure 3: Example C-to-AS POST /token Request for Updating Rights Figure 3: Example C-to-AS POST /token Request for Updating Rights
to an Access Token Bound to a Symmetric Key to an Access Token Bound to a Symmetric Key
3.2. AS-to-C: Access Token 3.2. AS-to-C: Access Token
After verifying the POST request to the token endpoint and that the After verifying the POST request to the token endpoint and that the
client is authorized to obtain an access token corresponding to its client is authorized to obtain an access token corresponding to its
skipping to change at line 527 skipping to change at line 527
Figure 8 shows an example CWT Claims Set that contains the necessary Figure 8 shows an example CWT Claims Set that contains the necessary
OSCORE parameters in the cnf claim for the update of access rights. OSCORE parameters in the cnf claim for the update of access rights.
{ {
/ aud / 3 : "tempSensorInLivingRoom", / aud / 3 : "tempSensorInLivingRoom",
/ iat / 6 : 1360189224, / iat / 6 : 1360189224,
/ exp / 4 : 1360289224, / exp / 4 : 1360289224,
/ scope / 9 : "temperature_h", / scope / 9 : "temperature_h",
/ cnf / 8 : { / cnf / 8 : {
/ kid / 2 : h'01' / kid / 3 : h'01'
} }
} }
Figure 8: Example CWT Claims Set with OSCORE Parameters for the Figure 8: Example CWT Claims Set with OSCORE Parameters for the
Update of Access Rights Update of Access Rights
3.2.1. The OSCORE_Input_Material 3.2.1. The OSCORE_Input_Material
An OSCORE_Input_Material is an object that represents the input An OSCORE_Input_Material is an object that represents the input
material to derive an OSCORE security context, i.e., the local set of material to derive an OSCORE security context, i.e., the local set of
skipping to change at line 1228 skipping to change at line 1228
Name: ace_server_recipientid Name: ace_server_recipientid
CBOR Key: 44 CBOR Key: 44
Value Type: bstr Value Type: bstr
Reference: RFC 9203 Reference: RFC 9203
Original Specification: RFC 9203 Original Specification: RFC 9203
9.4. OSCORE Security Context Parameters Registry 9.4. OSCORE Security Context Parameters Registry
IANA has created a new registry entitled "OSCORE Security Context IANA has created a new registry entitled "OSCORE Security Context
Parameters". The registration procedure depends on range of CBOR Parameters". The registration procedure depends on the range of CBOR
label values, following [RFC8126]. Guidelines for the experts are label values, following [RFC8126]. Guidelines for the experts are
provided in Section 9.7. provided in Section 9.7.
The columns of the registry are: The columns of the registry are:
Name: The JSON name requested (e.g., "ms"). Because a core goal of Name: The JSON name requested (e.g., "ms"). Because a core goal of
this document is for the resulting representations to be compact, this document is for the resulting representations to be compact,
it is RECOMMENDED that the name be short. This name is case it is RECOMMENDED that the name be short. This name is case
sensitive. Names may not match other registered names in a case- sensitive. Names may not match other registered names in a case-
insensitive manner unless the designated experts determine that insensitive manner unless the designated experts determine that
 End of changes. 5 change blocks. 
5 lines changed or deleted 5 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/