<?xml version='1.0' encoding='utf-8'?> version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<?rfc toc="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?> [
 <!ENTITY nbsp    "&#160;">
 <!ENTITY zwsp   "&#8203;">
 <!ENTITY nbhy   "&#8209;">
 <!ENTITY wj     "&#8288;">
]>

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-ace-oscore-profile-19" category="std" number="9203" obsoletes="" updates="" submissionType="IETF" category="std" consensus="true" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true" version="3">

  <!-- xml2rfc v2v3 conversion 2.39.0 -->
  <front>

 <!-- [rfced] Please note that the title of the document has been updated
as follows.  Acronyms have been expanded per Section 3.6 of RFC 7322
("RFC Style Guide"). Please let us know of any concerns.

Original
 OSCORE Profile of the Authentication and Authorization for Constrained
                         Environments Framework

Current:
   The Object Security for Constrained RESTful Environments (OSCORE)
    Profile of the Authentication and Authorization for Constrained
                      Environments (ACE) Framework
-->

    <title abbrev="OSCORE Profile of ACE">OSCORE ACE">The Object Security for Constrained RESTful Environments (OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-ace-oscore-profile-19"/> name="RFC" value="9203"/>
    <author initials="F." surname="Palombini" fullname="Francesca Palombini">
      <organization>Ericsson AB</organization>
      <address>
        <email>francesca.palombini@ericsson.com</email>
      </address>
    </author>
    <author fullname="Ludwig Seitz" initials="L." surname="Seitz">
      <organization>Combitech</organization>
      <address>
        <postal>
          <street>Djaeknegatan
          <street>Djäknegatan 31</street>
          <!-- Reorder these if your country does things differently -->
          <city>Malmoe</city>
          <city>Malmö</city>
          <code>211 35</code>
          <country>Sweden</country>
        </postal>
        <email>ludwig.seitz@combitech.com</email>
        <!-- uri and facsimile elements may also be added -->
      </address>
    </author>
    <author fullname="Göran Selander" initials="G." surname="Selander">
      <organization>Ericsson AB</organization>
      <address>
        <email>goran.selander@ericsson.com</email>
        <!-- uri and facsimile elements may also be added -->
      </address>
    </author>
    <author fullname="Martin Gunnarsson" initials="M." surname="Gunnarsson">
      <organization>RISE</organization>
      <address>
        <postal>
          <street>Scheelevagen 17</street>
          <!-- Reorder these if your country does things differently -->
          <city>Lund</city>
          <code>22370</code>
          <country>Sweden</country>
        </postal>
        <email>martin.gunnarsson@ri.se</email>
        <!-- uri and facsimile elements may also be added -->

      </address>
    </author>
    <date/>
    <date year="2022" month="March" />
    <area>Security</area>
    <workgroup>ACE Working Group</workgroup>
    <workgroup>ACE</workgroup>

<!-- [rfced] Please insert any keywords (beyond those that appear in
the title) for use on https://www.rfc-editor.org/search. -->

    <abstract>
      <t>
        This document specifies a profile for the Authentication and Authorization for Constrained Environments (ACE) framework.  It utilizes Object Security for Constrained RESTful Environments (OSCORE) to provide communication security and proof-of-possession for a key owned by the client and bound to an OAuth 2.0 access token.
      </t>
      <!--
        Jim: Lookup on
    </abstract>
  </front>
  <middle>
<!--[rfced] FYI, the RFC Editor page text rendering of the <tt> element was changed
in Sept. 2021 (xml2rfc release 3.10.0). <tt> no longer yields quotation
marks in the text rendering. In light of this, please review and let us
know if you need want to expand OAuth

        From editor's list make any changes (e.g., add quotation marks that
would be in all 3 output formats). For example:

Original text (where <tt> was used in the source):
   The master secret and the identifier of well known:
        OAuth     *- [seems to the OSCORE_Input_Material
   MUST be more communicated as the "ms" and "id" field in the "osc" field in
   the "cnf" parameter of a name rather than an abbreviation] the access token response.

Current text:
   The Master Secret and the identifier of the OSCORE_Input_Material
   MUST be communicated as the ms and id field in the osc field in the
   cnf parameter of the access token response.

Note: <tt> yields fixed-width font in the HTML and PDF files.

This alternative diff file has been provided so that you can review
changes without the noise of the quotation marks being removed due
to this change to the rendering of <tt>:
https://www.rfc-editor.org/authors/rfc9203-alt-diff.html
-->
    </abstract>
  </front>
  <middle>

    <section anchor="introduction" numbered="true" toc="default">
      <name>Introduction</name>
      <t>
        This document specifies the "coap_oscore" profile of the ACE framework <xref target="I-D.ietf-ace-oauth-authz" target="RFC9200" format="default"/>.  In this profile, a client (C) and a resource server (RS) use the Constrained Application Protocol (CoAP) <xref target="RFC7252" format="default"/> to communicate.  The client uses an access token, bound to a symmetric key (the proof-of-possession (PoP) key) to authorize its access to the resource server.  Note that this profile uses a symmetric-crypto-based scheme, where the symmetric secret is used as input material for keying material derivation.  In order to provide communication security and proof of possession, PoP, the client and resource server use Object Security for Constrained RESTful Environments (OSCORE) as defined in <xref target="RFC8613" format="default"/>.  Note that the proof of possession PoP is not achieved through a dedicated protocol element, element but rather occurs after the first message exchange using OSCORE.
      </t>
      <t>
        OSCORE specifies how to use CBOR Object Signing and Encryption (COSE) <xref target="I-D.ietf-cose-rfc8152bis-struct" format="default"/><xref target="I-D.ietf-cose-rfc8152bis-algs" target="RFC9052" format="default"/> <xref target="RFC9053" format="default"/> to secure CoAP messages.
        Note that OSCORE can be used to secure CoAP messages, as well as HTTP and combinations of HTTP and CoAP; a profile of ACE similar to the one described in this document, with the difference of using HTTP instead of CoAP as the communication protocol, could be specified analogously to this one.
      </t>
      <section anchor="terminology" numbered="true" toc="default">
        <name>Terminology</name>
        <t>
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
      NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
      "MAY", "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
    NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and "OPTIONAL" "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
    described in BCP 14 BCP&nbsp;14 <xref target="RFC2119" format="default"/> target="RFC2119"/> <xref target="RFC8174" format="default"/> target="RFC8174"/>
    when, and only when, they appear in all capitals, as shown here.
        </t>
        <t>
          Certain security-related terms such as "authentication", "authorization", "confidentiality", "(data) integrity", "Message Authentication Code (MAC)", "Hash-based Message Authentication Code (HMAC)", and "verify" are taken from <xref target="RFC4949" format="default"/>.
        </t>
        <t>
          RESTful terminology follows HTTP <xref target="RFC7231" format="default"/>.
        </t>
        <t>
          Readers are expected to be familiar with the terms and concepts defined in OSCORE <xref target="RFC8613" format="default"/>, such as "Security Context" and "Recipient ID".
        </t>
        <t>
          Terminology for entities in the architecture is defined in OAuth 2.0 <xref target="RFC6749" format="default"/>, such as client (C), resource server (RS), and authorization server (AS). It is assumed in this document that a given resource on a specific RS is associated to a unique AS.
        </t>
        <t>
          Concise Binary Object Representation (CBOR) <xref target="RFC8949" format="default"/> and Concise Data Definition Language (CDDL) <xref target="RFC8610" format="default"/> are used in this document. CDDL predefined type names, especially bstr "bstr" for CBOR byte strings and tstr "tstr" for CBOR text strings, are used extensively in this document.
        </t>
        <t>
          Note that the term "endpoint" is used here, as in <xref target="I-D.ietf-ace-oauth-authz" target="RFC9200" format="default"/>, following its OAuth definition, which is to denote resources such as token and introspect at the AS and authz-info at the RS.

	  The CoAP <xref target="RFC7252" format="default"/> definition, which is "An "[a]n entity participating in the CoAP protocol" <xref target="RFC7252" format="default"/>, is not used in this document.
        </t>
        <t>
          Examples throughout this document are expressed in CBOR diagnostic notation without the tag and value abbreviations.
        </t>
      </section>
    </section>
    <section numbered="true" toc="default">
      <name>Protocol Overview</name>
      <t>
        This section gives an overview of how to use the ACE Framework <xref target="I-D.ietf-ace-oauth-authz" target="RFC9200" format="default"/> to secure the communication between a client and a resource server using OSCORE <xref target="RFC8613" format="default"/>. The parameters needed by the client to negotiate the use of this profile with the authorization server, AS, as well as the OSCORE setup process, are described in detail in the following sections.
      </t>
      <t>
        The RS maintains a collection of OSCORE Security Contexts with associated authorization information for all the clients that it is communicating with. The
        authorization information is maintained as policy that is used as input to processing requests from those clients.
      </t>
      <t>
        This profile requires a client to retrieve an access token from the AS for the resource it wants to access on an RS, by sending an access token request to the token endpoint, as specified in section 5.8 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>. target="RFC9200" sectionFormat="of" section="5.8"/>. The access token request and response MUST <bcp14>MUST</bcp14> be confidentiality-protected confidentiality protected and ensure authenticity.  This profile RECOMMENDS the  The use of OSCORE between the client and AS, AS is <bcp14>RECOMMENDED</bcp14> in this profile, to reduce the number of libraries the client has to support, but other protocols fulfilling the security requirements defined in section 5 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/> MAY target="RFC9200" sectionFormat="of" section="5"/> <bcp14>MAY</bcp14> alternatively be used, such as TLS <xref target="RFC8446" format="default"/> or DTLS <xref target="I-D.ietf-tls-dtls13" target="RFC9147" format="default"/>.
      </t>
      <t>
        Once the client has retrieved the access token, it generates a nonce N1, as defined in this document (see <xref target="nonce1" format="default"/>). The client also generates its own OSCORE Recipient ID ID, ID1 (see Section 3.1 of <xref target="RFC8613" format="default"/>), sectionFormat="of" section="3.1"/>), for use with the keying material associated to the RS. The client posts the token, token N1 and its Recipient ID to the RS using the authz-info endpoint and mechanisms specified in section 5.8 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/> target="RFC9200" sectionFormat="of" section="5.8"/> and Content-Format = application/ace+cbor. When using this profile, the communication with the authz-info endpoint is not protected, except for the update of access rights.
      </t>
      <t>
        If the access token is valid, the RS replies to this request with a 2.01 (Created) response with Content-Format = application/ace+cbor, which contains a nonce N2 and its newly generated OSCORE Recipient ID, ID2, for use with the keying material associated to the client. Moreover, the server concatenates the input salt received in the token, N1, and N2 to obtain the Master Salt of the OSCORE Security Context (see section 3 of <xref target="RFC8613" format="default"/>). sectionFormat="of" section="3"/>).
        The RS then derives the complete Security Context associated with the received token from the Master Salt, Salt; the OSCORE Recipient ID generated by the client (set as its OSCORE Sender ID), ID); its own OSCORE Recipient ID, ID; plus the parameters received in the access token from the AS, following section 3.2 of <xref target="RFC8613" format="default"/>. sectionFormat="of" section="3.2"/>.
      </t>
      <t>
        In a similar way, after receiving the nonce N2, the client concatenates the input salt, salt N1 and N2 to obtain the Master Salt of the OSCORE Security Context. The client then derives the complete Security Context from the Master Salt, Salt; the OSCORE Recipient ID generated by the RS (set as its OSCORE Sender ID), ID); its own OSCORE Recipient ID, ID; plus the parameters received from the AS.
      </t>
      <t>
        Finally, the client starts the communication with the RS by sending a request protected with OSCORE to the RS. If the request is successfully verified, the server stores the complete Security Context state that is ready for use in protecting messages, messages and uses it in the response, and in further communications with the client, until token deletion due to, for example, expiration. This Security Context is discarded when a token (whether the same or a different one) is used to successfully derive a new Security Context for that client.
      </t>
      <t>
        The use of nonces N1 and N2 during the exchange prevents the reuse of an
        Authenticated Encryption with Associated Data (AEAD) nonce/key pair
        for two different messages. Reuse might otherwise occur when the
        client and RS derive a new Security Context from an existing (non-
        expired) (non-expired)
        access token, as might occur when either party has just rebooted, and that might lead to loss of both confidentiality and integrity.
        Instead, by using the exchanged nonces N1 and N2 as part of the Master Salt, the request to the authz-info endpoint posting the same token results in a different Security Context, by OSCORE construction, since even though the Master Secret, Sender ID ID, and Recipient ID are the same, the Master Salt is different (see Section 3.2.1 of <xref target="RFC8613" format="default"/>). sectionFormat="of" section="3.2.1"/>). If the exchanged nonces were reused, a node reusing a non-expired old token would be susceptible to on-path attackers provoking the creation of an OSCORE message using an old AEAD key and nonce.
      </t>
      <t>

<!--[rfced] Regarding "OSCORE security input material",
because the term "OSCORE Input Material" is used elsewhere
in the document, is it correct to simply remove "security" from
this term (2 instances)?  Or, do you want to rephrase otherwise
(e.g., "secure OSCORE Input Material")?

Original:
   After the whole message exchange has taken place, the client can
   contact the AS to request an update of its access rights, sending a
   similar request to the token endpoint that also includes an
   identifier so that the AS can find the correct OSCORE security input
   material it has previously shared with the client. This specific
   identifier, encoded as a byte string, is assigned by the AS to be
   unique in the sets of its OSCORE security input materials, and is not
   used as input material to derive the full OSCORE Security Context.

Perhaps (using "OSCORE Input Material"):
   After the whole message exchange has taken place, the client can
   contact the AS to request an update of its access rights, sending a
   similar request to the token endpoint that also includes an
   identifier so that the AS can find the correct OSCORE Input
   Material it has previously shared with the client.  This specific
   identifier, encoded as a byte string, is assigned by the AS to be
   unique in the sets of its OSCORE Input Materials, and it is
   not used as input material to derive the full OSCORE Security
   Context.
-->

        After the whole message exchange has taken place, the client can contact the AS to request an update of its access rights, sending a similar request to the token endpoint that also includes an identifier so that the AS can find the correct OSCORE security input material it has previously shared with the client. This specific identifier, encoded as a byte string, is assigned by the AS to be unique in the sets of its OSCORE security input materials, and it is not used as input material to derive the full OSCORE Security Context.
      </t>
      <t>
        An overview of the profile flow for the OSCORE profile is given in <xref target="prof-overview" format="default"/>. The names of messages coincide with those of <xref target="I-D.ietf-ace-oauth-authz" target="RFC9200" format="default"/> when applicable.
      </t>
      <figure anchor="prof-overview">
        <name>Protocol Overview</name>
        <artwork name="" type="" align="left" alt=""><![CDATA[
   C                            RS                   AS
   |                            |                     |
   | ----- POST /token  ----------------------------> |
   |                            |                     |
   | <---------------------------- Access Token ----- |
   |                           + Access Information   |
   | ---- POST /authz-info ---> |                     |
   |   (access_token, N1, ID1)  |                     |
   |                            |                     |
   | <- 2.01 Created (N2, ID2)- |                     |
   |                            |                     |
 /Sec Context             /Sec Context                |
   derivation/              derivation/               |
   |                            |                     |
   | ---- OSCORE Request -----> |                     |
   |                            |                     |
   |                    /proof-of-possession          |
   |                    Sec Context storage/          |
   |                            |                     |
   | <--- OSCORE Response ----- |                     |
   |                            |                     |
/proof-of-possession            |                     |
Sec Context storage/            |                     |
   |                            |                     |
   | ---- OSCORE Request -----> |                     |
   |                            |                     |
   | <--- OSCORE Response ----- |                     |
   |                            |                     |
   |           ...              |                     |
        ]]></artwork>
      </figure>
    </section>
    <section anchor="client-as" numbered="true" toc="default">
      <name>Client-AS Communication</name>
      <t>
        The following subsections describe the details of the POST request and response to the token endpoint between the client and AS. Section 3.2 of <xref target="RFC8613" format="default"/> sectionFormat="of" section="3.2"/> defines how to derive a Security Context based on a shared master secret Master Secret and a set of other parameters, established between the client and server, which the client receives from the AS in this exchange.  The proof-of-possession PoP key (pop-key) included in the response from the AS MUST <bcp14>MUST</bcp14> be used as master secret a Master Secret in OSCORE.
      </t>
      <section anchor="c-as" numbered="true" toc="default">
        <name>C-to-AS: POST to token endpoint</name> Token Endpoint</name>
        <t>
          The client-to-AS request is specified in Section 5.8.1 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>. target="RFC9200" sectionFormat="of" section="5.8.1"/>.
        </t>
        <t>
          The client must send this POST request to the token endpoint over a secure channel that guarantees authentication, message integrity integrity, and confidentiality (see <xref target="introsp" format="default"/>).
        </t>
        <t>
          An example of such a request is shown in <xref target="ex0" format="default"/> format="default"/>.
        </t>
        <figure anchor="ex0">
          <name>Example C-to-AS POST /token request Request for an access token bound Access Token Bound to a symmetric key.</name>
          <artwork Symmetric Key</name>

<!-- [rfced] Please review the "type" attribute of each sourcecode element
in the XML file to ensure correctness. If the current list of preferred
values for "type" (https://www.rfc-editor.org/materials/sourcecode-types.txt)
does not contain an applicable type, then feel free to let us know. Also, it
is acceptable to leave the "type" attribute not set.
-->
        <sourcecode name="" type="" align="left" alt=""><![CDATA[ type="cbor"><![CDATA[
    Header: POST (Code=0.02)
    Uri-Host: "as.example.com"
    Uri-Path: "token"
    Content-Format: "application/ace+cbor"
    Payload:
    {
      "audience" : "tempSensor4711",
      "scope" : "read"
     }

          ]]></artwork>
          ]]></sourcecode>
        </figure>

        <t>
          If the client wants to update its access rights without changing an existing OSCORE Security Context, it MUST <bcp14>MUST</bcp14> include a "req_cnf" object in its POST request to the token endpoint a req_cnf object, endpoint, with the kid <tt>kid</tt> field carrying a CBOR byte string containing the OSCORE Input Material Identifier identifier (assigned as discussed in <xref target="as-c" format="default"/>). This identifier, together with other information such as audience (see Section 5.8.1 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>), target="RFC9200" sectionFormat="of" section="5.8.1"/>), can be used by the AS to determine the shared secret bound to the proof-of-possession token and therefore MUST token; therefore, it <bcp14>MUST</bcp14> identify a symmetric key that was previously generated by the AS as a shared secret for the communication between the client and the RS. The AS MUST <bcp14>MUST</bcp14> verify that the received value identifies a proof-of-possession key that has previously been issued to the requesting client. If that is not the case, the Client-to-AS client-to-AS request MUST <bcp14>MUST</bcp14> be declined with the error code <tt>invalid_request</tt> as defined in Section 5.8.3 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>. target="RFC9200" sectionFormat="of" section="5.8.3"/>.
        </t>
        <t>
          An example of such a request is shown in <xref target="ex7" format="default"/> format="default"/>.
        </t>
        <figure anchor="ex7">
          <name>Example C-to-AS POST /token request Request for updating rights Updating Rights to an access token bound Access Token Bound to a symmetric key.</name>
          <artwork Symmetric Key</name>
          <sourcecode name="" type="" align="left" alt=""><![CDATA[ type="cbor"><![CDATA[
    Header: POST (Code=0.02)
    Uri-Host: "as.example.com"
    Uri-Path: "token"
    Content-Format: "application/ace+cbor"
    Payload:
    {
      "audience" : "tempSensor4711",
      "scope" : "write",
      "req_cnf" : {
        "kid" : h'01'
     }

          ]]></artwork>
          ]]></sourcecode>
        </figure>
      </section>
      <section anchor="as-c" numbered="true" toc="default">
        <name>AS-to-C: Access Token</name>
        <t>
          After verifying the POST request to the token endpoint and that the client is authorized to obtain an access token corresponding to its access token request, the AS responds as defined in section 5.8.2 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>. target="RFC9200" sectionFormat="of" section="5.8.2"/>. If the client request was invalid, or not authorized, the AS returns an error response as described in section 5.8.3 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>. target="RFC9200" sectionFormat="of" section="5.8.3"/>.
        </t>
        <t>
          The AS can signal that the use of OSCORE is REQUIRED <bcp14>REQUIRED</bcp14> for a specific access token by including the "ace_profile" <tt>ace_profile</tt> parameter with the value "coap_oscore" in the access token response.  This means that the client MUST <bcp14>MUST</bcp14> use OSCORE towards all resource servers for which this access token is valid, and follow <xref target="oscore-setup" format="default"/> to derive the security context to run OSCORE.
Usually
Usually, it is assumed that constrained devices will be pre-configured preconfigured with the necessary profile, so that this kind of profile signaling can be omitted.
        </t>
        <t>
          Moreover, the AS MUST <bcp14>MUST</bcp14> send the following data:
        </t>
        <ul spacing="normal">
          <li>a master secret</li> Master Secret</li>
          <li>an identifier of the OSCORE Input Material</li>
        </ul>
        <t>
          Additionally, the AS MAY <bcp14>MAY</bcp14> send the following data, in the same response.
        </t>

<!--[rfced] In RFC-to-be 9053 (draft-ietf-cose-rfc8152bis-algs-12),
Section 5.1 (not Section 3.1) discusses HKDF; is an update needed
to the text below? Please refer to the document in AUTH48:
<https://www.rfc-editor.org/authors/rfc9053.html>.

Original:
   an HMAC-based key derivation function (HKDF, [RFC5869]) algorithm,
   see section 3.1 of [I-D.ietf-cose-rfc8152bis-algs]

Perhaps:
   an HMAC-based key derivation function (HKDF) algorithm [RFC5869];
   see Section 5.1 of [RFC9053].
-->
        <ul spacing="normal">
          <li>a context identifier</li>
          <li>an AEAD algorithm</li>
          <li>an HMAC-based key derivation function (HKDF, (HKDF) algorithm <xref target="RFC5869" format="default"/>) algorithm, format="default"/>; see section 3.1 of <xref target="I-D.ietf-cose-rfc8152bis-algs" format="default"/></li> target="RFC9053" sectionFormat="of" section="3.1"/></li>
          <li>a salt</li>
          <li>the OSCORE version number</li>
        </ul>
        <t>
          This data is transported in the OSCORE_Input_Material. The OSCORE_Input_Material is a CBOR map object, defined in <xref target="oscore-sec-ctx" format="default"/>. This object is transported in the <tt>cnf</tt> parameter of the access token response response, as defined in Section 3.2 of <xref target="I-D.ietf-ace-oauth-params" format="default"/>, target="RFC9201" sectionFormat="of" section="3.2"/>, as the value of a field named <tt>osc</tt>, "osc", which is registered in Sections <xref target="osc-cwt" format="default"/> format="counter"/> and <xref target="osc-jwt" format="default"/>. format="counter"/>.
        </t>
        <t>
          The AS MAY <bcp14>MAY</bcp14> assign an identifier to the context (context identifier). This identifier is used as ID Context in the OSCORE context as described in section 3.1 of <xref target="RFC8613" format="default"/>. sectionFormat="of" section="3.1"/>. If assigned, this these parameters MUST <bcp14>MUST</bcp14> be communicated as the <tt>contextId</tt> field in the OSCORE_Input_Material. The application needs to consider that this identifier is sent in the clear and may reveal information about the endpoints, as mentioned in section 12.8 of <xref target="RFC8613" format="default"/>. sectionFormat="of" section="12.8"/>.
        </t>
        <t>
          The master secret Master Secret and the identifier of the OSCORE_Input_Material MUST <bcp14>MUST</bcp14> be communicated as the <tt>ms</tt> and <tt>id</tt> field in the <tt>osc</tt> field in the <tt>cnf</tt> parameter of the access token response.

<!--[rfced] FYI, we rephrased the opening of this sentence to
improve readability.  Please let us know if you prefer otherwise.
(Side note: this text shows the <tt> change to quotation marks as
described above.)

Original:
   If included, the
   AEAD algorithm is sent in the "alg" parameter in the
   OSCORE_Input_Material; the HKDF algorithm in the "hkdf" parameter of
   the OSCORE_Input_Material; a salt in the "salt" parameter of the
   OSCORE_Input_Material; and the OSCORE version in the "version"
   parameter of the OSCORE_Input_Material.

Current:
   If included, the
   following are sent: the AEAD algorithm in the alg parameter in the
   OSCORE_Input_Material; the HKDF algorithm in the hkdf parameter of
   the OSCORE_Input_Material; a salt in the salt parameter of the
   OSCORE_Input_Material; and the OSCORE version in the version
   parameter of the OSCORE_Input_Material.
-->

          If included, the following are sent: the AEAD algorithm in the <tt>alg</tt> parameter in the OSCORE_Input_Material; the HKDF algorithm in the <tt>hkdf</tt> parameter of the OSCORE_Input_Material; a salt in the <tt>salt</tt> parameter of the OSCORE_Input_Material; and the OSCORE version in the <tt>version</tt> parameter of the OSCORE_Input_Material.
        </t>
        <t>
        	The same parameters MUST <bcp14>MUST</bcp14> be included in the claims associated with the access token.
          The OSCORE master secret MUST Master Secret <bcp14>MUST</bcp14> be encrypted by the authorization server so that only the resource server can decrypt it (see Section 6.1. of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>). This profile RECOMMENDS the target="RFC9200" sectionFormat="of" section="6.1"/>). The use of a CBOR web token Web Token (CWT) protected with COSE_Encrypt/COSE_Encrypt0 as specified in <xref target="RFC8392" format="default"/>. format="default"/> is <bcp14>RECOMMENDED</bcp14> in this profile. If the token is a CWT, the same OSCORE_Input_Material structure defined above MUST <bcp14>MUST</bcp14> be placed in the <tt>osc</tt> field of the <tt>cnf</tt> claim of this token.
        </t>
        <t>
          The AS MUST <bcp14>MUST</bcp14> send a different OSCORE_Input_Material (and therefore different access tokens) to different authorized clients, in order for the RS to differentiate between clients.
        </t>
        <t>
          <xref target="ex1" format="default"/> shows an example of an AS response. The access token has been truncated for readability.
        </t>
        <figure anchor="ex1">
          <name>Example AS-to-C Access Token response Response with an OSCORE profile.</name>
          <artwork Profile</name>
          <sourcecode name="" type="" align="left" alt=""><![CDATA[ type="cbor"><![CDATA[
    Header: Created (Code=2.01)
    Content-Type: "application/ace+cbor"
    Payload:
    {
      "access_token" : h'8343a1010aa2044c53 ...
       (remainder of access token (CWT) omitted for brevity)',
      "ace_profile" : "coap_oscore",
      "expires_in" : "3600",
      "cnf" : {
        "osc" : {
          "id" : h'01',
          "ms" : h'f9af838368e353e78888e1426bd94e6f'
        }
      }
    }

          ]]></artwork>
          ]]></sourcecode>
        </figure>
        <t>
          <xref target="ex2" format="default"/> shows an example CWT Claims Set, including the relevant OSCORE parameters in the <tt>cnf</tt> claim.
        </t>
        <figure anchor="ex2">
          <name>Example CWT Claims Set with OSCORE parameters.</name>
          <artwork Parameters</name>
         <sourcecode name="" type="" align="left" alt=""><![CDATA[ type=""><![CDATA[
{
  "aud" : "tempSensorInLivingRoom",
  "iat" : "1360189224",
  "exp" : "1360289224",
  "scope" :  "temperature_g firmware_p",
  "cnf" : {
    "osc" : {
      "ms" : h'f9af838368e353e78888e1426bd94e6f',
      "id" : h'01'
    }
  }
}

          ]]></artwork>
          ]]></sourcecode>
        </figure>
        <t>
          The same CWT Claims Set as in <xref target="ex2" format="default"/>, using the value abbreviations defined in <xref target="I-D.ietf-ace-oauth-authz" target="RFC9200" format="default"/> and <xref target="RFC8747" format="default"/> and encoded in CBOR CBOR, is shown in <xref target="ex2-cbor" format="default"/>. The bytes in hexadecimal are reported in the first column, while their corresponding CBOR meaning is reported after the <tt>#</tt> sign on the second column, for easiness of readability.
        </t>
        <t>
          NOTE TO THE RFC EDITOR: before publishing, it should be checked (and in case fixed) that the values used below (which are not yet registered) are
<!--[rfced] Please review the final values registered in IANA.
        </t> Figure 6 as per your note
regarding IANA-assigned values, and let us know if any updates are
needed.
-->

        <figure anchor="ex2-cbor">
          <name>Example CWT Claims Set with OSCORE parameters, Parameters Using CBOR encoded.</name>
          <artwork Encoding</name>
          <sourcecode name="" type="" align="left" alt=""><![CDATA[ type="cbor"><![CDATA[
A5                                      # map(5)
   63                                   # text(3)
      617564                            # "aud"
   76                                   # text(22)
      74656D7053656E736F72496E4C6976696E67526F6F6D
                                        # "tempSensorInLivingRoom"
   63                                   # text(3)
      696174                            # "iat"
   6A                                   # text(10)
      31333630313839323234              # "1360189224"
   63                                   # text(3)
      657870                            # "exp"
   6A                                   # text(10)
      31333630323839323234              # "1360289224"
   65                                   # text(5)
      73636F7065                        # "scope"
   78 18                                # text(24)
      74656D70657261747572655F67206669726D776172655F70
                                        # "temperature_g firmware_p"
   63                                   # text(3)
      636E66                            # "cnf"
   A1                                   # map(1)
      63                                # text(3)
         6F7363                         # "osc"
      A2                                # map(2)
         62                             # text(2)
            6D73                        # "ms"
         50                             # bytes(16)
            F9AF838368E353E78888E1426BD94E6F
                                        # "\xF9\xAF\x83\x83h\xE3S\xE7
                                        \x88\x88\xE1Bk\xD9No"
         62                             # text(2)
            6964                        # "id"
         41                             # bytes(1)
            01                          # "\x01"

          ]]></artwork>
          ]]></sourcecode>
        </figure>
        <t>
          If the client has requested an update to its access rights using the same OSCORE Security Context, which is valid and authorized, the AS MUST <bcp14>MUST</bcp14> omit the <tt>cnf</tt> parameter in the response, response and MUST <bcp14>MUST</bcp14> carry the OSCORE Input Material identifier in the <tt>kid</tt> field in the <tt>cnf</tt> claim of the token. This identifier needs to be included in the token in order for the RS to identify the correct OSCORE Input Material.
        </t>
        <t>
          <xref target="ex5" format="default"/> shows an example of such an AS response response. The access token has been truncated for readability.
        </t>
        <figure anchor="ex5">
          <name>Example AS-to-C Access Token response Response with an OSCORE profile, Profile for update the Update of access rights.</name>
          <artwork Access Rights</name>
          <sourcecode name="" type="" align="left" alt=""><![CDATA[ type=""><![CDATA[
    Header: Created (Code=2.01)
    Content-Type: "application/ace+cbor"
    Payload:
    {
      "access_token" : h'8343a1010aa2044c53 ...
       (remainder of access token (CWT) omitted for brevity)',
      "ace_profile" : "coap_oscore",
      "expires_in" : "3600"
    }

          ]]></artwork>
          ]]></sourcecode>
        </figure>
        <t>
          <xref target="ex6" format="default"/> shows an example CWT Claims Set, containing Set that contains the necessary OSCORE parameters in the <tt>cnf</tt> claim for the update of access rights.
        </t>
        <figure anchor="ex6">
          <name>Example CWT Claims Set with OSCORE parameters Parameters for update the Update of access rights.</name>
          <artwork Access Rights</name>
         <sourcecode name="" type="" align="left" alt=""><![CDATA[ type=""><![CDATA[
  {
    "aud" : "tempSensorInLivingRoom",
    "iat" : "1360189224",
    "exp" : "1360289224",
    "scope" :  "temperature_h",
    "cnf" : {
      "kid" : h'01'
    }
  }

          ]]></artwork>
          ]]></sourcecode>
        </figure>
        <!-- Client rejecting OSCORE_Security_Context if invalid <- This is not done as the client does not verify the token, so it would be easy for an attacker to interrupt ACE by just injecting unexisting fields.
        <t>
          When receiving the access token response, the client MUST <bcp14>MUST</bcp14> verify the OSCORE_Security_Context. If any of the expected parameters in the OSCORE_Security_Context is missing (e.g. any of the mandatory parameters from the AS), or if any parameters received in the OSCORE_Security_Context is unrecognized, the client MUST NOT <bcp14>MUST NOT</bcp14> continue processing, and MAY <bcp14>MAY</bcp14> attempt to retrieve a new token from the AS.
        <t>
        -->

        <section anchor="oscore-sec-ctx" numbered="true" toc="default">
          <name>The OSCORE_Input_Material</name>
          <t>
            An OSCORE_Input_Material is an object that represents the input material to derive an OSCORE Security Context, i.e., the local set of information elements necessary to carry out the cryptographic operations in OSCORE (Section 3.1 of <xref (<xref target="RFC8613" format="default"/>). sectionFormat="of" section="3.1"/>). In particular, the OSCORE_Input_Material is defined to be serialized and transported between nodes, as specified by this document, but it can also be used by other specifications if needed. The OSCORE_Input_Material can either be encoded as either a JSON object or as a CBOR map. The set of common parameters that can appear in an OSCORE_Input_Material can be found in the IANA "OSCORE Security Context Parameters" registry (<xref target="sec-ctx-params-reg" format="default"/>), defined for extensibility, and the initial set of parameters defined in this document is specified below.
            All parameters are optional.
            <xref target="key-labels" format="default"/> provides a summary of the OSCORE_Input_Material parameters defined in this section.
          </t>
          <table anchor="key-labels" align="center">
            <name>OSCORE_Input_Material Parameters</name>
            <thead>
              <tr>
                <th align="left">name</th>
                <th align="left">CBOR label</th>
                <th align="left">CBOR type</th>
                <th align="left">registry</th>
                <th align="left">description</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td align="left">id</td>
                <td align="left">0</td>
                <td align="left">byte string</td>
                <td align="left"/>
                <td align="left">OSCORE Input Material Identifier</td> identifier</td>
              </tr>
              <tr>
                <td align="left">version</td>
                <td align="left">1</td>
                <td align="left">unsigned integer</td>
                <td align="left"/>
                <td align="left">OSCORE Version</td> version</td>
              </tr>
              <tr>
                <td align="left">ms</td>
                <td align="left">2</td>
                <td align="left">byte string</td>
                <td align="left"/>
                <td align="left">OSCORE Master Secret value</td>
              </tr>
              <tr>
                <td align="left">hkdf</td>
                <td align="left">3</td>
                <td align="left">text string / integer</td>
                <td align="left">
                  <xref target="COSE.Algorithms" format="default"/> Values values (HMAC-based)</td>
                <td align="left">OSCORE HKDF value</td>
              </tr>
              <tr>
                <td align="left">alg</td>
                <td align="left">4</td>
                <td align="left">text string / integer</td>
                <td align="left">
                  <xref target="COSE.Algorithms" format="default"/> Values values (AEAD)</td>
                <td align="left">OSCORE AEAD Algorithm value</td>
              </tr>
              <tr>
                <td align="left">salt</td>
                <td align="left">5</td>
                <td align="left">byte string</td>
                <td align="left"/>
                <td align="left">an input to OSCORE Master Salt value</td>
              </tr>
              <tr>
                <td align="left">contextId</td>
                <td align="left">6</td>
                <td align="left">byte string</td>
                <td align="left"/>
                <td align="left">OSCORE ID Context value</td>
              </tr>
            </tbody>
          </table>
          <dl newline="false" spacing="normal">
            <dt>id:</dt>
            <dd>
                This parameter identifies the OSCORE_Input_Material and is encoded as a byte string.
                In JSON, the "id" value is a Base64 encoded base64-encoded byte string.
                In CBOR, the "id" type is a byte string, and it has label 0.
              </dd>
            <dt>version:</dt>
            <dd>
                This parameter identifies the OSCORE Version version number, which is an unsigned integer. For more information about this field, see section 5.4 of <xref target="RFC8613" format="default"/>. sectionFormat="of" section="5.4"/>.
                In JSON, the "version" value is an integer.
                In CBOR, the "version" type is an integer, and it has label 1.
              </dd>
            <dt>ms:</dt>
            <dd>
                This parameter identifies the OSCORE Master Secret value, which is a byte string. For more information about this field, see section 3.1 of <xref target="RFC8613" format="default"/>. sectionFormat="of" section="3.1"/>.
                In JSON, the "ms" value is a Base64 encoded base64-encoded byte string.
                In CBOR, the "ms" type is byte string, and it has label 2.
              </dd>
            <dt>hkdf:</dt>
            <dd>
                This parameter identifies the OSCORE HKDF Algorithm. For more information about this field, see section 3.1 of <xref target="RFC8613" format="default"/>. sectionFormat="of" section="3.1"/>.
                The values used MUST <bcp14>MUST</bcp14> be registered in the IANA "COSE Algorithms" registry (see <xref target="COSE.Algorithms" format="default"/>) and MUST <bcp14>MUST</bcp14> be HMAC-based HKDF algorithms (see section 3.1 of <xref target="I-D.ietf-cose-rfc8152bis-algs" format="default"/>). target="RFC9053" sectionFormat="of" section="3.1"/>). The value can either be either the integer or the text string text-string value of the HMAC-based HKDF algorithm in the "COSE Algorithms" registry.
                In JSON, the "hkdf" value is a case-sensitive ASCII string or an integer.
                In CBOR, the "hkdf" type is a text string or integer, and it has label 3.
              </dd>
            <dt>alg:</dt>
            <dd>
                This parameter identifies the OSCORE AEAD Algorithm. For more information about this field, see section 3.1 of <xref target="RFC8613" format="default"/> sectionFormat="of" section="3.1"/>.
                The values used MUST <bcp14>MUST</bcp14> be registered in the IANA "COSE Algorithms" registry (see <xref target="COSE.Algorithms" format="default"/>) and MUST <bcp14>MUST</bcp14> be AEAD algorithms. The value can either be either the integer or the text string text-string value of the HMAC-based HKDF algorithm in the "COSE Algorithms" registry.
                In JSON, the "alg" value is a case-sensitive ASCII string or an integer.
                In CBOR, the "alg" type is a text string or integer, and it has label 4.
              </dd>
            <dt>salt:</dt>
            <dd>
                This parameter identifies an input to the OSCORE Master Salt value, which is a byte string. For more information about this field, see section 3.1 of <xref target="RFC8613" format="default"/>. sectionFormat="of" section="3.1"/>.
                In JSON, the "salt" value is a Base64 encoded base64-encoded byte string.
                In CBOR, the "salt" type is a byte string, and it has label 5.
              </dd>
              <dt>contextId:</dt>
            <dd>
                This parameter identifies the security context as a byte string. This identifier is used as OSCORE ID Context. For more information about this field, see section 3.1 of <xref target="RFC8613" format="default"/>. sectionFormat="of" section="3.1"/>.
                In JSON, the "contextID" value is a Base64 encoded base64-encoded byte string.
                In CBOR, the "contextID" type is a byte string, and it has label 6.
              </dd>
          </dl>
          <t>
            An example of JSON OSCORE_Input_Material is given in <xref target="JSON-osc" format="default"/>.
          </t>
          <figure anchor="JSON-osc">
            <name>Example JSON OSCORE_Input_Material</name>
            <artwork
            <sourcecode name="" type="" align="left" alt=""><![CDATA[ type="json"><![CDATA[
        "osc" : {
          "alg" : "AES-CCM-16-64-128",
          "id" : b64'AQ=='
          "ms" : b64'+a+Dg2jjU+eIiOFCa9lObw'
        }

            ]]></artwork>
            ]]></sourcecode>
          </figure>
          <t>
            The CDDL grammar describing the CBOR OSCORE_Input_Material is:
          </t>
          <artwork type="CDDL"

<!--[rfced] In Section 3.2.1, we notice that the last figure (after
Figure 9) that describes the CDDL grammar for the CBOR
OSCORE_Input_Material does not have a title or figure number.
Would you like to add a title and make this Figure 10? If so,
please provide the desired text.
-->

        <sourcecode name="" align="left" alt=""><![CDATA[ type="cddl"><![CDATA[
OSCORE_Input_Material = {
    ? 0 => bstr,              ; id
    ? 1 => int,               ; version
    ? 2 => bstr,              ; ms
    ? 3 => tstr / int,        ; hkdf
    ? 4 => tstr / int,        ; alg
    ? 5 => bstr,              ; salt
    ? 6 => bstr,              ; contextId
    * int / tstr => any
}
]]></artwork>
]]></sourcecode>
        </section>
      </section>
    </section>
    <section anchor="c-rs1" numbered="true" toc="default">
      <name>Client-RS Communication</name>
      <t>
        The following subsections describe the details of the POST request and response to the authz-info endpoint between the client and RS. The client generates a nonce N1 and an identifier ID1 that is unique in the sets of its own Recipient IDs, IDs and posts them together with the token that includes the materials (e.g., OSCORE parameters) received from the AS to the RS. The RS then generates a nonce N2 and an identifier ID2 that is unique in the sets of its own Recipient IDs, IDs and uses Section 3.2 of <xref target="RFC8613" format="default"/> sectionFormat="of" section="3.2"/> to derive a security context based on a shared master secret, Master Secret, the two exchanged nonces nonces, and the two identifiers, established between the client and server. The exchanged nonces and identifiers are encoded as a CBOR byte string if CBOR is used, used and as Base64 a base64 string if JSON is used. This security context is used to protect all future communication between the client and RS using OSCORE, as long as the access token is valid.
      </t>
      <!--      <t>
        Note that the proof-of-possession required to bind the access token to the
        client is implicitly performed by generating the shared OSCORE Security Context using
        the pop-key as master secret, for both client and RS.  An attacker
        using a stolen token will not be able to generate a valid OSCORE context and
        thus not be able to prove possession of the pop-key.
      </t> -->

      <t>
        Note that the RS and client authenticate each other
        by generating the shared OSCORE Security Context using
        the pop-key PoP key as master secret. the Master Secret.  An attacker
        posting a valid token to the RS will not be able to generate a valid OSCORE Security Context and
        thus will not be able to prove possession of the pop-key. PoP key. Additionally, the mutual authentication is only achieved after the client has successfully verified a response from the RS protected with the generated OSCORE Security Context.
      </t>
      <section anchor="c-rs" numbered="true" toc="default">
        <name>C-to-RS: POST to authz-info endpoint</name> Endpoint</name>
        <t>
          The client MUST <bcp14>MUST</bcp14> generate a nonce value N1 that is very unlikely to have been previously used with the same input keying material. This profile RECOMMENDS using The use of a 64-bit long random number as the nonce's value. value is <bcp14>RECOMMENDED</bcp14> in this profile. The client MUST <bcp14>MUST</bcp14> store the nonce N1 as long as the response from the RS is not received and the access token related to it is still valid (to the best of the client's knowledge).
        </t>
        <t>
          The client generates its own Recipient ID, ID1, for the OSCORE Security Context that it is establishing with the RS. By generating its own Recipient ID, the client makes sure that it does not collide with any of its Recipient IDs, nor with any other identifier ID1 if the client is executing this exchange with a different RS at the same time.
        </t>
        <t>
          The client MUST <bcp14>MUST</bcp14> use CoAP and the Authorization Information authorization information resource as described in section 5.8.1 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/> target="RFC9200" sectionFormat="of" section="5.8.1"/> to transport the token, N1 N1, and ID1 to the RS.
        </t>
        <t>
          Note that the use of the payload and the Content-Format is different from what is described in section 5.8.1 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>, target="RFC9200" sectionFormat="of" section="5.8.1"/>, which only transports the token without any CBOR wrapping. In this profile, the client MUST <bcp14>MUST</bcp14> wrap the token, N1 N1, and ID1 in a CBOR map.

<!--[rfced] In RFC 9200, "application/ace+cbor" is defined in 8.15
and registered in the "CoAP Content-Formats" registry in 8.16.
How should the section number here be updated?

Original:
   The client MUST use the Content-Format
   "application/ace+cbor" defined in section 8.14 of
   [I-D.ietf-ace-oauth-authz].
-->
The client <bcp14>MUST</bcp14> use the Content-Format "application/ace+cbor" defined in <xref target="I-D.ietf-ace-oauth-authz" format="default"/>. target="RFC9200" sectionFormat="of" section="8.14"/>. The client MUST <bcp14>MUST</bcp14> include the access token using the <tt>access_token</tt> parameter, parameter; N1 using the <tt>nonce1</tt> parameter defined in <xref target="nonce1" format="default"/>, format="default"/>; and ID1 using the <tt>ace_client_recipientid</tt> parameter defined in <xref target="id1" format="default"/>.
        </t>
        <t>
          The communication with the authz-info endpoint does not have to be protected, except for the update of access rights case described below.
        </t>
        <t>
          Note that a client may be required to re-POST the access token in order to complete a request, since an RS may delete a stored access token (and associated Security Context) at any time, for example example, due to all storage space being consumed. This situation is detected by the client when it receives an AS Request Creation Hints response. Reposting the same access token will result in deriving a new OSCORE Security Context to be used with the RS, as different exchanged nonces will be used.
        </t>
        <t>
          The client may also choose to re-POST the access token in order to update its OSCORE Security Context. In that case, the client and the RS will exchange newly generated nonces, re-negotiate renegotiate identifiers, and derive new keying material. The client and RS might decide to keep the same identifiers or renew them during the re-negotiation. renegotiation.
        </t>
        <t>
          <xref target="ex3" format="default"/> shows an example of the request sent from the client to the RS. The access token has been truncated for readability.
        </t>
        <figure anchor="ex3">
          <name>Example C-to-RS POST /authz-info request using Request Using CWT</name>
          <artwork
          <sourcecode name="" type="" align="left" alt=""><![CDATA[ type="cbor"><![CDATA[
      Header: POST (Code=0.02)
      Uri-Host: "rs.example.com"
      Uri-Path: "authz-info"
      Content-Format: "application/ace+cbor"
      Payload:
        {
          "access_token": h'8343a1010aa2044c53 ...
       (remainder of access token (CWT) omitted for brevity)',
          "nonce1": h'018a278f7faab55a',
          "ace_client_recipientid" : h'1645'
        }

          ]]></artwork>
          ]]></sourcecode>
        </figure>
        <t>
          If the client has already posted a valid token, has already established a security association with the RS, and wants to update its access rights, the client can do so by posting the new token (retrieved from the AS and containing the update of access rights) to the /authz-info endpoint. The client MUST <bcp14>MUST</bcp14> protect the request using the OSCORE Security Context established during the first token exchange. The client MUST <bcp14>MUST</bcp14> only send the <tt>access_token</tt> field in the CBOR map in the payload, payload; no nonce or identifier are is sent. After proper verification (see <xref target="rs-c" format="default"/>), the RS will replace the old token with the new one, maintaining the same Security Context.
        </t>
        <section anchor="nonce1" numbered="true" toc="default">
          <name>The Nonce 1 Parameter</name>
          <t>
             This
             The <tt>nonce 1</tt> parameter MUST <bcp14>MUST</bcp14> be sent from the client to the RS, together with the access token, if the ace ACE profile used is coap_oscore, "coap_oscore", and the message is not an update of access rights, protected with an existing OSCORE Security Context.  The parameter is encoded as a byte string for
   CBOR-based interactions, interactions and as a string (Base64 encoded (base64-encoded binary) for
   JSON-based interactions. This parameter is registered in <xref target="iana-nonces-ids" format="default"/>.
          </t>
        </section>
        <section anchor="id1" numbered="true" toc="default">
          <name>The ace_client_recipientid Parameter</name>
          <t>
             This
             The <tt>ace_client_recipientid</tt> parameter MUST <bcp14>MUST</bcp14> be sent from the client to the RS, together with the access token, if the ace ACE profile used is coap_oscore, "coap_oscore", and the message is not an update of access rights, protected with an existing OSCORE Security Context.  The parameter is encoded as a byte string for
   CBOR-based interactions, interactions and as a string (Base64 encoded (base64-encoded binary) for
   JSON-based interactions. This parameter is registered in <xref target="iana-nonces-ids" format="default"/>.
          </t>
        </section>
      </section>
      <section anchor="rs-c" numbered="true" toc="default">
        <name>RS-to-C: 2.01 (Created)</name>
        <t>
          The RS MUST <bcp14>MUST</bcp14> follow the procedures defined in section 5.8.1 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>: target="RFC9200" sectionFormat="of" section="5.8.1"/>: the RS must verify the validity of the token. If the token is valid, the RS must respond to the POST request with 2.01 (Created).

<!--[rfced] For consistency, we updated one instance of "id1" to be
"ID1" in the text below.  If this update is not correct, please
let us know.

Original:
   If the token is valid but is associated
   to claims that the RS cannot process (e.g., an unknown scope), or if
   any of the expected parameters is missing (e.g., any of the mandatory
   parameters from the AS or the identifier <tt>id1</tt>), "id1")...

Current:
   If the token is valid but is associated
   to claims that the RS cannot process (e.g., an unknown scope), or if
   any of the expected parameters is missing (e.g., any of the mandatory
   parameters from the AS or the identifier "ID1")...
-->
	  If the token is valid but is associated to claims that the RS cannot process (e.g., an unknown scope), or if any of the expected parameters are missing (e.g., any of the mandatory parameters from the AS or the identifier ID1), or if any parameters received in the <tt>osc</tt> field is are unrecognized, the RS must respond with an error response code equivalent to the CoAP code 4.00 (Bad Request). In the latter two cases, the RS may provide additional information in the error response, in order to clarify what went wrong.
          The RS may make an introspection request (see Section 5.9.1 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>) target="RFC9200" sectionFormat="of" section="5.9.1"/>) to validate the token before responding to the POST request to the authz-info endpoint.
        </t>
        <t>
          Additionally, the RS MUST <bcp14>MUST</bcp14> generate a nonce N2 that is very unlikely to have been previously used with the same input keying material, material and its own Recipient ID, ID2. The RS makes sure that ID2 does not collide with any of its Recipient IDs. The RS MUST <bcp14>MUST</bcp14> ensure that ID2 is different from the value received in the ace_client_recipientid <tt>ace_client_recipientid</tt> parameter. The RS sends N2 and ID2 within the 2.01 (Created) response. The payload of the 2.01 (Created) response MUST <bcp14>MUST</bcp14> be a CBOR map containing the <tt>nonce2</tt> parameter defined in <xref target="nonce2" format="default"/>, set to N2, and the <tt>ace_server_recipientid</tt> parameter defined in <xref target="id2" format="default"/>, set to ID2. This profile RECOMMENDS using The use of a 64-bit long random number as the nonce's value. value is <bcp14>RECOMMENDED</bcp14> in this profile.

<!--[rfced] In RFC 9200, "application/ace+cbor" is defined in 8.15
and registered in the "CoAP Content-Formats" registry in 8.16.
How should the section number here be updated?

Original:
   The RS MUST use the Content-Format "application/ace+cbor" "application/
   ace+cbor" defined in section 8.14 of [I-D.ietf-ace-oauth-authz].
-->

	  The RS <bcp14>MUST</bcp14> use the Content-Format "application/ace+cbor" defined in <xref target="I-D.ietf-ace-oauth-authz" format="default"/>. target="RFC9200" sectionFormat="of" section="8.14"/>.
        </t>
        <!--
        <t>
        	Note that, when using this profile, an identifier of the token (e.g., the cti for a CWT) is not transported in the payload of this request, as section 5.8.1 of <xref target="I-D.ietf-ace-oauth-authz"/> allows.
        </t>
-->

        <t>
          <xref target="ex4" format="default"/> shows an example of the response sent from the RS to the client.
        </t>
        <figure anchor="ex4">
          <name>Example RS-to-C 2.01 (Created) response</name>
          <artwork Response</name>
          <sourcecode name="" type="" align="left" alt=""><![CDATA[ type="cbor"><![CDATA[
      Header: Created (Code=2.01)
      Content-Format: "application/ace+cbor"
      Payload:
        {
          "nonce2": h'25a8991cd700ac01',
          "ace_server_recipientid" : h'0000'
        }

          ]]></artwork>
          ]]></sourcecode>
        </figure>
        <t>
          As specified in section 5.8.3 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>, target="RFC9200" sectionFormat="of" section="5.8.3"/>, the RS must notify the client with an error response with code 4.01 (Unauthorized) for any long running request before terminating the session, when the access token expires.
        </t>
        <t>
          If the RS receives the token in a OSCORE protected an OSCORE-protected message, it means that the client is requesting an update of access rights. The RS MUST <bcp14>MUST</bcp14> ignore any nonce and identifiers in the request, if any was were sent. The RS MUST <bcp14>MUST</bcp14> check that the "kid" of the <tt>cnf</tt> claim of the new access token matches the identifier of the OSCORE Input Material of the context used to protect the message. If that is the case, the RS MUST <bcp14>MUST</bcp14> overwrite the old token and associate the new token to the Security Context identified by the "kid" value in the <tt>cnf</tt> claim. The RS MUST <bcp14>MUST</bcp14> respond with a 2.01 (Created) response protected with the same Security Context, with no payload. If any verification fails, the RS MUST <bcp14>MUST</bcp14> respond with a 4.01 (Unauthorized) error response.
        </t>
        <t>
          As specified in section 5.8.1 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>, target="RFC9200" sectionFormat="of" section="5.8.1"/>, when receiving an updated access token with updated authorization information from the client (see <xref target="c-as" format="default"/>), it is recommended that the RS overwrites the previous token, token; that is is, only the latest authorization information in the token received by the RS is valid. This simplifies the process needed by the RS to keep track of authorization information for a given client.
        </t>
        <section anchor="nonce2" numbered="true" toc="default">
          <name>The Nonce 2 Parameter</name>
          <t>
             This
             The <tt>nonce 2</tt> parameter MUST <bcp14>MUST</bcp14> be sent from the RS to the client if the ace ACE profile used is coap_oscore, "coap_oscore" and the message is not a response to an update of access rights, protected with an existing OSCORE Security Context. The parameter is encoded as a byte string for
   CBOR-based interactions, interactions and as a string (Base64 encoded (base64-encoded binary) for
   JSON-based interactions. This parameter is registered in <xref target="iana-nonces-ids" format="default"/>
          </t>
        </section>
        <section anchor="id2" numbered="true" toc="default">
          <name>The ace_server_recipientid Parameter</name>
          <t>
             This
             The <tt>ace_server_recipientid</tt> parameter MUST <bcp14>MUST</bcp14> be sent from the RS to the client if the ace ACE profile used is coap_oscore, "coap_oscore" and the message is not a response to an update of access rights, protected with an existing OSCORE Security Context. The parameter is encoded as a byte string for
   CBOR-based interactions, interactions and as a string (Base64 encoded (base64-encoded binary) for
   JSON-based interactions. This parameter is registered in <xref target="iana-nonces-ids" format="default"/>
          </t>
        </section>
      </section>
      <section anchor="oscore-setup" numbered="true" toc="default">
        <name>OSCORE Setup</name>
        <t>
          Once the 2.01 (Created) response is received from the RS, following the POST request to authz-info endpoint, the client MUST <bcp14>MUST</bcp14> extract the bstr nonce N2 from the <tt>nonce2</tt> parameter in the CBOR map in the payload of the response. Then, the client MUST <bcp14>MUST</bcp14> set the Master Salt of the Security Context created to communicate with the RS to the concatenation of salt, N1, and N2, N2 in this order: Master Salt = salt | N1 | N2, where | denotes byte string concatenation, where salt is the CBOR byte string received from the AS in <xref target="as-c" format="default"/>, and where N1 and N2 are the two nonces encoded as CBOR byte strings.  An example of Master Salt construction using CBOR encoding is given in <xref target="ms-ex" format="default"/>.
        </t>
        <figure anchor="ms-ex">
          <name>Example of Master Salt construction using Construction Using CBOR encoding</name>
          <artwork Encoding</name>
         <sourcecode name="" type="" align="left" alt=""><![CDATA[ type="cbor"><![CDATA[
N1, N2 and input salt expressed in CBOR diagnostic notation:
      nonce1 = h'018a278f7faab55a'
      nonce2 = h'25a8991cd700ac01'
      input salt = h'f9af838368e353e78888e1426bd94e6f'

N1, N2 and input salt as CBOR encoded byte strings:
      nonce1 = 0x48018a278f7faab55a
      nonce2 = 0x4825a8991cd700ac01
      input salt = 0x50f9af838368e353e78888e1426bd94e6f

Master Salt = 0x50 f9af838368e353e78888e1426bd94e6f
                48 018a278f7faab55a 48 25a8991cd700ac01

          ]]></artwork>
          ]]></sourcecode>
        </figure>
        <t>
          If JSON is used instead of CBOR, the Master Salt of the Security Context is the Base64 base64 encoding of the concatenation of the same parameters, each of them prefixed by their size, encoded in 1 byte. When using JSON, the nonces and input salt have a maximum size of 255 bytes. An example of Master Salt construction using Base64 base64 encoding is given in <xref target="ms-ex-2" format="default"/>.
        </t>
        <figure anchor="ms-ex-2">
          <name>Example of Master Salt construction using Construction Using Base64 encoding</name>
          <artwork Encoding</name>

<!--rfced] Note that we lowercased "Base64" throughout the text for
consistency with other RFCs. May we also lowercase "Base64" in
Figure 13?

Also, should a comma be inserted after "N2" to match use of the
serial comma in the running text (note that we would apply
this update to the other figures as well, if desired)?

Original:
   N1, N2 and input salt values:
      nonce1 = 0x018a278f7faab55a (8 bytes)
      nonce2 = 0x25a8991cd700ac01 (8 bytes)
      input salt = 0xf9af838368e353e78888e1426bd94e6f (16 bytes)

   Input to Base64 encoding: 0x10 f9af838368e353e78888e1426bd94e6f
                            08 018a278f7faab55a 08 25a8991cd700ac01

Perhaps:
   N1, N2, and input salt values:
      nonce1 = 0x018a278f7faab55a (8 bytes)
      nonce2 = 0x25a8991cd700ac01 (8 bytes)
      input salt = 0xf9af838368e353e78888e1426bd94e6f (16 bytes)

   Input to base64 encoding: 0x10 f9af838368e353e78888e1426bd94e6f
                            08 018a278f7faab55a 08 25a8991cd700ac01
-->
         <sourcecode name="" type="" align="left" alt=""><![CDATA[ type="json"><![CDATA[
N1, N2 and input salt values:
      nonce1 = 0x018a278f7faab55a (8 bytes)
      nonce2 = 0x25a8991cd700ac01 (8 bytes)
      input salt = 0xf9af838368e353e78888e1426bd94e6f (16 bytes)

Input to Base64 encoding: 0x10 f9af838368e353e78888e1426bd94e6f
                            08 018a278f7faab55a 08 25a8991cd700ac01

Master Salt = b64'EPmvg4No41PniIjhQmvZTm8IAYonj3+qtVoIJaiZHNcArAE='

          ]]></artwork>
          ]]></sourcecode>
        </figure>
        <t>
           The client MUST <bcp14>MUST</bcp14> set the Sender ID to the ace_server_recipientid <tt>ace_server_recipientid</tt> received in <xref target="rs-c" format="default"/>, format="default"/> and set the Recipient ID to the ace_client_recipientid <tt>ace_client_recipientid</tt> sent in <xref target="c-rs" format="default"/>. The client MUST <bcp14>MUST</bcp14> set the Master Secret from the parameter received from the AS in <xref target="as-c" format="default"/>. The client MUST <bcp14>MUST</bcp14> set the AEAD Algorithm, algorithm, ID Context, HKDF, and OSCORE Version version from the parameters received from the AS in <xref target="as-c" format="default"/>, if present. In case an optional parameter is omitted, the default value SHALL <bcp14>SHALL</bcp14> be used as described in sections 3.2 Sections <xref target="RFC8613" sectionFormat="bare" section="3.2"/> and 5.4 <xref target="RFC8613" sectionFormat="bare" section="5.4"/> of <xref target="RFC8613" format="default"/>. After that, the client MUST <bcp14>MUST</bcp14> derive the complete Security Context following section 3.2.1 of <xref target="RFC8613" format="default"/>. sectionFormat="of" section="3.2.1"/>. From this point on, the client MUST <bcp14>MUST</bcp14> use this Security Context to communicate with the RS when accessing the resources as specified by the authorization information.
        </t>
        <t>
          If any of the expected parameters is are missing (e.g., any of the mandatory parameters from the AS or the RS), or if ace_client_recipientid <tt>ace_client_recipientid</tt> equals ace_server_recipientid <tt>ace_server_recipientid</tt> (and as a consequence consequence, the Sender and Recipient Keys derived would be equal, equal; see section 3.3 of <xref target="RFC8613" format="default"/>), sectionFormat="of" section="3.3"/>), then the client MUST <bcp14>MUST</bcp14> stop the exchange, exchange and MUST NOT <bcp14>MUST NOT</bcp14> derive the Security Context. The client MAY <bcp14>MAY</bcp14> restart the exchange, to get the correct security material.
        </t>
        <t>
          The client then uses this Security Context to send requests to the RS using OSCORE.
        </t>
        <t>
          After sending the 2.01 (Created) response, the RS MUST <bcp14>MUST</bcp14> set the Master Salt of the Security Context created to communicate with the client to the concatenation of salt, N1, and N2, N2 in the same way described above. An example of Master Salt construction using CBOR encoding is given in <xref target="ms-ex" format="default"/> and using Base64 base64 encoding is given in <xref target="ms-ex-2" format="default"/>. The RS MUST <bcp14>MUST</bcp14> set the Sender ID from the ace_client_recipientid <tt>ace_client_recipientid</tt> received in <xref target="c-rs" format="default"/>, format="default"/> and set the Recipient ID from the ace_server_recipientid <tt>ace_server_recipientid</tt> sent in <xref target="rs-c" format="default"/>. The RS MUST <bcp14>MUST</bcp14> set the Master Secret from the parameter received from the AS and forwarded by the client in the access token in <xref target="c-rs" format="default"/> after validation of the token as specified in <xref target="rs-c" format="default"/>. The RS MUST <bcp14>MUST</bcp14> set the AEAD Algorithm, algorithm, ID Context, HKDF, and OSCORE Version version from the parameters received from the AS and forwarded by the client in the access token in <xref target="c-rs" format="default"/> after validation of the token as specified in <xref target="rs-c" format="default"/>, if present. In case an optional parameter is omitted, the default value SHALL <bcp14>SHALL</bcp14> be used as described in sections 3.2 Sections <xref target="RFC8613" sectionFormat="bare" section="3.2"/> and 5.4 <xref target="RFC8613" sectionFormat="bare" section="5.4"/> of <xref target="RFC8613" format="default"/>. After that, the RS MUST <bcp14>MUST</bcp14> derive the complete Security Context following section 3.2.1 of <xref target="RFC8613" format="default"/>, sectionFormat="of" section="3.2.1"/> and MUST <bcp14>MUST</bcp14> associate this Security Context with the authorization information from the access token.
        </t>
        <t>
          The RS then uses this Security Context to verify requests and send responses to the client using OSCORE. If OSCORE verification fails, error responses are used, as specified in section 8 of <xref target="RFC8613" format="default"/>. sectionFormat="of" section="8"/>. Additionally, if OSCORE verification succeeds, the verification of access rights is performed as described in section <xref target="tok-ver" format="default"/>. The RS MUST NOT <bcp14>MUST NOT</bcp14> use the Security Context after the related token has expired, expired and MUST <bcp14>MUST</bcp14> respond with a an unprotected 4.01 (Unauthorized) error message to
requests received that correspond to a Security Context with an expired
token.
        </t>
        <t>
          Note that the ID Context can be assigned by the AS, communicated and set in both the RS and client after the exchange specified in this profile is executed. Subsequently, the client and RS can update their ID Context by running a mechanism such as the one defined in Appendix B.2 of <xref target="RFC8613" format="default"/> sectionFormat="of" section="B.2"/> if they both support it and are configured to do so. In that case, the ID Context in the OSCORE Security Context will not match the "contextId" <tt>contextId</tt> parameter of the corresponding OSCORE_Input_Material. Running Appendix B.2 <xref target="RFC8613" sectionFormat="bare" section="B.2"/> results in the keying material being updated in the Security Contexts of the client and RS being updated; RS; this same result can also be achieved by the client reposting the access token to the unprotected /authz-info endpoint at the RS, as described in <xref target="c-rs" format="default"/>, but without updating the ID Context.
        </t>
      </section>
      <section anchor="tok-ver" numbered="true" toc="default">
        <name>Access rights verification</name> Rights Verification</name>
        <t>
          The RS MUST <bcp14>MUST</bcp14> follow the procedures defined in section 5.8.2 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>: target="RFC9200" sectionFormat="of" section="5.8.2"/>: if an RS receives an OSCORE-protected request from a client, then the RS processes it according to <xref target="RFC8613" format="default"/>. If OSCORE verification succeeds, and the target resource
          requires authorization, the RS retrieves the authorization information using the access token associated to the Security Context. The RS then must verify that the authorization information covers the resource and the action requested.
        </t>
      </section>
    </section>
    <section anchor="introsp" numbered="true" toc="default">
      <name>Secure Communication with AS</name>
      <t>
        As specified in the ACE framework (section 5.9 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>), (<xref target="RFC9200" sectionFormat="of" section="5.9"/>), the requesting entity (RS and/or client) and the AS communicates via the introspection or token endpoint. The use of CoAP and OSCORE (<xref <xref target="RFC8613" format="default"/>) format="default"/> for this communication is RECOMMENDED <bcp14>RECOMMENDED</bcp14> in this profile; other protocols fulfilling the security requirements defined in section 5 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/> target="RFC9200" sectionFormat="of" section="5"/> (such as HTTP and DTLS or TLS) MAY <bcp14>MAY</bcp14> be used instead.
      </t>
      <t>
        If OSCORE is used, the requesting entity and the AS are expected to have pre-established preestablished security contexts in place.  How these security contexts are established is out of scope for this profile.  Furthermore  Furthermore, the requesting entity and the AS communicate through the introspection endpoint as specified in section 5.9 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/> target="RFC9200" sectionFormat="of" section="5.9"/> and through the token endpoint as specified in section 5.8 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>. target="RFC9200" sectionFormat="of" section="5.8"/>.
      </t>
    </section>
    <section anchor="sec-ctx-discard" numbered="true" toc="default">
      <name>Discarding the Security Context</name>
      <t>
        There are a number of scenarios where a client or RS needs to discard the OSCORE security context, context and acquire a new one.
      </t>
      <t>
        The client MUST <bcp14>MUST</bcp14> discard the current Security Context associated with an RS when any of the following occurs:
      </t>
      <ul spacing="normal">
        <li> the Sequence Number sequence number space ends. </li>
        <li> the access token associated with the context becomes invalid due to, for example, expiration. </li>
        <li> the client receives a number of 4.01 Unauthorized responses to OSCORE requests using the same Security Context. The exact number needs to be specified by the application. </li>
        <li> the client receives a new nonce in the 2.01 (Created) response (see <xref target="rs-c" format="default"/>) to a POST request to the authz-info endpoint, when re-posting reposting a (non-expired) token associated to the existing context. </li>
      </ul>
      <t>
        The RS MUST <bcp14>MUST</bcp14> discard the current Security Context associated with a client when any of the following occurs:
      </t>
      <ul spacing="normal">
        <li> the Sequence Number sequence number space ends. </li>
        <li> the access token associated with the context expires. </li>
        <li> the client has successfully replaced the current security context with a newer one by posting an access token to the unprotected /authz-info endpoint at the RS, e.g., by re-posting reposting the same token, as specified in <xref target="c-rs" format="default"/>.</li>
      </ul>
      <t>
        Whenever one more access token is successfully posted to the RS, and a new Security Context is derived between the client and RS, messages in transit that were protected with the previous Security Context might not pass verification, as the old context is discarded. That means that messages sent shortly before the client posts one more access token tokens to the RS might not successfully reach the destination. Analogously, implementations may want to cancel CoAP observations at the RS registered before the Security Context is replaced, or conversely conversely, they will need to implement a mechanism to ensure that those observations are to be protected with the newly derived Security Context.
      </t>
    </section>
    <section anchor="sec-cons" numbered="true" toc="default">
      <name>Security Considerations</name>
      <t>
        This document specifies a profile for the Authentication and
        Authorization for Constrained Environments (ACE) ACE framework
        <xref target="I-D.ietf-ace-oauth-authz" target="RFC9200" format="default"/>.  Thus  Thus, the general security
        considerations from the framework also apply to this profile.
      </t>
      <t>
        Furthermore
        Furthermore, the general security considerations of OSCORE <xref target="RFC8613" format="default"/> also apply to this specific
        use of the OSCORE protocol.
      </t>
      <t>
        As previously stated, the proof-of-possession proof of possession in this profile is performed by both parties verifying that they have established the same Security Context, as specified in <xref target="oscore-setup" format="default"/>, which means that both the OSCORE request and the OSCORE response passes verification.
        RS authentication requires both that the client trusts the AS and that the OSCORE response from the RS passes verification.
      </t>
      <t>
        OSCORE is designed to secure point-to-point communication,
        providing a secure binding between the request and the response(s).
        Thus
        Thus, the basic OSCORE protocol is not intended for use in
        point-to-multipoint communication (e.g., multicast, publish-subscribe).
        Implementers of this profile should make sure that their use case
        corresponds to the expected use of OSCORE, to prevent weakening the
        security assurances provided by OSCORE.
      </t>
      <t>
        Since the use of nonces N1 and N2 during the exchange guarantees uniqueness of AEAD keys and nonces, it is REQUIRED <bcp14>REQUIRED</bcp14> that the exchanged nonces are not reused with the same input keying material even in case of re-boots. This document RECOMMENDS the reboots. The exchange of 64 bit 64-bit random nonces. nonces is <bcp14>RECOMMENDED</bcp14> in this document.

<!-- [rfced] FYI, we have used the <sup> element for superscript in
Section 7; please review. If this output is not desired, please
let us know.

Note: In the HTML and PDF files, it appears as superscript.
In the text output, <sup> generates a^b.

Original:
   Considering the birthday paradox, the average collision for
   each nonce will happen after 2^32 messages, which is
   considerably more token provisioned than would be
   expected for intended applications.

Current:
   See Section 7 (paragraph 5) in the output files.
-->

<!--Per the authors, "token provisioned" has been
updated to "token provisionings" in the sentence that follows.
-->
Considering the birthday paradox, the average collision for each nonce will happen after 2<sup>32</sup> messages, which is considerably more token provisionings than would be expected for intended applications. If applications use something else, such as a counter, they need to guarantee that reboot and loss of state on either node does not provoke reuse.
        If that is not guaranteed, nodes are susceptible to reuse of AEAD (nonce, key) pairs, especially since an on-path attacker can cause the use of a previously exchanged client nonce N1 for Security Context establishment by replaying the corresponding client-to-server message.
      </t>
      <t>
        This profile RECOMMENDS
        In this profile, it is <bcp14>RECOMMENDED</bcp14> that the RS maintains a single access token for each client. The use of multiple access tokens for a single client increases the strain on the resource server as it must consider every access token and calculate the actual permissions of the client. Also, tokens indicating different or disjoint permissions from each other may lead the server to enforce wrong permissions. If one of the access tokens expires earlier than others, the resulting permissions may offer insufficient protection. Developers SHOULD <bcp14>SHOULD</bcp14> avoid using multiple access tokens for a the same client.
      </t>
      <t>
        If a single OSCORE Input Material is used with multiple RSs, the RSs can impersonate the client to one of the other RS, RSs and impersonate another RS to the client. If a master secret Master Secret is used with several clients, the clients can impersonate RS to one of the other clients. Similarly Similarly, if symmetric keys are used to integrity protect the token between AS and RS and the token can be used with multiple RSs, the RSs can impersonate AS to one of the other RS. RSs. If the token key is used for any other communication between the RSs and AS, the RSs can impersonate each other to the AS.
      </t>
    </section>
    <section numbered="true" toc="default">
      <name>Privacy Considerations</name>
      <t>
        This document specifies a profile for the Authentication and
        Authorization for Constrained Environments (ACE) ACE framework
        <xref target="I-D.ietf-ace-oauth-authz" target="RFC9200" format="default"/>.  Thus  Thus, the general privacy
        considerations from the framework also apply to this profile.
      </t>
      <t>
        As this document uses OSCORE, thus the privacy considerations from
	<xref target="RFC8613" format="default"/> apply here as well.
      </t>
      <t>
      	An unprotected response to an unauthorized request may disclose information about the resource server and/or its existing relationship with the client. It is advisable to include as little information as possible in an unencrypted response. When an OSCORE Security Context already exists between the client and the resource server, more detailed information may be included.
      </t>
      <t>
        The token is sent in the clear to the authz-info endpoint, so if a client uses the same single token from multiple locations with multiple Resource Servers, resource servers, it can risk being tracked by the token's value even when the access token is encrypted.
      </t>
      <t>
        The nonces exchanged in the request and response to the authz-info endpoint are also sent in the clear, so using random nonces is best for privacy (as opposed to, e.g., a counter, that which might leak some information about the client).
      </t>
      <t>
        The identifiers used in OSCORE, negotiated between the client and RS RS, are privacy sensitive (see Section 12.8 of <xref target="RFC8613" format="default"/>), sectionFormat="of" section="12.8"/>) and could reveal information about the client, or they may be used for correlating requests from one client.
      </t>
      <t>
      	Note that some information might still leak after OSCORE is established, due to observable message sizes, the source, and the destination addresses.
      </t>
    </section>
    <section numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>Note to RFC Editor: Please replace all occurrences of "[[this document]]"
      with the RFC number of this document. Please add a reference to the IANA ACE Profile registry in the nextt subsection once it has been created by IANA, and then delete this paragraph.</t>
      <section numbered="true" toc="default">
        <name>ACE Profile Registry</name>
        <t>The following registration is done for has been made in the ACE Profile
        Registry "ACE Profiles"
        registry following the procedure specified in section 8.8 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>:</t>
        <ul target="RFC9200" sectionFormat="of" section="8.8"/>:</t>

	<dl spacing="compact">
          <li>Name: coap_oscore</li>
          <li>Description: Profile
          <dt>Name:</dt><dd> coap_oscore</dd>
          <dt>Description:</dt><dd>Profile for using OSCORE to secure communication
        between constrained nodes using the Authentication and Authorization
        for Constrained Environments framework.</li>
          <li>CBOR Value: TBD (value between 1 and 255)</li>
          <li>Reference: [[this document]]</li>
        </ul> framework.</dd>
          <dt>CBOR Value:</dt><dd>2</dd>
          <dt>Reference:</dt><dd>RFC 9203</dd>
        </dl>
      </section>

      <section anchor="iana-nonces-ids" numbered="true" toc="default">
        <name>OAuth Parameters Registry</name>
        <t>The following registrations are done for have been made in the OAuth Parameters
        Registry "OAuth Parameters"
        registry <xref target="IANA.OAuthParameters" format="default"/> following the procedure specified in section 11.2 of <xref target="RFC6749" format="default"/>:</t>
        <ul sectionFormat="of" section="11.2"/>:</t>

        <dl spacing="compact">
          <li>Parameter name: nonce1</li>
          <li>Parameter
          <dt>Parameter name:</dt><dd>nonce1</dd>
          <dt>Parameter usage location: client-rs request</li>
          <li>Change Controller: IESG</li>
          <li>Specification Document(s): [[this document]]</li>
        </ul>
        <ul location:</dt><dd>client-rs request</dd>
          <dt>Change Controller:</dt><dd>IETF</dd>
          <dt>Specification Document(s):</dt><dd>RFC 9203</dd>
        </dl>
        <dl spacing="compact">
          <li>Parameter name: nonce2</li>
          <li>Parameter
          <dt>Parameter name:</dt><dd>nonce2</dd>
          <dt>Parameter usage location: rs-client response</li>
          <li>Change Controller: IESG</li>
          <li>Specification Document(s): [[this document]]</li>
        </ul>
        <ul location:</dt><dd>rs-client response</dd>
          <dt>Change Controller:</dt><dd>IETF</dd>
          <dt>Specification Document(s):</dt><dd>RFC 9203</dd>
        </dl>
        <dl spacing="compact">
          <li>Parameter name: ace_client_recipientid</li>
          <li>Parameter
          <dt>Parameter name:</dt><dd>ace_client_recipientid</dd>
          <dt>Parameter usage location: client-rs request</li>
          <li>Change Controller: IESG</li>
          <li>Specification Document(s): [[this document]]</li>
        </ul>
        <ul location:</dt><dd>client-rs request</dd>
          <dt>Change Controller:</dt><dd>IETF</dd>
          <dt>Specification Document(s):</dt><dd>RFC 9203</dd>
        </dl>
        <dl spacing="compact">
          <li>Parameter name: ace_server_recipientid</li>
          <li>Parameter
          <dt>Parameter name:</dt><dd>ace_server_recipientid</dd>
          <dt>Parameter usage location: rs-client response</li>
          <li>Change Controller: IESG</li>
          <li>Specification Document(s): [[this document]]</li>
        </ul> location:</dt><dd>rs-client response</dd>
          <dt>Change Controller:</dt><dd>IETF</dd>
          <dt>Specification Document(s):</dt><dd>RFC 9203</dd>
        </dl>
      </section>
      <section numbered="true" toc="default">
        <name>OAuth Parameters CBOR Mappings Registry</name>
        <t>The following registrations are done for have been made in the OAuth "OAuth Parameters CBOR Mappings
        Registry Mappings"
        registry following the procedure specified in section 8.10 of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>:</t>
        <ul spacing="compact">
          <li>Name: nonce1</li>
          <li>CBOR Key: TBD1</li>
          <li>Value Type: bstr</li>
          <li>Reference: [[this document]]</li>
        </ul>
        <ul spacing="compact">
          <li>Name: nonce2</li>
          <li>CBOR Key: TBD2</li>
          <li>Value Type: bstr</li>
          <li>Reference: [[this document]]</li>
        </ul>
        <ul spacing="compact">
          <li>Name: ace_client_recipientid</li>
          <li>CBOR Key: TBD3</li>
          <li>Value Type: bstr</li>
          <li>Reference: [[this document]]</li>
        </ul>
        <ul spacing="compact">
          <li>Name: ace_server_recipientid</li>
          <li>CBOR Key: TBD4</li>
          <li>Value Type: bstr</li>
          <li>Reference: [[this document]]</li>
        </ul> target="RFC9200" sectionFormat="of" section="8.10"/>:</t>
        <dl spacing="compact" indent="12">
          <dt>Name:</dt><dd>nonce1</dd>
          <dt>CBOR Key:</dt><dd>40</dd>
          <dt>Value Type:</dt><dd>bstr</dd>
          <dt>Reference:</dt><dd>RFC 9203</dd>
	  <dt>Original Specification:</dt><dd>RFC 9203</dd>
        </dl>
        <dl spacing="compact" indent="12">
          <dt>Name:</dt><dd>nonce2</dd>
          <dt>CBOR Key:</dt><dd>42</dd>
          <dt>Value Type:</dt><dd>bstr</dd>
          <dt>Reference:</dt><dd>RFC 9203</dd>
	  <dt>Original Specification:</dt><dd>RFC 9203</dd>
        </dl>
        <dl spacing="compact" indent="12">
          <dt>Name:</dt><dd>ace_client_recipientid</dd>
          <dt>CBOR Key:</dt><dd>43</dd>
          <dt>Value Type:</dt><dd>bstr</dd>
          <dt>Reference:</dt><dd>RFC 9203</dd>
	  <dt>Original Specification:</dt><dd>RFC 9203</dd>
        </dl>
        <dl spacing="compact" indent="12">
          <dt>Name:</dt><dd>ace_server_recipientid</dd>
          <dt>CBOR Key:</dt><dd>44</dd>
          <dt>Value Type:</dt><dd>bstr</dd>
          <dt>Reference:</dt><dd>RFC 9203</dd>
	  <dt>Original Specification:</dt><dd>RFC 9203</dd>
        </dl>
      </section>
      <section anchor="sec-ctx-params-reg" numbered="true" toc="default">
        <name>OSCORE Security Context Parameters Registry</name>
        <t>
          It is requested that
          IANA create has created a new registry entitled "OSCORE Security Context Parameters" registry. Parameters".
          The registry registration procedure is to be created as Expert Review Required. <xref target="RFC8126" format="default"/>.
          Guidelines for the experts is are provided in <xref target="review" format="default"/>.
          It should be noted that in addition to the expert review, Expert Review, some portions of the registry require a specification, potentially on standards track, the Standards Track, be supplied as well.
        </t>
        <t>
          The columns of the registry are:
        </t>
        <dl newline="false" spacing="compact">
          <dt>name</dt> spacing="normal">
          <dt>Name:</dt>
          <dd>
              The JSON name requested (e.g., "ms").
              Because a core goal of this document is for the resulting representations to be compact, it is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that the name be short.
              This name is case sensitive.
              Names may not match other registered names in a case-insensitive manner unless the Designated Experts designated experts determine that there is a compelling reason to allow an exception.
              The name is not used in the CBOR encoding.
            </dd>
          <dt>CBOR label</dt> Label:</dt>
<!--[rfced] In Section 9.4, the ranges for registration procedures are described,
but they do not match the IANA registry, which shows "Expert Review" only.
(https://www.iana.org/assignments/ace/ace.xhtml#oscore-security-context-parameters).
Which on is correct? i.e.,
Should the IANA registry be updated, or should this document be updated?

Original:
      Integer values between -256 and 255
      and strings of length 1 are designated as Standards Track Document
      required.  Integer values from -65536 to -257 and from 256 to
      65535 and strings of length 2 are designated as Specification
      Required.  Integer values greater than 65535 and strings of length
      greater than 2 are designated as expert review.  Integer values
      less than -65536 are marked as private use.

Either way, may this sentence be removed? It seems redundant with the text above.

Original:
   It should be noted that in addition to the expert
   review, some portions of the registry require a specification,
   potentially on standards track, be supplied as well.
-->
          <dd>
              The value to be used to identify this algorithm.
              Map key labels MUST <bcp14>MUST</bcp14> be unique.
              The label can be a positive integer, a negative integer integer, or a string.
              Integer values between -256 and 255 and strings of length 1 are designated as Standards Track Document document required.
              Integer values from -65536 to -257 and from 256 to 65535 and strings of length 2 are designated as Specification Required.
              Integer values greater than 65535 and strings of length greater than 2 are designated as expert review. Expert Review.
              Integer values less than -65536 are marked as private use. Private Use.
            </dd>
          <dt>CBOR Type</dt> Type:</dt>
          <dd>
              This field contains the CBOR type for the field.
            </dd>
          <dt>registry</dt>
          <dt>Registry:</dt>
          <dd>
              This field denotes the registry that values may come from, if one exists.
            </dd>
          <dt>description</dt>
          <dt>Description:</dt>
          <dd>
              This field contains a brief description for the field.
            </dd>
          <dt>specification</dt>
          <dt>Reference:</dt>
          <dd>
              This contains a pointer to the public specification for the field field, if one exists exists.
            </dd>
        </dl>
        <t>
          This registry will be has been initially populated by the values in <xref target="key-labels" format="default"/>.
<!--[rfced] Re: OSCORE Security Context Parameters
This sentence does not match with the IANA registry (https://www.iana.org/assignments/ace). Should RFC 8613 be added to the Reference column in the IANA registry, or should
this sentence be altered?

Original:
   The specification column for all of these entries will be this
   document and [RFC8613].

Current:
   The Reference column for all of these entries is this document and
   [RFC8613].
-->

          The Reference column for all of these entries is this document and <xref target="RFC8613" format="default"/>.
        </t>
      </section>

      <section anchor="osc-cwt" numbered="true" toc="default">
        <name>CWT Confirmation Methods Registry</name>
        <t>The following registration is done for has been made in the CWT "CWT Confirmation Methods Registry Methods" registry <xref target="IANA.CWTConfirmationMethods" format="default"/> following the procedure specified in section 7.2.1 of <xref target="RFC8747" format="default"/>:</t>
        <ul sectionFormat="of" section="7.2.1"/>:</t>
        <dl spacing="compact">
          <li>Confirmation
          <dt>Confirmation Method Name: "osc"</li>
          <li>Confirmation Name:</dt><dd>"osc"</dd>
          <dt>Confirmation Method Description: OSCORE_Input_Material Description:</dt><dd>OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation</li>
          <li>Confirmation Key: TBD (value between 4 and 255)</li>
          <li>Confirmation confirmation</dd>
	  <dt>JWT Confirmation Method Name:</dt><dd>osc</dd>
          <dt>Confirmation Key:</dt><dd>4</dd>
          <dt>Confirmation Value Type(s): map</li>
          <li>Change Controller: IESG</li>
          <li>Specification Document(s): <xref Type(s):</dt><dd>map</dd>
          <dt>Change Controller:</dt><dd>IETF</dd>
          <dt>Specification Document(s):</dt><dd><xref target="oscore-sec-ctx" format="default"/> of [[this document]]</li>
        </ul> RFC 9203</dd>
        </dl>
      </section>
      <section anchor="osc-jwt" numbered="true" toc="default">
        <name>JWT Confirmation Methods Registry</name>
        <t>The following registration is done for has been made in the JWT "JWT Confirmation Methods Registry Methods" registry <xref target="IANA.JWTConfirmationMethods" format="default"/> following the procedure specified in section 6.2.1 of <xref target="RFC7800" format="default"/>:</t>
        <ul sectionFormat="of" section="6.2.1"/>:</t>
        <dl spacing="compact">
          <li>Confirmation
          <dt>Confirmation Method Value: "osc"</li>
          <li>Confirmation Value:</dt><dd>"osc"</dd>
          <dt>Confirmation Method Description: OSCORE_Input_Material Description:</dt><dd>OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation</li>
          <li>Change Controller: IESG</li>
          <li>Specification Document(s): <xref confirmation</dd>
          <dt>Change Controller:</dt><dd>IETF</dd>
          <dt>Specification Document(s):</dt><dd><xref target="oscore-sec-ctx" format="default"/> of [[this document]]</li>
        </ul> RFC 9203</dd>
        </dl>
      </section>
      <section anchor="review" numbered="true" toc="default">
        <name>Expert Review Instructions</name>
        <t>
          The IANA registry established in this document is defined to use the Expert Review registration policy.
          This section gives some general guidelines for what the experts should be looking for, but they are being designated as experts for a reason reason, so they should be given substantial latitude.
        </t>
        <t>
          Expert reviewers should take into consideration the following points:
        </t>
        <ul spacing="compact">
          <li>
              Point squatting should be discouraged. Reviewers are encouraged to get sufficient information for registration requests to ensure that the usage is not going to duplicate one that is already registered and that the point is likely to be used in deployments. The zones tagged as private use Private Use are intended for testing purposes and closed environments. Code points in other ranges should not be assigned for testing.
            </li>
          <li>
              Specifications are required for the standards track Standards Track range of point assignment.
              Specifications should exist for specification required ranges, but early assignment before a specification is available is considered to be permissible. Specifications are needed for the first-come, first-serve First Come First Served range if they are expected to be used outside of closed environments in an interoperable way. When specifications are not provided, the description provided needs to have sufficient information to identify what the point is being used for.
            </li>
          <li>
              Experts should take into account the expected usage of fields when approving point assignment.
              The fact that there is a range for standards track Standards Track documents does not mean that a standards track Standards Track document cannot have points assigned outside of that range.
              The length of the encoded value should be weighed against how many code points of that length are left, the size of device it will be used on, and the number of code points left that encode to that size.
            </li>
        </ul>
      </section>
    </section>
  </middle>
  <back>
    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <reference anchor="RFC8613" target="https://www.rfc-editor.org/info/rfc8613" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8613.xml">
          <front>
            <title>Object Security for Constrained RESTful Environments (OSCORE)</title>
            <seriesInfo name="DOI" value="10.17487/RFC8613"/>
            <seriesInfo name="RFC" value="8613"/>
            <author initials="G." surname="Selander" fullname="G. Selander">
              <organization/>
            </author>
            <author initials="J." surname="Mattsson" fullname="J. Mattsson">
              <organization/>
            </author>
            <author initials="F." surname="Palombini" fullname="F. Palombini">
              <organization/>
            </author>
            <author initials="L." surname="Seitz" fullname="L. Seitz">
              <organization/>
            </author>
            <date year="2019" month="July"/>
            <abstract>
              <t>This document defines Object Security for Constrained RESTful Environments (OSCORE), a method for application-layer protection of the Constrained Application Protocol (CoAP), using CBOR Object Signing and Encryption (COSE).  OSCORE provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP. OSCORE

<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8613.xml"/>

<!-- [I-D.ietf-ace-oauth-authz-43] is designed for constrained nodes and networks supporting a range of proxy operations, including translation between different transport protocols.</t>
              <t>Although an optional functionality of CoAP, OSCORE alters CoAP options processing and IANA registration.  Therefore, this companion document updates RFC 7252.</t>
            </abstract>
          </front>
        </reference> 9200 -->
<!--[KC] Updated the title per the diff file (9/3/21)-->
<reference anchor="I-D.ietf-ace-oauth-authz" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-ace-oauth-authz.xml" target="https://www.ietf.org/archive/id/draft-ietf-ace-oauth-authz-40.txt"> anchor='RFC9200' target='https://www.rfc-editor.org/info/rfc9200'>
<front>
<title>Authentication and Authorization for Constrained Environments (ACE) using Using the OAuth 2.0 Framework (ACE-OAuth)</title>
            <seriesInfo name="Internet-Draft" value="draft-ietf-ace-oauth-authz-40"/>
            <author fullname="Ludwig Seitz">
              <organization>Combitech</organization>
            </author>
            <author fullname="Goeran Selander">
              <organization>Ericsson</organization>
            </author>
<author fullname="Erik Wahlstroem">
	 </author>
            <author fullname="Samuel Erdtman">
              <organization>Spotify AB</organization>
            </author>
            <author fullname="Hannes Tschofenig">
              <organization>Arm Ltd.</organization> initials='L' surname='Seitz' fullname='Ludwig Seitz'>
<organization />
</author>
<author initials='G' surname='Selander' fullname='Goeran Selander'>
<organization />
</author>
<author initials='E' surname='Wahlstroem' fullname='Erik Wahlstroem'>
<organization />
</author>
<author initials='S' surname='Erdtman' fullname='Samuel Erdtman'>
<organization />
</author>
<author initials='H' surname='Tschofenig' fullname='Hannes Tschofenig'>
<organization />
</author>
<date month="April" day="26" year="2021"/>
            <abstract>
              <t>   This specification defines a framework for authentication and
   authorization year='2021' month='September' />
</front>
<seriesInfo name="RFC" value="9200"/>
<seriesInfo name="DOI" value="10.17487/RFC9200"/>
</reference>

<!-- [I-D.ietf-ace-oauth-params] in Internet of Things (IoT) environments called ACE-
   OAuth.  The framework is based on a set of building blocks including
   OAuth 2.0 and companion document RFC 9201 -->
<!--[KC] Updated the Constrained Application Protocol (CoAP), thus
   transforming a well-known and widely used authorization solution into
   a form suitable for IoT devices.  Existing specifications are used
   where possible, but extensions are added and profiles are defined to
   better serve title per the IoT use cases.

              </t>
            </abstract>
          </front>
        </reference> diff (9/3/21) -->
<reference anchor="I-D.ietf-ace-oauth-params" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-ace-oauth-params.xml" target="https://www.ietf.org/archive/id/draft-ietf-ace-oauth-params-14.txt"> anchor='RFC9201' target='https://www.rfc-editor.org/info/rfc9201'>
<front>
<title>Additional OAuth Parameters for Authentication and Authorization in for Constrained Environments (ACE)</title>
            <seriesInfo name="Internet-Draft" value="draft-ietf-ace-oauth-params-14"/>
<author fullname="Ludwig Seitz">
              <organization>Combitech</organization> initials='L' surname='Seitz' fullname='Ludwig Seitz'>
<organization />
</author>
<date month="March" day="25" year="2021"/>
            <abstract>
              <t>   This specification defines new parameters and encodings for the OAuth
   2.0 token and introspection endpoints when used with the framework
   for authentication and authorization for constrained environments
   (ACE).  These are used to express the proof-of-possession key the
   client wishes to use, the proof-of-possession key that the
   Authorization Server has selected, and the key the Resource Server
   uses to authenticate to the client.

              </t>
            </abstract> year='2021' month='September' />
</front>
        </reference>
        <reference anchor="RFC8949" target="https://www.rfc-editor.org/info/rfc8949" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <seriesInfo name="DOI" value="10.17487/RFC8949"/>
<seriesInfo name="RFC" value="8949"/>
            <seriesInfo name="STD" value="94"/>
            <author initials="C." surname="Bormann" fullname="C. Bormann">
              <organization/>
            </author>
            <author initials="P." surname="Hoffman" fullname="P. Hoffman">
              <organization/>
            </author>
            <date year="2020" month="December"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049.  It does not create a new version of the format.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC8392" target="https://www.rfc-editor.org/info/rfc8392" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml">
          <front>
            <title>CBOR Web Token (CWT)</title> value="9201"/>
<seriesInfo name="DOI" value="10.17487/RFC8392"/>
            <seriesInfo name="RFC" value="8392"/>
            <author initials="M." surname="Jones" fullname="M. Jones">
              <organization/>
            </author>
            <author initials="E." surname="Wahlstroem" fullname="E. Wahlstroem">
              <organization/>
            </author>
            <author initials="S." surname="Erdtman" fullname="S. Erdtman">
              <organization/>
            </author>
            <author initials="H." surname="Tschofenig" fullname="H. Tschofenig">
              <organization/>
            </author>
            <date year="2018" month="May"/>
            <abstract>
              <t>CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties.  The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR), and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection.  A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value.  CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.</t>
            </abstract>
          </front> value="10.17487/RFC9201"/>
</reference>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <seriesInfo name="DOI" value="10.17487/RFC2119"/>
            <seriesInfo name="RFC" value="2119"/>
            <seriesInfo name="BCP" value="14"/>
            <author initials="S." surname="Bradner" fullname="S. Bradner">
              <organization/>
            </author>
            <date year="1997" month="March"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted

<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8392.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml"/>

<!-- [I-D.ietf-cose-rfc8152bis-struct] in IETF documents.  This AUTH48*R state; companion document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC7252" target="https://www.rfc-editor.org/info/rfc7252" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <seriesInfo name="DOI" value="10.17487/RFC7252"/>
            <seriesInfo name="RFC" value="7252"/>
            <author initials="Z." surname="Shelby" fullname="Z. Shelby">
              <organization/>
            </author>
            <author initials="K." surname="Hartke" fullname="K. Hartke">
              <organization/>
            </author>
            <author initials="C." surname="Bormann" fullname="C. Bormann">
              <organization/>
            </author>
            <date year="2014" month="June"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks.  The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s.  The protocol RFC 9052; note that this doc is designed for machine- to-machine (M2M) applications such as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts part of the Web such as URIs and Internet media types.  CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
        </reference> C416 -->
<reference anchor="I-D.ietf-cose-rfc8152bis-struct" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-cose-rfc8152bis-struct.xml" target="https://www.ietf.org/archive/id/draft-ietf-cose-rfc8152bis-struct-15.txt"> anchor='RFC9052' target='https://www.rfc-editor.org/info/rfc9052'>
<front>
<title>CBOR Object Signing and Encryption (COSE): Structures and Process</title>
            <seriesInfo name="Internet-Draft" value="draft-ietf-cose-rfc8152bis-struct-15"/>
<author fullname="Jim Schaad">
              <organization>August Cellars</organization> initials='J' surname='Schaad' fullname='Jim Schaad'>
<organization />
</author>
<date month="February" day="1" year="2021"/>
            <abstract>
              <t>   Concise Binary Object Representation (CBOR) is a data format designed
   for small code size and small message size.  There is a need for the
   ability to have basic security services defined for this data format.
   This document defines the CBOR Object Signing and Encryption (COSE)
   protocol.  This specification describes how to create and process
   signatures, message authentication codes, and encryption using CBOR
   for serialization.  This specification additionally describes how to
   represent cryptographic keys using CBOR.

   This document along with [I-D.ietf-cose-rfc8152bis-algs] obsoletes
   RFC8152.

              </t>
            </abstract> year='2022' month='March' /> <!-- TBD -->
</front>
<seriesInfo name="RFC" value="9052"/>
<seriesInfo name="DOI" value="10.17487/RFC9052"/>
</reference>

<!-- [I-D.ietf-cose-rfc8152bis-algs] in AUTH48*R state; companion document
RFC 9053. Note that this doc is part of C416 -->
<reference anchor="I-D.ietf-cose-rfc8152bis-algs" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-cose-rfc8152bis-algs.xml" target="https://www.ietf.org/archive/id/draft-ietf-cose-rfc8152bis-algs-12.txt"> anchor='RFC9053' target='https://www.rfc-editor.org/info/rfc9053'>
<front>
<title>CBOR Object Signing and Encryption (COSE): Initial Algorithms</title>
            <seriesInfo name="Internet-Draft" value="draft-ietf-cose-rfc8152bis-algs-12"/>
<author fullname="Jim Schaad">
              <organization>August Cellars</organization> initials='J' surname='Schaad' fullname='Jim Schaad'>
<organization />
</author>
<date month="September" day="24" year="2020"/>
            <abstract>
              <t>   Concise Binary Object Representation (CBOR) is a data format designed
   for small code size and small message size.  There is a need for the
   ability to have basic security services defined for this data format.
   THis document defines a set of algorithms that can be used with the
   CBOR Object Signing and Encryption (COSE) protocol RFC XXXX.

              </t>
            </abstract> year='2022' month='March' /><!-- TBD -->
</front>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <seriesInfo name="DOI" value="10.17487/RFC8174"/>
<seriesInfo name="RFC" value="8174"/>
            <seriesInfo name="BCP" value="14"/>
            <author initials="B." surname="Leiba" fullname="B. Leiba">
              <organization/>
            </author>
            <date year="2017" month="May"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the  defined special meanings.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC8610" target="https://www.rfc-editor.org/info/rfc8610" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title> value="9053"/>
<seriesInfo name="DOI" value="10.17487/RFC8610"/>
            <seriesInfo name="RFC" value="8610"/>
            <author initials="H." surname="Birkholz" fullname="H. Birkholz">
              <organization/>
            </author>
            <author initials="C." surname="Vigano" fullname="C. Vigano">
              <organization/>
            </author>
            <author initials="C." surname="Bormann" fullname="C. Bormann">
              <organization/>
            </author>
            <date year="2019" month="June"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049).  Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front> value="10.17487/RFC9053"/>
</reference>
        <reference anchor="RFC5869" target="https://www.rfc-editor.org/info/rfc5869" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <seriesInfo name="DOI" value="10.17487/RFC5869"/>
            <seriesInfo name="RFC" value="5869"/>
            <author initials="H." surname="Krawczyk" fullname="H. Krawczyk">
              <organization/>
            </author>
            <author initials="P." surname="Eronen" fullname="P. Eronen">
              <organization/>
            </author>
            <date year="2010" month="May"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications.

<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5869.xml"/>

<!-- [IANA.OAuthParameters] The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions.  This document is not an Internet  Standards Track specification; it URL below is published for informational  purposes.</t>
            </abstract>
          </front>
        </reference> correct -->
        <reference anchor="IANA.OAuthParameters" target="https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#parameters"> target="https://www.iana.org/assignments/oauth-parameters">
          <front>
            <title>OAuth Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>

        <reference anchor="IANA.CWTConfirmationMethods" target="https://www.iana.org/assignments/cwt/cwt.xhtml#confirmation-methods"> target="https://www.iana.org/assignments/cwt">
          <front>
            <title>CWT Confirmation Methods</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>

        <reference anchor="IANA.JWTConfirmationMethods" target="https://www.iana.org/assignments/jwt/jwt.xhtml#confirmation-methods"> target="https://www.iana.org/assignments/jwt">
          <front>
            <title>JWT Confirmation Methods</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>

        <reference anchor="COSE.Algorithms" target="https://www.iana.org/assignments/cose/cose.xhtml#algorithms"> target="https://www.iana.org/assignments/cose">
          <front>
            <title>COSE Algorithms</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
      </references>
      <references>
        <name>Informative References</name>
        <reference anchor="RFC8747" target="https://www.rfc-editor.org/info/rfc8747" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8747.xml">
          <front>
            <title>Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)</title>
            <seriesInfo name="DOI" value="10.17487/RFC8747"/>
            <seriesInfo name="RFC" value="8747"/>
            <author initials="M." surname="Jones" fullname="M. Jones">
              <organization/>
            </author>
            <author initials="L." surname="Seitz" fullname="L. Seitz">
              <organization/>
            </author>
            <author initials="G." surname="Selander" fullname="G. Selander">
              <organization/>
            </author>
            <author initials="S." surname="Erdtman" fullname="S. Erdtman">
              <organization/>
            </author>
            <author initials="H." surname="Tschofenig" fullname="H. Tschofenig">
              <organization/>
            </author>
            <date year="2020" month="March"/>
            <abstract>
              <t>This specification describes how to declare in a CBOR Web Token (CWT) (which is defined by RFC 8392) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as being the holder-of-key. This specification provides equivalent functionality to "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)" (RFC 7800) but using Concise Binary Object Representation (CBOR) and CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens (JWTs).</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC7800" target="https://www.rfc-editor.org/info/rfc7800" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7800.xml">
          <front>
            <title>Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)</title>
            <seriesInfo name="DOI" value="10.17487/RFC7800"/>
            <seriesInfo name="RFC" value="7800"/>
            <author initials="M." surname="Jones" fullname="M. Jones">
              <organization/>
            </author>
            <author initials="J." surname="Bradley" fullname="J. Bradley">
              <organization/>
            </author>
            <author initials="H." surname="Tschofenig" fullname="H. Tschofenig">
              <organization/>
            </author>
            <date year="2016" month="April"/>
            <abstract>
              <t>This specification describes how to declare in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular proof-of- possession key and how the recipient can cryptographically confirm proof of possession of the key by the presenter.  Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC4949" target="https://www.rfc-editor.org/info/rfc4949" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4949.xml">
          <front>
            <title>Internet Security Glossary, Version 2</title>
            <seriesInfo name="DOI" value="10.17487/RFC4949"/>
            <seriesInfo name="RFC" value="4949"/>
            <seriesInfo name="FYI" value="36"/>
            <author initials="R." surname="Shirey" fullname="R. Shirey">
              <organization/>
            </author>
            <date year="2007" month="August"/>
            <abstract>
              <t>This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established

<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8747.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7800.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4949.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6749.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7231.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/>

<!-- [I-D.ietf-tls-dtls13] in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques AUTH48*R; note that already exist or could be developed.  This memo provides information for the Internet community.</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC6749" target="https://www.rfc-editor.org/info/rfc6749" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6749.xml">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <seriesInfo name="DOI" value="10.17487/RFC6749"/>
            <seriesInfo name="RFC" value="6749"/>
            <author initials="D." surname="Hardt" fullname="D. Hardt" role="editor">
              <organization/>
            </author>
            <date year="2012" month="October"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.  This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
        </reference>
        <reference anchor="RFC7231" target="https://www.rfc-editor.org/info/rfc7231" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7231.xml">
          <front>
            <title>Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</title>
            <seriesInfo name="DOI" value="10.17487/RFC7231"/>
            <seriesInfo name="RFC" value="7231"/>
            <author initials="R." surname="Fielding" fullname="R. Fielding" role="editor">
              <organization/>
            </author>
            <author initials="J." surname="Reschke" fullname="J. Reschke" role="editor">
              <organization/>
            </author>
            <date year="2014" month="June"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) this doc is a stateless \%application- level protocol for distributed, collaborative, hypertext information systems.  This document defines the semantics of HTTP/1.1 messages, as expressed by request methods, request header fields, response status codes, and response header fields, along with the payload part of messages (metadata and body content) and mechanisms for content negotiation.</t>
            </abstract>
          </front>
        </reference> C321 (RFC-to-be 9147) -->
<reference anchor="I-D.ietf-tls-dtls13" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-tls-dtls13.xml" target="https://www.ietf.org/internet-drafts/draft-ietf-tls-dtls13-43.txt"> anchor='RFC9147' target='https://www.rfc-editor.org/info/rfc9147'>
<front>
<title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <seriesInfo name="Internet-Draft" value="draft-ietf-tls-dtls13-43"/>
            <author initials="E" surname="Rescorla" fullname="Eric Rescorla">
              <organization/>
            </author>
            <author initials="H" surname="Tschofenig" fullname="Hannes Tschofenig">
              <organization/>
            </author>
<author initials="N" surname="Modadugu" fullname="Nagendra Modadugu">
              <organization/> initials='E' surname='Rescorla' fullname='Eric Rescorla'>
<organization />
</author>
<author initials='H' surname='Tschofenig' fullname='Hannes Tschofenig'>
<organization />
</author>
<author initials='N' surname='Modadugu' fullname='Nagendra Modadugu'>
<organization />
</author>
<date year="2021" month="April" day="30"/>
            <abstract>
              <t>This document specifies Version 1.3 of the Datagram Transport Layer Security (DTLS) protocol.  DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t> The DTLS 1.3 protocol is intentionally based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection/non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t> This document obsoletes RFC 6347.</t>
            </abstract> year='2022' month='March'/><!-- TBD -->
</front>
        </reference>
        <reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <seriesInfo name="DOI" value="10.17487/RFC8446"/>
<seriesInfo name="RFC" value="8446"/>
            <author initials="E." surname="Rescorla" fullname="E. Rescorla">
              <organization/>
            </author>
            <date year="2018" month="August"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol.  TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961.  This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front> value="9147"/>
<seriesInfo name="DOI" value="10.17487/RFC9147"/>
</reference>

<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/>

      </references>
    </references>
    <section numbered="true" toc="default">
      <name>Profile Requirements</name>
      <t>
        This section lists the specifications on of this profile based on the requirements on of the framework, as requested in Appendix C of <xref target="I-D.ietf-ace-oauth-authz" format="default"/>. target="RFC9200" sectionFormat="of" section="C"/>.
      </t>

<!--[rfced] In the following sentence, is a word missing after "in"
(or does "in" refer to "Not specified")?

Original:
   Optionally, define new methods for the client to discover the
   necessary permissions and AS for accessing a resource, different
   from the one proposed in: Not specified
-->

 <ul spacing="compact">
        <li>
            Optionally
            Optionally, define new methods for the client to discover the
            necessary permissions and AS for accessing a resource, different
            from the one proposed in: Not specified
          </li>
        <li>
            Optionally
            Optionally, specify new grant types: Not specified
          </li>
        <li>
            Optionally
            Optionally, define the use of client certificates as client
            credential type: Not specified
          </li>
        <li>
            Specify the communication protocol the client and RS the must use: CoAP
          </li>
        <li>
            Specify the security protocol the client and RS must use to
            protect their communication: OSCORE
          </li>
        <li>
            Specify how the client and the RS mutually authenticate: Implicitly by possession of a common OSCORE security context. Note that the mutual authentication is not completed before the client has verified an OSCORE response using this security context.
          </li>
        <li>
            Specify the proof-of-possession protocol(s) and how to select one,
            if several are available.  Also specify which key types (e.g.,
            symmetric/asymmetric) are supported by a specific proof-of-
            possession protocol: OSCORE algorithms; pre-established preestablished symmetric keys
          </li>
        <li>
            Specify a unique ace_profile identifier: coap_oscore
          </li>
        <li>
            If introspection is supported: Specify supported, specify the communication and
            security protocol for introspection: HTTP/CoAP (+ TLS/DTLS/OSCORE)
          </li>
        <li>
            Specify the communication and security protocol for interactions
            between client and AS: HTTP/CoAP (+ TLS/DTLS/OSCORE)
          </li>
        <li>
            Specify how/if if/how the authz-info endpoint is protected, including how
            error responses are protected: Not protected. protected
          </li>
        <li>
            Optionally
            Optionally, define other methods of token transport other than the authz-
            info authz-info
            endpoint: Not defined
          </li>
      </ul>

    </section>
    <section numbered="false" toc="default">
      <name>Acknowledgments</name>
      <t>
        The authors wish to thank Jim Schaad <contact fullname="Jim Schaad"/> and Marco Tiloca <contact fullname="Marco Tiloca"/> for the substantial input to this document, as well as Elwyn Davies, Linda Dunbar, Roman Danyliw, Martin Duke, Lars Eggert, Murray Kucherawy, and Zaheduzzaman Sarker <contact fullname="Elwyn Davies"/>, <contact fullname="Linda Dunbar"/>, <contact fullname="Roman Danyliw"/>, <contact fullname="Martin Duke"/>, <contact fullname="Lars Eggert"/>, <contact fullname="Murray Kucherawy"/>, and <contact fullname="Zaheduzzaman Sarker"/> for their reviews and feedback. Special thanks to the responsible area director Benjamin Kaduk <contact fullname="Benjamin Kaduk"/> for his extensive review and contributed text.
        Ludwig Seitz
        <contact fullname="Ludwig Seitz"/> worked on this document as part of the CelticNext projects CyberWI, CyberWI and CRITISEC with funding from Vinnova.
        The work on this document has been partly supported also by the H2020 project SIFIS-Home (Grant agreement 952652).
      </t>
    </section>

<!-- [rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed.

In particular, please consider whether "master" should be updated.
 -->

<!-- [rfced] Throughout the text, the following terminology appears to be used
inconsistently. Please review these occurrences and let us know if/how they
may be made consistent.

re-POST (2) vs. reposting (4)
    Note: are these terms the same? If so, we suggest using "repost" for
          consistency.

Security Context (60) vs. security context (10)
    Note: May we lowercase this term to match use in RFC 8613 and the
          C442 companion documents?

FYI: to match the companion documents and references (especially
RFC 8613), we updated the case of the following terms as shown:

   ACE profile
   base64
   Master Secret
   OSCORE version
   resource server
   sequence number
-->

<!--[rfced] We notice some author comments in the XML file. Please
review and let us know if anything should be incorporated into
the text. Note that we will delete all comments prior to publication.
-->

  </back>
</rfc>