<?xml version='1.0' encoding='utf-8'?> version="1.0" encoding="UTF-8"?>

<!-- draft submitted in xml v3 -->

<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.6.6 (Ruby 3.1.1) -->

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" xml:lang="en" ipr="trust200902" docName="draft-ietf-ace-aif-07" number="9237" submissionType="IETF" category="std" consensus="true" submissionType="IETF" tocDepth="4" tocInclude="true" sortRefs="true" symRefs="true" updates=""
obsoletes="" version="3">

<!-- xml2rfc v2v3 conversion 3.12.1 -->
<!-- [rfced] Please note that the title of the document has been updated as
follows. The abbreviation "ACE" has been expanded per Section 3.6 of RFC
7322 (“RFC Style Guide”). Please review.

Original:
   An Authorization Information Format (AIF) for ACE

Current:
   An Authorization Information Format (AIF) for Authentication and
   Authorization for Constrained Environments (ACE)
-->
<!-- [rfced] We note that AIF and ACE are mentioned in the document title but
not in the abstract. Please review and let us know if any updates are
needed.
-->
  <front>
    <title abbrev="ACE AIF">An Authorization Information Format (AIF) for ACE</title> Authentication and Authorization for Constrained Environments (ACE)</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-ace-aif-07"/> name="RFC" value="9237"/>
    <author initials="C." surname="Bormann" fullname="Carsten Bormann">
      <organization>Universität Bremen TZI</organization>
      <address>
        <postal>
          <street>Postfach 330440</street>
          <city>Bremen</city>
          <code>D-28359</code>
          <country>Germany</country>
        </postal>
        <phone>+49-421-218-63921</phone>
        <email>cabo@tzi.org</email>
      </address>
    </author>
    <date year="2022" month="March" day="15"/>
    <area>Internet</area>
    <workgroup>ACE Working Group</workgroup>
    <keyword>Internet-Draft</keyword> month="April"/>
    <area>sec</area>
    <workgroup>ACE</workgroup>

<!-- [rfced] Please insert any keywords (beyond those that appear in the title) for use on https://www.rfc-editor.org/search. -->

    <abstract>
      <t>Information about which entities are authorized to perform what
operations on which constituents of other entities is a crucial
component of producing an overall system that is secure.  Conveying
precise authorization information is especially critical in highly
automated systems with large numbers of entities, such as the
"Internet
Internet of Things".</t> Things.</t>
      <t>This specification provides a generic information model and format for
representing such authorization information, as well as two variants
of a specific instantiation of that format for use with REST Representational State Transfer (REST) resources
identified by URI path.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-ace-aif/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Authentication and Authorization for Constrained Environments (ace) Working Group mailing list (<eref target="mailto:ace@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/ace/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/cabo/ace-aif"/>.</t>
    </note>
  </front>
  <middle>
    <section anchor="introduction">
      <name>Introduction</name>
      <t>Constrained Devices devices, as they are used in the "Internet Internet of Things" Things, need
security in order to operate correctly and prevent misuse.
One important element of this security is that devices in the Internet
of Things need to be able to decide which operations requested of them
should be considered authorized, need to ascertain that the
authorization to request the operation does apply to the actual
requester as authenticated,
and need to ascertain that other devices they make
requests of are the ones they intended.</t>
      <t>To transfer detailed authorization information from an authorization manager
(such as an ACE-OAuth Authorization Server authorization server <xref target="I-D.ietf-ace-oauth-authz"/>) target="RFC9200"/>) to a device, a
compact representation format is needed.
This document defines such a format, format -- the
Authorization Information Format (AIF).
AIF is defined both as a general structure that can be used for many
different applications and
as a specific instantiation tailored to REST resources and the permissions
on them, including some provision for dynamically created resources.</t>
      <section anchor="terminology">
        <name>Terminology</name>

<!-- [rfced] Although not required, the text about the RFC 2119 key words
often appears at the end of the Terminology section. Would you like to
leave it as is or move it to the end of the section?
-->

	<t>This memo uses terms from CoAP the Constrained Application Protocol (CoAP) <xref target="RFC7252"/> and the Internet Security Glossary <xref target="RFC4949"/>; CoAP is used for
the explanatory examples as it is a good fit for Constrained Devices.</t> constrained devices.</t>
        <t>The shape of data is specified in CDDL Concise Data Definition Language (CDDL) <xref target="RFC8610"/> <xref target="RFC9165"/>.
Terminology for Constrained Devices constrained devices is defined in <xref target="RFC7228"/>.</t>
        <t>The
        <t>
The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>",
"<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
"<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be
interpreted as described in BCP 14 BCP&nbsp;14 <xref target="RFC2119"/> <xref
target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
here.
        </t>
<t>The term "byte", abbreviated by "B", is used in its now customary
sense as a synonym for "octet".</t>
      </section>
    </section>
    <section anchor="information-model">
      <name>Information Model</name>
      <t>Authorizations are generally expressed through some data structures
that are cryptographically secured (or transmitted in a secure way).
This section discusses the information model underlying the payload of
that data (as opposed to the cryptographic armor around it).</t>
      <t>The semantics of the authorization information defined in this
document are that of an <em>allow-list</em>:
everything is denied until it is explicitly allowed.</t>
      <t>For the purposes of this specification, the underlying access control model
will be that of an access matrix, which gives a set of permissions for
each possible combination of a subject and an object.
We are focusing the AIF data item on a single row in the access matrix
(such a row has often been called a capability list), "capability list") without
concern to the subject for which the data item is issued.
As a consequence, AIF <bcp14>MUST</bcp14> be used in a way that the subject of the
authorizations is unambiguously identified (e.g., as part of the armor
around it).</t>
      <t>The generic model of such a capability list is a list of pairs of
object identifiers (of type <tt>Toid</tt>) and the permissions (of type <tt>Tperm</tt>) that the subject has on the
object(s) identified.</t>
      <figure anchor="genaif">
        <name>Definition of Generic AIF</name>
        <sourcecode type="cddl"><![CDATA[
AIF-Generic<Toid, Tperm> = [* [Toid, Tperm]]
]]></sourcecode>
      </figure>
      <t>In a specific data model (such as the one also specified in
this document), the object identifier (<tt>Toid</tt>) will often be
a text string, and the set of permissions (<tt>Tperm</tt>) will be represented
by a bitset bit set, which in turn is represented as a number (see <xref target="data-model"/>).</t>
      <figure anchor="specaif">
        <name>Commonly used shape Used Shape of a specific Specific AIF</name>
        <sourcecode type="cddl"><![CDATA[
AIF-Specific = AIF-Generic<tstr, uint>
]]></sourcecode>
      </figure>
      <section anchor="rest-model">
        <name>REST-specific
        <name>REST-Specific Model</name>
<!-- [rfced] May we move the phrase "for the object identifiers (Toid)" to
appear at the end of the sentence? Also, please confirm that the plural
"object identifiers" is correct here.

Original:
   In the specific instantiation of the REST resources and the
   permissions on them, for the object identifiers (Toid), we use the
   URI of a resource on a CoAP server.

Perhaps:
   In the specific instantiation of the REST resources and the
   permissions on them, we use the
   URI of a resource on a CoAP server for the object identifiers (Toid).
-->
        <t>In the specific instantiation of the REST resources and the
permissions on them, for the object identifiers (<tt>Toid</tt>), we
use the URI of a resource on a CoAP server.  More specifically, since the
parts of the URI that identify the server ("authority" in
<xref target="RFC3986"/>) are what are authenticated during REST resource access (<xref section="4.2.2" sectionFormat="of" target="I-D.ietf-httpbis-semantics"/> target="RFC9110"/> and <xref section="6.2" sectionFormat="of" target="RFC7252"/>), they
naturally fall into the realm handled by the cryptographic armor; we therefore focus on
the "path" ("path-abempty") and "query" parts of the URI (<em>URI-local-part</em> in
this specification, as expressed by the Uri-Path and Uri-Query options
in CoAP).

<!--[rfced] We updated this text slightly for ease of readability
(i.e., updated "that it is clear who" to "that clearly shows
who". Please let us know of any objections.

Original:
  As a consequence, AIF <bcp14>MUST</bcp14> MUST be used in a way that it is clear who is
  the target (enforcement point) of these authorizations (note that
  there may be more than one target that the same authorization applies
  to, e.g., in a situation with homogeneous devices).

Current
  As a consequence, AIF MUST be used in a way that clearly shows
  who is the target (enforcement point) of these authorizations (note
  that there may be more than one target that the same authorization
  applies to, e.g., in a situation with homogeneous devices).
-->

As a consequence, AIF <bcp14>MUST</bcp14> be used in a way that clearly shows
who is the target (enforcement point) of these authorizations
(note that there may be more than one target that the same
authorization applies to, e.g., in a situation with homogeneous
devices).</t>
        <t>For the permissions (<tt>Tperm</tt>), we use a simple permissions model that
lists the subset of the REST (CoAP or HTTP) methods permitted.
This model is summarized in <xref target="im-example"/>.</t>
<!-- [rfced] Please review these table titles and let us know if any updates
are needed to "AIF Information Model". We ask because the corresponding
sections are titled "REST-Specific Model" and "REST-Specific Model with
Dynamic Resource Creation", respectively.

Current:
  Table 1: An Authorization Instance in the AIF Information Model
  ...
  Table 2: An Authorization Instance in the AIF Information Model
  with Dynamic Resource Creation
-->
      <table anchor="im-example">
          <name>An authorization instance Authorization Instance in the AIF Information Model</name>
          <thead>
            <tr>
              <th align="left">URI-local-part</th>
              <th align="left">Permission Set</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">/s/temp</td>
              <td align="left">GET</td>
            </tr>
            <tr>
              <td align="left">/a/led</td>
              <td align="left">PUT, GET</td>
            </tr>
            <tr>
              <td align="left">/dtls</td>
              <td align="left">POST</td>
            </tr>
          </tbody>
        </table>
        <t>In this example, a device offers a temperature sensor <tt>/s/temp</tt> for
read-only access, a LED actuator <tt>/a/led</tt> for read/write, and a
<tt>/dtls</tt> resource for POST access.</t>
        <t>As will be seen shown in the data model (<xref target="data-model"/>), the representations
of REST methods provided are limited to those that have a CoAP method
number assigned; an extension to the model may be necessary to represent
permissions for exotic HTTP methods.</t>
      </section>
      <section anchor="limitations">
        <name>Limitations</name>
        <t>This simple information model only allows granting permissions for
statically identifiable objects, e.g., URIs for the REST-specific
instantiation.  One might be tempted to extend the model towards URI
templates <xref target="RFC6570"/> (for instance, to open up an
authorization for many parameter values as in
 <tt>/s/temp{?any*}</tt>).
However, that requires some considerations of
the ease and unambiguity of matching a given URI against a set of
templates in an AIF data item.</t>
<!-- [rfced] May we update "that is not locked" here to read either "it is not
locked" or "that door is not locked"?

Original:
   This simple information model also does not allow expressing
   conditionalized access based on state outside the identification of
   objects (e.g., "opening a door is allowed if that is not locked").
-->
<t>This simple information model also does not allow expressing
conditionalized access based on state outside the identification of
objects (e.g., "opening a door is allowed if that is not locked").</t>
        <t>Finally, the model does not provide any special access for a set of
resources that are specific to a subject, e.g., that the subject
created itself by previous operations (PUT, POST, or PATCH/iPATCH <xref target="RFC8132"/>) or that were
specifically created for the subject by others.</t>
      </section>
      <section anchor="ext-rest-model">
        <name>REST-specific
        <name>REST-Specific Model With with Dynamic Resource Creation</name>
        <t>The REST-specific REST-Specific Model With with Dynamic Resource Creation addresses the
need to provide defined
access to dynamic resources that were created by the subject itself,
specifically, a resource that is made known to the subject by
providing Location-* options in a CoAP response or using the Location
header field in HTTP <xref target="I-D.ietf-httpbis-semantics"/> target="RFC9110"/> (the Location-indicating mechanisms).
(The concept is somewhat comparable to "ACL "Access Control List (ACL) inheritance" in NFSv4 the Network File System version 4 (NFSv4) protocol
<xref target="RFC8881"/>, except that it does not use a containment relationship
but rather the fact that the dynamic resource was created from a resource to
which the subject had access.)
In other words, it addresses an important subset of the third
limitation mentioned in <xref target="limitations"/>.</t>
        <table anchor="im-example-dynamic">
          <name>An authorization instance Authorization Instance in the AIF Information Model With with Dynamic Resource Creation</name>
          <thead>
            <tr>
              <th align="left">URI-local-part</th>
              <th align="left">Permission Set</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">/a/make-coffee</td>
              <td align="left">POST, Dynamic-GET, Dynamic-DELETE</td>
            </tr>
          </tbody>
        </table>
        <t>For a method X, the presence of a Dynamic-X permission means that the subject
holds permission to exercise the method X on resources that have been
returned in a 2.01 (201 Created) response by a Location-indicating mechanism to a request that the
subject made to the resource listed.
In the example shown in <xref target="im-example-dynamic"/>, POST operations on
<tt>/a/make-coffee</tt> might return the location of a resource dynamically
created on the coffee machine that allows GET to find
out about the status of, and DELETE to cancel, the coffee-making
operation.</t>
        <t>Since the use of the extension defined in this section can be detected
by the mentioning of the Dynamic-X permissions, there is no need for
another explicit switch between the basic and the model extended by
dynamic resource creation; the
extended model is always presumed once a Dynamic-X permission is present.</t>
      </section>
    </section>
    <section anchor="data-model">
      <name>Data Model</name>
      <t>Different data model specializations can be defined for the generic
information model given above.</t>
      <t>In this section, we will give the data model for simple REST
authorization as per Sections <xref target="rest-model"/> target="rest-model" format="counter"/> and <xref target="ext-rest-model"/>. target="ext-rest-model" format="counter"/>.
As discussed, in this case the object identifier is specialized as a text string
giving a relative URI (URI-local-part as the absolute path on the server
serving as the enforcement point).
The permission set is specialized to a single number <tt>REST-method-set</tt> by the following steps:</t>
      <ul spacing="normal">
        <li>The entries in the table that specify the same URI-local-part are merged
into a single entry that specifies the union of the permission sets.</li>
        <li>The (non-dynamic) methods in the permission sets are converted into
their CoAP method numbers, minus 1.</li>
<!-- [rfced] Is "chosen as" correct here? Would "of" be better?

Original:
   *  Dynamic-X permissions are converted into what the number would
      have been for X, plus a Dynamic-Offset chosen as 32 (e.g., 35 is
      the number for Dynamic-DELETE as the number for DELETE is 3).

Similarly, what about "choosing 32 as Dynamic-Offset" here? Would "a
Dynamic-Offset of 32" or something similar be better?

Original:
   Note that choosing 32 as Dynamic-Offset means that all future CoAP
   methods that can be registered can be represented both as themselves
   and in the Dynamic-X variant, but only the dynamic forms of methods 1
   to 21 are typically usable in a JSON form [RFC7493].
-->
<li>Dynamic-X permissions are converted into what the number would have
been for X, plus a Dynamic-Offset chosen as 32 (e.g., 35 is the
number for Dynamic-DELETE as the number for DELETE is 3).</li>
        <li>The set of numbers is converted into a single number <tt>REST-method-set</tt> by taking two to the
power of each (decremented) method number and computing the inclusive OR of the
binary representations of all the power values.</li>
      </ul>
      <t>This data model could be interchanged in the JSON
<xref target="RFC8259"/> representation given in <xref target="dm-json"/>.</t>
      <figure anchor="dm-json">
        <name>An authorization instance encoded Authorization Instance Encoded in JSON (40 bytes)</name> Bytes)</name>
        <sourcecode type="json"><![CDATA[
[["/s/temp",1],["/a/led",5],["/dtls",2]]
]]></sourcecode>
      </figure>
      <t>In <xref target="aif-cddl"/>, a straightforward specification of the data model
(including both the methods from <xref target="RFC7252"/> and the new ones from
<xref target="RFC8132"/>, identified by the method code minus 1) is shown in CDDL
<xref target="RFC8610"/> <xref target="RFC9165"/>:</t>
      <figure anchor="aif-cddl">
        <name>AIF in CDDL</name>
        <sourcecode type="cddl"><![CDATA[
AIF-REST = AIF-Generic<local-path, REST-method-set>
local-path = tstr   ; URI relative to enforcement point
REST-method-set = uint .bits methods
methods = &(
  GET: 0
  POST: 1
  PUT: 2
  DELETE: 3
  FETCH: 4
  PATCH: 5
  iPATCH: 6
  Dynamic-GET: 32; 0 .plus Dynamic-Offset
  Dynamic-POST: 33; 1 .plus Dynamic-Offset
  Dynamic-PUT: 34; 2 .plus Dynamic-Offset
  Dynamic-DELETE: 35; 3 .plus Dynamic-Offset
  Dynamic-FETCH: 36; 4 .plus Dynamic-Offset
  Dynamic-PATCH: 37; 5 .plus Dynamic-Offset
  Dynamic-iPATCH: 38; 6 .plus Dynamic-Offset
)
]]></sourcecode>
      </figure>
      <t>For the information shown in <xref target="im-example"/> and <xref target="dm-json"/>, a
representation in CBOR Concise Binary Object Representation (CBOR) <xref target="RFC8949"/> is given in <xref target="dm-cbor"/>; again,
several optimizations/improvements optimizations and improvements are possible.</t>
      <figure anchor="dm-cbor">
        <name>An authorization instance encoded Authorization Instance Encoded in CBOR (28 bytes)</name>
        <artwork type="hex-dump"><![CDATA[ Bytes)</name>
        <artwork><![CDATA[
83                        # array(3)
   82                     # array(2)
      67                  # text(7)
         2f732f74656d70   # "/s/temp"
      01                  # unsigned(1)
   82                     # array(2)
      66                  # text(6)
         2f612f6c6564     # "/a/led"
      05                  # unsigned(5)
   82                     # array(2)
      65                  # text(5)
         2f64746c73       # "/dtls"
      02                  # unsigned(2)
]]></artwork>
      </figure>
      <t>Note that choosing 32 as Dynamic-Offset means that all future CoAP
methods that can be are registered can be represented both as themselves
and in the Dynamic-X variant, but only the dynamic forms of methods 1
to 21 are typically usable in a JSON form <xref target="RFC7493"/>.</t>
    </section>
    <section anchor="media-types">
      <name>Media Types</name>
      <t>This specification defines media types for the generic information
model, expressed in JSON (<tt>application/aif+json</tt>) or in CBOR (<tt>application/aif+cbor</tt>).  These media types have
parameters for specifying <tt>Toid</tt> and <tt>Tperm</tt>; default values are the
values "URI-local-part" for <tt>Toid</tt> and "REST-method-set" for <tt>Tperm</tt>, as
per <xref target="data-model"/> of the present specification.</t>
      <t>A specification that wants to use Generic generic AIF with different <tt>Toid</tt>
and/or <tt>Tperm</tt> is expected to request these as media type parameters
(<xref target="registries"/>) and register a corresponding Content-Format (<xref target="content-format"/>).</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t><cref anchor="replace-xxxx">RFC Ed.: throughout this section, please replace RFC
  XXXX with

<!-- [rfced] FYI: In the RFC number media type registration entries in Section 5.1, we
updated "none" to "N/A" per Section 5.6 of this specification RFC 6838, which states:

   "N/A", written exactly that way, can be used in any field if desired
   to emphasize the fact that it does not apply or that the question was
   not omitted by accident.  Do not use 'none' or other words that could
   be mistaken for a response.
-->
<!-- [rfced] We note that spacing="compact" was used for the media type
registration entries in Section 5.1. However, spacing="normal" is more
typical for these (see examples in RFCS 8866 and remove this note.</cref></t> 8801). When we updated
to spacing="normal", the two entries ran together; thus, we put each
entry in a new subsection (i.e., Section 5.1.1 for application/aif+cbor
and Section 5.1.2 for application/aif+json). Please review and let us
know any objections.
-->
      <section anchor="media-types-1">
        <name>Media Types</name>
        <t>IANA is requested to add has added the following Media-Types media types to the "Media Types" registry.</t> registry. The registration entries are in the following subsections.</t>
        <table align="left">
          <name>New Media Types</name>
          <thead>
            <tr>
              <th align="left">Name</th>
              <th align="left">Template</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">aif+cbor</td>
              <td align="left">application/aif+cbor</td>
              <td align="left">RFC XXXX, 9237, <xref target="media-types"/></td>
            </tr>
            <tr>
              <td align="left">aif+json</td>
              <td align="left">application/aif+json</td>
              <td align="left">RFC XXXX, 9237, <xref target="media-types"/></td>
            </tr>
          </tbody>
        </table>
        <t>For <tt>application/aif+cbor</tt>:</t>
      <section anchor="media-type-template1">
        <name>application/aif+cbor</name>
        <dl spacing="compact"> spacing="normal">
          <dt>Type name:</dt>
          <dd>
            <t>application</t>
          </dd>
          <dt>Subtype name:</dt>
          <dd>
            <t>aif+cbor</t>
          </dd>
          <dt>Required parameters:</dt>
          <dd>
            <t>N/A</t>
          </dd>
          <dt>Optional parameters:</dt>
          <dd>
            <ul
	    <t><br/></t>
            <dl newline="true" spacing="normal">
              <li>
                <tt>Toid</tt>: the
              <dt>
                <tt>Toid</tt>:</dt><dd>the identifier for the object for which permissions are
supplied.
A value from the media-type parameter sub-registry "Sub-Parameter Registry for application/aif+cbor and application/aif+json" subregistry for <tt>Toid</tt>.
Default value: "URI-local-part" (RFC XXXX).</li>
              <li>
                <tt>Tperm</tt>: the 9237).</dd>
              <dt>
                <tt>Tperm</tt>:</dt><dd>the data type of a permission set for the object
identified via a <tt>Toid</tt>.
A value from the media-type parameter sub-registry "Sub-Parameter Registry for application/aif+cbor and application/aif+json" subregistry for <tt>Tperm</tt>.
Default value: "REST-method-set" (RFC XXXX).</li>
            </ul> 9237).</dd>
            </dl>
          </dd>
          <dt>Encoding considerations:</dt>
          <dd>
            <t>binary (CBOR)</t>
          </dd>
          <dt>Security considerations:</dt>
          <dd>
            <t><xref target="seccons"/> of RFC XXXX</t> 9237</t>
          </dd>
          <dt>Interoperability considerations:</dt>
          <dd>
            <t>none</t>
            <t>N/A</t>
          </dd>
          <dt>Published specification:</dt>
          <dd>
            <t><xref target="media-types"/> of RFC XXXX</t> 9237</t>
          </dd>
          <dt>Applications that use this media type:</dt>
          <dd>
            <t>Applications that need to convey structured authorization data for
identified resources, conveying sets of permissions.</t>
          </dd>
          <dt>Fragment identifier considerations:</dt>
          <dd>
            <t>The syntax and semantics of fragment identifiers is as specified for
"application/cbor".  (At publication of RFC XXXX, 9237, there is no
fragment identification syntax defined for "application/cbor".)</t>
          </dd>
          <dt>Person &amp; email address to contact for further information:</dt>
          <dd>
            <t>ACE WG mailing list (ace@ietf.org), (ace@ietf.org)
or IETF Applications and Real-Time Area (art@ietf.org)</t>
          </dd>
          <dt>Intended usage:</dt>
          <dd>
            <t>COMMON</t>
          </dd>
          <dt>Restrictions on usage:</dt>
          <dd>
            <t>none</t>
            <t>N/A</t>
          </dd>
          <dt>Author/Change controller:</dt>
          <dd>
            <t>IETF</t>
          </dd>
          <dt>Provisional registration:</dt>
          <dd>
            <t>no</t>
          </dd>
        </dl>
        <t>For <tt>application/aif+json</tt>:</t>
      </section>
      <section anchor="media-type-template2">
        <name>application/aif+json</name>
        <dl spacing="compact"> spacing="normal">
          <dt>Type name:</dt>
          <dd>
            <t>application</t>
          </dd>
          <dt>Subtype name:</dt>
          <dd>
            <t>aif+json</t>
          </dd>
          <dt>Required parameters:</dt>
          <dd>
            <t>N/A</t>
          </dd>
          <dt>Optional parameters:</dt>
          <dd>
            <ul
	    <t><br/></t>
            <dl newline="true" spacing="normal">
              <li>
                <tt>Toid</tt>: the
              <dt>
                <tt>Toid</tt>:</dt><dd>the identifier for the object for which permissions are
supplied.
A value from the media-type parameter sub-registry subregistry for <tt>Toid</tt>.
Default value: "URI-local-part" (RFC XXXX).</li>
              <li>
                <tt>Tperm</tt>: the 9237).</dd>
              <dt>
                <tt>Tperm</tt>:</dt><dd>the data type of a permission set for the object
identified via a <tt>Toid</tt>.
A value from the media-type parameter sub-registry subregistry for <tt>Tperm</tt>.
Default value: "REST-method-set" (RFC XXXX).</li>
            </ul> 9237).</dd>
            </dl>
          </dd>
          <dt>Encoding considerations:</dt>
          <dd>
            <t>binary (JSON is UTF-8-encoded text)</t>
          </dd>
          <dt>Security considerations:</dt>
          <dd>
            <t><xref target="seccons"/> of RFC XXXX</t> 9237</t>
          </dd>
          <dt>Interoperability considerations:</dt>
          <dd>
            <t>none</t>
            <t>N/A</t>
          </dd>
          <dt>Published specification:</dt>
          <dd>
            <t><xref target="media-types"/> of RFC XXXX</t> 9237</t>
          </dd>
          <dt>Applications that use this media type:</dt>
          <dd>
            <t>Applications that need to convey structured authorization data for
identified resources, conveying sets of permissions.</t>
          </dd>
          <dt>Fragment identifier considerations:</dt>
          <dd>
            <t>The syntax and semantics of fragment identifiers is as specified for
"application/json".  (At publication of RFC XXXX, 9237, there is no
fragment identification syntax defined for "application/json".)</t>
          </dd>
          <dt>Person &amp; email address to contact for further information:</dt>
          <dd>
            <t>ACE WG mailing list (ace@ietf.org), (ace@ietf.org)
or IETF Applications and Real-Time Area (art@ietf.org)</t>
          </dd>
          <dt>Intended usage:</dt>
          <dd>
            <t>COMMON</t>
          </dd>
          <dt>Restrictions on usage:</dt>
          <dd>
            <t>none</t>
            <t>N/A</t>
          </dd>
          <dt>Author/Change controller:</dt>
          <dd>
            <t>IETF</t>
          </dd>
          <dt>Provisional registration:</dt>
          <dd>
            <t>no</t>
          </dd>
        </dl>
      </section>
    </section>
      <section anchor="registries">
        <name>Registries</name>
        <t>For the media types application/aif+cbor and application/aif+json,
IANA is requested to create has created a sub-registry subregistry within
<xref target="IANA.media-type-sub-parameters"/> for the two media-type parameters
<tt>Toid</tt> and <tt>Tperm</tt>, populated with:</t> with the following:</t>
        <table align="left">
          <name>New Media Type Parameters</name>
          <thead>
            <tr>
              <th align="left">Parameter</th>
              <th align="left">name</th>
              <th align="left">Description/Specification</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Toid</td>
              <td align="left">URI-local-part</td>
              <td align="left">local-part of URI</td>
              <td align="left">RFC XXXX</td> 9237</td>
            </tr>
            <tr>
              <td align="left">Tperm</td>
              <td align="left">REST-method-set</td>
              <td align="left">set of REST methods represented</td>
              <td align="left">RFC XXXX</td> 9237</td>
            </tr>
          </tbody>
        </table>
        <t>The registration policy is Specification required Required <xref target="RFC8126"/>.
The designated expert will engage with the submitter to ascertain whether the
requirements of this document are addressed:</t>
        <ul spacing="normal">
          <li>The specifications for <tt>Toid</tt> and <tt>Tperm</tt> need to realize the
general ideas of unambiguous object identifiers and permission lists
in the context where the AIF data item is intended to be used, and
their structure needs to be usable with the intended media types
(application/aif+cbor and application/aif+json) as identified in the
specification.</li>
<!-- [rfced] Please review "popular programming language APIs". Would updating
to "APIs for popular programming language" make this phrase easier to read?

Original:
   *  The parameter names need to conform to Section 4.3 of [RFC6838],
      but preferably are in [KebabCase] so they can easily be translated
      into names used in popular programming language APIs.

Perhaps:
   *  The parameter names need to conform to Section 4.3 of [RFC6838],
      but preferably they are in [KebabCase] so they can easily be
      translated into names used in APIs for popular programming
      languages.
-->
<li>The parameter names need to conform to <xref section="4.3" sectionFormat="of" target="RFC6838"/>, but preferably are in <xref target="KebabCase"/> so they can
easily be
easily translated into names used in popular programming
language APIs.</li>
        </ul>
        <t>The designated experts will develop further criteria and guidelines as
needed.</t>
      </section>
      <section anchor="content-format">
        <name>Content-Format</name>
        <t>IANA is requested to register has registered Content-Format numbers in the "CoAP
Content-Formats" sub-registry, subregistry, within the "Constrained RESTful
Environments (CoRE) Parameters" Registry registry <xref target="IANA.core-parameters"/>, as
follows:</t>
        <table align="left">
          <name>New Content-Formats</name>
          <thead>
            <tr>
              <th align="left">Content-Type</th>
              <th align="left">Content Coding</th>
              <th align="left">ID</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">application/aif+cbor</td>
              <td align="left">-</td>
              <td align="left">TBD1</td> align="left">290</td>
              <td align="left">RFC XXXX</td> 9237</td>
            </tr>
            <tr>
              <td align="left">application/aif+json</td>
              <td align="left">-</td>
              <td align="left">TBD2</td> align="left">291</td>
              <td align="left">RFC XXXX</td> 9237</td>
            </tr>
          </tbody>
        </table>
        <t>// RFC Ed.: please replace TBD1 and TBD2 with assigned IDs

<!--[rfced] In Section 5.3, we notice that the headers for Table 5 are
different than the headers in the "CoAP Content-Formats”
subregistry, and remove this note.</t> variance is pointed out in the text below.
Should the headers in Table 5 perhaps match the current headers
in the registry? Please clarify why different header names were
used.

Original:
  In the registry as defined by Section 12.3 of [RFC7252] at the time
  of writing, the column "Content-Type" is called "Media type" and the
  column "Content Coding" is called "Encoding”.
-->

        <t>In the registry as defined by <xref section="12.3" sectionFormat="of" target="RFC7252"/> at the time of
writing, the column "Content-Type" is called "Media type" and the
column "Content Coding" is called "Encoding".</t>
        <t>Note that applications that register <tt>Toid</tt> and <tt>Tperm</tt> values are
encouraged to also register Content-Formats for the relevant
combinations.</t>
      </section>
    </section>
    <section anchor="seccons">
      <name>Security Considerations</name>
<!-- [rfced] May we update this sentence as follows for clarity?

Original:
   The security considerations of [RFC7252] apply when AIF is used with
   CoAP, and, if complex formats such as URIs are used for Toid or
   Tperm, specifically Section 11.1 of [RFC7252].

Perhaps:
   The security considerations of [RFC7252] apply when AIF is used with
   CoAP; Section 11.1 of [RFC7252] specifically applies if complex
   formats such as URIs are used for Toid or Tperm.
-->
      <t>The security considerations of <xref target="RFC7252"/> apply when AIF is used with
CoAP, and, if complex formats such as URIs are used for <tt>Toid</tt> or
<tt>Tperm</tt>, specifically <xref section="11.1" sectionFormat="of" target="RFC7252"/>.
Some wider issues are discussed in <xref target="RFC8576"/>.</t>
      <t>When applying these formats, the referencing specification needs to be
careful to:</t> to ensure that:</t>
      <ul spacing="normal">
        <li>ensure that the
        <li>the cryptographic armor employed around this format
fulfills the referencing specification's security objectives, objectives and that the armor or some
additional information included in it with the AIF data item
(1) unambiguously identifies the subject to which the authorizations
shall apply and (2) provides any context information needed to derive the
identity of the object to which authorization is being granted
from the object identifiers (such as, for
the data models defined in the present specification, the scheme and
authority information that is used to construct the full URI), and</li>
        <li>ensure that the
        <li>the types used for <tt>Toid</tt> and <tt>Tperm</tt> provide the
appropriate granularity and precision so that application requirements on the
precision of the authorization information are fulfilled, fulfilled and that
all parties have the same understanding of each Toid/Tperm pair in
terms of specified objects (resources) and operations on those.</li>
      </ul>
      <t>For the data formats, the security considerations of <xref target="RFC8259"/> and
<xref target="RFC8949"/> apply.</t>
      <t>A plain implementation of AIF might implement just the basic REST
model as per <xref target="rest-model"/>.  If it receives authorizations that
include permissions that use the REST-specific REST-Specific Model With with Dynamic
Resource Creation <xref target="ext-rest-model"/>, (<xref target="ext-rest-model"/>), it needs to either
reject the AIF data item entirely or act only on the
permissions that it does understand.
In other words, the semantics underlying an allow-list as discussed
above need to hold here as well.</t>
      <t>An implementation of the REST-specific REST-Specific Model With with Dynamic Resource
Creation <xref target="ext-rest-model"/> (<xref target="ext-rest-model"/>) needs to carefully keep track of the
dynamically created objects and the subjects to which the Dynamic-X
permissions apply -- both on the server side to enforce the permissions
and on the client side to know which permissions are available.</t>
    </section>
  </middle>
  <back>
    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <reference anchor="RFC3986" target="https://www.rfc-editor.org/info/rfc3986">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee">
              <organization/>
            </author>
            <author fullname="R. Fielding" initials="R." surname="Fielding">
              <organization/>
            </author>
            <author fullname="L. Masinter" initials="L." surname="Masinter">
              <organization/>
            </author>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource.  This specification defines the generic URI syntax and a process for resolving URI references that might be

	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3986.xml"/>
	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml"/>

<!-- [I-D.ietf-httpbis-semantics] in relative form, along with guidelines and security considerations for the use of URIs on the Internet.  The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier.  This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme.  [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="RFC7252" target="https://www.rfc-editor.org/info/rfc7252">
          <front>
            <title>The Constrained Application Protocol (CoAP)</title>
            <author fullname="Z. Shelby" initials="Z." surname="Shelby">
              <organization/>
            </author>
            <author fullname="K. Hartke" initials="K." surname="Hartke">
              <organization/>
            </author>
            <author fullname="C. Bormann" initials="C." surname="Bormann">
              <organization/>
            </author>
            <date month="June" year="2014"/>
            <abstract>
              <t>The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks.  The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such AUTH48 state as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s.  The protocol is designed for machine- to-machine (M2M) applications such RFC 9110 as smart energy and building automation.</t>
              <t>CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types.  CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7252"/>
          <seriesInfo name="DOI" value="10.17487/RFC7252"/>
        </reference> 4/22/2022 -->

<reference anchor="I-D.ietf-httpbis-semantics" target="https://www.ietf.org/archive/id/draft-ietf-httpbis-semantics-19.txt"> anchor='RFC9110' target="https://www.rfc-editor.org/info/rfc9110">
<front>
<title>HTTP Semantics</title>
<author fullname="Roy T. Fielding">
              <organization>Adobe</organization>
            </author>
            <author fullname="Mark Nottingham">
              <organization>Fastly</organization>
            </author>
            <author fullname="Julian Reschke">
              <organization>greenbytes GmbH</organization> initials='R' surname='Fielding' fullname='Roy Fielding' role='editor'>
<organization />
</author>
<author initials='M' surname='Nottingham' fullname='Mark Nottingham' role='editor'>
<organization />
</author>
<author initials='J' surname='Reschke' fullname='Julian Reschke' role='editor'>
<organization />
</author>
<date day="12" month="September" year="2021"/>
            <abstract>
              <t>   The Hypertext Transfer Protocol (HTTP) is a stateless application-
   level protocol for distributed, collaborative, hypertext information
   systems.  This document describes the overall architecture of HTTP,
   establishes common terminology, and defines aspects of the protocol
   that are shared by all versions.  In this definition are core
   protocol elements, extensibility mechanisms, and the "http" and
   "https" Uniform Resource Identifier (URI) schemes.

   This document updates RFC 3864 and obsoletes RFC 2818, RFC 7231, RFC
   7232, RFC 7233, RFC 7235, RFC 7538, RFC 7615, RFC 7694, and portions
   of RFC 7230.

              </t>
            </abstract> year='2022' month='April' />
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-semantics-19"/>
        </reference>
        <reference anchor="RFC8126" target="https://www.rfc-editor.org/info/rfc8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton">
              <organization/>
            </author>
            <author fullname="B. Leiba" initials="B." surname="Leiba">
              <organization/>
            </author>
            <author fullname="T. Narten" initials="T." surname="Narten">
              <organization/>
            </author>
            <date month="June" year="2017"/>
            <abstract>
              <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters.  To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper.  For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed.  This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC6838" target="https://www.rfc-editor.org/info/rfc6838">
          <front>
            <title>Media Type Specifications and Registration Procedures</title>
            <author fullname="N. Freed" initials="N." surname="Freed">
              <organization/>
            </author>
            <author fullname="J. Klensin" initials="J." surname="Klensin">
              <organization/>
            </author>
            <author fullname="T. Hansen" initials="T." surname="Hansen">
              <organization/>
            </author>
            <date month="January" year="2013"/>
            <abstract>
              <t>This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols.  This memo documents an Internet Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="13"/>
          <seriesInfo name="RFC" value="6838"/>
          <seriesInfo name="DOI" value="10.17487/RFC6838"/>
        </reference>
        <reference anchor="RFC8610" target="https://www.rfc-editor.org/info/rfc8610">
          <front>
            <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz">
              <organization/>
            </author>
            <author fullname="C. Vigano" initials="C." surname="Vigano">
              <organization/>
            </author>
            <author fullname="C. Bormann" initials="C." surname="Bormann">
              <organization/>
            </author>
            <date month="June" year="2019"/>
            <abstract>
              <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049).  Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8610"/>
          <seriesInfo name="DOI" value="10.17487/RFC8610"/>
        </reference>
        <reference anchor="RFC9165" target="https://www.rfc-editor.org/info/rfc9165">
          <front>
            <title>Additional Control Operators for the Concise Data Definition Language (CDDL)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann">
              <organization/>
            </author>
            <date month="December" year="2021"/>
            <abstract>
              <t>The Concise Data Definition Language (CDDL), standardized in RFC 8610, provides "control operators" as its main language extension point.</t>
              <t>The present document defines a number of control operators that were not yet ready at the time RFC 8610 was completed: , , and  for the construction of constants; / for including ABNF (RFC 5234 and RFC 7405) in CDDL specifications; and for indicating the use of a non-basic feature in an instance.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9165"/>
          <seriesInfo name="DOI" value="10.17487/RFC9165"/>
        </reference>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner">
              <organization/>
            </author>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba">
              <organization/>
            </author>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol  specifications.  This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the  defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/> value="9110"/>
<seriesInfo name="DOI" value="10.17487/RFC8174"/> value="10.17487/RFC9110"/>
</reference>

	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml"/>
	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6838.xml"/>
	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml"/>
	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9165.xml"/>
	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>

      </references>
      <references>
        <name>Informative References</name>
        <reference anchor="RFC4949" target="https://www.rfc-editor.org/info/rfc4949">
          <front>
            <title>Internet Security Glossary, Version 2</title>
            <author fullname="R. Shirey" initials="R." surname="Shirey">
              <organization/>
            </author>
            <date month="August" year="2007"/>
            <abstract>
              <t>This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established

	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4949.xml"/>
	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8259.xml"/>

<!-- [I-D.ietf-ace-oauth-authz] in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed.  This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="FYI" value="36"/>
          <seriesInfo name="RFC" value="4949"/>
          <seriesInfo name="DOI" value="10.17487/RFC4949"/>
        </reference>
        <reference anchor="RFC8259" target="https://www.rfc-editor.org/info/rfc8259">
          <front>
            <title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
            <author fullname="T. Bray" initials="T." role="editor" surname="Bray">
              <organization/>
            </author>
            <date month="December" year="2017"/>
            <abstract>
              <t>JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format.  It was derived from the ECMAScript Programming Language Standard.  JSON defines a small set of formatting rules for the portable representation of structured data.</t>
              <t>This document removes inconsistencies with other specifications AUTH48-DONE state as RFC 9200 as of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="90"/>
          <seriesInfo name="RFC" value="8259"/>
          <seriesInfo name="DOI" value="10.17487/RFC8259"/>
        </reference> 4/22/2022 -->

<reference anchor="I-D.ietf-ace-oauth-authz" target="https://www.ietf.org/archive/id/draft-ietf-ace-oauth-authz-46.txt"> anchor='RFC9200' target="https://www.rfc-editor.org/info/rfc9200">
<front>
<title>Authentication and Authorization for Constrained Environments (ACE) using Using the OAuth 2.0 Framework (ACE-OAuth)</title>
<author fullname="Ludwig Seitz">
              <organization>Combitech</organization>
            </author>
            <author fullname="Goeran Selander">
              <organization>Ericsson</organization>
            </author>
            <author fullname="Erik Wahlstroem">
	 </author>
            <author fullname="Samuel Erdtman">
              <organization>Spotify AB</organization>
            </author>
            <author fullname="Hannes Tschofenig">
              <organization>Arm Ltd.</organization>
            </author>
            <date day="8" month="November" year="2021"/>
            <abstract>
              <t>   This specification defines a framework for authentication and
   authorization in Internet of Things (IoT) environments called ACE-
   OAuth.  The framework is based on a set of building blocks including
   OAuth 2.0 and the Constrained Application Protocol (CoAP), thus
   transforming a well-known and widely used authorization solution into
   a form suitable for IoT devices.  Existing specifications are used
   where possible, but extensions are added and profiles are defined to
   better serve the IoT use cases.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ace-oauth-authz-46"/>
        </reference>
        <reference anchor="RFC7493" target="https://www.rfc-editor.org/info/rfc7493">
          <front>
            <title>The I-JSON Message Format</title>
            <author fullname="T. Bray" initials="T." role="editor" surname="Bray">
              <organization/>
            </author>
            <date month="March" year="2015"/>
            <abstract>
              <t>I-JSON (short for "Internet JSON") is a restricted profile of JSON designed to maximize interoperability and increase confidence that software can process it successfully with predictable results.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7493"/>
          <seriesInfo name="DOI" value="10.17487/RFC7493"/>
        </reference>
        <reference anchor="RFC8949" target="https://www.rfc-editor.org/info/rfc8949">
          <front>
            <title>Concise Binary Object Representation (CBOR)</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann">
              <organization/>
            </author>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman">
              <organization/> initials='L' surname='Seitz' fullname='Ludwig Seitz'>
<organization />
</author>
<author initials='G' surname='Selander' fullname='Goeran Selander'>
<organization />
</author>
<author initials='E' surname='Wahlstroem' fullname='Erik Wahlstroem'>
<organization />
</author>
<author initials='S' surname='Erdtman' fullname='Samuel Erdtman'>
<organization />
</author>
<author initials='H' surname='Tschofenig' fullname='Hannes Tschofenig'>
<organization />
</author>
<date month="December" year="2020"/>
            <abstract>
              <t>The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack.</t>
              <t>This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049.  It does not create a new version of the format.</t>
            </abstract> year='2022' month='April' />
</front>
<seriesInfo name="STD" value="94"/>
          <seriesInfo name="RFC" value="8949"/> value="9200"/>
<seriesInfo name="DOI" value="10.17487/RFC8949"/>
        </reference>
        <reference anchor="RFC8132" target="https://www.rfc-editor.org/info/rfc8132">
          <front>
            <title>PATCH and FETCH Methods for the Constrained Application Protocol (CoAP)</title>
            <author fullname="P. van der Stok" initials="P." surname="van der Stok">
              <organization/>
            </author>
            <author fullname="C. Bormann" initials="C." surname="Bormann">
              <organization/>
            </author>
            <author fullname="A. Sehgal" initials="A." surname="Sehgal">
              <organization/>
            </author>
            <date month="April" year="2017"/>
            <abstract>
              <t>The methods defined in RFC 7252 for the Constrained Application Protocol (CoAP) only allow access to a complete resource, not to parts of a resource.  In case of resources with larger or complex data, or in situations where resource continuity is required, replacing or requesting the whole resource is undesirable.  Several applications using CoAP need to access parts of the resources.</t>
              <t>This specification defines the new CoAP methods, FETCH, PATCH, and iPATCH, which are used to access and update parts of a resource.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8132"/>
          <seriesInfo name="DOI" value="10.17487/RFC8132"/>
        </reference>
        <reference anchor="RFC8576" target="https://www.rfc-editor.org/info/rfc8576">
          <front>
            <title>Internet of Things (IoT) Security: State of the Art and Challenges</title>
            <author fullname="O. Garcia-Morchon" initials="O." surname="Garcia-Morchon">
              <organization/>
            </author>
            <author fullname="S. Kumar" initials="S." surname="Kumar">
              <organization/>
            </author>
            <author fullname="M. Sethi" initials="M." surname="Sethi">
              <organization/>
            </author>
            <date month="April" year="2019"/>
            <abstract>
              <t>The Internet of Things (IoT) concept refers to the usage of standard Internet protocols to allow for human-to-thing and thing-to-thing communication.  The security needs for IoT systems are well recognized, and many standardization steps to provide security have been taken -- for example, the specification of the Constrained Application Protocol (CoAP) secured with Datagram Transport Layer Security (DTLS).  However, security challenges still exist, not only because there are some use cases that lack a suitable solution, but also because many IoT devices and systems have been designed and deployed with very limited security capabilities.  In this document, we first discuss the various stages in the lifecycle of a thing. Next, we document the security threats to a thing and the challenges that one might face to protect against these threats.  Lastly, we discuss the next steps needed to facilitate the deployment of secure IoT systems.  This document can be used by implementers and authors of IoT specifications as a reference for details about security considerations while documenting their specific security challenges, threat models, and mitigations.</t>
              <t>This document is a product of the IRTF Thing-to-Thing Research Group (T2TRG).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8576"/>
          <seriesInfo name="DOI" value="10.17487/RFC8576"/>
        </reference>
        <reference anchor="RFC6570" target="https://www.rfc-editor.org/info/rfc6570">
          <front>
            <title>URI Template</title>
            <author fullname="J. Gregorio" initials="J." surname="Gregorio">
              <organization/>
            </author>
            <author fullname="R. Fielding" initials="R." surname="Fielding">
              <organization/>
            </author>
            <author fullname="M. Hadley" initials="M." surname="Hadley">
              <organization/>
            </author>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham">
              <organization/>
            </author>
            <author fullname="D. Orchard" initials="D." surname="Orchard">
              <organization/>
            </author>
            <date month="March" year="2012"/>
            <abstract>
              <t>A URI Template is a compact sequence of characters for describing a range of Uniform Resource Identifiers through variable expansion. This specification defines the URI Template syntax and the process for expanding a URI Template into a URI reference, along with guidelines for the use of URI Templates on the Internet.   [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6570"/>
          <seriesInfo name="DOI" value="10.17487/RFC6570"/>
        </reference>
        <reference anchor="RFC7228" target="https://www.rfc-editor.org/info/rfc7228">
          <front>
            <title>Terminology for Constrained-Node Networks</title>
            <author fullname="C. Bormann" initials="C." surname="Bormann">
              <organization/>
            </author>
            <author fullname="M. Ersue" initials="M." surname="Ersue">
              <organization/>
            </author>
            <author fullname="A. Keranen" initials="A." surname="Keranen">
              <organization/>
            </author>
            <date month="May" year="2014"/>
            <abstract>
              <t>The Internet Protocol Suite is increasingly used on small devices with severe constraints on power, memory, and processing resources, creating constrained-node networks.  This document provides a number of basic terms that have been useful in the standardization work for constrained-node networks.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7228"/>
          <seriesInfo name="DOI" value="10.17487/RFC7228"/> value="10.17487/RFC9200"/>
</reference>

	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7493.xml"/>
	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml"/>
	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8132.xml"/>
	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8576.xml"/>
	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6570.xml"/>
	<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7228.xml"/>

        <reference anchor="IANA.core-parameters" target="https://www.iana.org/assignments/core-parameters">
          <front>
            <title>Constrained RESTful Environments (CoRE) Parameters</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>

        <reference anchor="IANA.media-type-sub-parameters" target="https://www.iana.org/assignments/media-type-sub-parameters">
          <front>
            <title>MIME Media Type Sub-Parameter Registries</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>

        <reference anchor="KebabCase" target="http://wiki.c2.com/?KebabCase">
          <front>
            <title>KebabCase</title>
            <title>Kebab Case</title>
            <author>
              <organization/>
            </author>
            <date year="2014" month="August" day="29"/>
          </front>
        </reference>
        <reference anchor="RFC8881" target="https://www.rfc-editor.org/info/rfc8881">
          <front>
            <title>Network File System (NFS) Version 4 Minor Version 1 Protocol</title>
            <author fullname="D. Noveck" initials="D." role="editor" surname="Noveck">
              <organization/>
            </author>
            <author fullname="C. Lever" initials="C." surname="Lever">
              <organization/>
            </author>
            <date month="August" year="2020"/>
            <abstract>
              <t>This document describes the Network File System (NFS) version 4 minor version 1, including features retained from the base protocol (NFS version 4 minor version 0, which is specified in RFC 7530) and protocol extensions made subsequently.  The later minor version has no dependencies on NFS version 4 minor version 0, and is considered a separate protocol. </t>
              <t>This document obsoletes RFC 5661.  It substantially revises the treatment of features relating to multi-server namespace, superseding the description of those features appearing in RFC 5661.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8881"/>
          <seriesInfo name="DOI" value="10.17487/RFC8881"/>
        </reference>

<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8881.xml"/>

      </references>
    </references>
    <section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t><contact fullname="Jim Schaad"/>,
<contact fullname="Francesca Palombini"/>,
<contact fullname="Olaf Bergmann"/>,
<contact fullname="Marco Tiloca"/>,
and
<contact fullname="Christian Amsüss"/>
provided comments that shaped the
direction of this document.
<contact fullname="Alexey Melnikov"/> pointed out that there were gaps in the media
type specifications, and <contact fullname="Loganaden Velvindron"/> provided a shepherd
review with further comments.
Many thanks also to the IESG reviewers, which who provided several small
but significant observations.
<contact fullname="Benjamin Kaduk"/> provided an extensive review as responsible Responsible Area
Director,
Director and indeed is responsible for much improvement in the document.</t>
    </section>
  </back>
<!-- ##markdown-source:
H4sIANOHMGIAA+1ca3IbSXL+X6eoxUSsQS0AiiD1gnZmlyKpGe3qtSLl2fXE
2GqgC0CPGt1wP0hhKG74ED6Af/gY/uW9iU/i/DKrqqsboDRjOxzh8DJiRkCj
HllZmV8+KquHw6Gqkio1E32c6eO6WuZF8mNUJXmmn2XzvFjJ56f8SfePnz3d
0/RYH5+cqWg6LczlBJ81/aDifJZFKxoqLqJ5NUxMNR9GMzOMkvkwjSpTVuoL
HdOHiR7fHY+Hd8fDgyOlyirK4n+I0jyjH6qiNkol64I/ltX47t1Hd8cqKkw0
IYoqU2SmUlcLmfXbvHifZAv9dZHXa/X+qmkyPAUNahZVE11WsZrlWWmysi7t
FGU9XSVlSWurNmua99nZxVOl1slEaV3ls4nemFI+xmZdLSf6iL6VeVEVZl66
X8vNqvmqLk1WG/RfgJoJc9NkVTITFtIiOwwGH0+IrqqIkszE+iy7TIo8W1Gn
UveJc3s02CpK0ommL78FP0d5scAMSbWspxM9i6b5vmWxUhGPDgrwN7T/ap1k
ROLJSD/BJmaZfy6bdRIVZWWyrV9ppol+myWXpiiT6i//WuknhSHa9MXfPfON
iHZjiMWv87KaR7OlPjy8e3R01/8+S6rNxHZsHuYxzXs6HD88vPcoeFpnVUGt
vzYgZON/WC9ZMn519Gh4ND4Yjg8eDu8fPhof+AZGeARm/Lb6MWEeqUxk95J3
5M3Tk8NHD+9PdF0k8vXB+N6YuuTRmr4/G56OWFqXVbWeJuWwpCGxc8Q3PGq+
S+eHB2MaK4myCGIlz+4/PHw40SsTJ9EQIjUszMK2vn9wl6aK41S+Pzq4f0++
r9Oa5CZxeuZpPXp09GiiF2leugnH9+jBD2WehdRi43Ns+hD/+5GlRB6QnrWb
xVVaDiMrfdBQ/j4zWw3zcpYXZrgu8nkCVMD3aM1NhW9Hjw5p6UNLC2hjYmfT
vHDMOSTOrqNqtrQP7j0gbpVmFjDr3oO7vBnDyqzWjA1uW8bERVLhFRZ6/PJ4
JOREBckqPS4n7nnAadLlTovfm2k0PYlKI8pQRcUCUoq9nOzvXyXvk9FsTEOv
9n/jm0pLwcL2QwdZB0fDuw+H40dKDYdDHU2huLNKqRAoSQbrSl8tE9IFKH+V
mFITemnP/JhARa9NgT7UMKpUTt+4d6lpBOkLXlHvmrEgn+ucsKRoRkxoUD0r
6lkSpYRtqzWpSFahIe1cTI8JFKNM56S8UZoSUJGKr3RFs6Er7UVdmJEG+lya
DTVW68LMkrIhU1aTBCujfqZcG8yYbmjuBMiWUhO9TBbLdAP4yaktLVCmK/UV
wZROwXyd1aspbQ4odIsY6LKmlUYl0WVUzyE3mlwsiaayN1KKPhG9mHbugJRW
eJnEYKtemMwUyaxF54rQJWW0lWf4RxWGFlhiZmKMTHvbQgeg6MoQ10DZVa4v
o4JUvSoVERZ5WoCqFUBBBqDfmLvNnLomdjIH3pydX2iaPq+LGQk60U7d5gkx
arrRb988g7Isaa3f/X1CCJgfDL+ftOzCqblMZlgvc2rD4kSDx+A9PdC7WKcz
Y2KWXt5sgmG0zouYpIjkT0TOkJgVtPEVbSgYRjy6hBiRZaTxR9z9VWZ0QvJV
YLHapEDySpbrJIkHL2X9saXVkuYtNlsURx0TBzKmJHDT1OBjTGyNjZX+QCMK
8481eQ7Unuc0K1nUMq/TGP2hKNSxoAaNig38DFE5M0Q6k0PkQdLQv7371M5O
w0T72XWcg+3rNfGH2uA3Uvg6SnkMR1mBjYkaY0/TyxzE0VvIEG12vOJNXUXv
TTgsqwp2minKXDOSEJPFJm7EZQxxYTUh/6vm3YnNPEEPEXQrkwO/+J/m5sn2
0yfsrYxIDCfKebmieqT/JKU18YQJpa4zQp2pFU8ogbfkcTKf0y4RdeCn1eUS
TBJmlbfrFvEtzQthZFuXmMdgEO2YdedKETUWv9WARpqldcxan6+MYEfpnK94
Qy4QUIwBzTB2+bFHAvOrhAy1AchXjKygSH0Z/IV6S3hFYlJEWTnn/QXlgWBu
g+q8yFcA6nYLYlq0MIXqO4CkFuTuDl9h5zrbd24KAnl9fd24Azc3eyxzVsAI
0NhEkOhqj4PeA12JSYCgQqoaoaK1gKlZnuaLDVjh/iwor8wqxz6XbK5LWcpJ
fvwatMBpuLnx2+MB6tzhxddwbqJig8bs6NzcPJbeNLSTHoW+5gM5CFlU5dTY
fIjIXRAoTCqxgos8p8ZJteVOW9hkI2IIMaK1gU6RNY90Y1QERk9OT58z3bTZ
RLf9BP/s5mYUMuK2WUIlofFoAHAFnXn296S6V4S+pe69eHt+0RvIv/rlK/78
5uwPb5+9OTvF5/Nvjp8/9x+UbXH+zau3z0+bT03Pk1cvXpy9PJXO9FS3Hqne
i+M/0S/Yid6r1xfPXr08ft4TeA4hg5GGARkIU5CUQBmiUpGhJVs/lWU9OXn9
7/9ycETL+wU5a+ODg0fMrF+w2/fgiL5cEQrKbHlGWiVfgVyK1N5EBUaBRzKL
1kkVpSVbW0LzK3IjCB6IXXe+A2cI0349na0Pjr6yD7Dg1kPHs9ZD5tn2k63O
wsQdj3ZM47nZet7hdJve4z+1vju+Bw9FLCAjujfdVAZbxOF0wihEjkHvCT1z
ykBcS8gkZPmVnlFUTH5WsVEIaI1Fzk2WZ5sVS2cvn1WmgvMUQvsLuEUt4LLo
1YIT8VUttqdQOOAFKKiWFNUulgKjrEMe+UvF0I+es2KzrvJFEa2XFlfF14x1
nyhjZFwlVSUriuyP+irakLm5sA6FWN6kpIWWYvZ2+Hc1GcEihesq+B9t0jyC
jyC0MIF9Yk2+XuelmA60a9FHFK+IqogWRvKaVHsOKly0Z12OT+B3oPLQJ9XW
Jzb1c6D3HeJFfjVMk7K6M1HkZRWbCq6QwEYGFKLoN0ktqgHzEoqd4ZehI9v7
p+Ag1loXWFPZOGGhe8zaFrInmhE8lfCTCNdTYZ+6SkgHpy0SbTtaWJF8GFhH
bEFBKcuXOJeBmWV8Ngj5iZgygRdHRmaaZN4fpl719AfaT4YDRCP8baS+Ncye
OfGqdBsIP0OQGYFKzsJBv9GoBcm89SZbJDrryA2W2Oo50hhTQ/+D6AG+ADPR
NElhccD7vQF75BSiISFELlnmBMORCgWSpeNpQ1EChC9rbMQxx17IJ5GjlsG+
gnjGqGnjmEeQau90+vFFolTUVjqoObki02RR53VJux7ECH0zWowYJinGrbxI
QnTVlui6gEiUhNpaHnX4IJaTP2FXo4QjMyUb1ExOT/uYj4Js/e4iT+J3e7s8
rrARHlOrcMm8N7yBdoJ+uRcskCj/85//LPkRYuTwa1nCrzHfQPOAX+kv9Xd3
9HfBo++/Ry91PdFf0JqjZC6h+5e9U2hk4mTQDoYd6t0AEEMvk3dXONUPQlF4
26R2Zd5yEVTLXu6Jmm0xTPcdn1jDnEiqiKD+QwXIJKEeeCbuUKu+56HTUe+z
UUBHdiHSUzIF1BFKUZMEB7+LMZBYm9ZkDBlnrHLIqyS/sMvsc8eLL3XI+4oI
HeiaXIGvPJvBjIDPJ/lqxSaeBd57VwF7Lc8VXPahf8p2SF9/QSRXlqzQuWyc
zGei85+Kt80t4YAKGepDgbnFz11SbneN4MEoxO1oh8icV+TGF1hiJ7Vkr3uk
aTlFQyMM3gC4NTNCBimsNyIYThIwMvHGSgC77/2eRYRqA+dMkf9IfjIceSDl
lTOvrShTxzWkqc0Dh5H96+tzMaXqaDQejUHFsJ3LtP65b6jvSzObHaXJredG
kF6LOzCH60ZSIZhJEVO6IvXO4lRcllss7GPiKn4rzDx3uE+8ZO++h9xHj9aP
f4fR1KzWxAKBmR7ha0H82GJj/w79f5jmxHAk/qo7Xj87pjAqAw/GEvi2SIav
I4SxNAW+/AGzkKPAUKwQDNAO79He/mygZ+OtZin83KtlLkkRY9OPBORwHGaS
QFnnxMY9u6hu3q1U/SyvjLcexLQVzUGTrnLxKzIGKTtwY2SiVce0SLANLyof
aDEk4nglVS0NOEO1zFc5TAcZH2WzEnuhx7ELn6ArnOPCaIjKWs0EVkGZgpkp
nUWwiOd1t8/qRPN8c3Hxeo+CSiKeoiQeCn6idQtlOGxwvSLfl9OoHGYlq6EN
CjnW+qjbkqE/6teeKoo+6QG12S/3kXdGouCj/vrsQgd//Hu0D4mW31+/vRgE
jfh3pM+1+/3V+UWrP8CyIcvh5XE3yBc8mxnn3EC2thx2a7RYtu2AAx/YEyPn
QC8YlxXnrOBMIyogfr6zi3xn859RPGS4FnzAIM/PTiWdVXFzXjO3hmLH+1cE
RkZMVaTe8ZLfNTCDZrxyGY9Yf1x6i1XCB7PLCo1sxxgNLIqEKQnOsrJkeFGQ
dG/MAJgmJBbOnc9LqyLL6NI4ZJZuytrAiDZ+QQ76Y/ifZIGJNzbhh6mFLKta
mcFCkJLgdKAlSnVcXhokJ/BkcXUk0uKfgy67gO1UidWP7ShGdgQefqkJMiU9
3XWySwwswZSzWZw0FTtWOr0mwS+9jWvZXNUynSPJ6a6SxbLiEACQKyxlBsUB
a6r8KkLSgsZW/qRGi3Fqjm7IkPQxsZPogc0wZ7peE987iOSygtof2ejLKK1t
UidTXnKvf0Ot7ty8IyT6hkIgMpMD2W5kSJMC+U3Eoi4B7E5Q5pI1ioBMWez9
ari+JFornEtxWMSxTcb2JFpEoN3HOcFagZZZOzoZfW5X2Xfk1DGhuGyvM0M4
aiGCY3ZQo5RxzFrsaQSDQoNgv2l36wrLkvDXbvvM+T7WkS5dcNADt2VVcY6d
KF3cqJO5P/YBNQSN703cY3SnWI0dlma/PdFW6TT2yR76ODqxf55RjevlUwDe
YeMUpA0CnJB24yHl0q5wadM5bDQOIZIcHkJzCNBnEAbeDGArXh9fnHyzn/A/
kEY+bISzxNJPM1yRyVShV+bTu05BXHBCE3IyHkq8y1H9FubxVPLE+o1DvxOM
hq24/oJ0ZvgZX7YFBx3d/GnTRHHMTowclblDBbdJNgmh7AbhMMWO1NkesMVz
wrpDjhGyAQPV9mUD59dJ0SqiKd9nyNh1YufpRglJkMTnuUjr8I5zrcTzYJCm
QdfwqzQfk7kcgOuilmR/CBbIN0/ZzDPY0j5v+a/9sNswIb3CRxpuZWbkJCXl
Cn5MH1zneH8tx58EG+xSc1a8cCdQveOT5zQbCUPCMMZZ0pdPzy+PyB3/DVKc
Dx8e3NyQKH/gkZzL55VGnCEkWghO2MsrTCoSvEzWalqL6M+RiPeK0N0q8ibL
Rlr5eCDYg1w1yYkmvnYYMtqDsyCHS5xtHoC+RngIyZqjvLYzRh5GEavUmzEN
+ulf52c1v5Q/0dHa8Wd9Kxx1DWdwXoz1nwZO9ofkaDVfTs+en12cbblUQ8ez
/5Zr9Rmdg+f1lKFOrLz+owCl+AUzG+w6Sv8YWG3qEGXlNtQt89R5tqXzQswH
U/C5O2OwnQhGoKO57OEgtUWIi6DfhR7j0d0D3R/T/05EZPYa3eJcwSeVQyC6
Ofq0B6ROsFjTfaxn+QNvHm65Dc+dlysp/I5L7jYKSsPOYqvSQb1ry8I765PI
Cnn0NPcmL1SD4NzOGxAJ87UVq1UEK29ByzpY8OFpNYSVsUKRhpRq8A6RZMPg
zMXdtWJHbWeQonQQjDwkgmHE/UpIF85dwM8IYBWqcTY7OWKf4rZHpTG5QDOb
2xEpYMXDRtmhdglZObCBIdt1OWeGsxhltlLEZpB1SQEeAcbUVFfwyjEeeRoI
zVuenrh+bBbUFiTNrE48ZvHwTX1QFqUUApesGvWK9wKJiN3KkZRWhSri3Cl8
qu7JBD32Z8VB9GDdEJ8z9ewT7jrDbjOgatstE3+Pdv3SjJqoyu4GR7Mcv6BZ
N3LB4Nbdg/Xuxtis1ST5gR/gcisd9+CG08fucCMeeKGYRRYEtlOKLq3h3EUJ
+Hw2URHB4vqJtbm0OZIOPqPbtMzTujJcb+IURhJQCv/wKBRnbqUpRuy3BJvI
6cc2WeLtScreBl/v2NMRVCOzXb1zPsc8h0byoXxl1uVEqTsaM9CMRdIUj1Ri
maHC4pVsfJaja33geK5MseCaF05QeWIw6CYcJbGHSnUWJBLbiyNvUCjqZwSd
Vh+a7ISlr9NHDsBQUVXIARdZa42GSRGGpq4UakBwlxHqHGCunSq+Y0BJBWJy
y+MrroOBeaC5+OwDskq2CmfXgQ6+ms+xaTMEzSyxh2MXPBzes4kqGsGOijE6
RtjmxsMG8gP1Pdxz/LIehav2Ssou/T9NRhhjufhKzA9RtqZopuDyMZw59WMz
46JSNnktxrLiwbOrK+dYchFICc149cadwBC3KP4hyejkH9jUpKlsMM8p0amL
+gJUmLkaJD4yh01dNEVZvzt/9RJpXBRKEhp0Ci8Ei9hcxivbRnLzXFj53Xc9
GwT3BgffD+gbZ2d6g3v8BbmY3mAcnIHYQT7vEZHrksdCJSjU/aO7GufP5Z5N
NV1fo1xb6iDg/3OhA5ll2nHkAjq1eFZ7GqaoflNxw8VCjWNjS0S2q0MycyUV
TvhdNfHcQLdL5QIfCYtw+rPHUOT8D1RyqFsqOSbM4eD4gxNN7aMPByrVcqA7
svmVan6kXjgkIaf2McOtx144dV0AVZ2BqDPOVvQIJzmOO8px6Uv9yz6JJ7kr
E41KanhOE41yZ4qCJ3pMH0T1JvqQPj89oyhY6tM5IJ7oe8BA+/k+Wje+NXUZ
P9Z39YjhoQ0OQUuZ8vDwsT74bFPQdHj0WI8/19ITfe+xPvxcY7uqw/uP9dFn
SZClHj54rO99rq3jy+HDx/r+7sZ7LCSsVk4VvF6hGk5kzMUH3fKEnY6wdwe8
sqMoq4MJGPgJARREdpoX1Ifkug0U8vyxJKwoVjdc38sB9so5Rvvkp1AUbuQa
AUyIO6AXgFmaD8O4Xq3Vw8NdMRr+vqBuRbTpH+ICgn44/mSj8Z4txL//YFcj
eCr9B64N/Y3nDw7pv6P79+7HD+5yGw92thWFMztGqjPJ5fYPfh5Z928l636L
rPsH9N+MyDqybRzqOqrufZKqez+Pqp2DMVX32lQdEatmDw59Gwv/jqgd8wVE
jfdCEwHx+VkmguWxP34YmIiX/mCKfImcczfkSkRdLQqDYJjTec2HE/CDPNCF
BaOFWSCwRKWQf9Ica7uyUxzklia9NKWCPllT2zhPtlR7oJFr4eR6mGKBkrJ9
dwQcKELr8YEU62zWNlVYl+x3cnzNNpIr9Ukrk8ZQv8DtA32xWRMlrWqqHfXq
rhqXbyxwnUTZjVZCBFFsRwfBwaW31e+C0tl9wqZfgZ53nPb0m7XVBpv+DseZ
F3zQGFLBbmNzc0LCHPG0sa9yKM7IZQ/9HmMxUZ1WPmUvBcrKfu213fIejxgM
0+sYQteAB8dxrZJAKjwm8h66SEObuTh36rBbMp0o2IctRkQeFIHIcWdTiyy0
QZj2G0JsBRZH5Z3acKm3a3jYHGKUqo8AEFKMGIaP7rPYyzUnBgvJzbBzdJKj
krsaupLr6+uZfSKSIMUauOrC5abNCcd2DZ/UIJO+pCgB/kB/3289mOBYX5/F
o4m2lXyS/AgjYDJUiEJtP3SwIPNH+hPO8dkSDWRd7Z0VaHbdq5zjaDl3MB2d
aVd6YJFJWOqPQCGOO7Ei9x9yf5eV6gVj9iyviw2nJ18iSsTfR31hT3NaIPlR
vzEsBDPTxU/OUzrVoYa7NAr9iQ/gzIAEtrmNhLS0688u+XZ/+/hT/QmwKa5e
ZF/2UjMnNbGg/ZI85XDJ1gfZrfPk7dIw5TrCbaAve7YEnPqgr1z+U5OQOKXO
62nV+tGOpdQbOXOLdXjRaqJf7h8r9Wotp1md3+5Y7Zq0zrBs8BikOpqSu07s
Kzc9aq5giO11BAEeiSQkHnCMC84TcSHMCUMAQTLEaYhgk23I6rt9gf5pXgWj
wqSJdHg6Tkl2ciLtlfF0QQhzSfsWtWj5Ly+HKdq9ni2IbS3oDMYd2tQ+NsV+
2Xi4DzuyR7LgSvW3W15f29t8gs5ufL4kYQpOjdpiw+2+GUV6Sr2up2lSLk0n
npTB28rQmuA4vDvCSC/VWkkIyhhlu6E7NeOExKapXu5ez+AdnvNtxmDvfD5+
YAfg7JWRuqRAbnGuWkQLjv0Ckd/mA2dLNuT7f2C8bNUcz7dHkCt/4a0FIbEX
qj5UtUeWvn9MgSc43ETpDdgEaWPqvzWV7WJJC7OrO6YiMXlNtFH7X8otXHfY
ZBldRVa/53XBaenAz+Fdwh3ur/mOM/jJBan98K7zHq5SUX9cz27vKZj2xpDW
XiQE9MeFQb13UTU9RRo5UU0e3YKlAuX6r14CzWClZ/7OpW8g0ikl8fsnnNFx
ldOpKdBCLoq/dveICPWsavpFEV9vgWV21/6HYJnzRH+F5f8/sMwhAKnt24un
w4dDF6QhYvwrWP9fBGso8P8SWMtUfwXr28CapnBxmwoDE5ffC2PmncEAF0nu
APvB7thGzqylOqqBEARYXPr96fcbkJY5PMMByS5oKtV26E7hXb6uUz4rx0wT
BEmvPZh9ZOPSDpBO+eofW5H981aEtx1CUcgTxHTh59uefKoFAiiswM3TOe2j
J8E3Uhhk4DshnFciCeeYCe6XTjb+ozu2atWdhvmn9mg/KThreMth2sXStGSP
doOkhe/Nt1lbOIuOhJN9wwjfQYWVM0jr8RYiP0Fr5xNrky1II5oAnd9tU1Vy
0z+8eW6UHX3lXiuxfQnUVQvF/lS2BfplN6XjciYOsXEpIPnR2DM2d0ucAItv
aIXXnHZdxOC3EDTGm0vH+UTXlmBkfPB9xajoKnval7QcjMhl1poP2eWSuZzE
NvfVQXHp23HOz7PQDxOoPg3R/1nav8cVrY1Zsnugt1JYwufGs4AqlqEN5Awk
fWzuahyNDlF/qfWw/coZnCwg+UmyO4dlT+V1EXyA4N9qQhBScgJlg2QrDUKb
k6RcBc1XNAUl+LxWSHF3HQRCClQeLojYFcoPtE4JeWtI4PHrZ+669Zao2urw
2FyaNF97G4P3iJgCHhgxcVETt1JOlkalclfSVTtV1qmwvCV95PNunTybP5m2
r87ghHS7Tdlr4fLAArNr31z9BlzM61S139t0kr852wu1X79xCG+hvfNKGz4M
KpUkukrGZUcQA0kDafYx/cu+4kf97HQbhm9LVw27AHnx5PRgCydvyVXt6jz+
6bDYZTAB4v5+k5HsJB6ZMMgDT8I66er4acXlbflFW5Hm7WkUvLZiE6jOwZh1
R/tjaCmoqOCakErh3gNf0hPESetVxtvuN6THZQ1yw9QmICt+7G6fdTrZ7Wp1
c/4+bmk3JyrRlh/sxXgH4jYpeIVooCbn0KZOUX9+iwI0Rw+FSc0lubEquLYL
7W1iiXbeWV9/4QKJXSlod/xhmnfCbFXmh2f//FIVvB7AvWKEMQabraCTDNoD
VK8jQE7NB/uuitK/NIjvO/hX4QRWiVxt7/O0asADETgYHQQiMFLnuElwBWLl
mq+M7Ou07CsdfCBFbPoWpPMqbJVJaRyJ7l6LKCXHHi0THxgeNaN5CEPoG9tb
vKLO3Ryvdt+m08hm5xu+EMO3f1kHZGrECHU6J6AtP03D3wSv7hEzjIve7mKq
nVymw5kQcYeGJtfA3ltovxiKCz7cSwoaG9qyzTCeB3u33XL218PYIeAyJ1fl
3LkYh1f/4DxR5Afk9sd7wSuhso33EkIaxZbIe4YKW+DnY0a5GRKkPjwBnRPS
knYMrOSrOlxq5jMEuy6VWkkd2OivXShTtutCbznfElEqZ0ty2awb4y+Kthbo
qvPr0jsN4unIIUpNLCOF2RNfaIegSXDTVaUQbtxtA+Ec8b/I1wXeVsHsgFsA
muxrpGbykh32MtrAptsuqHOJmj6ffecCvztApNw6dzwJiEo52cVvSOOKaV8u
yO9D4BdN2rpariLDIvclMsAdeL59ZN9mg6vzPnr3t218YkEO99ovbuMLacGt
SZebaCDh08hoK8WwQU0JCMs5n3KSbUy4fl9eweWTBVAzKZz2v+kfavsqKyn1
5ZpVezdpV63qSOtnc+gubYKRNz6030/A/LV63koHBlmdz19sUTvuz2wVyPKV
BY+QJoGXSGGL6OWWxw9tI0O2AUohfcFn/laotuh0dzUaYRht3ZeQbXLpnfA1
Gplu3uHBvoUzDopLir27jjJ/fpeNe48cdm/Xxv0Ulvl7CeoTLGvYZa0J8eC9
MWs487P3ruBx18uunGD79xHU9kELgn19RYulgsD/8U//LNUZrXJiLVfXfClc
p1xWqjdcxX6aMOzZHrhZtDvvrKPLKEkjKWQiz5+Ee/aeeDtDF4KChWDKlnMC
x1TcfhN/2ctyeJ/X19e/S1b6fLaMoviGpA5PnhaofylnEXnvKTtFifvpVRrN
9RNTLPCKVPfwRVTMcn2RIBfBz0R1r0+WBclIgnuDq/Iv/4Z3W90of42V/BnB
PilJxosTxG2Mk8K6J93AfIRRj8kJooDthUmz5H1+SWNKcSG2sW5ub+B1Afjf
Ilr7KIdDRMU5onYwP7BladfP80WURWS89N+a9DLJ4gJYdBNcviVKzZqGjxXu
55FPz3beh3F2USP1AiYYN9Tfl+KI2qP6Z2fnX2vpysXPdovd+K6UrVyRgPJV
KTj8TCleNziFXDkXleh9YrIfSCYz/fsort+3KfUXfS+NnRCaaK/F8ItqkIBU
p8zuvBAe0JKhv0m7Id9VhRUPaur8xWa/OSyM87Sez5X69S/oM9+6Sb8Fokz0
jncitb06xJNXJFecxeJ4VA+HX+0aCdgX3mdt3SQFSPEZAc5vbx2iVSrYeadG
52KqjPGf7uZ9eiJaAAA= [rfced] Terminology

a) We updated "Constrained Devices" (capitalized) to "constrained devices"
(lowercase) per usage in RFC 7228. Aside from the usage in RFC 7228, the
lowercase form is also more common in the RFC Series as a whole. Please let us
know any objections.

b) We see both of the following forms in the document. Please review each
instance and let us know if any updates are needed.

location vs. Location

c) Does the following need to be capitalized in running text?

Current:
   REST-Specific Model with Dynamic Resource Creation

Perhaps:
   REST-specific model with dynamic resource creation
-->

<!-- [rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed. -->

<!-- [rfced] XML Formatting

a) We note that URI-local-part appears in several ways: with quotation marks,
with no quotation marks, and in italics/underscores (i.e., <em> in xml). In
addition, we see that REST-method-set appears with quotation marks in some
instances and in fixed-width font (i.e., <tt> in xml) in others. Should the
formatting of these terms be consistent? Let us know if any updates are
needed.

URI-local-part
REST-method-set

b) The document has two instances of "allow-list". One is enclosed in <em> in
the xml but the other is not. Should this be consistent? If so, please let us
know which form is preferred.

c) In the xml file, <tt> is used consistently for Toid and Tperm in general
text. Should <tt> also be used for "Toid/Tperm" in the following sentence?

Original:
   ...that all parties have the same understanding of
   each Toid/Tperm pair in terms of specified objects (resources) and
   operations on those.

d) The following appear both with and without <tt> in the xml file. Should
this be consistent? If so, please let us know which form to use.

application/aif+json
application/aif+cbor

e) A question about the use of <tt> was sent on 28 February 2022 to all
authors of documents in cluster 442. It seems that the cluster authors decided
to use <tt> for claims and parameters. Please let us know if any updates are
needed for this document to correspond with that cluster-wide decision.
-->
</rfc>