< draft-ietf-ace-aif-04.txt   draft-ietf-ace-aif-05.txt >
ACE Working Group C. Bormann ACE Working Group C. Bormann
Internet-Draft Universität Bremen TZI Internet-Draft Universität Bremen TZI
Intended status: Standards Track 28 January 2022 Intended status: Standards Track 15 February 2022
Expires: 1 August 2022 Expires: 19 August 2022
An Authorization Information Format (AIF) for ACE An Authorization Information Format (AIF) for ACE
draft-ietf-ace-aif-04 draft-ietf-ace-aif-05
Abstract Abstract
Constrained Devices as they are used in the "Internet of Things" need Information about which entities are authorized to perform what
security. One important element of this security is that devices in operations on which constituents of other entities is a crucial
the Internet of Things need to be able to decide which operations component of producing an overall system that is secure. Conveying
requested of them should be considered authorized, need to ascertain precise authorization information is especially critical in highly
that the authorization to request the operation does apply to the automated systems with large numbers of entities, such as the
actual requester, and need to ascertain that other devices they place "Internet of Things".
requests on are the ones they intended.
To transfer detailed authorization information from an authorization This specification provides a generic information model and format
manager (such as an ACE-OAuth Authorization Server) to a device, a for representing such authorization information, as well as two
compact representation format is needed. This document provides a variants of a specific instantiation of that format for use with REST
suggestion for such a format, the Authorization Information Format resources identified by URI path.
(AIF). AIF is defined both as a general structure that can be used
for many different applications and as a specific refinement that
describes REST resources (potentially dynamically created) and the
permissions on them.
About This Document About This Document
This note is to be removed before publishing as an RFC. This note is to be removed before publishing as an RFC.
Status information for this document may be found at Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-ietf-ace-aif/. https://datatracker.ietf.org/doc/draft-ietf-ace-aif/.
Discussion of this document takes place on the Authentication and Discussion of this document takes place on the Authentication and
Authorization for Constrained Environments (ace) Working Group Authorization for Constrained Environments (ace) Working Group
skipping to change at page 2, line 15 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 1 August 2022. This Internet-Draft will expire on 19 August 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Information Model . . . . . . . . . . . . . . . . . . . . . . 4 2. Information Model . . . . . . . . . . . . . . . . . . . . . . 3
2.1. REST-specific Model . . . . . . . . . . . . . . . . . . . 4 2.1. REST-specific Model . . . . . . . . . . . . . . . . . . . 4
2.2. Limitations . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. Limitations . . . . . . . . . . . . . . . . . . . . . . . 5
2.3. Extended REST-specific Model . . . . . . . . . . . . . . 6 2.3. REST-specific Model With Dynamic Resource Creation . . . 6
3. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Media Types . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. Media Types . . . . . . . . . . . . . . . . . . . . . . . . . 8
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
5.1. Media Types . . . . . . . . . . . . . . . . . . . . . . . 8 5.1. Media Types . . . . . . . . . . . . . . . . . . . . . . . 8
5.2. Registries . . . . . . . . . . . . . . . . . . . . . . . 10 5.2. Registries . . . . . . . . . . . . . . . . . . . . . . . 10
5.3. Content-Format . . . . . . . . . . . . . . . . . . . . . 11 5.3. Content-Format . . . . . . . . . . . . . . . . . . . . . 11
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
7.1. Normative References . . . . . . . . . . . . . . . . . . 12 7.1. Normative References . . . . . . . . . . . . . . . . . . 12
7.2. Informative References . . . . . . . . . . . . . . . . . 12 7.2. Informative References . . . . . . . . . . . . . . . . . 13
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 14 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 15
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
Constrained Devices as they are used in the "Internet of Things" need Constrained Devices as they are used in the "Internet of Things" need
security. One important element of this security is that devices in security in order to operate correctly and prevent misuse. One
the Internet of Things need to be able to decide which operations important element of this security is that devices in the Internet of
requested of them should be considered authorized, need to ascertain Things need to be able to decide which operations requested of them
that the authorization to request the operation does apply to the should be considered authorized, need to ascertain that the
actual requester, and need to ascertain that other devices they place authorization to request the operation does apply to the actual
requests on are the ones they intended. requester as authenticated, and need to ascertain that other devices
they make requests of are the ones they intended.
To transfer detailed authorization information from an authorization To transfer detailed authorization information from an authorization
manager (such as an ACE-OAuth Authorization Server manager (such as an ACE-OAuth Authorization Server
[I-D.ietf-ace-oauth-authz]) to a device, a compact representation [I-D.ietf-ace-oauth-authz]) to a device, a compact representation
format is needed. This document provides a suggestion for such a format is needed. This document defines such a format, the
format, the Authorization Information Format (AIF). AIF is defined Authorization Information Format (AIF). AIF is defined both as a
both as a general structure that can be used for many different general structure that can be used for many different applications
applications and as a specific refinement that describes REST and as a specific instantiation tailored to REST resources and the
resources (potentially dynamically created) and the permissions on permissions on them, including some provision for dynamically created
them. resources.
1.1. Terminology 1.1. Terminology
This memo uses terms from [RFC7252] and [RFC4949]; CoAP is used for This memo uses terms from [RFC7252] and [RFC4949]; CoAP is used for
the explanatory examples as it is a good fit for Constrained Devices. the explanatory examples as it is a good fit for Constrained Devices.
The shape of data is specified in CDDL [RFC8610]. Terminology for The shape of data is specified in CDDL [RFC8610] [RFC9165].
Constrained Devices is defined in [RFC7228]. Terminology for Constrained Devices is defined in [RFC7228].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. These words may also appear in this capitals, as shown here.
document in lower case as plain English words, absent their normative
meanings.
(Note that this document is itself informational, but it is
discussing normative statements that MUST be put into concrete terms
in each specification that makes use of this document.)
The term "byte", abbreviated by "B", is used in its now customary The term "byte", abbreviated by "B", is used in its now customary
sense as a synonym for "octet". sense as a synonym for "octet".
2. Information Model 2. Information Model
Authorizations are generally expressed through some data structures Authorizations are generally expressed through some data structures
that are cryptographically secured (or transmitted in a secure way). that are cryptographically secured (or transmitted in a secure way).
This section discusses the information model underlying the payload This section discusses the information model underlying the payload
of that data (as opposed to the cryptographic armor around it). of that data (as opposed to the cryptographic armor around it).
For the purposes of this specification, the underlying access control For the purposes of this specification, the underlying access control
model will be that of an access matrix, which gives a set of model will be that of an access matrix, which gives a set of
permissions for each possible combination of a subject and an object. permissions for each possible combination of a subject and an object.
We do not concern the AIF format with the subject for which the AIF
data item is issued, so we are focusing the AIF data item on a single We are focusing the AIF data item on a single row in the access
row in the access matrix (such a row traditionally is also called a matrix (such a row traditionally is also called a capability list),
capability list). As a consequence, AIF MUST be used in a way that without concern to the subject for which the data item is issued. As
the subject of the authorizations is unambiguously identified (e.g., a consequence, AIF MUST be used in a way that the subject of the
as part of the armor around it). authorizations is unambiguously identified (e.g., as part of the
armor around it).
The generic model of such a capability list is a list of pairs of The generic model of such a capability list is a list of pairs of
object identifiers and the permissions the subject has on the object identifiers and the permissions the subject has on the
object(s) identified. object(s) identified.
AIF-Generic<Toid, Tperm> = [* [Toid, Tperm]] AIF-Generic<Toid, Tperm> = [* [Toid, Tperm]]
Figure 1: Definition of Generic AIF Figure 1: Definition of Generic AIF
In a specific data model, the object identifier (Toid) will often be In a specific data model (such as the one also specified in this
a text string, and the set of permissions (Tperm) will be represented document), the object identifier (Toid) will often be a text string,
by a bitset in turn represented as a number (see Section 3). and the set of permissions (Tperm) will be represented by a bitset in
turn represented as a number (see Section 3).
AIF-Specific = AIF-Generic<tstr, uint> AIF-Specific = AIF-Generic<tstr, uint>
Figure 2: Likely shape of a specific AIF Figure 2: Commonly used shape of a specific AIF
2.1. REST-specific Model 2.1. REST-specific Model
In the specific instantiation of the REST resources and the In the specific instantiation of the REST resources and the
permissions on them, for the object identifiers (Toid), we use the permissions on them, for the object identifiers (Toid), we use the
URI of a resource on a CoAP server. More specifically, the parts of URI of a resource on a CoAP server. More specifically, since the
the URI that identify the server ("authority" in [RFC3986]) are parts of the URI that identify the server ("authority" in [RFC3986])
considered the realm of the authentication mechanism (which are are what are authenticated during REST resource access (Section 4.2.2
handled in the cryptographic armor); we therefore focus on the "path- of [I-D.ietf-httpbis-semantics] and Section 6.2 of [RFC7252]), they
absolute" and "query" parts of the URI (URI "local-part" in this naturally fall into the realm handled by the cryptographic armor); we
specification, as expressed by the Uri-Path and Uri-Query options in therefore focus on the "path" ("path-abempty") and "query" parts of
CoAP). As a consequence, AIF MUST be used in a way that it is clear the URI (URI "local-part" in this specification, as expressed by the
who is the target (enforcement point) of these authorizations (note Uri-Path and Uri-Query options in CoAP). As a consequence, AIF MUST
that there may be more than one target that the same authorization be used in a way that it is clear who is the target (enforcement
applies to, e.g., in a situation with homogeneous devices). point) of these authorizations (note that there may be more than one
target that the same authorization applies to, e.g., in a situation
with homogeneous devices).
For the permissions (Tperm), we simplify the model permissions to For the permissions (Tperm), we use a simple permissions model that
giving the subset of the CoAP methods permitted. This model is lists the subset of the REST (CoAP or HTTP) methods permitted. This
summarized in Table 1. model is summarized in Table 1.
+============+================+ +============+================+
| local-part | Permission Set | | local-part | Permission Set |
+============+================+ +============+================+
| /s/temp | GET | | /s/temp | GET |
+------------+----------------+ +------------+----------------+
| /a/led | PUT, GET | | /a/led | PUT, GET |
+------------+----------------+ +------------+----------------+
| /dtls | POST | | /dtls | POST |
+------------+----------------+ +------------+----------------+
Table 1: An authorization Table 1: An authorization
instance in the AIF instance in the AIF
Information Model Information Model
In this example, a device offers a temperature sensor /s/temp for In this example, a device offers a temperature sensor /s/temp for
read-only access and a LED actuator /a/led for read/write. read-only access, a LED actuator /a/led for read/write, and a /dtls
resource for POST access.
As will be seen in the data model (Section 3), the representations of
REST methods provided are limited to those that have a CoAP method
number assigned; an extension to the model may be necessary to
represent permissions for exotic HTTP methods.
2.2. Limitations 2.2. Limitations
This simple information model only allows granting permissions for This simple information model only allows granting permissions for
statically identifiable objects, e.g., URIs for the REST-specific statically identifiable objects, e.g., URIs for the REST-specific
instantiation. One might be tempted to extend the model towards URI instantiation. One might be tempted to extend the model towards URI
templates [RFC6570] (for instance, to open up an authorization for templates [RFC6570] (for instance, to open up an authorization for
many parameter values as in /s/temp{?any*}), however, that requires many parameter values as in /s/temp{?any*}), however, that requires
some considerations of the ease and unambiguity of matching a given some considerations of the ease and unambiguity of matching a given
URI against a set of templates in an AIF object. URI against a set of templates in an AIF object.
skipping to change at page 6, line 5 skipping to change at page 6, line 5
This simple information model also does not allow further This simple information model also does not allow further
conditionalizing access based on state outside the identification of conditionalizing access based on state outside the identification of
objects (e.g., "opening a door is allowed if that is not locked"). objects (e.g., "opening a door is allowed if that is not locked").
Finally, the model does not provide any special access for a set of Finally, the model does not provide any special access for a set of
resources that are specific to a subject, e.g., that the subject resources that are specific to a subject, e.g., that the subject
created itself by previous operations (PUT, POST, or PATCH/iPATCH created itself by previous operations (PUT, POST, or PATCH/iPATCH
[RFC8132]) or that were specifically created for the subject by [RFC8132]) or that were specifically created for the subject by
others. others.
2.3. Extended REST-specific Model 2.3. REST-specific Model With Dynamic Resource Creation
The extended REST-specific model addresses the need to provide The REST-specific Model With Dynamic Resource Creation addresses the
defined access to dynamic resources that were created by the subject need to provide defined access to dynamic resources that were created
itself, specifically, a resource that is made known to the subject by by the subject itself, specifically, a resource that is made known to
providing Location-* options in a CoAP response or using the Location the subject by providing Location-* options in a CoAP response or
header field in HTTP [RFC7231] (the Location-indicating mechanisms). using the Location header field in HTTP [I-D.ietf-httpbis-semantics]
(The concept is somewhat comparable to "ACL inheritance" in NFSv4 (the Location-indicating mechanisms). (The concept is somewhat
[RFC8881], except that it does not use a containment relationship but comparable to "ACL inheritance" in NFSv4 [RFC8881], except that it
the fact that the dynamic resource was created from a resource to does not use a containment relationship but the fact that the dynamic
which the subject had access.) In other words, it addresses the resource was created from a resource to which the subject had
access.) In other words, it addresses an important subset of the
third limitation mentioned in Section 2.2. third limitation mentioned in Section 2.2.
+================+===================================+ +================+===================================+
| local-part | Permission Set | | local-part | Permission Set |
+================+===================================+ +================+===================================+
| /a/make-coffee | POST, Dynamic-GET, Dynamic-DELETE | | /a/make-coffee | POST, Dynamic-GET, Dynamic-DELETE |
+----------------+-----------------------------------+ +----------------+-----------------------------------+
Table 2: An authorization instance in the AIF Table 2: An authorization instance in the AIF
Information Model Information Model
For a method X, the presence of a Dynamic-X permission means that the For a method X, the presence of a Dynamic-X permission means that the
subject holds permission to exercise the method X on resources that subject holds permission to exercise the method X on resources that
have been returned by a Location-indicating mechanism to a request have been returned in a 2.01 (201) response by a Location-indicating
that the subject made to the resource listed (/a/make-coffee in the mechanism to a request that the subject made to the resource listed
example shown in Table 2, which might return the location of a (/a/make-coffee in the example shown in Table 2, which might return
resource that allows GET to find out about the status and DELETE to the location of a resource that allows GET to find out about the
cancel the coffee-making operation). status and DELETE to cancel the coffee-making operation).
Since the use of the extension defined in this section can be Since the use of the extension defined in this section can be
detected by the mentioning of the Dynamic-X permissions, there is no detected by the mentioning of the Dynamic-X permissions, there is no
need for another explicit switch between the basic and the extended need for another explicit switch between the basic and the model
model; the extended model is always presumed once a Dynamic-X extended by dynamic resource creation; the extended model is always
permission is present. presumed once a Dynamic-X permission is present.
3. Data Model 3. Data Model
Different data model specializations can be defined for the generic Different data model specializations can be defined for the generic
information model given above. information model given above.
In this section, we will give the data model for basic REST In this section, we will give the data model for simple REST
authorization as per Section 2.1 and Section 2.3. As discussed, in authorization as per Section 2.1 and Section 2.3. As discussed, in
this case the object identifier is specialized as a text string this case the object identifier is specialized as a text string
giving a relative URI (local-part as absolute path on the server giving a relative URI (local-part as absolute path on the server
serving as enforcement point). The permission set is specialized to serving as enforcement point). The permission set is specialized to
a single number by the following steps: a single number by the following steps:
* The entries in the table that specify the same local-part are * The entries in the table that specify the same local-part are
merged into a single entry that specifies the union of the merged into a single entry that specifies the union of the
permission sets. permission sets.
skipping to change at page 7, line 23 skipping to change at page 7, line 23
have been for X, plus a Dynamic-Offset chosen as 32 (e.g., 35 for have been for X, plus a Dynamic-Offset chosen as 32 (e.g., 35 for
Dynamic-DELETE). Dynamic-DELETE).
* The set of numbers is converted into a single number by taking * The set of numbers is converted into a single number by taking
each number to the power of two and computing the inclusive OR of each number to the power of two and computing the inclusive OR of
the binary representations of all the power values. the binary representations of all the power values.
This data model could be interchanged in the JSON [RFC8259] This data model could be interchanged in the JSON [RFC8259]
representation given in Figure 3. representation given in Figure 3.
[["/s/temp", 1], ["/a/led", 5], ["/dtls", 2]] [["/s/temp",1],["/a/led",5],["/dtls",2]]
Figure 3: An authorization instance encoded in JSON (46 bytes) Figure 3: An authorization instance encoded in JSON (40 bytes)
In Figure 4, a straightforward specification of the data model In Figure 4, a straightforward specification of the data model
(including both the methods from [RFC7252] and the new ones from (including both the methods from [RFC7252] and the new ones from
[RFC8132], identified by the method code minus 1) is shown in CDDL [RFC8132], identified by the method code minus 1) is shown in CDDL
[RFC8610]: [RFC8610] [RFC9165]:
AIF-REST = AIF-Generic<path, permissions> AIF-REST = AIF-Generic<path, permissions>
path = tstr ; URI relative to enforcement point path = tstr ; URI relative to enforcement point
permissions = uint .bits methods permissions = uint .bits methods
methods = &( methods = &(
GET: 0 GET: 0
POST: 1 POST: 1
PUT: 2 PUT: 2
DELETE: 3 DELETE: 3
FETCH: 4 FETCH: 4
skipping to change at page 8, line 5 skipping to change at page 8, line 5
Dynamic-POST: 33; 1 .plus Dynamic-Offset Dynamic-POST: 33; 1 .plus Dynamic-Offset
Dynamic-PUT: 34; 2 .plus Dynamic-Offset Dynamic-PUT: 34; 2 .plus Dynamic-Offset
Dynamic-DELETE: 35; 3 .plus Dynamic-Offset Dynamic-DELETE: 35; 3 .plus Dynamic-Offset
Dynamic-FETCH: 36; 4 .plus Dynamic-Offset Dynamic-FETCH: 36; 4 .plus Dynamic-Offset
Dynamic-PATCH: 37; 5 .plus Dynamic-Offset Dynamic-PATCH: 37; 5 .plus Dynamic-Offset
Dynamic-iPATCH: 38; 6 .plus Dynamic-Offset Dynamic-iPATCH: 38; 6 .plus Dynamic-Offset
) )
Figure 4: AIF in CDDL Figure 4: AIF in CDDL
A representation of this information in CBOR [RFC8949] is given in For the information shown in Table 1 and Figure 3, a representation
Figure 5; again, several optimizations/improvements are possible. in CBOR [RFC8949] is given in Figure 5; again, several optimizations/
improvements are possible.
83 # array(3) 83 # array(3)
82 # array(2) 82 # array(2)
67 # text(7) 67 # text(7)
2f732f74656d70 # "/s/temp" 2f732f74656d70 # "/s/temp"
01 # unsigned(1) 01 # unsigned(1)
82 # array(2) 82 # array(2)
66 # text(6) 66 # text(6)
2f612f6c6564 # "/a/led" 2f612f6c6564 # "/a/led"
05 # unsigned(5) 05 # unsigned(5)
skipping to change at page 8, line 44 skipping to change at page 8, line 45
specifying Toid and Tperm; default values are the values "local-uri" specifying Toid and Tperm; default values are the values "local-uri"
for Toid and "REST-method-set" for Tperm. for Toid and "REST-method-set" for Tperm.
A specification that wants to use Generic AIF with different Toid A specification that wants to use Generic AIF with different Toid
and/or Tperm is expected to request these as media type parameters and/or Tperm is expected to request these as media type parameters
(Section 5.2) and register a corresponding Content-Format (Section 5.2) and register a corresponding Content-Format
(Section 5.3). (Section 5.3).
5. IANA Considerations 5. IANA Considerations
// RFC Ed.: throughout this section, please replace RFC XXXX with the
// RFC number of this specification and remove this note.
5.1. Media Types 5.1. Media Types
IANA is requested to add the following Media-Types to the "Media IANA is requested to add the following Media-Types to the "Media
Types" registry. Types" registry.
+==========+======================+=====================+ +==========+======================+=====================+
| Name | Template | Reference | | Name | Template | Reference |
+==========+======================+=====================+ +==========+======================+=====================+
| aif+cbor | application/aif+cbor | RFC XXXX, Section 4 | | aif+cbor | application/aif+cbor | RFC XXXX, Section 4 |
+----------+----------------------+---------------------+ +----------+----------------------+---------------------+
| aif+json | application/aif+json | RFC XXXX, Section 4 | | aif+json | application/aif+json | RFC XXXX, Section 4 |
+----------+----------------------+---------------------+ +----------+----------------------+---------------------+
Table 3 Table 3
// RFC Ed.: please replace RFC XXXX with this RFC number and remove
this note.
For application/aif+cbor: For application/aif+cbor:
Type name: application Type name: application
Subtype name: aif+cbor Subtype name: aif+cbor
Required parameters: Required parameters: none
Optional parameters:
* Toid: the identifier for the object for which permissions are * Toid: the identifier for the object for which permissions are
supplied. A value from the subregistry for Toid. Default supplied. A value from the media-type parameter sub-registry
value: "local-uri" (RFC XXXX). for Toid. Default value: "local-uri" (RFC XXXX).
* Tperm: the data type of a permission set for the object * Tperm: the data type of a permission set for the object
identified via a Toid. A value from the subregistry for Tperm. identified via a Toid. A value from the media-type parameter
Default value: "REST-method-set" (RFC XXXX). sub-registry for Tperm. Default value: "REST-method-set" (RFC
Optional parameters: none XXXX).
Encoding considerations: binary (CBOR) Encoding considerations: binary (CBOR)
Security considerations: Section 6 of RFC XXXX Security considerations: Section 6 of RFC XXXX
Interoperability considerations: none Interoperability considerations: none
Published specification: Section 4 of RFC XXXX Published specification: Section 4 of RFC XXXX
Applications that use this media type: No known applications Applications that use this media type: Applications that need to
currently use this media type. convey structured authorization data for identified resources,
conveying sets of permissions.
Fragment identifier considerations: The syntax and semantics of Fragment identifier considerations: The syntax and semantics of
fragment identifiers is as specified for "application/cbor". (At fragment identifiers is as specified for "application/cbor". (At
publication of RFC XXXX, there is no fragment identification publication of RFC XXXX, there is no fragment identification
syntax defined for "application/cbor".) syntax defined for "application/cbor".)
Person & email address to contact for further information: ACE WG Person & email address to contact for further information: ACE WG
mailing list (ace@ietf.org), or IETF Applications and Real-Time mailing list (ace@ietf.org), or IETF Applications and Real-Time
Area (art@ietf.org) Area (art@ietf.org)
Intended usage: COMMON Intended usage: COMMON
Restrictions on usage: none Restrictions on usage: none
Author/Change controller: IETF Author/Change controller: IETF
Provisional registration: no Provisional registration: no
For application/aif+json: For application/aif+json:
Type name: application Type name: application
Subtype name: aif+json Subtype name: aif+json
Required parameters: Required parameters: none
Optional parameters:
* Toid: the identifier for the object for which permissions are * Toid: the identifier for the object for which permissions are
supplied. A value from the subregistry for Toid. Default supplied. A value from the media-type parameter sub-registry
value: "local-uri" (RFC XXXX). for Toid. Default value: "local-uri" (RFC XXXX).
* Tperm: the data type of a permission set for the object * Tperm: the data type of a permission set for the object
identified via a Toid. A value from the subregistry for Tperm. identified via a Toid. A value from the media-type parameter
Default value: "REST-method-set" (RFC XXXX). sub-registry for Tperm. Default value: "REST-method-set" (RFC
Optional parameters: none XXXX).
Encoding considerations: binary (JSON is UTF-8-encoded text) Encoding considerations: binary (JSON is UTF-8-encoded text)
Security considerations: Section 6 of RFC XXXX Security considerations: Section 6 of RFC XXXX
Interoperability considerations: none Interoperability considerations: none
Published specification: Section 4 of RFC XXXX Published specification: Section 4 of RFC XXXX
Applications that use this media type: No known applications Applications that use this media type: Applications that need to
currently use this media type. convey structured authorization data for identified resources,
conveying sets of permissions.
Fragment identifier considerations: The syntax and semantics of Fragment identifier considerations: The syntax and semantics of
fragment identifiers is as specified for "application/json". (At fragment identifiers is as specified for "application/json". (At
publication of RFC XXXX, there is no fragment identification publication of RFC XXXX, there is no fragment identification
syntax defined for "application/json".) syntax defined for "application/json".)
Person & email address to contact for further information: ACE WG Person & email address to contact for further information: ACE WG
mailing list (ace@ietf.org), or IETF Applications and Real-Time mailing list (ace@ietf.org), or IETF Applications and Real-Time
Area (art@ietf.org) Area (art@ietf.org)
Intended usage: COMMON Intended usage: COMMON
Restrictions on usage: none Restrictions on usage: none
Author/Change controller: IETF Author/Change controller: IETF
Provisional registration: no Provisional registration: no
5.2. Registries 5.2. Registries
IANA is requested to create a registry for AIF with two sub- IANA is requested to create a sub-registry for application/aif+cbor
registries for Toid and Tperm, populated with: and application/aif+json within [IANA.media-type-sub-parameters] for
the two media-type parameters Toid and Tperm, populated with:
+=============+=================+=================================+ +===========+=================+=====================+===========+
| Subregistry | name | Description/Specification | | Parameter | name | Description/ | Reference |
+=============+=================+=================================+ | | | Specification | |
| Toid | local-part | local-part of URI as specified | +===========+=================+=====================+===========+
| | | in RFC XXXX | | Toid | local-part | local-part of URI | RFC XXXX |
+-------------+-----------------+---------------------------------+ +-----------+-----------------+---------------------+-----------+
| Tperm | REST-method-set | set of REST methods represented | | Tperm | REST-method-set | set of REST methods | RFC XXXX |
| | | as specified in RFC XXXX | | | | represented | |
+-------------+-----------------+---------------------------------+ +-----------+-----------------+---------------------+-----------+
Table 4 Table 4
The registration policy is Specification required [RFC8126]. The The registration policy is Specification required [RFC8126]. The
designated expert will engage with the submitter to ascertain the designated expert will engage with the submitter to ascertain the
requirements of this document are addressed. requirements of this document are addressed.
// RFC Ed.: please replace RFC XXXX with this RFC number and remove
this note.
5.3. Content-Format 5.3. Content-Format
IANA is requested to register Content-Format numbers in the "CoAP IANA is requested to register Content-Format numbers in the "CoAP
Content-Formats" subregistry, within the "Constrained RESTful Content-Formats" sub-registry, within the "Constrained RESTful
Environments (CoRE) Parameters" Registry [IANA.core-parameters], as Environments (CoRE) Parameters" Registry [IANA.core-parameters], as
follows: follows:
+======================+================+======+===========+ +======================+================+======+===========+
| Media Type | Content Coding | ID | Reference | | Media Type | Content Coding | ID | Reference |
+======================+================+======+===========+ +======================+================+======+===========+
| application/aif+cbor | - | TBD1 | RFC XXXX | | application/aif+cbor | - | TBD1 | RFC XXXX |
+----------------------+----------------+------+-----------+ +----------------------+----------------+------+-----------+
| application/aif+json | - | TBD2 | RFC XXXX | | application/aif+json | - | TBD2 | RFC XXXX |
+----------------------+----------------+------+-----------+ +----------------------+----------------+------+-----------+
Table 5 Table 5
// RFC Ed.: please replace TBD1 and TBD2 with assigned IDs and remove // RFC Ed.: please replace TBD1 and TBD2 with assigned IDs and remove
this note. // RFC Ed.: please replace RFC XXXX with this RFC number this note.
and remove this note.
Note that applications that register Toid and Tperm values are Note that applications that register Toid and Tperm values are
encouraged to also register Content-Formats for the relevant encouraged to also register Content-Formats for the relevant
combinations. combinations.
6. Security Considerations 6. Security Considerations
The security considerations of [RFC7252] apply. Some wider issues The security considerations of [RFC7252] apply. Some wider issues
are discussed in [RFC8576]. are discussed in [RFC8576].
When applying these formats, the referencing specification must be The semantics of the authorization information defined in this
careful to: documents are that of an _allow-list_: everything is denied until it
is explicitly allowed.
When applying these formats, the referencing specification needs to
be careful to:
* ensure that the cryptographic armor employed around this format * ensure that the cryptographic armor employed around this format
fulfills the security objectives, and that the armor or some fulfills the referencing specification's security objectives, and
additional information included in it with the AIF information that the armor or some additional information included in it with
unambiguously identifies the subject to which the authorizations the AIF information (1) unambiguously identifies the subject to
shall apply, and which the authorizations shall apply and provides (2) any context
information needed to derive the identity of the object to which
authorization is being granted from the object identifiers (such
as, for the data models defined in the present specification, the
scheme and authority information that is used to construct the
full URI), and
* ensure that the types used for Toid and Tperm provide the * ensure that the types used for Toid and Tperm provide the
appropriate granularity so that application requirements on the appropriate granularity and precision so that application
precision of the authorization information are fulfilled, and that requirements on the precision of the authorization information are
all parties understand Toid/Tperm pairs to signify the same fulfilled, and that all parties understand Toid/Tperm pairs to
operations. signify the same operations.
For the data formats, the security considerations of [RFC8259] and For the data formats, the security considerations of [RFC8259] and
[RFC8949] apply. [RFC8949] apply.
A generic implementation of AIF might implement just the basic REST A plain implementation of AIF might implement just the basic REST
model as per Section 2.1. If it receives authorizations that include model as per Section 2.1. If it receives authorizations that include
permissions that use the Section 2.3, it needs to either reject the permissions that use the REST-specific Model With Dynamic Resource
AIF data item entirely or act only on the permissions that it does Creation Section 2.3, it needs to either reject the AIF data item
understand. In other words, the usual principle "everything is entirely or act only on the permissions that it does understand. In
denied until it is explicitly allowed" needs to hold here as well. other words, the semantics underlying an allow-list as discussed
above need to hold here as well.
An implementation of the REST-specific Model With Dynamic Resource
Creation Section 2.3 needs to carefully keep track of the dynamically
created objects and the subjects to which the Dynamic-X permissions
apply -- both on the server side to enforce the permissions and on
the client side to know which permissions are available.
7. References 7. References
7.1. Normative References 7.1. Normative References
[I-D.ietf-httpbis-semantics]
Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP
Semantics", Work in Progress, Internet-Draft, draft-ietf-
httpbis-semantics-19, 12 September 2021,
<https://www.ietf.org/archive/id/draft-ietf-httpbis-
semantics-19.txt>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014, DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/info/rfc7252>. <https://www.rfc-editor.org/info/rfc7252>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
Definition Language (CDDL): A Notational Convention to Definition Language (CDDL): A Notational Convention to
Express Concise Binary Object Representation (CBOR) and Express Concise Binary Object Representation (CBOR) and
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
June 2019, <https://www.rfc-editor.org/info/rfc8610>. June 2019, <https://www.rfc-editor.org/info/rfc8610>.
[RFC9165] Bormann, C., "Additional Control Operators for the Concise
Data Definition Language (CDDL)", RFC 9165,
DOI 10.17487/RFC9165, December 2021,
<https://www.rfc-editor.org/info/rfc9165>.
7.2. Informative References 7.2. Informative References
[I-D.ietf-ace-oauth-authz] [I-D.ietf-ace-oauth-authz]
Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and
H. Tschofenig, "Authentication and Authorization for H. Tschofenig, "Authentication and Authorization for
Constrained Environments (ACE) using the OAuth 2.0 Constrained Environments (ACE) using the OAuth 2.0
Framework (ACE-OAuth)", Work in Progress, Internet-Draft, Framework (ACE-OAuth)", Work in Progress, Internet-Draft,
draft-ietf-ace-oauth-authz-46, 8 November 2021, draft-ietf-ace-oauth-authz-46, 8 November 2021,
<https://www.ietf.org/archive/id/draft-ietf-ace-oauth- <https://www.ietf.org/archive/id/draft-ietf-ace-oauth-
authz-46.txt>. authz-46.txt>.
[IANA.core-parameters] [IANA.core-parameters]
IANA, "Constrained RESTful Environments (CoRE) IANA, "Constrained RESTful Environments (CoRE)
Parameters", Parameters",
<https://www.iana.org/assignments/core-parameters>. <https://www.iana.org/assignments/core-parameters>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [IANA.media-type-sub-parameters]
Resource Identifier (URI): Generic Syntax", STD 66, IANA, "MIME Media Type Sub-Parameter Registries",
RFC 3986, DOI 10.17487/RFC3986, January 2005, <https://www.iana.org/assignments/media-type-sub-
<https://www.rfc-editor.org/info/rfc3986>. parameters>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<https://www.rfc-editor.org/info/rfc4949>. <https://www.rfc-editor.org/info/rfc4949>.
[RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M.,
and D. Orchard, "URI Template", RFC 6570, and D. Orchard, "URI Template", RFC 6570,
DOI 10.17487/RFC6570, March 2012, DOI 10.17487/RFC6570, March 2012,
<https://www.rfc-editor.org/info/rfc6570>. <https://www.rfc-editor.org/info/rfc6570>.
[RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for [RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for
Constrained-Node Networks", RFC 7228, Constrained-Node Networks", RFC 7228,
DOI 10.17487/RFC7228, May 2014, DOI 10.17487/RFC7228, May 2014,
<https://www.rfc-editor.org/info/rfc7228>. <https://www.rfc-editor.org/info/rfc7228>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
DOI 10.17487/RFC7231, June 2014,
<https://www.rfc-editor.org/info/rfc7231>.
[RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493, [RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493,
DOI 10.17487/RFC7493, March 2015, DOI 10.17487/RFC7493, March 2015,
<https://www.rfc-editor.org/info/rfc7493>. <https://www.rfc-editor.org/info/rfc7493>.
[RFC8132] van der Stok, P., Bormann, C., and A. Sehgal, "PATCH and [RFC8132] van der Stok, P., Bormann, C., and A. Sehgal, "PATCH and
FETCH Methods for the Constrained Application Protocol FETCH Methods for the Constrained Application Protocol
(CoAP)", RFC 8132, DOI 10.17487/RFC8132, April 2017, (CoAP)", RFC 8132, DOI 10.17487/RFC8132, April 2017,
<https://www.rfc-editor.org/info/rfc8132>. <https://www.rfc-editor.org/info/rfc8132>.
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
skipping to change at page 14, line 31 skipping to change at page 15, line 16
Representation (CBOR)", STD 94, RFC 8949, Representation (CBOR)", STD 94, RFC 8949,
DOI 10.17487/RFC8949, December 2020, DOI 10.17487/RFC8949, December 2020,
<https://www.rfc-editor.org/info/rfc8949>. <https://www.rfc-editor.org/info/rfc8949>.
Acknowledgements Acknowledgements
Jim Schaad, Francesca Palombini, Olaf Bergmann, Marco Tiloca, and Jim Schaad, Francesca Palombini, Olaf Bergmann, Marco Tiloca, and
Christian Amsüss provided comments that shaped the direction of this Christian Amsüss provided comments that shaped the direction of this
document. Alexey Melnikov pointed out that there were gaps in the document. Alexey Melnikov pointed out that there were gaps in the
media type specifications, and Loganaden Velvindron provided a media type specifications, and Loganaden Velvindron provided a
shepherd review with further comments. shepherd review with further comments. Benjamin Kaduk provided an
extensive review as responsible Area Director, and indeed is
responsible for much improvement in the document.
Author's Address Author's Address
Carsten Bormann Carsten Bormann
Universität Bremen TZI Universität Bremen TZI
Postfach 330440 Postfach 330440
D-28359 Bremen D-28359 Bremen
Germany Germany
Phone: +49-421-218-63921 Phone: +49-421-218-63921
 End of changes. 54 change blocks. 
155 lines changed or deleted 188 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/