Session Date/Time: 17 Mar 2026 03:30
ACE
Summary
The ACE working group met at IETF 125 to discuss the progress of several active drafts. The session began with an acknowledgment of the Area Director (AD) transition from Paul Wouters to Christopher Wood. Technical discussions focused on finalizing the draft-ietf-ace-coap-est-oscore for submission to the IESG, updates to the CoAP Pub-Sub and EDHOC/OSCORE profiles, and architectural improvements to the Short Distribution Chain (SDC) workflow.
Key Discussion Points
Protecting EST Payloads with OSCORE
Presenter: Mališa Vučinić
- Status: Working Group Last Call (WGLC) concluded. Version -10 addresses the final open issues.
- Certificate Handling: Discussed issue 113 regarding whether a "bag of certificates" is mandatory. The group concluded that explicit chains do not support CA re-keying post-deployment. The profile now requires support for application/cose-x509 (aligned with draft-ietf-cose-cbor-encoded-cert), where a "bag" can represent a chain if necessary.
- Certificate References: Clarified that mixing X.509 and CBOR-encoded references in the same multipart response is not supported, to avoid ambiguity.
- Outcome: The draft is considered ready for the Shepherd Write-up.
CoAP Publish-Subscribe Profile for ACE
Presenter: Marco Tiloca
- Updates: Version -03 incorporates feedback from the draft-ietf-ace-group-oscore-profile WGLC, including better alignment of terminology (e.g., proof-of-possession of the private key) and clearer group re-keying triggers.
- Optimization: Introduced a "sentinel value" (empty CBOR byte string) for the authentication credential parameter. This allows a client to rejoin a group without re-sending its full credential if the KDC already possesses it.
- Operational Considerations: A new section was added to cover logging at the KDC, emphasizing that secret information must not be logged and logs should be redacted for privacy.
- Dependencies: The draft has a normative dependency on draft-ietf-core-coap-pubsub, which is currently in the CORE working group.
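The sentinel rule from the Pub-Sub profile update, as an added example (not code from draft-ietf-ace-coap-pubsub-profile or the ACE WG): a KDC-side join handler that treats an empty CBOR byte string (one byte, 0x40) in the authentication credential parameter as "use the credential you already hold for me", and rejects the sentinel when no credential is on file. The function and field names, and keying the lookup by an already-authenticated client identity, are assumptions; the CBOR helpers are inlined so the block runs offline.

```python
# Added example; the parameter name, client identity key and Kdc class are assumptions.

def cbor_bstr(data: bytes) -> bytes:
    """Encode bytes as a CBOR major-type-2 item (lengths below 2**16)."""
    n = len(data)
    if n < 24:
        return bytes([0x40 | n]) + data          # b"" -> b"\x40", the sentinel
    if n < 256:
        return bytes([0x58, n]) + data
    return bytes([0x59]) + n.to_bytes(2, "big") + data

def cbor_bstr_decode(item: bytes) -> bytes:
    """Decode exactly one CBOR byte string; anything else is a malformed parameter."""
    if not item or item[0] >> 5 != 2:
        raise ValueError("authentication credential must be a CBOR byte string")
    ai = item[0] & 0x1F
    if ai < 24:
        hdr, n = 1, ai
    elif ai == 24 and len(item) >= 2:
        hdr, n = 2, item[1]
    elif ai == 25 and len(item) >= 3:
        hdr, n = 3, int.from_bytes(item[1:3], "big")
    else:
        raise ValueError("unsupported or truncated length encoding")
    if len(item) != hdr + n:
        raise ValueError("truncated or trailing bytes in credential item")
    return item[hdr:hdr + n]

SENTINEL = b""  # empty byte string: "KDC already possesses my credential"

class Kdc:
    """Keeps the credential each authenticated client registered at first join."""
    def __init__(self) -> None:
        self.creds: dict[str, bytes] = {}

    def join(self, client_id: str, cred_item: bytes) -> bytes:
        """Return the credential bound to this join, or raise if none can be."""
        cred = cbor_bstr_decode(cred_item)
        if cred == SENTINEL:
            if client_id not in self.creds:
                # Sentinel without a stored credential: the join cannot proceed.
                raise LookupError("sentinel received but no credential is stored")
            return self.creds[client_id]
        self.creds[client_id] = cred  # first join, or an explicit refresh
        return cred
```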
Short Distribution Chain (SDC) Workflow and New OAuth Parameters for ACE
Presenter: Marco Tiloca
- Workflow Improvements: Discussion on handling failures when the Authorization Server (AS) attempts to upload a token to a Resource Server (RS) during a dynamic update. If the RS has terminated the session/token series (e.g., due to memory constraints), the AS should be able to locally start a new token series and inform the client.
- New Error Code: A proposal was made to define a new ACE error code for the RS to signal specifically to the AS that a token series has been terminated.
- Parameter Logic: Dave Robin provided feedback on the RS_CNF parameter guidance. Marco Tiloca agreed to clarify the "must not null" vs. "should not false" logic in the next version.
- Framework Updates: The draft will formally update RFC 9200 to include the new Operational Considerations section.
Ephemeral Diffie-Hellman Over COSE (EDHOC) and Object Security for Constrained Environments (OSCORE) Profile for ACE
Presenter: Rikard Höglund
- Parameter Reduction: Several parameters were removed from the EDHOC information object (e.g., maximum message size, transport types) to simplify the protocol, as they were deemed excessive.
- Nonce/Challenge Derivation: For application profiles requiring a challenge (N_S) for proof-of-possession, this profile proposes deriving N_S via the EDHOC exporter. This is necessary because the standard /authz-info exchange is bypassed when the token is carried in an EDHOC EAD item.
- IANA Requests: The authors requested early allocation for several registries, including JWT/CWT confirmation methods and EDHOC External Authorization Data (EAD) labels.
Decisions and Action Items
- Decision: draft-ietf-ace-coap-est-oscore has finished WGLC and will proceed to the Shepherd Write-up phase.
- Action: Chairs to coordinate the Shepherd Write-up for draft-ietf-ace-coap-est-oscore.
- Action: Marco Tiloca to submit version -04 of draft-ietf-ace-coap-pubsub-profile incorporating recent IESG feedback from related drafts.
Next Steps
- draft-ietf-ace-workflow-and-params: Marco Tiloca to refine the logic for the AS starting a new token series and update the RS_CNF parameter description.
- draft-ietf-ace-edhoc-oscore-profile: Authors to investigate the privacy and security implications of placing access tokens in different EDHOC messages (EAD_2 vs. EAD_3 vs. EAD_4) and address review comments from Christian Amsüss.
- AD Transition: Chairs to meet with Christopher Wood to facilitate the transition.
Related Documents
draft-ietf-ace-coap-est-oscore, draft-ietf-ace-coap-est-oscore-10-00, draft-ietf-ace-coap-pubsub-profile, draft-ietf-ace-coap-pubsub-profile-00, draft-ietf-ace-edhoc-oscore-profile, draft-ietf-ace-group-oscore-profile, draft-ietf-ace-workflow-and-params, draft-ietf-ace-workflow-and-params-00, draft-ietf-core-coap-pubsub, draft-ietf-cose-cbor-encoded-cert