Internet-Draft EDHOC Application Profiles December 2024
Tiloca & Höglund Expires 13 June 2025 [Page]
Workgroup:
LAKE Working Group
Internet-Draft:
draft-ietf-lake-app-profiles-00
Published:
Intended Status:
Standards Track
Expires:
Authors:
M. Tiloca
RISE AB
R. Höglund
RISE AB

Coordinating the Use of Application Profiles for Ephemeral Diffie-Hellman Over COSE (EDHOC)

Abstract

The lightweight authenticated key exchange protocol Ephemeral Diffie-Hellman Over COSE (EDHOC) requires certain parameters to be agreed out-of-band, in order to ensure its successful completion. To this end, application profiles specify the intended use of EDHOC to allow for the relevant processing and verifications to be made. This document defines a number of means to coordinate the use and discovery of EDHOC application profiles. Also, it defines a canonical, CBOR-based representation that can be used to describe, distribute, and store EDHOC application profiles. Finally, this document defines a set of well-known EDHOC application profiles.

Discussion Venues

This note is to be removed before publishing as an RFC.

Discussion of this document takes place on the Lightweight Authenticated Key Exchange Working Group mailing list (lake@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/lake/.

Source for this draft and an issue tracker can be found at https://github.com/lake-wg/app-profiles.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 13 June 2025.

Table of Contents

1. Introduction

Ephemeral Diffie-Hellman Over COSE (EDHOC) [RFC9528] is a lightweight authenticated key exchange protocol, especially intended for use in constrained scenarios.

In order to successfully run EDHOC, the two peers acting as Initiator and Responder have to agree on certain parameters. Some of those are in-band and communicated through the protocol execution, during which a few of them may even be negotiated. However, other parameters have to be known out-of-band, before running the EDHOC protocol.

As discussed in Section 3.9 of [RFC9528], applications can use EDHOC application profiles, which specify the intended usage of EDHOC to allow for the relevant processing and verifications to be made. In particular, an EDHOC application profile may include both in-band and out-of-band parameters.

This document defines a number of means to coordinate the use and discovery of EDHOC application profiles, that is:

In order to ensure the applicability of such parameters beyond transport- or setup-specific scenarios, this document also defines a canonical, CBOR-based representation that can be used to describe, distribute, and store EDHOC application profiles as CBOR data items (see Section 5). The defined representation is transport- and setup-independent, and avoids the need to reinvent an encoding for the available options to run the EDHOC protocol or the selection logic to apply on those.

The CBOR-based representation of an EDHOC application profile can be, for example: retrieved as a result of a discovery process; or retrieved/provided during the retrieval/provisioning of an EDHOC peer's public authentication credential; or obtained during the execution of a device on-boarding/registration workflow.

Finally, this document defines a set of well-known EDHOC application profiles (see Section 6). These application profiles are meant to reflect what is most common and expected to be supported by EDHOC peers, while they are not to be intended as "default" application profiles or as a deviation from what is mandatory to support for EDHOC peers (see Section 8 of [RFC9528]).

1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

The reader is expected to be familiar with terms and concepts defined in EDHOC [RFC9528], and with the use of EDHOC with CoAP [RFC7252] and OSCORE [RFC8613] defined in [I-D.ietf-core-oscore-edhoc].

Concise Binary Object Representation (CBOR) [RFC8949] and Concise Data Definition Language (CDDL) [RFC8610] are used in this document. CDDL predefined type names, especially bstr for CBOR byte strings and tstr for CBOR text strings, are used extensively in this document.

CBOR data items are represented using the CBOR extended diagnostic notation as defined in Section 8 of [RFC8949] and Appendix G of [RFC8610] ("diagnostic notation"). Diagnostic notation comments are used to provide a textual representation of the parameters' keys and values.

In the CBOR diagnostic notation used in this document, constructs of the form e'SOME_NAME' are replaced by the value assigned to SOME_NAME in the CDDL model shown in Figure 2 of Appendix A. For example, {e'methods' : [0, 1, 2, 3], e'cipher_suites': 3} stands for {1 : [0, 1, 2, 3], 2 : 3}.

Note to RFC Editor: Please delete the paragraph immediately preceding this note. Also, in the CBOR diagnostic notation used in this document, please replace the constructs of the form e'SOME_NAME' with the value assigned to SOME_NAME in the CDDL model shown in Figure 2 of Appendix A. Finally, please delete this note.

2. Identifying EDHOC Application Profiles by Profile ID

This section defines two means to identify EDHOC application profiles by their Profile IDs, i.e., the parameter "ed-prof" for web linking (see Section 2.1) and the parameter "app_prof" of the EDHOC_Information object (see Section 2.2).

2.1. Web Linking

Section 6 of [I-D.ietf-core-oscore-edhoc] defines a number of target attributes that can be used in a web link [RFC8288] with resource type "core.edhoc" (see Section 10.10 of [RFC9528]). This is the case, e.g., when using a link-format document [RFC6690] describing EDHOC resources at a server, when EDHOC is transferred over CoAP [RFC7252] as defined in Appendix A.2 of [RFC9528]. This allows a client to obtain relevant information about the EDHOC application profile(s) to be used with a certain EDHOC resource.

In the same spirit, this section defines the following additional parameter, which can be optionally specified as a target attribute with the same name in the link to the respective EDHOC resource, or among the filter criteria in a discovery request from a client.

  • 'ed-prof', specifying an EDHOC application profile supported by the server. This parameter MUST specify a single value, which is taken from the 'Profile ID' column of the "EDHOC Application Profiles" registry defined in Section 11.5 of this document. This parameter MAY occur multiple times, with each occurrence specifying an EDHOC application profile.

When specifying the parameter 'ed-prof' in a link to an EDHOC resource, the target attribute rt="core.edhoc" MUST be included.

If a link to an EDHOC resource includes occurrences of the target attribute 'ed-prof', then the following applies.

  • The link MUST NOT include other target attributes that provide information about an EDHOC application profile (see, e.g., Section 6 of [I-D.ietf-core-oscore-edhoc] and Section 3 of this document), with the exception of the target attribute 'ed-ead' that MAY be included.

    The recipient MUST ignore other target attributes that provide information about an EDHOC application profile, with the exception of the target attribute 'ed-ead'.

  • If the link includes occurrences of the target attribute 'ed-ead', the link provides the following information: when using the target EDHOC resource as per the EDHOC application profile indicated by any occurrence of the target attribute 'ed-prof', the server supports the EAD items that are specified in the definition of that EDHOC application profile, as well as the EAD items indicated by the occurrences of the target attribute 'ed-ead'.

The example in Figure 1 shows how a CoAP client discovers two EDHOC resources at a CoAP server, and obtains information about the application profile corresponding to each of those resources. The Link Format notation from Section 5 of [RFC6690] is used.

The example assumes the existence of an EDHOC application profile identified by the integer Profile ID 500, which is supported by the EDHOC resource at /edhoc-alt and whose definition includes the support for the EAD items with EAD label 111 and 222.

Therefore, the link to the EDHOC resource at /edhoc-alt indicates that, when using that EDHOC resource as per the EDHOC application profile with Profile ID 500, the server supports the EAD items with EAD label 111, 222, and 333.

2.2. EDHOC_Information Object

Section 3.4 of [I-D.ietf-ace-edhoc-oscore-profile] defines the EDHOC_Information object, as including information that guides two peers towards executing the EDHOC protocol, and defines an initial set of its parameters.

This document defines the new parameter "app_prof" of the EDHOC_Information object, as summarized in Table 1 and described further below.

Table 1: EDHOC_Information Parameter "app_prof"
Name CBOR label CBOR type Registry Description
app_prof 18 int or array EDHOC Application Profiles Registry Set of supported EDHOC Application Profiles
  • app_prof: This parameter specifies a set of supported EDHOC application profiles, identified by their Profile ID. If the set is composed of a single EDHOC application profile, its Profile ID is encoded as an integer. Otherwise, the set is encoded as an array of integers, where each array element encodes one Profile ID. In JSON, the "app_prof" value is an integer or an array of integers. In CBOR, "app_prof" is an integer or an array of integers, and has label 18. The integer values are taken from the 'Profile ID' column of the "EDHOC Application Profiles" registry defined in Section 11.5 of this document.

2.2.1. Use in the EDHOC and OSCORE Profile of the ACE Framework

Section 3 of [I-D.ietf-ace-edhoc-oscore-profile] defines how the EDHOC_Information object can be used within the workflow of the EDHOC and OSCORE transport profile of the ACE framework for authentication and authorization in constrained environments (ACE) [RFC9200].

In particular, the AS-to-C Access Token Response includes the parameter "edhoc_info", with value an EDHOC_Information object. This allows the ACE authorization server (AS) to provide the ACE client (C) with information about how to run the EDHOC protocol with the ACE resource server (RS) for which the access token is issued.

Similarly, the access token includes the corresponding claim "edhoc_info", with value an EDHOC_Information object. This allows the AS to provide the ACE RS with information about how to run the EDHOC protocol with the ACE client, according to the issued access token.

In turn, the EDHOC_Information object can include the parameter "app_prof" defined in this document. This parameter indicates a set of EDHOC application profiles associated with the EDHOC resource to use at the RS, which is either implied or specified by the parameter "uri_path" within the same EDHOC_Information object.

If the EDHOC_Information object specified as value of "edhoc_info" includes the "app_prof" parameter, then the following applies.

  • The object MUST NOT include other parameters that provide information pertaining to an EDHOC application profile, with the exception of the parameter "eads" that MAY be included.

    C and RS MUST ignore other parameters present in the EDHOC_Information object, with the exception of the parameter "eads".

    At the time of writing this document, such parameters are: "methods", "cipher_suites", "message_4", "comb_req", "osc_ms_len", "osc_salt_len", "osc_version", "cred_types", "id_cred_types", "initiator", and "responder" (which are all defined in Section 3.4 of [I-D.ietf-ace-edhoc-oscore-profile]), as well as those defined in Section 4 of this document.

  • If the EDHOC_Information object specified in the parameter "edhoc_info" of the AS-to-C Access Token Response includes the parameter "eads", the object provides the following information.

    When using the target EDHOC resource as per any EDHOC application profile indicated by the parameter "app_prof", the ACE RS for which the access token is issued supports the EAD items that are specified in the definition of that EDHOC application profile, as well as the EAD items indicated by the parameter "eads".

  • If the EDHOC_Information object specified in the claim "edhoc_info" of the access token includes the parameter "eads", the object provides the following information.

    When using the target EDHOC resource as per any EDHOC application profile indicated by the parameter "app_prof", the ACE client to which the access token is issued supports the EAD items that are specified in the definition of that EDHOC application profile, as well as the EAD items indicated by the parameter "eads".

3. Additional Parameters for Web Linking

Building on what is defined and prescribed in Section 6 of [I-D.ietf-core-oscore-edhoc], this section defines additional parameters for web linking [RFC8288], which can be used to obtain relevant pieces of information from the EDHOC application profile associated with an EDHOC resource.

These parameters can be optionally specified as target attributes with the same name in a link with resource type "core.edhoc" (see Section 10.10 of [RFC9528]) targeting an EDHOC resource, or as filter criteria in a discovery request from a client.

When specifying any of the parameters defined below in a link to an EDHOC resource, the target attribute rt="core.edhoc" MUST be included.

4. Additional Parameters of the EDHOC_Information Object

This section defines additional parameters of the EDHOC_Information object defined in Section 3.4 of [I-D.ietf-ace-edhoc-oscore-profile]. These parameters are summarized in Table 2 and described further below.

Editor's note: these parameters can better be defined directly in Section 3.4 of [I-D.ietf-ace-edhoc-oscore-profile].

Table 2: EDHOC_Information Parameters
Name CBOR label CBOR type Registry Description
max_msgsize 14 uint   Maximum size of EDHOC messages in bytes
coap_cf 15 True of False   Requested use of the CoAP Content-Format Option in CoAP messages whose payload includes exclusively an EDHOC message, possibly prepended by an EDHOC connection identifier
id_ep_types 16 int or array EDHOC Endpoint Identity Types Registry Set of supported types of endpoint identities for EDHOC
transports 17 int or array EDHOC Transports Registry Set of supported means for transporting EDHOC messages

5. Representation of an EDHOC Application Profile

This section defines the EDHOC_Application_Profile object, which can be used as a canonical representation of EDHOC application profiles for their description, distribution, and storage.

An EDHOC_Application_Profile object is encoded as a CBOR map [RFC8949]. Each element of the CBOR map is an element of the CBOR-encoded EDHOC_Information object defined in Section 3.4 of [I-D.ietf-ace-edhoc-oscore-profile], and thus uses the corresponding CBOR abbreviations from the 'CBOR label' column of the "EDHOC Information" registry defined in [I-D.ietf-ace-edhoc-oscore-profile].

The CBOR map encoding an EDHOC_Application_Profile object MUST include the element "app_prof" defined in this document. The value of the element "app_prof" is the unique identifier of the EDHOC application profile described by the EDHOC_Application_Profile object, taken from the 'Profile ID' column of the "EDHOC Application Profiles" registry defined in this document, and encoded as a CBOR integer.

The CBOR map MUST include the following elements defined for the EDHOC_Information object: "methods" and "cred_types".

The CBOR map MUST NOT include the following elements defined for the EDHOC_Information object: "session_id", "uri_path", "initiator", and "responder".

The CBOR map MAY include other elements defined for the EDHOC_Information object. These also comprise the new parameters defined in Section 4 of this document.

Furthermore, consistent with Sections 8 and A.1 of [RFC9528] and with Section 5.4 of [RFC8613], the following applies:

If an element is present in the CBOR map and the information that it specifies is intrinsically a set of one or more co-existing alternatives, then all the specified alternatives apply for the EDHOC application profile in question.

For example, the element "cipher_suites" with value the CBOR array [0, 2] means that, in order to adhere to the EDHOC application profile in question, an EDHOC peer has to implement both the EDHOC cipher suites 0 and 2, because either of them can be used by another EDHOC peer also adhering to the same EDHOC application profile.

The CDDL grammar describing the EDHOC_Application_Profile object is:

EDHOC_Application_Profile = {
      1 => int / array,    ; methods
      9 => int / array,    ; cred_types
     18 => int,            ; app_prof
   * int / tstr => any
}

6. Well-known EDHOC Application Profiles

This section defines a set of well-known EDHOC application profiles that are meant to reflect what is most common and expected to be supported by EDHOC peers.

The well-known application profiles are not to be intended as "default" profiles to use, in case no other indication is provided to EDHOC peers.

In particular, an EDHOC peer MUST NOT assume that, unless otherwise indicated, any of such profiles is used when running EDHOC through a well-known EDHOC resource, such as the resource at /.well-known/edhoc when EDHOC messages are transported as payload of CoAP messages (see Appendix A.2 of [RFC9528]).

Building on the above, the well-known application profiles are not intended to deviate from what is mandatory to support for EDHOC peers, which is defined by the compliance requirements in Section 8 of [RFC9528].

The rest of this section defines the well-known application profiles, each of which is represented by means of an EDHOC_Application_Profile object (see Section 5) using the CBOR extended diagnostic notation.

An entry for each well-known application profile is also registered at the "EDHOC Application Profiles" registry defined in Section 11.5 of this document.

6.1. Well-Known Application Profile WK-MINIMAL_CS_2

{
        e'methods' : 3, / EDHOC Method Type 3 /
  e'cipher_suites' : 2, / EDHOC Cipher Suite 2 /
     e'cred_types' : 1, / CWT Claims Set (CCS) /
  e'id_cred_types' : 4, / kid /
       e'app_prof' : e'APP-PROF-WK-MINIMAL-CS-2'
}

This application profile is aligned with the example trace of EDHOC compiled in Section 3 of [RFC9529].

6.2. Well-Known Application Profile WK-MINIMAL_CS_0

{
        e'methods' : 3, / EDHOC Method Type 3 /
  e'cipher_suites' : 0, / EDHOC Cipher Suite 0 /
     e'cred_types' : 1, / CWT Claims Set (CCS) /
  e'id_cred_types' : 4, / kid /
       e'app_prof' : e'APP-PROF-WK-MINIMAL-CS-0'
}

6.3. Well-Known Application Profile WK-BASIC_CS_2_X509

{
        e'methods' : [0, 3], / EDHOC Method Types 0 and 3 /
  e'cipher_suites' : 2, / EDHOC Cipher Suite 2 /
     e'cred_types' : [1, 2], / CWT Claims Set (CCS)
                               and X.509 certificate /
  e'id_cred_types' : [4, 34], / kid and x5t /
       e'app_prof' : e'APP-PROF-WK-BASIC-CS-2-X509'
}

This application profile is aligned with the example trace of EDHOC compiled in Section 3 of [RFC9529].

6.4. Well-Known Application Profile WK-BASIC_CS_0_X509

{
        e'methods' : [0, 3], / EDHOC Method Types 0 and 3 /
  e'cipher_suites' : 0, / EDHOC Cipher Suite 0 /
     e'cred_types' : [1, 2], / CWT Claims Set (CCS)
                               and X.509 certificate /
  e'id_cred_types' : [4, 34], / kid and x5t /
       e'app_prof' : e'APP-PROF-WK-BASIC-CS-0-X509'
}

This application profile is aligned with the example trace of EDHOC compiled in Section 2 of [RFC9529].

6.5. Well-Known Application Profile WK-BASIC_CS_2_C509

{
        e'methods' : [0, 3], / EDHOC Method Types 0 and 3 /
  e'cipher_suites' : 2, / EDHOC Cipher Suite 2 /
     e'cred_types' : [1, e'c509_cert'], / CWT Claims Set (CCS)
                                          and C509 certificate /
  e'id_cred_types' : [4, e'c5t'], / kid and c5t /
       e'app_prof' : e'APP-PROF-WK-BASIC-CS-2-C509'
}

6.6. Well-Known Application Profile WK-BASIC_CS_0_C509

{
        e'methods' : [0, 3], / EDHOC Method Types 0 and 3 /
  e'cipher_suites' : 0, / EDHOC Cipher Suite 0 /
     e'cred_types' : [1, e'c509_cert'], / CWT Claims Set (CCS)
                                          and C509 certificate /
  e'id_cred_types' : [4, e'c5t'], / kid and c5t /
       e'app_prof' : e'APP-PROF-WK-BASIC-CS-0-C509'
}

6.7. Well-Known Application Profile WK-INTERMEDIATE_CS_2

{
        e'methods' : [0, 3], / EDHOC Method Types 0 and 3 /
  e'cipher_suites' : 2, / EDHOC Cipher Suite 2 /
     e'cred_types' : [1, 2, e'c509_cert'], / CWT Claims Set (CCS),
                                             X.509 certificate,
                                             and C509 certificate /
  e'id_cred_types' : [4, 14, 34, 33, e'c5t', e'c5c'], / kid, kccs,
                                                        x5t, x5chain,
                                                        c5t, and c5c /
       e'app_prof' : e'APP-PROF-WK-INTERMEDIATE-CS-2'
}

This application profile is aligned with the example trace of EDHOC compiled in Section 3 of [RFC9529].

6.8. Well-Known Application Profile WK-INTERMEDIATE_CS_0

{
        e'methods' : [0, 3], / EDHOC Method Types 0 and 3 /
  e'cipher_suites' : 0, / EDHOC Cipher Suite 0 /
     e'cred_types' : [1, 2, e'c509_cert'], / CWT Claims Set (CCS),
                                             X.509 certificate,
                                             and C509 certificate /
  e'id_cred_types' : [4, 14, 34, 33, e'c5t', e'c5c'], / kid, kccs,
                                                        x5t, x5chain,
                                                        c5t, and c5c /
       e'app_prof' : e'APP-PROF-WK-INTERMEDIATE-CS-0'
}

This application profile is aligned with the example trace of EDHOC compiled in Section 2 of [RFC9529].

6.9. Well-Known Application Profile WK-ADVANCED

{
        e'methods' : [0, 1, 2, 3], / EDHOC Method Types
                                     0, 1, 2, and 3 /
  e'cipher_suites' : [0, 1, 2, 3], / EDHOC Cipher Suites
                                     0, 1, 2, and 3 /
     e'cred_types' : [1, 0, 2, e'c509_cert'], / CWT Claims Set (CCS),
                                                CWT, X.509 certificate,
                                                and C509 certificate /
  e'id_cred_types' : [4, 14, 13, 34, 33, e'c5t', e'c5c'], / kid, kccs,
                                                            kcwt, x5t,
                                                            x5chain,
                                                            c5t, and
                                                            c5c /
       e'app_prof' : e'APP-PROF-WK-ADVANCED'
}

This application profile is aligned with the example traces of EDHOC compiled in Sections 2 and 3 of [RFC9529].

7. EDHOC Well-known Application Profiles

This document defines the following identifiers of well-known EDHOC application profiles.

Table 3: EDHOC Well-known Application Profiles
Profile ID Name Description Reference
0 WK-MINIMAL-CS-2 Method 3; Cipher Suite 2; CCS; kid [RFC-XXXX]
1 WK-MINIMAL-CS-0 Method 3; Cipher Suite 0; CCS; kid [RFC-XXXX]
2 WK-BASIC-CS-2-X509 Methods (0, 3); Cipher Suite 2; (CCS, X.509 certificates); (kid, x5t) [RFC-XXXX]
3 WK-BASIC-CS-0-X509 Methods (0, 3); Cipher Suite 0; (CCS, X.509 certificates); (kid, x5t) [RFC-XXXX]
4 WK-BASIC-CS-2-C509 Methods (0, 3); Cipher Suite 2; (CCS, C509 certificates); (kid, c5t) [RFC-XXXX]
5 WK-BASIC-CS_0-C509 Methods (0, 3); Cipher Suite 0; (CCS, C509 certificates); (kid, c5t) [RFC-XXXX]
6 WK-INTERMEDIATE-CS-2 Methods (0, 3); Cipher Suite 2; (CCS, X.509/C509 certificates); (kid, kccs, x5t, x5chain, c5t, c5c) [RFC-XXXX]
7 WK-INTERMEDIATE-CS-0 Methods (0, 3); Cipher Suite 0; (CCS, X.509/C509 certificates); (kid, kccs, x5t, x5chain, c5t, c5c) [RFC-XXXX]
8 WK-ADVANCED Methods (0, 1, 2, 3); Cipher Suites (0, 1, 2, 3); (CCS, CWT, X.509/C509 certificates); (kid, kccs, kcwt, x5t, x5chain, c5t, c5c) [RFC-XXXX]

8. EDHOC Endpoint Identity Types

This document defines the following identifier of type of endpoint identity for EDHOC.

Table 4: EDHOC Endpoint Identity Types
Name CBOR label Description Reference
EUI-64 0 An EUI-64 identity [RFC-XXXX][RFC4291]

9. EDHOC Transports

This document defines the following identifiers of means for transporting EDHOC messages.

Table 5: EDHOC Transports
Transport ID Name Description Reference
0 CoAP over UDP EDHOC messages are transported as payload of CoAP messages, in turn transported over UDP [RFC7252], Appendix A.2 of [RFC9528]
1 CoAP over TCP EDHOC messages are transported as payload of CoAP messages, in turn transported over TCP [RFC7252][RFC8323]
2 CoAP over WebSockets EDHOC messages are transported as payload of CoAP messages, in turn transported over WebSockets [RFC7252][RFC8323]

10. Security Considerations

TBD

11. IANA Considerations

This document has the following actions for IANA.

Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.

11.1. Media Type Registrations

IANA is asked to register the media type "application/edhoc-app-profile+cbor-seq". This registration follows the procedures specified in [RFC6838].

Type name: application

Subtype name: edhoc-app-profile+cbor-seq

Required parameters: N/A

Optional parameters: N/A

Encoding considerations: Must be encoded as a CBOR sequence [RFC8742] of CBOR maps [RFC8949]. Each element of each CBOR map is also defined as an element of the CBOR-encoded EDHOC_Information object from Section 3.4 of [I-D.ietf-ace-edhoc-oscore-profile].

Security considerations: See Section 10 of [RFC-XXXX].

Interoperability considerations: N/A

Published specification: [RFC-XXXX]

Applications that use this media type: Applications that need to describe, distribute, and store a representation of an EDHOC application profile (see Section 3.9 of [RFC9528]).

Fragment identifier considerations: N/A

Additional information: N/A

Person & email address to contact for further information: LAKE WG mailing list (lake@ietf.org) or IETF Applications and Real-Time Area (art@ietf.org)

Intended usage: COMMON

Restrictions on usage: None

Author/Change controller: IETF

Provisional registration: No

11.2. CoAP Content-Formats Registry

IANA is asked to add the following entry to the "CoAP Content-Formats" registry within the "Constrained RESTful Environments (CoRE) Parameters" registry group.

Content Type: application/edhoc-app-profile+cbor-seq

Content Coding: -

ID: TBD

Reference: [RFC-XXXX]

11.3. Target Attributes Registry

IANA is asked to register the following entries in the "Target Attributes" registry within the "Constrained RESTful Environments (CoRE) Parameters", as per [RFC9423].

  • Attribute Name: ed-max-msgsize

  • Brief Description: The admitted maximum size of EDHOC messages in bytes

  • Change Controller: IETF

  • Reference: [RFC-XXXX]


  • Attribute Name: ed-coap-cf

  • Brief Description: Requested use of the CoAP Content-Format Option in CoAP messages whose payload includes exclusively an EDHOC message, possibly prepended by an EDHOC connection identifier

  • Change Controller: IETF

  • Reference: [RFC-XXXX]


  • Attribute Name: ed-idep-t

  • Brief Description: A supported type of endpoint identity for EDHOC

  • Change Controller: IETF

  • Reference: [RFC-XXXX]


  • Attribute Name: ed-tp

  • Brief Description: A supported means for transporting EDHOC messages

  • Change Controller: IETF

  • Reference: [RFC-XXXX]


  • Attribute Name: ed-prof

  • Brief Description: A supported EDHOC application profile

  • Change Controller: IETF

  • Reference: [RFC-XXXX]

11.4. EDHOC Information Registry

IANA is asked to register the following entries in the "EDHOC Information" registry defined in [I-D.ietf-ace-edhoc-oscore-profile].

  • Name: max_msgsize

  • CBOR label: 14

  • CBOR type: uint

  • Registry:

  • Description: The admitted maximum size of EDHOC messages in bytes

  • Specification: [RFC-XXXX][RFC9528]


  • Name: coap_cf

  • CBOR label: 15

  • CBOR type: True or False

  • Registry:

  • Description: Requested use of the CoAP Content-Format Option in CoAP messages whose payload includes exclusively an EDHOC message, possibly prepended by an EDHOC connection identifier

  • Specification: [RFC-XXXX][RFC9528]


  • Name: id_ep_types

  • CBOR label: 16

  • CBOR type: int or array

  • Registry: EDHOC Endpoint Identity Types

  • Description: Set of supported types of endpoint identities for EDHOC

  • Specification: [RFC-XXXX]


  • Name: transports

  • CBOR label: 17

  • CBOR type: int or array

  • Registry: EDHOC Transports Registry

  • Description: Set of supported means for transporting EDHOC messages

  • Specification: [RFC-XXXX]


  • Name: app_prof

  • CBOR label: 18

  • CBOR type: int or array

  • Registry: EDHOC Application Profiles Registry

  • Description: Set of supported EDHOC Application Profiles

  • Specification: [RFC-XXXX][RFC9528]

11.5. EDHOC Application Profiles Registry

IANA is requested to create a new "EDHOC Application Profiles" registry within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry group defined in [RFC9528].

The registration policy is either "Private Use", "Standards Action with Expert Review", or "Specification Required" per Section 4.6 of [RFC8126]. "Expert Review" guidelines are provided in Section 11.8.

All assignments according to "Standards Action with Expert Review" are made on a "Standards Action" basis per Section 4.9 of [RFC8126], with Expert Review additionally required per Section 4.5 of [RFC8126]. The procedure for early IANA allocation of Standards Track code points defined in [RFC7120] also applies. When such a procedure is used, IANA will ask the designated expert(s) to approve the early allocation before registration. In addition, WG chairs are encouraged to consult the expert(s) early during the process outlined in Section 3.1 of [RFC7120].

The columns of this registry are:

  • Profile ID: This field contains the value used to identify the EDHOC application profile. These values MUST be unique. The value can be a positive integer or a negative integer. Different ranges of values use different registration policies [RFC8126]. Integer values from -24 to 23 are designated as "Standards Action With Expert Review". Integer values from -65536 to -25 and from 24 to 65535 are designated as "Specification Required". Integer values smaller than -65536 and greater than 65535 are marked as "Private Use".

  • Name: This field contains the name of the EDHOC application profile.

  • Description: This field contains a short description of the EDHOC application profile.

  • Reference: This field contains a pointer to the public specification for the EDHOC application profile.

This registry has been initially populated with the values in Table 3.

11.6. EDHOC Endpoint Identity Types Registry

IANA is requested to create a new "EDHOC Endpoint Identity Types" registry within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry group defined in [RFC9528].

The registration policy is either "Private Use", "Standards Action with Expert Review", or "Specification Required" per Section 4.6 of [RFC8126]. "Expert Review" guidelines are provided in Section 11.8.

All assignments according to "Standards Action with Expert Review" are made on a "Standards Action" basis per Section 4.9 of [RFC8126], with Expert Review additionally required per Section 4.5 of [RFC8126]. The procedure for early IANA allocation of Standards Track code points defined in [RFC7120] also applies. When such a procedure is used, IANA will ask the designated expert(s) to approve the early allocation before registration. In addition, WG chairs are encouraged to consult the expert(s) early during the process outlined in Section 3.1 of [RFC7120].

The columns of this registry are:

  • Name: This field contains the name of the EDHOC endpoint identity type.

  • CBOR Label: The value to be used to identify this EDHOC endpoint identity type. These values MUST be unique. The value can be a positive integer or a negative integer. Different ranges of values use different registration policies [RFC8126]. Integer values from -24 to 23 are designated as "Standards Action With Expert Review". Integer values from -65536 to -25 and from 24 to 65535 are designated as "Specification Required". Integer values smaller than -65536 and greater than 65535 are marked as "Private Use".

  • Description: This field contains a short description of the EDHOC endpoint identity type.

  • Reference: This field contains a pointer to the public specification for the EDHOC endpoint identity type.

This registry has been initially populated with the values in Table 4.

11.7. EDHOC Transport Registry

IANA is requested to create a new "EDHOC Transport" registry within the "Ephemeral Diffie-Hellman Over COSE (EDHOC)" registry group defined in [RFC9528].

The registration policy is either "Private Use", "Standards Action with Expert Review", or "Specification Required" per Section 4.6 of [RFC8126]. "Expert Review" guidelines are provided in Section 11.8.

All assignments according to "Standards Action with Expert Review" are made on a "Standards Action" basis per Section 4.9 of [RFC8126], with Expert Review additionally required per Section 4.5 of [RFC8126]. The procedure for early IANA allocation of Standards Track code points defined in [RFC7120] also applies. When such a procedure is used, IANA will ask the designated expert(s) to approve the early allocation before registration. In addition, WG chairs are encouraged to consult the expert(s) early during the process outlined in Section 3.1 of [RFC7120].

The columns of this registry are:

  • Transport ID: The value to be used to identify this means for transporting EDHOC messages. These values MUST be unique. The value can be a positive integer or a negative integer. Different ranges of values use different registration policies [RFC8126]. Integer values from -24 to 23 are designated as "Standards Action With Expert Review". Integer values from -65536 to -25 and from 24 to 65535 are designated as "Specification Required". Integer values smaller than -65536 and greater than 65535 are marked as "Private Use".

  • Name: This field contains the name of the means for transporting EDHOC messages.

  • Description: This field contains a short description of the means used for transporting EDHOC messages.

  • Reference: This field contains a pointer to the public specification for the means used for transporting EDHOC messages.

This registry has been initially populated with the values in Table 5.

11.8. Expert Review Instructions

"Standards Action with Expert Review" and "Specification Required" are two of the registration policies defined for the IANA registries established in this document. This section gives some general guidelines for what the experts should be looking for, but they are being designated as experts for a reason so they should be given substantial latitude.

Expert reviewers should take into consideration the following points:

  • Clarity and correctness of registrations. Experts are expected to check the clarity of purpose and use of the requested entries. Experts need to make sure that the object of registration (i.e., an EDHOC application profile, an EDHOC endpoint identity type, or a means for transporting EDHOC messages) is clearly defined in the corresponding specification. Entries that do not meet these objective of clarity and completeness must not be registered.

  • Point squatting should be discouraged. Reviewers are encouraged to get sufficient information for registration requests to ensure that the usage is not going to duplicate one that is already registered and that the point is likely to be used in deployments. The zones tagged as "Private Use" are intended for testing purposes and closed environments. Code points in other ranges should not be assigned for testing.

  • Specifications are required for the "Standards Action With Expert Review" range of point assignment. Specifications should exist for "Specification Required" ranges, but early assignment before a specification is available is considered to be permissible. When specifications are not provided, the description provided needs to have sufficient information to identify what the point is being used for.

  • Experts should take into account the expected usage of fields when approving point assignment. Documents published via Standards Action can also register points outside the Standards Action range. The length of the encoded value should be weighed against how many code points of that length are left, the size of device it will be used on, and the number of code points left that encode to that size.

12. References

12.1. Normative References

[COSE.Header.Parameters]
IANA, "COSE Header Parameters", <https://www.iana.org/assignments/cose/cose.xhtml#header-parameters>.
[I-D.ietf-ace-edhoc-oscore-profile]
Selander, G., Mattsson, J. P., Tiloca, M., and R. Höglund, "Ephemeral Diffie-Hellman Over COSE (EDHOC) and Object Security for Constrained Environments (OSCORE) Profile for Authentication and Authorization for Constrained Environments (ACE)", Work in Progress, Internet-Draft, draft-ietf-ace-edhoc-oscore-profile-06, , <https://datatracker.ietf.org/doc/html/draft-ietf-ace-edhoc-oscore-profile-06>.
[I-D.ietf-core-oscore-edhoc]
Palombini, F., Tiloca, M., Höglund, R., Hristozov, S., and G. Selander, "Using Ephemeral Diffie-Hellman Over COSE (EDHOC) with the Constrained Application Protocol (CoAP) and Object Security for Constrained RESTful Environments (OSCORE)", Work in Progress, Internet-Draft, draft-ietf-core-oscore-edhoc-11, , <https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-edhoc-11>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC4291]
Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, DOI 10.17487/RFC4291, , <https://www.rfc-editor.org/rfc/rfc4291>.
[RFC6690]
Shelby, Z., "Constrained RESTful Environments (CoRE) Link Format", RFC 6690, DOI 10.17487/RFC6690, , <https://www.rfc-editor.org/rfc/rfc6690>.
[RFC6838]
Freed, N., Klensin, J., and T. Hansen, "Media Type Specifications and Registration Procedures", BCP 13, RFC 6838, DOI 10.17487/RFC6838, , <https://www.rfc-editor.org/rfc/rfc6838>.
[RFC7120]
Cotton, M., "Early IANA Allocation of Standards Track Code Points", BCP 100, RFC 7120, DOI 10.17487/RFC7120, , <https://www.rfc-editor.org/rfc/rfc7120>.
[RFC7252]
Shelby, Z., Hartke, K., and C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, DOI 10.17487/RFC7252, , <https://www.rfc-editor.org/rfc/rfc7252>.
[RFC8126]
Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, , <https://www.rfc-editor.org/rfc/rfc8126>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8288]
Nottingham, M., "Web Linking", RFC 8288, DOI 10.17487/RFC8288, , <https://www.rfc-editor.org/rfc/rfc8288>.
[RFC8323]
Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., Silverajan, B., and B. Raymor, Ed., "CoAP (Constrained Application Protocol) over TCP, TLS, and WebSockets", RFC 8323, DOI 10.17487/RFC8323, , <https://www.rfc-editor.org/rfc/rfc8323>.
[RFC8610]
Birkholz, H., Vigano, C., and C. Bormann, "Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, , <https://www.rfc-editor.org/rfc/rfc8610>.
[RFC8613]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz, "Object Security for Constrained RESTful Environments (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, , <https://www.rfc-editor.org/rfc/rfc8613>.
[RFC8742]
Bormann, C., "Concise Binary Object Representation (CBOR) Sequences", RFC 8742, DOI 10.17487/RFC8742, , <https://www.rfc-editor.org/rfc/rfc8742>.
[RFC8949]
Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949, , <https://www.rfc-editor.org/rfc/rfc8949>.
[RFC9200]
Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and H. Tschofenig, "Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth)", RFC 9200, DOI 10.17487/RFC9200, , <https://www.rfc-editor.org/rfc/rfc9200>.
[RFC9423]
Bormann, C., "Constrained RESTful Environments (CoRE) Target Attributes Registry", RFC 9423, DOI 10.17487/RFC9423, , <https://www.rfc-editor.org/rfc/rfc9423>.
[RFC9528]
Selander, G., Preuß Mattsson, J., and F. Palombini, "Ephemeral Diffie-Hellman Over COSE (EDHOC)", RFC 9528, DOI 10.17487/RFC9528, , <https://www.rfc-editor.org/rfc/rfc9528>.

12.2. Informative References

[RFC9529]
Selander, G., Preuß Mattsson, J., Serafin, M., Tiloca, M., and M. Vučinić, "Traces of Ephemeral Diffie-Hellman Over COSE (EDHOC)", RFC 9529, DOI 10.17487/RFC9529, , <https://www.rfc-editor.org/rfc/rfc9529>.

Appendix A. CDDL Model

This section is to be removed before publishing as an RFC.

; EDHOC Information
methods = 1
cipher_suites = 2
cred_types = 9
id_cred_types = 10
app_prof = 18

; EDHOC Application Profiles
APP-PROF-WK-MINIMAL-CS-2 = 0
APP-PROF-WK-MINIMAL-CS-0 = 1
APP-PROF-WK-BASIC-CS-2-X509 = 2
APP-PROF-WK-BASIC-CS-0-X509 = 3
APP-PROF-WK-BASIC-CS-2-C509 = 4
APP-PROF-WK-BASIC-CS-0-C509 = 5
APP-PROF-WK-INTERMEDIATE-CS-2 = 6
APP-PROF-WK-INTERMEDIATE-CS-0 = 7
APP-PROF-WK-ADVANCED = 8

; COSE Header Parameters
c5t = 22
c5c = 25

; EDHOC Authentication Credential Types
c509_cert = 3
Figure 2: CDDL model

Acknowledgments

The authors sincerely thank Christian Amsüss, Göran Selander, and Brian Sipos for their feedback and comments.

This work was supported by the Sweden's Innovation Agency VINNOVA within the EUREKA CELTIC-NEXT project CYPRESS.

Authors' Addresses

Marco Tiloca
RISE AB
Isafjordsgatan 22
SE-16440 Stockholm Kista
Sweden
Rikard Höglund
RISE AB
Isafjordsgatan 22
SE-16440 Stockholm Kista
Sweden