Standardizations

Standardization is a major dissemination effort in the SIFIS-Home project, to which a specific task, T7.2 “Standardization”, is dedicated within WP7 “Dissemination, Standardization and Exploitation”. This leverages the presence in the SIFIS-Home consortium of some partners with strong participation and involvement in international standardization activities.

In particular, SIFIS-Home partners RISE and Ericsson have a long-term successful track record in the premier international body Internet Engineering Task Force (IETF), where for several years they have led the standardization of IoT security protocols, across multiple Working Groups. These Working Groups include “Constrained RESTful Environments” (CoRE), “Authentication and Authorization for Constrained Environments” (ACE) and “Lightweight Authenticated Key Exchange” (LAKE).

The following list includes the IETF documents co-authored by RISE and/or Ericsson. For each of them, a brief description is provided.

1) Ephemeral Diffie-Hellman Over COSE (EDHOC)

A very compact and lightweight authenticated Diffie-Hellman key exchange with ephemeral keys, providing mutual authentication, forward secrecy, and identity protection. EDHOC is intended for constrained scenarios, and a main use case is to establish a Security Context for the security protocol Object Security for Constrained RESTful Environments (OSCORE).

2) Group Communication for the Constrained Application Protocol (CoAP)

Usage of the Constrained Application Protocol for group communication, using UDP/IP multicast as the underlying data transport.

3) Group OSCORE – Secure Group Communication for CoAP

A method for protecting group communication over CoAP, based on OSCORE.

4) Observe Notifications as CoAP Multicast Responses

Method for a CoAP server to send (secure) observe notifications as response messages over IP multicast.

5) Discovery of OSCORE Groups with the CoRE Resource Directory

Method for a CoAP endpoint to use the CoRE Resource Directory for discovering OSCORE groups and acquiring information to join them.

6) Proxy Operations for CoAP Group Communication

A method to enable CoAP forward-proxies to operate in group communication scenarios. The proxy forwards a client’s request to multiple servers, e.g., over IP multicast. Then, it receives the servers’ responses and forwards them back to the client, in such a way that the client is able to distinguish each response’s origin.

7) Using EDHOC with CoAP and OSCORE

Additional and optional features for the authenticated key establishment protocol EDHOC when run over the CoAP protocol. These especially include a method to efficiently combine the execution of EDHOC with a following message exchange protected with OSCORE.

8) Cacheable OSCORE

A method to enable CoAP forward proxies to cache response messages protected with Group OSCORE.

9) Key Update for OSCORE (KUDOS)

A lightweight method for two OSCORE peers to update their keying material and establish a new OSCORE Security Context.

10) Key Usage Limits for OSCORE

Definition of key usage limits for AEAD algorithms used by two OSCORE peers, and of the steps to take to address those limits and preserve security of OSCORE-protected communications.

11) OSCORE-capable Proxies

A method for protecting CoAP messages with OSCORE also between an origin application endpoint and an intermediary, or between two intermediaries. This includes the possible double-protection of a message through “OSCORE-in-OSCORE”, i.e., both end-to-end between origin application endpoints, as well as between an application endpoint and an intermediary.

https://datatracker.ietf.org/doc/html/draft-tiloca-core-oscore-capable-proxies

12) The Object Security for Constrained RESTful Environments (OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework

A profile for the ACE framework, which utilizes OSCORE in order to achieve communication security, server authentication, and proof-of-possession.

13) Key Provisioning for Group Communication using ACE

Definition of message formats and procedures based on the ACE framework, to request and distribute group keying material, which is then used to protect communications among members of a group.

14) Key Management for OSCORE Groups in ACE

A method to request and provision keying material in group communication scenarios where the group communication is based on CoAP and secured with Group OSCORE, building on the ACE framework for Authentication and Authorization.

15) Admin Interface for the OSCORE Group Manager

A RESTful admin interface at the OSCORE Group Manager that allows an Administrator entity to create and delete OSCORE groups, as well as to retrieve and update their configuration. The ACE framework for Authentication and Authorization is used to enforce authentication and authorization of the Administrator at the Group Manager.

16) Using the Constrained RESTful Application Language (CoRAL) with the Admin Interface for the OSCORE Group Manager

A specification of how to use CoRAL for interacting with the RESTful admin interface at the OSCORE Group Manager based on the ACE framework for Authentication and Authorization.

https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-gm-admin-coral/

17) Group OSCORE Profile of the Authentication and Authorization for Constrained Environments Framework

A profile for the ACE framework, which utilizes Group OSCORE possibly together with OSCORE, to provide communication security between a client and (a group of) resource server(s), while achieving server authentication, proof-of-possession and proof of client’s group membership.

18) Publish-Subscribe Profile for Authentication and Authorization for Constrained Environments (ACE)

A method to request and provision keying material in group communication scenarios where the group communication relies on publish-subscribe through a CoAP pub-sub Broker and is secured end-to-end between publisher and subscribers, building on the ACE framework for Authentication and Authorization.

https://datatracker.ietf.org/doc/draft-ietf-ace-pubsub-profile/

19) Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments (ACE) Framework

A method for the ACE framework to allow an authorization server to notify registered devices (i.e., clients and resource servers) about issued access tokens that have been revoked but are not expired yet.

20) Ephemeral Diffie-Hellman Over COSE (EDHOC) and Object Security for Constrained Environments (OSCORE) Profile for Authentication and Authorization for Constrained Environments (ACE)

A profile for the ACE framework, which utilizes OSCORE in order to achieve communication security, following the execution of the authenticated key establishment protocol EDHOC.

21) Additional Authentication Credentials for the Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)

An extension to the DTLS transport profile of the ACE framework for authentication and authorization, enabling the use of additional public authentication credentials, e.g., CWT Claims Sets (CCSs) as Raw Public Keys as well as public key certificates.

https://datatracker.ietf.org/doc/draft-tiloca-ace-authcred-dtls-profile/

22) Alternative Workflow and OAuth Parameters for the Authentication and Authorization for Constrained Environments (ACE) Framework

An extension to the ACE framework for authentication and authorization, which enables an alternative workflow with the upload of access credentials delegated to the Authorization Server, and defines additional message parameters to extend the framework’s functionalities and support new ones.

https://datatracker.ietf.org/doc/draft-tiloca-ace-workflow-and-params/

23) Clarifications and Updates on using Static Context Header Compression (SCHC) for the Constrained Application Protocol (CoAP)

A set of clarifications, updates and extensions to the standard RFC 8824 on using the Static Context Header Compression and fragmentation (SCHC) framework for CoAP messages, also when using the security protocol OSCORE to protect communications end-to-end.

https://datatracker.ietf.org/doc/draft-tiloca-schc-8824-update/