Universität Bremen TZI

Postfach 330440 Bremen D-28359 Germany +49-421-218-63921 cabo@tzi.org

sec ACE Information about which entities are authorized to perform what operations on which constituents of other entities is a crucial component of producing an overall system that is secure. Conveying precise authorization information is especially critical in highly automated systems with large numbers of entities, such as the Internet of Things. This specification provides a generic information model and format for representing such authorization information, as well as two variants of a specific instantiation of that format for use with Representational State Transfer (REST) resources identified by URI path.

Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .

Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

• .  Introduction
  • .  Terminology
• .  Information Model
  • .  REST-Specific Model
  • .  Limitations
  • .  REST-Specific Model with Dynamic Resource Creation
• .  Data Model
• .  Media Types
• .  IANA Considerations
  • .  Media Types
    • .  application/aif+cbor
    • .  application/aif+json
  • .  Registries
  • .  Content-Format
• .  Security Considerations
• .  References
  • .  Normative References
  • .  Informative References
• Acknowledgements
• Author's Address

Introduction Constrained devices, as they are used in the Internet of Things, need security in order to operate correctly and prevent misuse. One important element of this security is that devices in the Internet of Things need to be able to decide which operations requested of them should be considered authorized, ascertain that the authorization to request the operation does apply to the actual requester as authenticated, and ascertain that other devices they make requests of are the ones they intended. To transfer detailed authorization information from an authorization manager (such as an ACE-OAuth authorization server ) to a device, a compact representation format is needed. This document defines such a format -- the Authorization Information Format (AIF). AIF is defined both as a general structure that can be used for many different applications and as a specific instantiation tailored to REST resources and the permissions on them, including some provision for dynamically created resources.

Terminology This memo uses terms from the Constrained Application Protocol (CoAP) and the Internet Security Glossary ; CoAP is used for the explanatory examples as it is a good fit for constrained devices. The shape of data is specified in Concise Data Definition Language (CDDL) . Terminology for constrained devices is defined in . The term "byte", abbreviated by "B", is used in its now customary sense as a synonym for "octet". The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Information Model Authorizations are generally expressed through some data structures that are cryptographically secured (or transmitted in a secure way). This section discusses the information model underlying the payload of that data (as opposed to the cryptographic armor around it). The semantics of the authorization information defined in this document are that of an allow-list: everything is denied until it is explicitly allowed. For the purposes of this specification, the underlying access control model will be that of an access matrix, which gives a set of permissions for each possible combination of a subject and an object. We are focusing the AIF data item on a single row in the access matrix (such a row has often been called a "capability list") without concern to the subject for which the data item is issued. As a consequence, AIF MUST be used in a way that the subject of the authorizations is unambiguously identified (e.g., as part of the armor around it). The generic model of such a capability list is a list of pairs of object identifiers (of type Toid) and the permissions (of type Tperm) that the subject has on the object(s) identified.

Definition of Generic AIF AIF-Generic<Toid, Tperm> = [* [Toid, Tperm]]

In a specific data model (such as the one specified in this document), the object identifier (Toid) will often be a text string, and the set of permissions (Tperm) will be represented by a bit set, which in turn is represented as a number (see ).

Commonly Used Shape of a Specific AIF AIF-Specific = AIF-Generic<tstr, uint>

REST-Specific Model In the specific instantiation of the REST resources and the permissions on them, we use the URI of a resource on a CoAP server for the object identifier (Toid). More specifically, since the parts of the URI that identify the server ("authority" in ) are authenticated during REST resource access ( and ), they naturally fall into the realm handled by the cryptographic armor; we therefore focus on the "path" ("path-abempty") and "query" parts of the URI (URI-local-part in this specification, as expressed by the Uri-Path and Uri-Query options in CoAP). As a consequence, AIF MUST be used in a way that it is clear who is the target (enforcement point) of these authorizations (note that there may be more than one target that the same authorization applies to, e.g., in a situation with homogeneous devices). For the permissions (Tperm), we use a simple permissions model that lists the subset of the REST (CoAP or HTTP) methods permitted. This model is summarized in . An Authorization Instance in the REST-Specific AIF Information Model

URI-local-part	Permission Set
/s/temp	GET
/a/led	PUT, GET
/dtls	POST

In this example, a device offers a temperature sensor /s/temp for read-only access, a LED actuator /a/led for read/write, and a /dtls resource for POST access. As shown in the data model (), the representations of REST methods provided are limited to those that have a CoAP method number assigned; an extension to the model may be necessary to represent permissions for exotic HTTP methods.

Limitations This simple information model only allows granting permissions for statically identifiable objects, e.g., URIs for the REST-specific instantiation. One might be tempted to extend the model towards URI templates (for instance, to open up an authorization for many parameter values as in /s/temp{?any*}). However, that requires some considerations of the ease and unambiguity of matching a given URI against a set of templates in an AIF data item. This simple information model also does not allow expressing conditionalized access based on state outside the identification of objects (e.g., "opening a door is allowed if it is not locked"). Finally, the model does not provide any special access for a set of resources that are specific to a subject, e.g., that the subject created itself by previous operations (PUT, POST, or PATCH/iPATCH ) or that were specifically created for the subject by others.

REST-Specific Model with Dynamic Resource Creation The REST-specific model with dynamic resource creation addresses the need to provide defined access to dynamic resources that were created by the subject itself, specifically, a resource that is made known to the subject by providing Location-* options in a CoAP response or using the Location header field in HTTP (the Location-indicating mechanisms). (The concept is somewhat comparable to "Access Control List (ACL) inheritance" in the Network File System version 4 (NFSv4) protocol , except that it does not use a containment relationship but rather the fact that the dynamic resource was created from a resource to which the subject had access.) In other words, it addresses an important subset of the third limitation mentioned in . An Authorization Instance in the REST-Specific AIF Information Model with Dynamic Resource Creation

URI-local-part	Permission Set
/a/make-coffee	POST, Dynamic-GET, Dynamic-DELETE

For a method X, the presence of a Dynamic-X permission means that the subject holds permission to exercise the method X on resources that have been returned in a 2.01 (201 Created) response by a Location-indicating mechanism to a request that the subject made to the resource listed. In the example shown in , POST operations on /a/make-coffee might return the location of a resource dynamically created on the coffee machine that allows GET to find out about the status of, and DELETE to cancel, the coffee-making operation. Since the use of the extension defined in this section can be detected by the mentioning of the Dynamic-X permissions, there is no need for another explicit switch between the basic and the model extended by dynamic resource creation; the extended model is always presumed once a Dynamic-X permission is present.

Data Model Different data model specializations can be defined for the generic information model given above. In this section, we will give the data model for simple REST authorization as per Sections and . As discussed, in this case the object identifier is specialized as a text string giving a relative URI (URI-local-part as the absolute path on the server serving as the enforcement point). The permission set is specialized to a single number REST-method-set by the following steps:

• The entries in the table that specify the same URI-local-part are merged into a single entry that specifies the union of the permission sets.
• The (non-dynamic) methods in the permission sets are converted into their CoAP method numbers, minus 1.
• Dynamic-X permissions are converted into what the number would have been for X, plus a Dynamic-Offset that has been chosen as 32 (e.g., 35 is the number for Dynamic-DELETE as the number for DELETE is 3).
• The set of numbers is converted into a single number REST-method-set by taking two to the power of each (decremented) method number and computing the inclusive OR of the binary representations of all the power values.

This data model could be interchanged in the JSON representation given in .

An Authorization Instance Encoded in JSON (40 Bytes) [["/s/temp",1],["/a/led",5],["/dtls",2]]

In , a straightforward specification of the data model (including both the methods from and the new ones from , identified by the method code minus 1) is shown in CDDL :

AIF in CDDL AIF-REST = AIF-Generic<local-path, REST-method-set> local-path = tstr ; URI relative to enforcement point REST-method-set = uint .bits methods methods = &( GET: 0 POST: 1 PUT: 2 DELETE: 3 FETCH: 4 PATCH: 5 iPATCH: 6 Dynamic-GET: 32; 0 .plus Dynamic-Offset Dynamic-POST: 33; 1 .plus Dynamic-Offset Dynamic-PUT: 34; 2 .plus Dynamic-Offset Dynamic-DELETE: 35; 3 .plus Dynamic-Offset Dynamic-FETCH: 36; 4 .plus Dynamic-Offset Dynamic-PATCH: 37; 5 .plus Dynamic-Offset Dynamic-iPATCH: 38; 6 .plus Dynamic-Offset ) Dynamic-Offset = 32

For the information shown in and , a representation in Concise Binary Object Representation (CBOR) is given in ; again, several optimizations and improvements are possible.

An Authorization Instance Encoded in CBOR (28 Bytes) 83 # array(3) 82 # array(2) 67 # text(7) 2f732f74656d70 # "/s/temp" 01 # unsigned(1) 82 # array(2) 66 # text(6) 2f612f6c6564 # "/a/led" 05 # unsigned(5) 82 # array(2) 65 # text(5) 2f64746c73 # "/dtls" 02 # unsigned(2)

Note that having chosen 32 as Dynamic-Offset means that all future CoAP methods that are registered can be represented both as themselves and in the Dynamic-X variant, but that only the dynamic forms of methods 1 to 21 are typically usable in a JSON form .

Media Types This specification defines media types for the generic information model, expressed in JSON (application/aif+json) or in CBOR (application/aif+cbor). These media types have parameters for specifying Toid and Tperm; default values are the values "URI-local-part" for Toid and "REST-method-set" for Tperm, as per of the present specification. A specification that wants to use generic AIF with different Toid and/or Tperm is expected to request these as media type parameters () and register a corresponding Content-Format ().

IANA Considerations

Media Types IANA has added the following media types to the "Media Types" registry. The registration entries are in the following subsections. New Media Types

Name	Template	Reference
aif+cbor	application/aif+cbor	RFC 9237,
aif+json	application/aif+json	RFC 9237,

application/aif+cbor

Type name:

application

Subtype name:

aif+cbor

Required parameters:

N/A

Optional parameters:

Toid:

the identifier for the object for which permissions are supplied. A value from the "Sub-Parameter Registry for application/aif+cbor and application/aif+json" subregistry for Toid. Default value: "URI-local-part" (RFC 9237).

Tperm:

the data type of a permission set for the object identified via a Toid. A value from the "Sub-Parameter Registry for application/aif+cbor and application/aif+json" subregistry for Tperm. Default value: "REST-method-set" (RFC 9237).

Encoding considerations:

binary (CBOR)

Security considerations:

of RFC 9237

Interoperability considerations:

N/A

Published specification:

of RFC 9237

Applications that use this media type:

Applications that need to convey structured authorization data for identified resources, conveying sets of permissions.

Fragment identifier considerations:

The syntax and semantics of fragment identifiers is as specified for "application/cbor". (At publication of RFC 9237, there is no fragment identification syntax defined for "application/cbor".)

Person & email address to contact for further information:

ACE WG mailing list (ace@ietf.org) or IETF Applications and Real-Time Area (art@ietf.org)

Intended usage:

COMMON

Restrictions on usage:

N/A

Author/Change controller:

IETF

Provisional registration:

no

application/aif+json

Type name:

application

Subtype name:

aif+json

Required parameters:

N/A

Optional parameters:

Toid:

the identifier for the object for which permissions are supplied. A value from the media-type parameter subregistry for Toid. Default value: "URI-local-part" (RFC 9237).

Tperm:

the data type of a permission set for the object identified via a Toid. A value from the media-type parameter subregistry for Tperm. Default value: "REST-method-set" (RFC 9237).

Encoding considerations:

binary (JSON is UTF-8-encoded text)

Security considerations:

of RFC 9237

Interoperability considerations:

N/A

Published specification:

of RFC 9237

Applications that use this media type:

Applications that need to convey structured authorization data for identified resources, conveying sets of permissions.

Fragment identifier considerations:

The syntax and semantics of fragment identifiers is as specified for "application/json". (At publication of RFC 9237, there is no fragment identification syntax defined for "application/json".)

Person & email address to contact for further information:

ACE WG mailing list (ace@ietf.org) or IETF Applications and Real-Time Area (art@ietf.org)

Intended usage:

COMMON

Restrictions on usage:

N/A

Author/Change controller:

IETF

Provisional registration:

no

Registries For the media types application/aif+cbor and application/aif+json, IANA has created a subregistry within for the media-type parameters Toid and Tperm, populated with the following: New Media Type Parameters

Parameter	name	Description/Specification	Reference
Toid	URI-local-part	local-part of URI	RFC 9237
Tperm	REST-method-set	set of REST methods represented	RFC 9237

The registration policy is Specification Required . The designated expert will engage with the submitter to ascertain whether the requirements of this document are addressed:

• The specifications for Toid and Tperm need to realize the general ideas of unambiguous object identifiers and permission lists in the context where the AIF data item is intended to be used, and their structure needs to be usable with the intended media types (application/aif+cbor and application/aif+json) as identified in the specification.
• The parameter names need to conform to , but preferably they are in so they can be easily translated into names used in APIs with popular programming languages.

The designated experts will develop further criteria and guidelines as needed.

Content-Format IANA has registered Content-Format numbers in the "CoAP Content-Formats" subregistry, within the "Constrained RESTful Environments (CoRE) Parameters" registry , as follows: New Content-Formats

Media Type	Encoding	ID	Reference
application/aif+cbor	-	290	RFC 9237
application/aif+json	-	291	RFC 9237

Note that applications that register Toid and Tperm values are encouraged to also register Content-Formats for the relevant combinations.

Security Considerations The security considerations of apply when AIF is used with CoAP; specifically applies if complex formats such as URIs are used for Toid or Tperm. Some wider issues are discussed in . When applying these formats, the referencing specification needs to be careful to ensure:

• that the cryptographic armor employed around this format fulfills the referencing specification's security objectives and that the armor or some additional information included in it with the AIF data item (1) unambiguously identifies the subject to which the authorizations shall apply and (2) provides any context information needed to derive the identity of the object to which authorization is being granted from the object identifiers (such as, for the data models defined in the present specification, the scheme and authority information that is used to construct the full URI), and
• that the types used for Toid and Tperm provide the appropriate granularity and precision so that application requirements on the precision of the authorization information are fulfilled and that all parties have the same understanding of each Toid/Tperm pair in terms of specified objects (resources) and operations on those.

For the data formats, the security considerations of and apply. A plain implementation of AIF might implement just the basic REST model as per . If it receives authorizations that include permissions that use the REST-specific model with dynamic resource creation (), it needs to either reject the AIF data item entirely or act only on the permissions that it does understand. In other words, the semantics underlying an allow-list as discussed above need to hold here as well. An implementation of the REST-specific model with dynamic resource creation () needs to carefully keep track of the dynamically created objects and the subjects to which the Dynamic-X permissions apply -- both on the server side to enforce the permissions and on the client side to know which permissions are available.

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK] This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice. The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained (e.g., low-power, lossy) networks. The nodes often have 8-bit microcontrollers with small amounts of ROM and RAM, while constrained networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) often have high packet error rates and a typical throughput of 10s of kbit/s. The protocol is designed for machine- to-machine (M2M) applications such as smart energy and building automation. CoAP provides a request/response interaction model between application endpoints, supports built-in discovery of services and resources, and includes key concepts of the Web such as URIs and Internet media types. CoAP is designed to easily interface with HTTP for integration with the Web while meeting specialized requirements such as multicast support, very low overhead, and simplicity for constrained environments. Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON. The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. The Concise Data Definition Language (CDDL), standardized in RFC 8610, provides "control operators" as its main language extension point. The present document defines a number of control operators that were not yet ready at the time RFC 8610 was completed: , , and for the construction of constants; / for including ABNF (RFC 5234 and RFC 7405) in CDDL specifications; and for indicating the use of a non-basic feature in an instance. Informative References IANA IANA This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed. This memo provides information for the Internet community. A URI Template is a compact sequence of characters for describing a range of Uniform Resource Identifiers through variable expansion. This specification defines the URI Template syntax and the process for expanding a URI Template into a URI reference, along with guidelines for the use of URI Templates on the Internet. [STANDARDS-TRACK] The Internet Protocol Suite is increasingly used on small devices with severe constraints on power, memory, and processing resources, creating constrained-node networks. This document provides a number of basic terms that have been useful in the standardization work for constrained-node networks. I-JSON (short for "Internet JSON") is a restricted profile of JSON designed to maximize interoperability and increase confidence that software can process it successfully with predictable results. The methods defined in RFC 7252 for the Constrained Application Protocol (CoAP) only allow access to a complete resource, not to parts of a resource. In case of resources with larger or complex data, or in situations where resource continuity is required, replacing or requesting the whole resource is undesirable. Several applications using CoAP need to access parts of the resources. This specification defines the new CoAP methods, FETCH, PATCH, and iPATCH, which are used to access and update parts of a resource. JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. The Internet of Things (IoT) concept refers to the usage of standard Internet protocols to allow for human-to-thing and thing-to-thing communication. The security needs for IoT systems are well recognized, and many standardization steps to provide security have been taken -- for example, the specification of the Constrained Application Protocol (CoAP) secured with Datagram Transport Layer Security (DTLS). However, security challenges still exist, not only because there are some use cases that lack a suitable solution, but also because many IoT devices and systems have been designed and deployed with very limited security capabilities. In this document, we first discuss the various stages in the lifecycle of a thing. Next, we document the security threats to a thing and the challenges that one might face to protect against these threats. Lastly, we discuss the next steps needed to facilitate the deployment of secure IoT systems. This document can be used by implementers and authors of IoT specifications as a reference for details about security considerations while documenting their specific security challenges, threat models, and mitigations. This document is a product of the IRTF Thing-to-Thing Research Group (T2TRG). This document describes the Network File System (NFS) version 4 minor version 1, including features retained from the base protocol (NFS version 4 minor version 0, which is specified in RFC 7530) and protocol extensions made subsequently. The later minor version has no dependencies on NFS version 4 minor version 0, and is considered a separate protocol. This document obsoletes RFC 5661. It substantially revises the treatment of features relating to multi-server namespace, superseding the description of those features appearing in RFC 5661. The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format.

Acknowledgements , , , , and provided comments that shaped the direction of this document. pointed out that there were gaps in the media type specifications, and provided a shepherd review with further comments. Many thanks also to the IESG reviewers, who provided several small but significant observations. provided an extensive review as Responsible Area Director and indeed is responsible for much improvement in the document.

Author's Address Universität Bremen TZI

Postfach 330440 Bremen D-28359 Germany +49-421-218-63921 cabo@tzi.org