You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: draft-ietf-core-oscore-id-update.md
+253-3Lines changed: 253 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -95,8 +95,6 @@ Furthermore, this procedure can be executed stand-alone, or instead seamlessly i
95
95
96
96
As defined in {{id-update-additional-actions}}, the two peers must take additional actions to ensure a safe execution of the OSCORE ID update procedure.
97
97
98
-
A peer can safely discard the old OSCORE Security Context including the old OSCORE Sender/Recipient IDs after the following two events have occurred, in this order: first, the peer has sent to the other peer a message protected with the new OSCORE Security Context including the new OSCORE Sender/Recipient IDs; then, the peer has received from the other peer and successfully verified a message protected with that new OSCORE Security Context.
99
-
100
98
The new OSCORE Sender/Recipient IDs MUST NOT be used with the OSCORE Security Context CTX\_OLD, and MUST NOT be used with the temporary OSCORE Security Context CTX\_TEMP used to protect the first KUDOS message of a KUDOS execution.
101
99
102
100
A peer MUST NOT initiate an OSCORE ID update procedure with another peer, if it has another such procedure ongoing with that other peer.
@@ -204,7 +202,7 @@ The Recipient-ID-Ack Option is of class E in terms of OSCORE processing (see {{S
204
202
205
203
### OSCORE ID Update Procedure Initiated with a Request Message {#example-client-initiated-id-update}
206
204
207
-
{{fig-id-update-client-init}} shows an example of the OSCORE ID update procedure, run stand-alone and initiated by the client sending a request message. On each peer, SID and RID denote the OSCORE Sender ID and Recipient ID of that peer, respectively.
205
+
{{fig-id-update-client-init}} shows an example of the OSCORE ID update procedure, run stand-alone and initiated by the client sending a request message. On each peer, SID and RID denote the OSCORE Sender ID and Recipient ID of that peer, respectively. An example where the server initiates the procedure is shown in {{example-server-initiated-id-update}}.
208
206
209
207
~~~~~~~~~~~ aasvg
210
208
Client Server
@@ -419,9 +417,261 @@ Note to RFC Editor: Following the registration of the CoAP Option Number 32, ple
419
417
420
418
--- back
421
419
420
+
# Examples
421
+
422
+
This appendix provides examples where the OSCORE ID update procedure is used. In particular:
423
+
424
+
* {{example-server-initiated-id-update}} shows an example of the OSCORE ID update procedure initiated by the server sending a response message.
425
+
* {{example-client-initiated-id-update-failure}} shows an example of the OSCORE ID update procedure initiated by the client sending a request message where the procedure fails to complete.
426
+
427
+
## OSCORE ID Update Procedure Initiated with a Response Message {#example-server-initiated-id-update}
428
+
429
+
{{fig-id-update-server-init}} shows an example of the OSCORE ID update procedure, run stand-alone and initiated by the server sending a response message. On each peer, SID and RID denote the OSCORE Sender ID and Recipient ID of that peer, respectively. The prerequisites and the actions taken by the peers involved are aligned with what is described in {{example-client-initiated-id-update}}, except that it is the server that takes the initiative to perform the OSCORE ID update procedure.
{: #fig-id-update-server-init title="Example of the OSCORE ID update procedure initiated with a response message" artwork-align="center"}
549
+
550
+
## Failure of the OSCORE ID Update Procedure Initiated with a Request Message {#example-client-initiated-id-update-failure}
551
+
552
+
{{fig-id-update-client-init-failure}} shows an example of the OSCORE ID update procedure, run stand-alone and initiated by the client sending a request message where the procedure fails to complete due to the server not including the Recipient-ID-Ack option or the Recipient-ID in its response messages. On each peer, SID and RID denote the OSCORE Sender ID and Recipient ID of that peer, respectively. This example assumes that the value of the REPEAT\_TIMER on the client is such that it expires between each request the client sends.
553
+
554
+
The client repeatedly tries sending requests to the client including the Recipient-ID option, but does not receive acknowledgments in the form of responses containing the Response-ID-Ack option from the server. Thus the client eventually reaches the expiration of its ENDING\_TIMER, aborts the OSCORE ID update procedure, and proceeds to continue communication with normal OSCORE messages.
{: #fig-id-update-client-init-failure title="Example of the OSCORE ID update procedure failing when initiated with a request message" artwork-align="center"}
665
+
422
666
# Document Updates # {#sec-document-updates}
423
667
{:removeinrfc}
424
668
669
+
## Version -04 to -05 ## {#sec-04-05}
670
+
671
+
* Editorial updates.
672
+
673
+
* Add additional message flow examples, including a failure case.
0 commit comments