Using the Constrained RESTful Application Language (CoRAL) with the Admin Interface for the OSCORE Group Manager

Internet-Draft	CoRAL Admin Interface for the OSCORE GM	July 2023
Tiloca & Höglund	Expires 2 January 2024	[Page]

Abstract

Group communication for CoAP can be secured using Group Object Security for Constrained RESTful Environments (Group OSCORE). A Group Manager is responsible to handle the joining of new group members, as well as to manage and distribute the group keying material. The Group Manager can provide a RESTful admin interface that allows an Administrator entity to create and delete OSCORE groups, as well as to retrieve and update their configuration. This document specifies how an Administrator entity interacts with the admin interface at the Group Manager by using the Constrained RESTful Application Language (CoRAL). The ACE framework for Authentication and Authorization is used to enforce authentication and authorization of the Administrator at the Group Manager. Protocol-specific transport profiles of ACE are used to achieve communication security, proof-of-possession and server authentication.¶

1. Introduction

The Constrained Application Protocol (CoAP) [RFC7252] can also be used for group communication [I-D.ietf-core-groupcomm-bis], where messages are exchanged between members of a group, e.g., over IP multicast. Applications relying on CoAP can achieve end-to-end security at the application layer by using Object Security for Constrained RESTful Environments (OSCORE) [RFC8613], and especially Group OSCORE [I-D.ietf-core-oscore-groupcomm] in group communication scenarios.¶

When group communication for CoAP is protected with Group OSCORE, nodes are required to explicitly join the correct OSCORE group. To this end, a joining node interacts with a Group Manager (GM) entity responsible for that group, and retrieves the required keying material to securely communicate with other group members using Group OSCORE.¶

The method in [I-D.ietf-ace-key-groupcomm-oscore] specifies how nodes can join an OSCORE group through the respective Group Manager. Such a method builds on the ACE framework for Authentication and Authorization [RFC9200], so ensuring a secure joining process as well as authentication and authorization of joining nodes (clients) at the Group Manager (resource server).¶

[I-D.ietf-ace-oscore-gm-admin] specifies a RESTful admin interface at the Group Manager, intended for an Administrator as a separate entity external to the Group Manager and its application. The interface allows the Administrator to create and delete OSCORE groups, as well as to configure and update their configuration.¶

This document builds on [I-D.ietf-ace-oscore-gm-admin], and specifies how an Administrator interacts with the same RESTful admin interface by using the Constrained RESTful Application Language (CoRAL) [I-D.ietf-core-coral]. Compared to [I-D.ietf-ace-oscore-gm-admin], there is no change in the admin interface and its operations, nor in the way the group configurations are organized and represented.¶

Interaction examples using Packed CBOR [I-D.ietf-cbor-packed] are provided, and are expressed in CBOR diagnostic notation [RFC8949]. Section 1.2 provides the notation and assumptions used in the examples.¶

The ACE framework is used to ensure authentication and authorization of the Administrator (client) at the Group Manager (resource server). In order to achieve communication security, proof-of-possession and server authentication, the Administrator and the Group Manager leverage protocol-specific transport profiles of ACE, such as [RFC9202][RFC9203]. These include also possible forthcoming transport profiles that comply with the requirements in Appendix C of [RFC9200].¶

1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶

Readers are expected to be familiar with the terms and concepts from the following specifications.¶

CBOR [RFC8949], Packed CBOR [I-D.ietf-cbor-packed], and COSE [RFC9052][RFC9053].¶
The Constrained RESTful Application Language (CoRAL) [I-D.ietf-core-coral] and Constrained Resource Identifiers (CRIs) [I-D.ietf-core-href].¶
The CoAP protocol [RFC7252], also in group communication scenarios [I-D.ietf-core-groupcomm-bis]. These include the concepts of:¶
- "application group", as a set of CoAP nodes that share a common set of resources; and of¶
- "security group", as a set of CoAP nodes that share the same security material, and use it to protect and verify exchanged messages.¶
The OSCORE [RFC8613] and Group OSCORE [I-D.ietf-core-oscore-groupcomm] security protocols. These especially include the concepts of:¶
- Group Manager, as the entity responsible for a set of OSCORE groups where communications among members are secured using Group OSCORE. An OSCORE group is used as security group for one or many application groups.¶
- Authentication credential, as the set of information associated with an entity, including that entity's public key and parameters associated with the public key. Examples of authentication credentials are CBOR Web Tokens (CWTs) and CWT Claims Sets (CCSs) [RFC8392], X.509 certificates [RFC5280] and C509 certificates [I-D.ietf-cose-cbor-encoded-cert].¶
The ACE framework for authentication and authorization [RFC9200]. The terminology for entities in the considered architecture is defined in OAuth 2.0 [RFC6749]. In particular, this includes Client (C), Resource Server (RS), and Authorization Server (AS).¶
The management of keying material for groups in ACE [I-D.ietf-ace-key-groupcomm] and specifically for OSCORE groups [I-D.ietf-ace-key-groupcomm-oscore]. These include the concept of group-membership resource hosted by the Group Manager, that new members access to join the OSCORE group, while current members can access to retrieve updated keying material.¶

Readers are also expected to be familiar with the terms and concepts used in [I-D.ietf-ace-oscore-gm-admin], with particular reference to: "Administrator", "group name", "group-collection resource", and "group-configuration resource".¶

Like in [I-D.ietf-ace-oscore-gm-admin], the url-path to a group-configuration resource has GROUPNAME as last segment, with GROUPNAME the invariant group name assigned upon its creation. Building on the considered url-path of the group-collection resource, this document uses /manage/GROUPNAME as the url-path of a group-configuration resource; implementations are not required to use this name, and can define their own instead.¶

Note that, unless otherwise indicated, the term "endpoint" is used here following its OAuth definition, aimed at denoting resources such as /token and /introspect at the AS, and /authz-info at the RS. This document does not use the CoAP definition of "endpoint", which is "An entity participating in the CoAP protocol".¶

1.2. Notation and Assumptions in the Examples

As per Section 2.4 of [I-D.ietf-core-coral], CoRAL expresses Uniform Resource Identifiers (URIs) [RFC3986] as Constrained Resource Identifier (CRI) references [I-D.ietf-core-href].¶

The examples in this document use the following notation.¶

When using the CURIE syntax [CURIE-20101216], the following applies.¶

'core.osc.gcoll' stands for http://coreapps.org/core.osc.gcoll#¶
'core.osc.gconf' stands for http://coreapps.org/core.osc.gconf#¶
'linkformat' stands for http://www.iana.org/assignments/linkformat¶

This URI is to be defined with IANA, together with other URIs that build on it through further path segments, e.g., http://www.iana.org/assignments/linkformat/rt¶

When using a URI http://www.iana.org/assignments/linkformat/SEG1/SEG2¶

The path segment SEG1 is the name of a web link target attribute.¶

Names of target attributes used in Link Format [RFC6690] are expected to be coordinated through the "Target Attributes" registry defined in [I-D.ietf-core-target-attr].¶
The path segment SEG2 is the value of the target attribute.¶

The notation cri'' introduced in [I-D.ietf-cbor-edn-literals] is used to represent CRIs [I-D.ietf-core-href]. This format is not expected to be sent over the network.¶

Packed CBOR [I-D.ietf-cbor-packed] is also used, thus reducing representation size. The examples especially refer to the values from the two shared item tables in Appendix A.¶

Finally, the examples consider a Group Manager with address [2001:db8::ab], and use the CoAP Content-Format ID 65087 for the media-type application/coral+cbor.¶

6. Interactions with the Group Manager

The same as defined in Section 6 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following differences.¶

The Content-Format in messages containing a payload is set to application/coral+cbor, defined in Section 7.2 of [I-D.ietf-core-coral].¶
The parameters 'sign_params', 'ecdh_params', 'app_groups' and 'group_policies' are referred to as "structured parameters".¶
If a message payload specifies a link element corresponding to a structured parameter, then:¶
- The payload MUST NOT include any link element corresponding to an inner information element of that structured parameter.¶
- The link element MUST have the link target with value "false" (0xf4) for indicating the structured parameter with no elements.¶
  
  Editor's note: this should change to using an empty CBOR array or an empty CBOR map as appropriate, once this is made explicitly possible in the binary format of link items in CoRAL (see Section 3.1.4 of [I-D.ietf-core-coral]).¶
If a message payload specifies an information element of a structured parameter from the group configuration, then that information element MUST be specified by means of the corresponding link element.¶

6.1. Retrieve the Full List of Group Configurations

This operation MUST be supported by the Group Manager and an Administrator.¶

The Administrator can send a GET request to the group-collection resource, in order to retrieve a list of the existing OSCORE groups at the Group Manager.¶

The same as defined in Section 6.1 of [I-D.ietf-ace-oscore-gm-admin] holds.¶

An example of message exchange is shown below.¶

=> 0.01 GET
   Uri-Path: manage

<= 2.05 Content
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [1, cri'coap://[2001:db8::ab]/manage'],
     [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp1', [
       [2, simple(6) / item 6 for linkformat:rt /,
        6(-200) / item 415 for cri'http://www.iana.org/assignments
                                   /linkformat/rt/core.osc.gconf' /]
     ]],
     [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp2', [
       [2, simple(6) / item 6 for linkformat:rt /,
        6(-200) / item 415 for cri'http://www.iana.org/assignments
                                   /linkformat/rt/core.osc.gconf' /]
     ]],
     [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp3', [
       [2, simple(6) / item 6 for linkformat:rt /,
        6(-200) / item 415 for cri'http://www.iana.org/assignments
                                   /linkformat/rt/core.osc.gconf' /]
     ]]
   ]

6.2. Retrieve a List of Group Configurations by Filters

This operation MUST be supported by the Group Manager and MAY be supported by an Administrator.¶

The Administrator can send a FETCH request to the group-collection resource, in order to retrieve a list of the existing OSCORE groups that fully match a set of specified filter criteria.¶

The same as defined in Section 6.2 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following differences.¶

The filter criteria are specified in the request payload with top-level link elements, each of which corresponds to an entry of the group configuration (see Section 5.1), with the exception of non-empty structured parameters.¶
If names of application groups are used as filter criteria, each element of the 'app_groups' array from the status properties is included as a separate link element with name 'app_group'.¶
With the exception of the 'app_group' element, a valid request MUST NOT include the same element multiple times. Element values are the ones admitted for the corresponding labels in the POST request for creating a group configuration (see Section 6.3).¶

An example of message exchange is shown below.¶

=> 0.05 FETCH
   Uri-Path: manage
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(27) / item 70 for core.osc.gconf:group_mode /, true],
     [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
     [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5]
   ]

<= 2.05 Content
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
    [1, cri'coap://[2001:db8::ab]/manage'],
    [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp1', [
      [2, simple(6) / item 6 for linkformat:rt /,
       6(-200) / item 415 for cri'http://www.iana.org/assignments
                                  /linkformat/rt/core.osc.gconf' /]
    ]],
    [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp2', [
      [2, simple(6) / item 6 for linkformat:rt /,
       6(-200) / item 415 for cri'http://www.iana.org/assignments
                                  /linkformat/rt/core.osc.gconf' /]
    ]],
    [2, 6(17) / item 50 for core.osc.gcoll:item /, cri'/gp3', [
      [2, simple(6) / item 6 for linkformat:rt /,
       6(-200) / item 415 for cri'http://www.iana.org/assignments
                                  /linkformat/rt/core.osc.gconf' /]
    ]]
   ]

6.3. Create a New Group Configuration

This operation MUST be supported by the Group Manager and an Administrator.¶

The Administrator can send a POST request to the group-collection resource, in order to create a new OSCORE group at the Group Manager.¶

The same as defined in Section 6.3 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following differences.¶

In the request payload, each link element corresponds to an entry of the group configuration (see Section 5.1), with the exception of non-empty structured parameters.¶
In the request payload, each element of the 'app_groups' array from the status properties is included as a separate element with name 'app_group'.¶
The Group Manager MUST respond with a 4.00 (Bad Request) response if any link element is specified multiple times in the payload of the POST request, with the exception of the 'app_group' link element.¶
The response payload includes one link element for each specified parameter, with the exception of non-empty structured parameters.¶
In the response payload, each element of the 'app_groups' array from the status properties is included as a separate element with name 'app_group'.¶
If the Administrator performs the registration of the group-membership resource to a Resource Directory on behalf of the Group Manager, then the names of the application groups using the OSCORE group MUST take the values possibly specified by the different 'app_group' link elements in the POST request.¶

An example of message exchange is shown below.¶

=> 0.02 POST
   Uri-Path: manage
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
     [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5],
     [2, 6(-31) / item 77 for core.osc.gconf:pairwise_mode /, true],
     [2, 6(-36) / item 87 for core.osc.gconf:active /, true],
     [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
     [2, 6(-37) / item 89 for core.osc.gconf:group_title /,
      "rooms 1 and 2"],
     [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 1"],
     [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 2"],
     [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
      cri'coap://as.example.com/token']
   ]

<= 2.01 Created
   Location-Path: manage
   Location-Path: gp4
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
     [2, 6(-41) / item 97 for core.osc.gconf:joining_uri /,
      cri'coap://[2001:db8::ab]/ace-group/gp4/'],
     [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
      cri'coap://as.example.com/token']
   ]

6.4. Retrieve a Group Configuration

This operation MUST be supported by the Group Manager and an Administrator.¶

The Administrator can send a GET request to the group-configuration resource manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to retrieve the complete current configuration of that group.¶

The same as defined in Section 6.4 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following differences.¶

The response payload includes one link element for each entry of the group configuration (see Section 5.1), with the exception of non-empty status parameters.¶
Each element of the 'app_groups' array from the status properties is included as a separate link element with name 'app_group'.¶

An example of message exchange is shown below.¶

=> 0.01 GET
   Uri-Path: manage
   Uri-Path: gp4

<= 2.05 Content
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5],
     [2, 6(-27) / item 69 for core.osc.gconf:cred_fmt /, 33],
     [2, 6(27) / item 70 for core.osc.gconf:group_mode /, true],
     [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
     [2, 6(28) / item 72 for core.osc.gconf:sign_alg /, -8],
     [2, 6(29) / item 74 for
      core.osc.gconf:sign_params.alg_capab.key_type /, 1],
     [2, 6(-30) / item 75 for
      core.osc.gconf:sign_params.key_type_capab.key_type /, 1],
     [2, 6(30) / item 76 for
      core.osc.gconf:sign_params.key_type_capab.curve /, 6],
     [2, 6(-31) / item 77 for core.osc.gconf:pairwise_mode /, true],
     [2, 6(31) / item 78 for core.osc.gconf:alg /, 10],
     [2, 6(-32) / item 79 for core.osc.gconf:ecdh_alg /, -27],
     [2, 6(-33) / item 81 for
      core.osc.gconf:ecdh_params.alg_capab.key_type /, 1],
     [2, 6(33) / item 82 for
      core.osc.gconf:ecdh_params.key_type_capab.key_type /, 1],
     [2, 6(-34) / item 83 for
      core.osc.gconf:ecdh_params.key_type_capab.curve /, 6],
     [2, 6(34) / item 84 for core.osc.gconf:det_req /, false],
     [2, 6(35) / item 86 for core.osc.gconf:rt /, "core.osc.gconf"],
     [2, 6(-36) / item 87 for core.osc.gconf:active /, true],
     [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
     [2, 6(-37) / item 89 for core.osc.gconf:group_title /,
      "rooms 1 and 2"],
     [2, 6(37) / item 90 for core.osc.gconf:ace_groupcomm_profile /,
      "coap_group_oscore_app"],
     [2, 6(-38) / item 91 for core.osc.gconf:max_stale_sets /, 3],
     [2, 6(38) / item 92 for core.osc.gconf:exp /, 1360289224],
     [2, 6(-39) / item 93 for core.osc.gconf:gid_reuse /, false],
     [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 1"],
     [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 2"],
     [2, 6(-41) / item 97 for core.osc.gconf:joining_uri /,
      cri'coap://[2001:db8::ab]/ace-group/gp4/'],
     [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
      cri'coap://as.example.com/token']
   ]

6.5. Retrieve Part of a Group Configuration by Filters

This operation MUST be supported by the Group Manager and MAY be supported by an Administrator.¶

The Administrator can send a FETCH request to the group-configuration resource manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to retrieve part of the current configuration of that group.¶

The same as defined in Section 6.5 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following differences.¶

The request payload includes one link element for each requested configuration parameter or status parameter of the current group configuration (see Section 5.1). All the specified link elements MUST have the link target with value "null".¶
The request payload MUST NOT include any link element corresponding to an inner information element of a structured parameter.¶
The response payload includes the requested configuration parameters and status parameters, and is formatted as in the response payload of a GET request to a group-configuration resource (see Section 6.4).¶

If the request payload specifies a parameter that is not included in the group configuration, then the response payload MUST NOT include a corresponding link element.¶

An example of message exchange is shown below.¶

=> 0.05 FETCH
   Uri-Path: manage
   Uri-Path: gp4
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, null],
     [2, 6(26) / item 68 for core.osc.gconf:hkdf /, null],
     [2, 6(-31) / item 77 for core.osc.gconf:pairwise_mode /, null],
     [2, 6(-36) / item 87 for core.osc.gconf:active /, null],
     [2, 6(-37) / item 89 for core.osc.gconf:group_title /, null],
     [2, 6(41) / item 98 for core.osc.gconf:app_groups /, null]
   ]

<= 2.05 Content
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
     [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5],
     [2, 6(-31) / item 77 for core.osc.gconf:pairwise_mode /, true],
     [2, 6(-36) / item 87 for core.osc.gconf:active /, true],
     [2, 6(-37) / item 89 for core.osc.gconf:group_title /,
      "rooms 1 and 2"],
     [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 1"],
     [2, 6(39) / item 94 for core.osc.gconf:app_group /, "room 2"]
   ]

6.6. Overwrite a Group Configuration

This operation MAY be supported by the Group Manager and an Administrator.¶

The Administrator can send a PUT request to the group-configuration resource manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to overwrite the current configuration of that group with a new one.¶

The same as defined in Section 6.6 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following difference.¶

If the Administrator updates the registration of the group-membership resource in the Resource Directory on behalf of the Group Manager, then the names of the application groups using the OSCORE group MUST take the values possibly specified by the different 'app_group' link elements in the PUT request.¶

An example of message exchange is shown below.¶

=> 0.03 PUT
   Uri-Path: manage
   Uri-Path: gp4
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 11],
     [2, 6(26) / item 68 for core.osc.gconf:hkdf /, 5]
   ]

<= 2.04 Changed
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
     [2, 6(-41) / item 97 for core.osc.gconf:joining_uri /,
      cri'coap://[2001:db8::ab]/ace-group/gp4/'],
     [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
      cri'coap://as.example.com/token']
   ]

6.6.1. Effects on Joining Nodes

The same as defined in Section 6.6.1 of [I-D.ietf-ace-oscore-gm-admin] holds.¶

6.6.2. Effects on the Group Members

The same as defined in Section 6.6.2 of [I-D.ietf-ace-oscore-gm-admin] holds.¶

6.7. Selective Update of a Group Configuration

This operation MAY be supported by the Group Manager and an Administrator.¶

The Administrator can send a PATCH/iPATCH request [RFC8132] to the group-configuration resource manage/GROUPNAME associated with an OSCORE group with group name GROUPNAME, in order to update the value of only part of the group configuration.¶

The same as defined in Section 6.7 of [I-D.ietf-ace-oscore-gm-admin] holds, with the following differences.¶

If the request payload specifies names of application groups to be removed from or added to the 'app_groups' status parameter, then such names are specified by means of the following top-level link elements.¶
- 'app_group_del', with value a text string specifying the name of an application group to remove from the 'app_groups' status parameter. This link element can be included multiple times.¶
- 'app_group_add', with value a text string specifying the name of an application group to add to the 'app_groups' status parameter. This link element can be included multiple times.¶
The Group Manager MUST respond with a 4.00 (Bad Request) response, in case the request payload includes both any 'app_group' link element as well as any 'app_group_del' and/or 'app_group_add' link element.¶
The Group Manager MUST respond with a 4.00 (Bad Request) response, if the request payload includes no link elements.¶
When the request uses specifically the iPATCH method, the Group Manager MUST respond with a 4.00 (Bad Request) response, in case any link element 'app_group_del' and/or 'app_group_add' is included.¶
When updating the 'app_groups' status parameter by difference, the Group Manager:¶
- Deletes from the 'app_groups' status parameter the names of the application groups specified in the different 'app_group_del' link elements.¶
- Adds to the 'app_groups' status parameter the names of the application groups specified in the different 'app_group_add' link elements.¶

An example of message exchange is shown below.¶

=> 0.06 PATCH
   Uri-Path: manage
   Uri-Path: gp4
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(-28) / item 71 for core.osc.gconf:gp_enc_alg /, 10],
     [2, 6(-40) / item 95 for core.osc.gconf:app_group_del /, "room1"],
     [2, 6(40) / item 96 for core.osc.gconf:app_group_add /, "room3"],
     [2, 6(40) / item 96 for core.osc.gconf:app_group_add /, "room4"]
   ]

<= 2.04 Changed
   Content-Format: 65087 (application/coral+cbor)

   Payload:

   [
     [2, 6(36) / item 88 for core.osc.gconf:group_name /, "gp4"],
     [2, 6(-41) / item 97 for core.osc.gconf:joining_uri /,
      cri'coap://[2001:db8::ab]/ace-group/gp4/'],
     [2, 6(43) / item 102 for core.osc.gconf:as_uri /,
      cri'coap://as.example.com/token']
   ]

The same as defined in Section 6.8 of [I-D.ietf-ace-oscore-gm-admin] holds.¶

[CURIE-20101216]: Birbeck, M. and S. McCarron, "CURIE Syntax 1.0 - A syntax for expressing Compact URIs - W3C Working Group Note", 16 December 2010, <http://www.w3.org/TR/2010/NOTE-curie-20101216>.
[I-D.ietf-ace-key-groupcomm]: Palombini, F. and M. Tiloca, "Key Provisioning for Group Communication using ACE", Work in Progress, Internet-Draft, draft-ietf-ace-key-groupcomm-16, 5 September 2022, <https://datatracker.ietf.org/doc/html/draft-ietf-ace-key-groupcomm-16>.
[I-D.ietf-ace-key-groupcomm-oscore]: Tiloca, M., Park, J., and F. Palombini, "Key Management for OSCORE Groups in ACE", Work in Progress, Internet-Draft, draft-ietf-ace-key-groupcomm-oscore-16, 6 March 2023, <https://datatracker.ietf.org/doc/html/draft-ietf-ace-key-groupcomm-oscore-16>.
[I-D.ietf-ace-oscore-gm-admin]: Tiloca, M., Höglund, R., Van der Stok, P., and F. Palombini, "Admin Interface for the OSCORE Group Manager", Work in Progress, Internet-Draft, draft-ietf-ace-oscore-gm-admin-09, 1 July 2023, <https://datatracker.ietf.org/doc/html/draft-ietf-ace-oscore-gm-admin-09>.
[I-D.ietf-cbor-edn-literals]: Bormann, C., "Application-Oriented Literals in CBOR Extended Diagnostic Notation", Work in Progress, Internet-Draft, draft-ietf-cbor-edn-literals-00, 14 June 2023, <https://datatracker.ietf.org/doc/html/draft-ietf-cbor-edn-literals-00>.
[I-D.ietf-cbor-packed]: Bormann, C., "Packed CBOR", Work in Progress, Internet-Draft, draft-ietf-cbor-packed-08, 23 January 2023, <https://datatracker.ietf.org/doc/html/draft-ietf-cbor-packed-08>.
[I-D.ietf-core-coral]: Amsüss, C. and T. Fossati, "The Constrained RESTful Application Language (CoRAL)", Work in Progress, Internet-Draft, draft-ietf-core-coral-05, 7 March 2022, <https://datatracker.ietf.org/doc/html/draft-ietf-core-coral-05>.
[I-D.ietf-core-groupcomm-bis]: Dijk, E., Wang, C., and M. Tiloca, "Group Communication for the Constrained Application Protocol (CoAP)", Work in Progress, Internet-Draft, draft-ietf-core-groupcomm-bis-08, 11 January 2023, <https://datatracker.ietf.org/doc/html/draft-ietf-core-groupcomm-bis-08>.
[I-D.ietf-core-href]: Bormann, C. and H. Birkholz, "Constrained Resource Identifiers", Work in Progress, Internet-Draft, draft-ietf-core-href-12, 6 March 2023, <https://datatracker.ietf.org/doc/html/draft-ietf-core-href-12>.
[I-D.ietf-core-oscore-groupcomm]: Tiloca, M., Selander, G., Palombini, F., Mattsson, J. P., and J. Park, "Group Object Security for Constrained RESTful Environments (Group OSCORE)", Work in Progress, Internet-Draft, draft-ietf-core-oscore-groupcomm-18, 22 June 2023, <https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm-18>.
[RFC2119]: Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC3986]: Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <https://www.rfc-editor.org/rfc/rfc3986>.
[RFC6690]: Shelby, Z., "Constrained RESTful Environments (CoRE) Link Format", RFC 6690, DOI 10.17487/RFC6690, August 2012, <https://www.rfc-editor.org/rfc/rfc6690>.
[RFC6749]: Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012, <https://www.rfc-editor.org/rfc/rfc6749>.
[RFC7252]: Shelby, Z., Hartke, K., and C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, DOI 10.17487/RFC7252, June 2014, <https://www.rfc-editor.org/rfc/rfc7252>.
[RFC8132]: van der Stok, P., Bormann, C., and A. Sehgal, "PATCH and FETCH Methods for the Constrained Application Protocol (CoAP)", RFC 8132, DOI 10.17487/RFC8132, April 2017, <https://www.rfc-editor.org/rfc/rfc8132>.
[RFC8174]: Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8613]: Selander, G., Mattsson, J., Palombini, F., and L. Seitz, "Object Security for Constrained RESTful Environments (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, <https://www.rfc-editor.org/rfc/rfc8613>.
[RFC8949]: Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949, December 2020, <https://www.rfc-editor.org/rfc/rfc8949>.
[RFC9052]: Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, August 2022, <https://www.rfc-editor.org/rfc/rfc9052>.
[RFC9053]: Schaad, J., "CBOR Object Signing and Encryption (COSE): Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, August 2022, <https://www.rfc-editor.org/rfc/rfc9053>.
[RFC9200]: Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and H. Tschofenig, "Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth)", RFC 9200, DOI 10.17487/RFC9200, August 2022, <https://www.rfc-editor.org/rfc/rfc9200>.
[RFC9202]: Gerdes, S., Bergmann, O., Bormann, C., Selander, G., and L. Seitz, "Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)", RFC 9202, DOI 10.17487/RFC9202, August 2022, <https://www.rfc-editor.org/rfc/rfc9202>.
[RFC9203]: Palombini, F., Seitz, L., Selander, G., and M. Gunnarsson, "The Object Security for Constrained RESTful Environments (OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework", RFC 9203, DOI 10.17487/RFC9203, August 2022, <https://www.rfc-editor.org/rfc/rfc9203>.
[RFC9237]: Bormann, C., "An Authorization Information Format (AIF) for Authentication and Authorization for Constrained Environments (ACE)", RFC 9237, DOI 10.17487/RFC9237, August 2022, <https://www.rfc-editor.org/rfc/rfc9237>.

11.2. Informative References

[I-D.hartke-t2trg-coral-reef]: Hartke, K., "Resource Discovery in Constrained RESTful Environments (CoRE) using the Constrained RESTful Application Language (CoRAL)", Work in Progress, Internet-Draft, draft-hartke-t2trg-coral-reef-04, 9 May 2020, <https://datatracker.ietf.org/doc/html/draft-hartke-t2trg-coral-reef-04>.
[I-D.ietf-core-target-attr]: Bormann, C., "CoRE Target Attributes Registry", Work in Progress, Internet-Draft, draft-ietf-core-target-attr-04, 5 March 2023, <https://datatracker.ietf.org/doc/html/draft-ietf-core-target-attr-04>.
[I-D.ietf-cose-cbor-encoded-cert]: Mattsson, J. P., Selander, G., Raza, S., Höglund, J., and M. Furuhed, "CBOR Encoded X.509 Certificates (C509 Certificates)", Work in Progress, Internet-Draft, draft-ietf-cose-cbor-encoded-cert-05, 10 January 2023, <https://datatracker.ietf.org/doc/html/draft-ietf-cose-cbor-encoded-cert-05>.
[RFC5280]: Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <https://www.rfc-editor.org/rfc/rfc5280>.
[RFC8392]: Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, May 2018, <https://www.rfc-editor.org/rfc/rfc8392>.
[RFC9147]: Rescorla, E., Tschofenig, H., and N. Modadugu, "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3", RFC 9147, DOI 10.17487/RFC9147, April 2022, <https://www.rfc-editor.org/rfc/rfc9147>.

Appendix A. Shared item tables for Packed CBOR

This appendix defines the two shared item tables that the examples in this document refer to for using Packed CBOR [I-D.ietf-cbor-packed].¶

The notation cri'' introduced in [I-D.ietf-cbor-edn-literals] is used to represent CRIs [I-D.ietf-core-href].¶

A.1. Compression of CoRAL predicates

The following shared item table is used for compressing CoRAL predicates, as per Section 2.2 of [I-D.ietf-cbor-packed].¶

+-------+--------------------------------------------------------+
| Index | Item                                                   |
+-------+--------------------------------------------------------+
| 6     | cri'http://www.iana.org/assignments/linkformat/rt'     |
+-------+--------------------------------------------------------+
| 50    | cri'http://coreapps.org/core.osc.gcoll#item'           |
+-------+--------------------------------------------------------+
| 68    | cri'http://coreapps.org/core.osc.gconf#hkdf'           |
+-------+--------------------------------------------------------+
| 69    | cri'http://coreapps.org/core.osc.gconf#cred_fmt'       |
+-------+--------------------------------------------------------+
| 70    | cri'http://coreapps.org/core.osc.gconf#group_mode'     |
+-------+--------------------------------------------------------+
| 71    | cri'http://coreapps.org/core.osc.gconf#gp_enc_alg'     |
+-------+--------------------------------------------------------+
| 72    | cri'http://coreapps.org/core.osc.gconf#sign_alg'       |
+-------+--------------------------------------------------------+
| 73    | cri'http://coreapps.org/core.osc.gconf#sign_params'    |
+-------+--------------------------------------------------------+
| 74    | cri'http://coreapps.org/core.osc.gconf#sign_params     |
|       |     .alg_capab.key_type'                               |
+-------+--------------------------------------------------------+
| 75    | cri'http://coreapps.org/core.osc.gconf#sign_params     |
|       |     .key_type_capab.key_type'                          |
+-------+--------------------------------------------------------+
| 76    | cri'http://coreapps.org/core.osc.gconf#sign_params     |
|       |     .key_type_capab.curve'                             |
+-------+--------------------------------------------------------+
| 77    | cri'http://coreapps.org/core.osc.gconf#pairwise_mode'  |
+-------+--------------------------------------------------------+
| 78    | cri'http://coreapps.org/core.osc.gconf#alg'            |
+-------+--------------------------------------------------------+
| 79    | cri'http://coreapps.org/core.osc.gconf#ecdh_alg'       |
+-------+--------------------------------------------------------+
| 80    | cri'http://coreapps.org/core.osc.gconf#ecdh_params'    |
+-------+--------------------------------------------------------+
| 81    | cri'http://coreapps.org/core.osc.gconf#ecdh_params     |
|       |     .alg_capab.key_type'                               |
+-------+--------------------------------------------------------+
| 82    | cri'http://coreapps.org/core.osc.gconf#ecdh_params     |
|       |     .key_type_capab.key_type'                          |
+-------+--------------------------------------------------------+
| 83    | cri'http://coreapps.org/core.osc.gconf#ecdh_params     |
|       |     .key_type_capab.curve'                             |
+-------+--------------------------------------------------------+
| 84    | cri'http://coreapps.org/core.osc.gconf#det_req'        |
+-------+--------------------------------------------------------+
| 85    | cri'http://coreapps.org/core.osc.gconf#det_hash_alg'   |
+-------+--------------------------------------------------------+
| 86    | cri'http://coreapps.org/core.osc.gconf#rt'             |
+-------+--------------------------------------------------------+
| 87    | cri'http://coreapps.org/core.osc.gconf#active'         |
+-------+--------------------------------------------------------+
| 88    | cri'http://coreapps.org/core.osc.gconf#group_name'     |
+-------+--------------------------------------------------------+
| 89    | cri'http://coreapps.org/core.osc.gconf#group_title'    |
+-------+--------------------------------------------------------+
| 90    | cri'http://coreapps.org/core.osc.gconf                 |
|       |     #ace_groupcomm_profile'                            |
+-------+--------------------------------------------------------+
| 91    | cri'http://coreapps.org/core.osc.gconf#max_stale_sets' |
+-------+--------------------------------------------------------+
| 92    | cri'http://coreapps.org/core.osc.gconf#exp'            |
+-------+--------------------------------------------------------+
| 93    | cri'http://coreapps.org/core.osc.gconf#gid_reuse'      |
+-------+--------------------------------------------------------+
| 94    | cri'http://coreapps.org/core.osc.gconf#app_group'      |
+-------+--------------------------------------------------------+
| 95    | cri'http://coreapps.org/core.osc.gconf#app_group_del'  |
+-------+--------------------------------------------------------+
| 96    | cri'http://coreapps.org/core.osc.gconf#app_group_add'  |
+-------+--------------------------------------------------------+
| 97    | cri'http://coreapps.org/core.osc.gconf#joining_uri'    |
+-------+--------------------------------------------------------+
| 98    | cri'http://coreapps.org/core.osc.gconf#app_groups'     |
+-------+--------------------------------------------------------+
| 99    | cri'http://coreapps.org/core.osc.gconf#group_policies' |
+-------+--------------------------------------------------------+
| 100   | cri'http://coreapps.org/core.osc.gconf#group_policies  |
|       |     .key_update_check_interval'                        |
+-------+--------------------------------------------------------+
| 101   | cri'http://coreapps.org/core.osc.gconf#group_policies  |
|       |     .exp_delta'                                        |
+-------+--------------------------------------------------------+
| 102   | cri'http://coreapps.org/core.osc.gconf#as_uri'         |
+-------+--------------------------------------------------------+

Figure 1: Shared item table for compressing CoRAL predicates.

A.2. Compression of Values of the rt= Target Attribute

The following shared item table is used for compressing values of the rt= target attribute, as per Section 2.2 of [I-D.ietf-cbor-packed].¶

+-------+--------------------------------------------------------+
| Index | Item                                                   |
+-------+--------------------------------------------------------+
| 415   | cri'http://www.iana.org/assignments/linkformat/rt      |
|       |     /core.osc.gconf'                                   |
+-------+--------------------------------------------------------+

Figure 2: Shared item table for compressing values of the rt= target attribute.