Internet Engineering Task Force (IETF)                        C. Bormann
Request for Comments: 9237                        Universität Bremen TZI
Category: Standards Track                                    August 2022
ISSN: 2070-1721

An Authorization Information Format (AIF) for Authentication and Authorization for Constrained Environments (ACE)




Information about which entities are authorized to perform what operations on which constituents of other entities is a crucial component of producing an overall system that is secure. Conveying precise authorization information is especially critical in highly automated systems with large numbers of entities, such as the Internet of Things.


This specification provides a generic information model and format for representing such authorization information, as well as two variants of a specific instantiation of that format for use with Representational State Transfer (REST) resources identified by URI path.

この仕様は、そのような認証情報を表現するための一般的な情報モデルと形式と、URI Pathによって特定された表現状態転送(REST)リソースで使用するためのその形式の特定のインスタンス化の2つのバリアントを提供します。

Status of This Memo


This is an Internet Standards Track document.


This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

このドキュメントは、インターネットエンジニアリングタスクフォース(IETF)の製品です。IETFコミュニティのコンセンサスを表しています。公開レビューを受けており、インターネットエンジニアリングステアリンググループ(IESG)からの出版が承認されています。インターネット標準の詳細については、RFC 7841のセクション2で入手できます。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at


Copyright Notice


Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.

著作権(c)2022 IETF Trustおよび文書著者として特定された人。全著作権所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents ( in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

このドキュメントは、BCP 78およびIETFドキュメント(に関連するIETF Trustの法的規定の対象となります。この文書に関するあなたの権利と制限を説明するので、これらの文書を注意深く確認してください。このドキュメントから抽出されたコードコンポーネントには、セクション4.Eで説明されている法的規定のセクション4.Eで説明されており、修正されたBSDライセンスで説明されているように保証なしで提供される修正されたBSDライセンステキストを含める必要があります。

Table of Contents


   1.  Introduction
     1.1.  Terminology
   2.  Information Model
     2.1.  REST-Specific Model
     2.2.  Limitations
     2.3.  REST-Specific Model with Dynamic Resource Creation
   3.  Data Model
   4.  Media Types
   5.  IANA Considerations
     5.1.  Media Types
       5.1.1.  application/aif+cbor
       5.1.2.  application/aif+json
     5.2.  Registries
     5.3.  Content-Format
   6.  Security Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Author's Address
1. Introduction
1. はじめに

Constrained devices, as they are used in the Internet of Things, need security in order to operate correctly and prevent misuse. One important element of this security is that devices in the Internet of Things need to be able to decide which operations requested of them should be considered authorized, ascertain that the authorization to request the operation does apply to the actual requester as authenticated, and ascertain that other devices they make requests of are the ones they intended.


To transfer detailed authorization information from an authorization manager (such as an ACE-OAuth authorization server [RFC9200]) to a device, a compact representation format is needed. This document defines such a format -- the Authorization Information Format (AIF). AIF is defined both as a general structure that can be used for many different applications and as a specific instantiation tailored to REST resources and the permissions on them, including some provision for dynamically created resources.

承認マネージャー(ACE-OAuth Authorization Server [RFC9200]など)から詳細な承認情報をデバイスに転送するには、コンパクトな表現形式が必要です。このドキュメントでは、そのような形式 - 認証情報形式(AIF)を定義します。AIFは、多くの異なるアプリケーションに使用できる一般的な構造として、また、動的に作成されたリソースの提供を含む、リソースとそれらの許可に合わせた特定のインスタンス化として定義されています。

1.1. Terminology
1.1. 用語

This memo uses terms from the Constrained Application Protocol (CoAP) [RFC7252] and the Internet Security Glossary [RFC4949]; CoAP is used for the explanatory examples as it is a good fit for constrained devices.


The shape of data is specified in Concise Data Definition Language (CDDL) [RFC8610] [RFC9165]. Terminology for constrained devices is defined in [RFC7228].

データの形状は、簡潔なデータ定義言語(CDDL)[RFC8610] [RFC9165]で指定されています。制約されたデバイスの用語は[RFC7228]で定義されています。

The term "byte", abbreviated by "B", is used in its now customary sense as a synonym for "octet".


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

この文書のキーワード "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", および "OPTIONAL" はBCP 14 [RFC2119] [RFC8174]で説明されているように、すべて大文字の場合にのみ解釈されます。

2. Information Model
2. 情報モデル

Authorizations are generally expressed through some data structures that are cryptographically secured (or transmitted in a secure way). This section discusses the information model underlying the payload of that data (as opposed to the cryptographic armor around it).


The semantics of the authorization information defined in this document are that of an _allow-list_: everything is denied until it is explicitly allowed.


For the purposes of this specification, the underlying access control model will be that of an access matrix, which gives a set of permissions for each possible combination of a subject and an object. We are focusing the AIF data item on a single row in the access matrix (such a row has often been called a "capability list") without concern to the subject for which the data item is issued. As a consequence, AIF MUST be used in a way that the subject of the authorizations is unambiguously identified (e.g., as part of the armor around it).


The generic model of such a capability list is a list of pairs of object identifiers (of type Toid) and the permissions (of type Tperm) that the subject has on the object(s) identified.


   AIF-Generic<Toid, Tperm> = [* [Toid, Tperm]]

Figure 1: Definition of Generic AIF


In a specific data model (such as the one specified in this document), the object identifier (Toid) will often be a text string, and the set of permissions (Tperm) will be represented by a bit set, which in turn is represented as a number (see Section 3).


   AIF-Specific = AIF-Generic<tstr, uint>

Figure 2: Commonly Used Shape of a Specific AIF


2.1. REST-Specific Model
2.1. REST固有のモデル

In the specific instantiation of the REST resources and the permissions on them, we use the URI of a resource on a CoAP server for the object identifier (Toid). More specifically, since the parts of the URI that identify the server ("authority" in [RFC3986]) are authenticated during REST resource access (Section 4.2.2 of [RFC9110] and Section 6.2 of [RFC7252]), they naturally fall into the realm handled by the cryptographic armor; we therefore focus on the "path" ("path-abempty") and "query" parts of the URI (_URI-local-part_ in this specification, as expressed by the Uri-Path and Uri-Query options in CoAP). As a consequence, AIF MUST be used in a way that it is clear who is the target (enforcement point) of these authorizations (note that there may be more than one target that the same authorization applies to, e.g., in a situation with homogeneous devices).


For the permissions (Tperm), we use a simple permissions model that lists the subset of the REST (CoAP or HTTP) methods permitted. This model is summarized in Table 1.


                    | URI-local-part | Permission Set |
                    | /s/temp        | GET            |
                    | /a/led         | PUT, GET       |
                    | /dtls          | POST           |

Table 1: An Authorization Instance in the REST-Specific AIF Information Model


In this example, a device offers a temperature sensor /s/temp for read-only access, a LED actuator /a/led for read/write, and a /dtls resource for POST access.

この例では、デバイスは、読み取り専用アクセス用の温度センサー /S /TEMP、読み取り /書き込み用のLEDアクチュエータ /A /LED、およびポストアクセス用のA /DTLSリソースを提供します。

As shown in the data model (Section 3), the representations of REST methods provided are limited to those that have a CoAP method number assigned; an extension to the model may be necessary to represent permissions for exotic HTTP methods.


2.2. Limitations
2.2. 制限

This simple information model only allows granting permissions for statically identifiable objects, e.g., URIs for the REST-specific instantiation. One might be tempted to extend the model towards URI templates [RFC6570] (for instance, to open up an authorization for many parameter values as in /s/temp{?any*}). However, that requires some considerations of the ease and unambiguity of matching a given URI against a set of templates in an AIF data item.

この単純な情報モデルは、静的に識別可能なオブジェクトの許可を付与することのみを許可します。モデルをURIテンプレート[RFC6570]に向けて拡張するように誘惑されるかもしれません(たとえば、 /s /temp {?any*}のように多くのパラメーター値の承認を開くため)。ただし、AIFデータ項目のテンプレートのセットに対して、特定のURIを一致させる容易さと曖昧さのいくつかの考慮事項が必要です。

This simple information model also does not allow expressing conditionalized access based on state outside the identification of objects (e.g., "opening a door is allowed if it is not locked").


Finally, the model does not provide any special access for a set of resources that are specific to a subject, e.g., that the subject created itself by previous operations (PUT, POST, or PATCH/iPATCH [RFC8132]) or that were specifically created for the subject by others.

最後に、このモデルは、サブジェクトに固有のリソースセットに特別なアクセスを提供しません。たとえば、主題が以前の操作(Put、Path/Ipatch [RFC8132])によって作成された、または特別に作成されたものではありません。他の人による主題のために。

2.3. REST-Specific Model with Dynamic Resource Creation
2.3. 動的リソース作成を備えたREST固有のモデル

The _REST-specific model with dynamic resource creation_ addresses the need to provide defined access to dynamic resources that were created by the subject itself, specifically, a resource that is made known to the subject by providing Location-* options in a CoAP response or using the Location header field in HTTP [RFC9110] (the Location-indicating mechanisms). (The concept is somewhat comparable to "Access Control List (ACL) inheritance" in the Network File System version 4 (NFSv4) protocol [RFC8881], except that it does not use a containment relationship but rather the fact that the dynamic resource was created from a resource to which the subject had access.) In other words, it addresses an important subset of the third limitation mentioned in Section 2.2.

動的リソースCREATIONを備えた_rest固有のモデルは、主題自体によって作成された動的リソースへの定義されたアクセスを提供する必要性に対処します。HTTP [RFC9110]の位置ヘッダーフィールド(場所を指定するメカニズム)。(概念は、ネットワークファイルシステムバージョン4(NFSV4)プロトコル[RFC8881]の「アクセス制御リスト(ACL)継承」に多少匹敵しますが、封じ込め関係を使用しないが、動的リソースが作成されたという事実を使用することを除きます。言い換えれば、セクション2.2で言及された3番目の制限の重要なサブセットに対処します。

          | URI-local-part | Permission Set                    |
          | /a/make-coffee | POST, Dynamic-GET, Dynamic-DELETE |

Table 2: An Authorization Instance in the REST-Specific AIF Information Model with Dynamic Resource Creation


For a method X, the presence of a Dynamic-X permission means that the subject holds permission to exercise the method X on resources that have been returned in a 2.01 (201 Created) response by a Location-indicating mechanism to a request that the subject made to the resource listed. In the example shown in Table 2, POST operations on /a/make-coffee might return the location of a resource dynamically created on the coffee machine that allows GET to find out about the status of, and DELETE to cancel, the coffee-making operation.

メソッドXの場合、動的X許可の存在は、被験者が被験者が主題が要求するメカニズムに応じて2.01(201)応答で返されたリソースでメソッドXを行使する許可を被験者が行うことを意味することを意味します。リストされているリソースに作成されました。表2に示す例では、 /a /make-coffeeのポスト操作は、コーヒーマシンで動的に作成されたリソースの場所を返す可能性があります。手術。

Since the use of the extension defined in this section can be detected by the mentioning of the Dynamic-X permissions, there is no need for another explicit switch between the basic and the model extended by dynamic resource creation; the extended model is always presumed once a Dynamic-X permission is present.


3. Data Model
3. データ・モデル

Different data model specializations can be defined for the generic information model given above.


In this section, we will give the data model for simple REST authorization as per Sections 2.1 and 2.3. As discussed, in this case the object identifier is specialized as a text string giving a relative URI (URI-local-part as the absolute path on the server serving as the enforcement point). The permission set is specialized to a single number _REST-method-set_ by the following steps:


* The entries in the table that specify the same URI-local-part are merged into a single entry that specifies the union of the permission sets.

* 同じURI-Local-Partを指定するテーブル内のエントリは、許可セットの組合を指定する単一のエントリにマージされます。

* The (non-dynamic) methods in the permission sets are converted into their CoAP method numbers, minus 1.

* 許可セットの(非ダイナミック)メソッドは、COAPメソッド番号(マイナス1)に変換されます。

* Dynamic-X permissions are converted into what the number would have been for X, plus a Dynamic-Offset that has been chosen as 32 (e.g., 35 is the number for Dynamic-DELETE as the number for DELETE is 3).

* Dynamic-X許可は、Xの数値に変換され、さらに32として選択された動的オフセットに変換されます(たとえば、35はDeleteの数が3であるため、動的deleteの数値です)。

* The set of numbers is converted into a single number REST-method-set by taking two to the power of each (decremented) method number and computing the inclusive OR of the binary representations of all the power values.

* 数字のセットは、それぞれ(減少)メソッド番号の電力に2つを取得し、すべてのパワー値の包括的またはバイナリ表現を計算することにより、単一の数値測定値セットに変換されます。

This data model could be interchanged in the JSON [RFC8259] representation given in Figure 3.

このデータモデルは、図3に示すJSON [RFC8259]の表現で交換できます。


Figure 3: An Authorization Instance Encoded in JSON (40 Bytes)


In Figure 4, a straightforward specification of the data model (including both the methods from [RFC7252] and the new ones from [RFC8132], identified by the method code minus 1) is shown in CDDL [RFC8610] [RFC9165]:

図4では、メソッドコードを差し引いたメソッド[RFC8132]から識別された[RFC7252]のメソッドと[RFC8132]の新しい方法の両方を含むデータモデルの簡単な仕様をCDDL [RFC8610] [RFC9165]:::

   AIF-REST = AIF-Generic<local-path, REST-method-set>
   local-path = tstr   ; URI relative to enforcement point
   REST-method-set = uint .bits methods
   methods = &(
     GET: 0
     POST: 1
     PUT: 2
     DELETE: 3
     FETCH: 4
     PATCH: 5
     iPATCH: 6
     Dynamic-GET: 32; 0 .plus Dynamic-Offset
     Dynamic-POST: 33; 1 .plus Dynamic-Offset
     Dynamic-PUT: 34; 2 .plus Dynamic-Offset
     Dynamic-DELETE: 35; 3 .plus Dynamic-Offset
     Dynamic-FETCH: 36; 4 .plus Dynamic-Offset
     Dynamic-PATCH: 37; 5 .plus Dynamic-Offset
     Dynamic-iPATCH: 38; 6 .plus Dynamic-Offset
   Dynamic-Offset = 32

Figure 4: AIF in CDDL


For the information shown in Table 1 and Figure 3, a representation in Concise Binary Object Representation (CBOR) [RFC8949] is given in Figure 5; again, several optimizations and improvements are possible.


   83                        # array(3)
      82                     # array(2)
         67                  # text(7)
            2f732f74656d70   # "/s/temp"
         01                  # unsigned(1)
      82                     # array(2)
         66                  # text(6)
            2f612f6c6564     # "/a/led"
         05                  # unsigned(5)
      82                     # array(2)
         65                  # text(5)
            2f64746c73       # "/dtls"
         02                  # unsigned(2)

Figure 5: An Authorization Instance Encoded in CBOR (28 Bytes)


Note that having chosen 32 as Dynamic-Offset means that all future CoAP methods that are registered can be represented both as themselves and in the Dynamic-X variant, but that only the dynamic forms of methods 1 to 21 are typically usable in a JSON form [RFC7493].


4. Media Types
4. メディアタイプ

This specification defines media types for the generic information model, expressed in JSON (application/aif+json) or in CBOR (application/aif+cbor). These media types have parameters for specifying Toid and Tperm; default values are the values "URI-local-part" for Toid and "REST-method-set" for Tperm, as per Section 3 of the present specification.

この仕様では、JSON(アプリケーション/AIF JSON)またはCBOR(Application/AIF CBOR)で表現された汎用情報モデルのメディアタイプを定義します。これらのメディアタイプには、TOIDとTPERMを指定するためのパラメーターがあります。デフォルト値は、現在の仕様のセクション3に従って、TOIDの値「URI-Local-Part」とTPERMの「REST-METHOD-SET」です。

A specification that wants to use generic AIF with different Toid and/or Tperm is expected to request these as media type parameters (Section 5.2) and register a corresponding Content-Format (Section 5.3).


5. IANA Considerations
5. IANAの考慮事項
5.1. Media Types
5.1. メディアタイプ

IANA has added the following media types to the "Media Types" registry. The registration entries are in the following subsections.


   | Name     | Template             | Reference           |
   | aif+cbor | application/aif+cbor | RFC 9237, Section 4 |
   | aif+json | application/aif+json | RFC 9237, Section 4 |

Table 3: New Media Types


5.1.1. application/aif+cbor
5.1.1. アプリケーション/aif cbor

Type name: application


Subtype name: aif+cbor

サブタイプ名:AIF CBOR

Required parameters: N/A


Optional parameters:


Toid: the identifier for the object for which permissions are supplied. A value from the "Sub-Parameter Registry for application/aif+cbor and application/aif+json" subregistry for Toid. Default value: "URI-local-part" (RFC 9237).

TOID:アクセス許可が提供されるオブジェクトの識別子。「アプリケーションのサブパラメーターレジストリ/AIF CBORおよびApplication/AIF JSON」SubRegistry for TOIDからの値。デフォルト値:「URI-Local-Part」(RFC 9237)。

Tperm: the data type of a permission set for the object identified via a Toid. A value from the "Sub-Parameter Registry for application/aif+cbor and application/aif+json" subregistry for Tperm. Default value: "REST-method-set" (RFC 9237).

TPERM:TOIDを介して識別されたオブジェクトの許可セットのデータ型。「アプリケーションのサブパラメーターレジストリ/AIF CBORおよびアプリケーション/AIF JSON」TPERMのサブレジストリからの値。デフォルト値:「REST-METHOD-SET」(RFC 9237)。

Encoding considerations: binary (CBOR)


Security considerations: Section 6 of RFC 9237

セキュリティ上の考慮事項:RFC 9237のセクション6

Interoperability considerations: N/A


Published specification: Section 4 of RFC 9237

公開された仕様:RFC 9237のセクション4

Applications that use this media type: Applications that need to convey structured authorization data for identified resources, conveying sets of permissions.


Fragment identifier considerations: The syntax and semantics of fragment identifiers is as specified for "application/cbor". (At publication of RFC 9237, there is no fragment identification syntax defined for "application/cbor".)

フラグメント識別子の考慮事項:フラグメント識別子の構文とセマンティクスは、「アプリケーション/CBOR」で指定されているとおりです。(RFC 9237の公開では、「アプリケーション/CBOR」に対して定義されたフラグメント識別構文はありません。)

Person & email address to contact for further information: ACE WG mailing list ( or IETF Applications and Real-Time Area (

詳細については、個人とメールアドレスをお問い合わせ:ACE WGメーリングリスト(またはIETFアプリケーションとリアルタイムエリア(

Intended usage: COMMON


Restrictions on usage: N/A


Author/Change controller: IETF


Provisional registration: no


5.1.2. application/aif+json
5.1.2. アプリケーション/aif json

Type name: application


Subtype name: aif+json

サブタイプ名:AIF JSON

Required parameters: N/A


Optional parameters:


Toid: the identifier for the object for which permissions are supplied. A value from the media-type parameter subregistry for Toid. Default value: "URI-local-part" (RFC 9237).

TOID:アクセス許可が提供されるオブジェクトの識別子。TOIDのメディアタイプのパラメーターサブレジストリからの値。デフォルト値:「URI-Local-Part」(RFC 9237)。

Tperm: the data type of a permission set for the object identified via a Toid. A value from the media-type parameter subregistry for Tperm. Default value: "REST-method-set" (RFC 9237).

TPERM:TOIDを介して識別されたオブジェクトの許可セットのデータ型。TPERMのメディアタイプのパラメーターサブレジストリからの値。デフォルト値:「REST-METHOD-SET」(RFC 9237)。

Encoding considerations: binary (JSON is UTF-8-encoded text)


Security considerations: Section 6 of RFC 9237

セキュリティ上の考慮事項:RFC 9237のセクション6

Interoperability considerations: N/A


Published specification: Section 4 of RFC 9237

公開された仕様:RFC 9237のセクション4

Applications that use this media type: Applications that need to convey structured authorization data for identified resources, conveying sets of permissions.


Fragment identifier considerations: The syntax and semantics of fragment identifiers is as specified for "application/json". (At publication of RFC 9237, there is no fragment identification syntax defined for "application/json".)

フラグメント識別子の考慮事項:フラグメント識別子の構文とセマンティクスは、「アプリケーション/JSON」で指定されているとおりです。(RFC 9237の公開時に、「アプリケーション/JSON」に対して定義されたフラグメント識別構文はありません。)

Person & email address to contact for further information: ACE WG mailing list ( or IETF Applications and Real-Time Area (

詳細については、個人とメールアドレスをお問い合わせ:ACE WGメーリングリスト(またはIETFアプリケーションとリアルタイムエリア(

Intended usage: COMMON


Restrictions on usage: N/A


Author/Change controller: IETF


Provisional registration: no


5.2. Registries
5.2. レジストリ

For the media types application/aif+cbor and application/aif+json, IANA has created a subregistry within [] for the media-type parameters Toid and Tperm, populated with the following:

Media Types Application/AIF CBORおよびApplication/AIF JSONの場合、IANAは、メディアタイプのパラメーターTOIDおよびTPERMの[IANA.Media-Type-Sub-Parameters]内にサブレジストリを作成しました。

   | Parameter | name            | Description/        | Reference |
   |           |                 | Specification       |           |
   | Toid      | URI-local-part  | local-part of URI   | RFC 9237  |
   | Tperm     | REST-method-set | set of REST methods | RFC 9237  |
   |           |                 | represented         |           |

Table 4: New Media Type Parameters


The registration policy is Specification Required [RFC8126]. The designated expert will engage with the submitter to ascertain whether the requirements of this document are addressed:


* The specifications for Toid and Tperm need to realize the general ideas of unambiguous object identifiers and permission lists in the context where the AIF data item is intended to be used, and their structure needs to be usable with the intended media types (application/aif+cbor and application/aif+json) as identified in the specification.

* TOIDとTPERMの仕様は、AIFデータ項目を使用することを目的としており、意図したメディアタイプ(Application/AIF CBOR)で使用できるコンテキストで、明確なオブジェクト識別子と許可リストの一般的なアイデアを実現する必要があります。仕様で特定されているように、アプリケーション/aif json)。

* The parameter names need to conform to Section 4.3 of [RFC6838], but preferably they are in [KebabCase] so they can be easily translated into names used in APIs with popular programming languages.

* パラメーター名は[RFC6838]のセクション4.3に準拠する必要がありますが、好ましくは[kebabcase]にあるため、一般的なプログラミング言語でAPIで使用される名前に簡単に翻訳できます。

The designated experts will develop further criteria and guidelines as needed.


5.3. Content-Format
5.3. コンテンツフォーマット

IANA has registered Content-Format numbers in the "CoAP Content-Formats" subregistry, within the "Constrained RESTful Environments (CoRE) Parameters" registry [IANA.core-parameters], as follows:


   | Media Type           | Encoding | ID  | Reference |
   | application/aif+cbor | -        | 290 | RFC 9237  |
   | application/aif+json | -        | 291 | RFC 9237  |

Table 5: New Content-Formats


Note that applications that register Toid and Tperm values are encouraged to also register Content-Formats for the relevant combinations.


6. Security Considerations
6. セキュリティに関する考慮事項

The security considerations of [RFC7252] apply when AIF is used with CoAP; Section 11.1 of [RFC7252] specifically applies if complex formats such as URIs are used for Toid or Tperm. Some wider issues are discussed in [RFC8576].


When applying these formats, the referencing specification needs to be careful to ensure:


* that the cryptographic armor employed around this format fulfills the referencing specification's security objectives and that the armor or some additional information included in it with the AIF data item (1) unambiguously identifies the subject to which the authorizations shall apply and (2) provides any context information needed to derive the identity of the object to which authorization is being granted from the object identifiers (such as, for the data models defined in the present specification, the scheme and authority information that is used to construct the full URI), and

* この形式で採用された暗号化装甲が参照仕様のセキュリティ目標を満たし、ARMORまたは追加情報がAIFデータ項目に含まれるいくつかの追加情報を満たしていること(1)認可が適用される件を明確に識別し、(2)コンテキストを提供するオブジェクト識別子から許可が許可されているオブジェクトのIDを導き出すために必要な情報(現在の仕様で定義されているデータモデル、完全なURIの構築に使用されるスキームおよび権限情報など)、および

* that the types used for Toid and Tperm provide the appropriate granularity and precision so that application requirements on the precision of the authorization information are fulfilled and that all parties have the same understanding of each Toid/Tperm pair in terms of specified objects (resources) and operations on those.

* TOIDとTPERMに使用されるタイプは、認可情報の精度に関するアプリケーション要件が満たされ、すべての当事者が指定されたオブジェクト(リソース)およびリソースに関して各TOID/TPERMペアについて同じ理解を持っているように、適切な粒度と精度を提供することそれらの操作。

For the data formats, the security considerations of [RFC8259] and [RFC8949] apply.


A plain implementation of AIF might implement just the basic REST model as per Section 2.1. If it receives authorizations that include permissions that use the REST-specific model with dynamic resource creation (Section 2.3), it needs to either reject the AIF data item entirely or act only on the permissions that it does understand. In other words, the semantics underlying an allow-list as discussed above need to hold here as well.


An implementation of the REST-specific model with dynamic resource creation (Section 2.3) needs to carefully keep track of the dynamically created objects and the subjects to which the Dynamic-X permissions apply -- both on the server side to enforce the permissions and on the client side to know which permissions are available.


7. References
7. 参考文献
7.1. Normative References
7.1. 引用文献

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <>.

[RFC2119] Bradner、S。、「要件レベルを示すためにRFCで使用するためのキーワード」、BCP 14、RFC 2119、DOI 10.17487/RFC2119、1997年3月、<>。

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <>.

[RFC3986] Berners-Lee、T.、Fielding、R。、およびL. Masinter、「Uniform Resource Identifier(URI):Generic Syntax」、Std 66、RFC 3986、DOI 10.17487/RFC3986、2005年1月、<>。

[RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type Specifications and Registration Procedures", BCP 13, RFC 6838, DOI 10.17487/RFC6838, January 2013, <>.

[RFC6838] Freed、N.、Klensin、J。、およびT. Hansen、「メディアタイプの仕様と登録手順」、BCP 13、RFC 6838、DOI 10.17487/RFC6838、2013年1月、<>。

[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, DOI 10.17487/RFC7252, June 2014, <>.

[RFC7252] Shelby、Z.、Hartke、K。、およびC. Bormann、「制約付きアプリケーションプロトコル(COAP)」、RFC 7252、DOI 10.17487/RFC7252、2014年6月、<https://www.rfc-editor。org/info/rfc7252>。

[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, <>.

[RFC8126] Cotton、M.、Leiba、B。、およびT. Narten、「RFCSでIANA考慮事項セクションを書くためのガイドライン」、BCP 26、RFC 8126、DOI 10.17487/RFC8126、2017年6月、<https://>。

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <>.

[RFC8174] Leiba、B。、「RFC 2119キーワードの大文字と小文字のあいまいさ」、BCP 14、RFC 8174、DOI 10.17487/RFC8174、2017年5月、<>。

[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, June 2019, <>.

[RFC8610] Birkholz、H.、Vigano、C。、およびC. Bormann、「Scise Data Definition Language(CDDL):簡潔なバイナリオブジェクト表現(CBOR)およびJSONデータ構造を表現する表記規則」、RFC 8610、DOI 10.17487/RFC8610、2019年6月、<>。

[RFC9110] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, DOI 10.17487/RFC9110, June 2022, <>.

[RFC9110] Fielding、R.、Ed。、Ed。、Nottingham、M.、Ed。、およびJ. Reschke、ed。、 "HTTP Semantics"、Std 97、RFC 9110、DOI 10.17487/RFC9110、2022年6月、<>。

[RFC9165] Bormann, C., "Additional Control Operators for the Concise Data Definition Language (CDDL)", RFC 9165, DOI 10.17487/RFC9165, December 2021, <>.

[RFC9165] Bormann、C。、「簡潔なデータ定義言語(CDDL)の追加制御演算子」、RFC 9165、DOI 10.17487/RFC9165、2021年12月、<>。

7.2. Informative References
7.2. 参考引用

[IANA.core-parameters] IANA, "Constrained RESTful Environments (CoRE) Parameters", <>.

[iana.core-parameters] iana、「制約付きの安らかな環境(コア)パラメーター」、<>。

[] IANA, "MIME Media Type Sub-Parameter Registries", <>.

[] iana、 "Mime Media Type Sub-Parameter Registries"、<>。

[KebabCase] "Kebab Case", 29 August 2014, <>.

[Kebabcase]「Kebab Case」、2014年8月29日、<>。

[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, <>.

[RFC4949] Shirey、R。、「インターネットセキュリティ用語集、バージョン2」、FYI 36、RFC 4949、DOI 10.17487/RFC4949、2007年8月、<>

[RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., and D. Orchard, "URI Template", RFC 6570, DOI 10.17487/RFC6570, March 2012, <>.

[RFC6570]グレゴリオ、J。、フィールディング、R。、ハドリー、M。、ノッティンガム、M。、およびD.オーチャード、「ウリテンプレート」、RFC 6570、doi 10.17487/rfc6570、2012年3月、<https://>。

[RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for Constrained-Node Networks", RFC 7228, DOI 10.17487/RFC7228, May 2014, <>.

[RFC7228] Bormann、C.、Ersue、M。、およびA. Keranen、「制約ノードネットワークの用語」、RFC 7228、DOI 10.17487/RFC7228、2014年5月、<>。

[RFC7493] Bray, T., Ed., "The I-JSON Message Format", RFC 7493, DOI 10.17487/RFC7493, March 2015, <>.

[RFC7493] Bray、T.、ed。、「I-JSONメッセージ形式」、RFC 7493、DOI 10.17487/RFC7493、2015年3月、<>

[RFC8132] van der Stok, P., Bormann, C., and A. Sehgal, "PATCH and FETCH Methods for the Constrained Application Protocol (CoAP)", RFC 8132, DOI 10.17487/RFC8132, April 2017, <>.

[RFC8132] Van Der Stok、P.、Bormann、C。、およびA. Sehgal、「制約付きアプリケーションプロトコル(COAP)のパッチおよびフェッチ方法」、RFC 8132、DOI 10.17487/RFC8132、2017年4月、<https:/<>。

[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017, <>.

[RFC8259] Bray、T.、ed。、「JavaScriptオブジェクト表記(JSON)データインターチェンジ形式」、STD 90、RFC 8259、DOI 10.17487/RFC8259、2017年12月、<>。

[RFC8576] Garcia-Morchon, O., Kumar, S., and M. Sethi, "Internet of Things (IoT) Security: State of the Art and Challenges", RFC 8576, DOI 10.17487/RFC8576, April 2019, <>.

[RFC8576] Garcia-Morchon、O.、Kumar、S。、およびM. Sethi、「モノのインターネット(IoT)セキュリティ:最先端の課題」、RFC 8576、DOI 10.17487/RFC8576、2019年4月、<>。

[RFC8881] Noveck, D., Ed. and C. Lever, "Network File System (NFS) Version 4 Minor Version 1 Protocol", RFC 8881, DOI 10.17487/RFC8881, August 2020, <>.

[RFC8881] Noveck、D.、ed。およびC.レバー、「ネットワークファイルシステム(NFS)バージョン4マイナーバージョン1プロトコル」、RFC 8881、DOI 10.17487/RFC8881、2020年8月、<>。

[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949, December 2020, <>.

[RFC8949] Bormann、C。and P. Hoffman、「Concise binary Object Lepressation(CBOR)」、STD 94、RFC 8949、DOI 10.17487/RFC8949、2020年12月、<>。

[RFC9200] Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and H. Tschofenig, "Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth)", RFC 9200, DOI 10.17487/RFC9200, August 2022, <>.

[RFC9200] Seitz、L.、Selander、G.、Wahlstroem、E.、Erdtman、S.、およびH. Tschofenig、「OAuth 2.0フレームワーク(ACE-OAUTH)を使用した制約された環境の認証と承認」、RFC 9200、doi 10.17487/rfc9200、2022年8月、<>。



Jim Schaad, Francesca Palombini, Olaf Bergmann, Marco Tiloca, and Christian Amsüss provided comments that shaped the direction of this document. Alexey Melnikov pointed out that there were gaps in the media type specifications, and Loganaden Velvindron provided a shepherd review with further comments. Many thanks also to the IESG reviewers, who provided several small but significant observations. Benjamin Kaduk provided an extensive review as Responsible Area Director and indeed is responsible for much improvement in the document.

Jim Schaad、Francesca Palombini、Olaf Bergmann、Marco Tiloca、およびChristianAmsüssは、この文書の方向を形作ったコメントを提供しました。Alexey Melnikovは、メディアタイプの仕様にギャップがあると指摘し、Loganaden Velvindronはさらなるコメントでシェパードのレビューを提供しました。IESGレビュアーにも感謝しています。IESGレビュアーは、いくつかの小さなが重要な観察を提供してくれました。Benjamin Kadukは、責任あるエリアディレクターとしての広範なレビューを提供し、実際、文書の多くの改善を担当しています。

Author's Address


Carsten Bormann Universität Bremen TZI Postfach 330440 D-28359 Bremen Germany Phone: +49-421-218-63921 Email:

Carsten BormannUniversitätBremenTziPostfach 330440 D-28359 Bremen Germany電話:49-421-218-63921メール