From 3e8bba009017cb3919f5b9348c8d93336aaf0cab Mon Sep 17 00:00:00 2001 From: chrysn Date: Thu, 22 Feb 2024 12:11:12 +0100 Subject: [PATCH] Explain EDHOC or alternatives as OSCORE boostraps, add citations for the ACE profiles --- draft-lenders-core-dnr.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/draft-lenders-core-dnr.md b/draft-lenders-core-dnr.md index 00ce6bc..bfa820b 100644 --- a/draft-lenders-core-dnr.md +++ b/draft-lenders-core-dnr.md @@ -71,6 +71,8 @@ informative: org: OMA SpecWorks date: 2018-10 target: https://omaspecworks.org/white-paper-lightweight-m2m-1-1/ + I-D.ietf-ace-edhoc-oscore-profile: ace-edhoc + RFC9203: ace-oscore --- abstract @@ -103,8 +105,13 @@ CoAP comes with 3 security modes that would need to be covered by the SvcParams: transfered over TCP {{-coap-tcp}}. - **Object Security:** Application-layer based object encryption within CoAP based on OSCORE {{-oscore}}. OSCORE can be either used as an alternative or in addition to transport security. - EDHOC {{-edhoc}} is used to establish the encryption context between two hosts and OSCORE-ACE - [citation?] can be used for authentication of a server. + + OSCORE keys are not usable indefinitely and need to be set up, + for example through an EDHOC key exchange {{-edhoc}}, + which may use credentials from trusted authorization server (AS) + as described in the ACE EDHOC profile {{-ace-edhoc}}. + As an alternative to EDHOC, + keys can be set up by such an AS as described in the ACE OSCORE profile {{-ace-oscore}}. ## Problems
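Review bot: In the second hunk the new sentence "which may use credentials from trusted authorization server (AS)" is missing an article; it should read "from a trusted authorization server (AS)". The lead sentence "OSCORE keys are not usable indefinitely and need to be set up" also states two separate things (keys have a limited lifetime; a security context must be established before use) without saying which one motivates the key exchange; suggest splitting it, e.g. "OSCORE security contexts must be established before use and have a limited lifetime, so keys need to be set up, for example through an EDHOC key exchange {{-edhoc}}, ...". The removed text had a "[citation?]" placeholder for the ACE profile; the replacement resolves it with {{-ace-edhoc}} and {{-ace-oscore}}, which match the two alias entries added to the informative references in the first hunk, so the citation gap is closed.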