Internet-Draft | Profiling EDHOC for CoAP and OSCORE | July 2022 |
Palombini, et al. | Expires 12 January 2023 | [Page] |
The lightweight authenticated key exchange protocol EDHOC can be run over CoAP and used by two peers to establish an OSCORE Security Context. This document further profiles this use of the EDHOC protocol, by specifying a number of additional and optional mechanisms. These especially include an optimization approach for combining the execution of EDHOC with the first subsequent OSCORE transaction. This combination reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context.¶
This note is to be removed before publishing as an RFC.¶
Discussion of this document takes place on the Constrained RESTful Environments Working Group mailing list (core@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/core/.¶
Source for this draft and an issue tracker can be found at https://github.com/core-wg/oscore-edhoc.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 12 January 2023.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Ephemeral Diffie-Hellman Over COSE (EDHOC) [I-D.ietf-lake-edhoc] is a lightweight authenticated key exchange protocol, especially intended for use in constrained scenarios. In particular, EDHOC messages can be transported over the Constrained Application Protocol (CoAP) [RFC7252] and used for establishing a Security Context for Object Security for Constrained RESTful Environments (OSCORE) [RFC8613].¶
This document profiles this use of the EDHOC protocol, and specifies a number of additional and optional mechanisms. These especially include an optimization approach, that combines the EDHOC execution with the first subsequent OSCORE transaction (see Section 3). This allows for a minimum number of round trips necessary to setup the OSCORE Security Context and complete an OSCORE transaction, e.g., when an IoT device gets configured in a network for the first time.¶
This optimization is desirable, since the number of protocol round trips impacts on the minimum number of flights, which in turn can have a substantial impact on the latency of conveying the first OSCORE request, when using certain radio technologies.¶
Without this optimization, it is not possible, not even in theory, to achieve the minimum number of flights. This optimization makes it possible also in practice, since the last message of the EDHOC protocol can be made relatively small (see Section 1.2 of [I-D.ietf-lake-edhoc]), thus allowing additional OSCORE-protected CoAP data within target MTU sizes.¶
Furthermore, this document defines a number of parameters corresponding to different information elements of an EDHOC application profile (see Section 7). These can be specified as target attributes in the link to an EDHOC resource associated with that application profile, thus enabling an enhanced discovery of such resource for CoAP clients.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The reader is expected to be familiar with terms and concepts defined in CoAP [RFC7252], CBOR [RFC8949], CBOR sequences [RFC8742], OSCORE [RFC8613] and EDHOC [I-D.ietf-lake-edhoc].¶
The EDHOC protocol allows two peers to agree on a cryptographic secret, in a mutually-authenticated way and by using Diffie-Hellman ephemeral keys to achieve forward secrecy. The two peers are denoted as Initiator and Responder, as the one sending or receiving the initial EDHOC message_1, respectively.¶
After successful processing of EDHOC message_3, both peers agree on a cryptographic secret that can be used to derive further security material, and especially to establish an OSCORE Security Context [RFC8613]. The Responder can also send an optional EDHOC message_4 to achieve key confirmation, e.g., in deployments where no protected application message is sent from the Responder to the Initiator.¶
Appendix A.2 of [I-D.ietf-lake-edhoc] specifies how to transfer EDHOC over CoAP. That is, the EDHOC data (referred to as "EDHOC messages") are transported in the payload of CoAP requests and responses. The default message flow consists in the CoAP Client acting as Initiator and the CoAP Server acting as Responder. Alternatively, the two roles can be reversed. In the rest of this document, EDHOC messages are considered to be transferred over CoAP.¶
Figure 1 shows a CoAP Client and Server running EDHOC as Initiator and Responder, respectively. That is, the Client sends a POST request to a reserved EDHOC resource at the Server, by default at the Uri-Path "/.well-known/edhoc". The request payload consists of the CBOR simple value "true" (0xf5) concatenated with EDHOC message_1, which also includes the EDHOC connection identifier C_I of the Client represented as per Section 3.3 of [I-D.ietf-lake-edhoc]. The Content-Format of the request may be set to application/cid-edhoc+cbor-seq.¶
This triggers the EDHOC exchange at the Server, which replies with a 2.04 (Changed) response. The response payload consists of EDHOC message_2, which also includes the EDHOC connection identifier C_R of the Server represented as per Section 3.3 of [I-D.ietf-lake-edhoc]. The Content-Format of the response may be set to application/edhoc+cbor-seq.¶
Finally, the Client sends a POST request to the same EDHOC resource used earlier to send EDHOC message_1. The request payload consists of the EDHOC connection identifier C_R represented as per Section 3.3 of [I-D.ietf-lake-edhoc], concatenated with EDHOC message_3. The Content-Format of the request may be set to application/cid-edhoc+cbor-seq.¶
After this exchange takes place, and after successful verifications as specified in the EDHOC protocol, the Client and Server can derive an OSCORE Security Context, as defined in Appendix A.1 of [I-D.ietf-lake-edhoc]. After that, they can use OSCORE to protect their communications as per [RFC8613].¶
The Client and Server are required to agree in advance on certain information and parameters describing how they should use EDHOC. These are specified in an application profile see Section 3.9 of [I-D.ietf-lake-edhoc], associated with the used EDHOC resource.¶
As shown in Figure 1, this purely-sequential flow where EDHOC is run first and then OSCORE is used takes three round trips to complete.¶
Section 3 defines an optimization for combining EDHOC with the first subsequent OSCORE transaction. This reduces the number of round trips required to set up an OSCORE Security Context and to complete an OSCORE transaction using that Security Context.¶
This section defines an optimization for combining the EDHOC exchange with the first subsequent OSCORE transaction, thus minimizing the number of round trips between the two peers.¶
This approach can be used only if the default EDHOC message flow is used, i.e., when the Client acts as Initiator and the Server acts as Responder, while it cannot be used in the case with reversed roles.¶
When running the purely-sequential flow of Section 2, the Client has all the information to derive the OSCORE Security Context already after receiving EDHOC message_2 and before sending EDHOC message_3.¶
Hence, the Client can potentially send both EDHOC message_3 and the subsequent OSCORE Request at the same time. On a semantic level, this requires sending two REST requests at once, as in Figure 2.¶
To this end, the specific approach defined in this section consists of sending a single EDHOC + OSCORE request, which conveys the pair (C_R, EDHOC message_3) within an OSCORE-protected CoAP message.¶
That is, the EDHOC + OSCORE request is in practice the OSCORE Request from Figure 1, as still sent to a protected resource and with the correct CoAP method and options intended for accessing that resource. At the same time, the EDHOC + OSCORE request also transports the pair (C_R, EDHOC message_3) required for completing the EDHOC exchange. Note that C_R is not transported precisely in the request payload.¶
Since EDHOC message_3 may be too large to be included in a CoAP Option, e.g., if conveying a protected large public key certificate chain as ID_CRED_I (see Section 3.5.3 of [I-D.ietf-lake-edhoc]) or if conveying protected External Authorization Data as EAD_3 (see Section 3.8 of [I-D.ietf-lake-edhoc]), EDHOC message_3 has to be transported in the CoAP payload of the EDHOC + OSCORE request.¶
The rest of this section specifies how to transport the data in the EDHOC + OSCORE request and their processing order. In particular, the use of this approach is explicitly signalled by including an EDHOC Option (see Section 3.1) in the EDHOC + OSCORE request. The processing of the EDHOC + OSCORE request is specified in Section 3.2 for the Client side and in Section 3.3 for the Server side.¶
This section defines the EDHOC Option. The option is used in a CoAP request, to signal that the request payload conveys both an EDHOC message_3 and OSCORE-protected data, combined together.¶
The EDHOC Option has the properties summarized in Figure 3, which extends Table 4 of [RFC7252]. The option is Critical, Safe-to-Forward, and part of the Cache-Key. The option MUST occur at most once and is always empty. If any value is sent, the value is simply ignored. The option is intended only for CoAP requests and is of Class U for OSCORE [RFC8613].¶
The presence of this option means that the message payload contains also EDHOC data, that must be extracted and processed as defined in Section 3.3, before the rest of the message can be processed.¶
Figure 4 shows the format of a CoAP message containing both the EDHOC data and the OSCORE ciphertext, using the newly defined EDHOC option for signalling.¶
The Client prepares an EDHOC + OSCORE request as follows.¶
Encrypt the original CoAP request as per Section 8.1 of [RFC8613], using the new OSCORE Security Context established after receiving EDHOC message_2.¶
Note that the OSCORE ciphertext is not computed over EDHOC message_3, which is not protected by OSCORE. That is, the result of this step is the OSCORE Request as in Figure 1.¶
Build a CBOR sequence [RFC8742] composed of two CBOR byte strings in the following order.¶
Compose the EDHOC + OSCORE request, as the OSCORE-protected CoAP request resulting from step 2, where the payload is replaced with the CBOR sequence built at step 3.¶
Note that the new payload includes EDHOC message_3, but it does not include the EDHOC connection identifier C_R. As the Client is the EDHOC Initiator, C_R is the OSCORE Sender ID of the Client, which is already specified as 'kid' in the OSCORE Option of the request from step 2, hence of the EDHOC + OSCORE request.¶
Signal the usage of this approach, by including the new EDHOC Option defined in Section 3.1 into the EDHOC + OSCORE request.¶
The application/cid-edhoc+cbor-seq media type does not apply to this message, whose media type is unnamed.¶
With the same Server, the Client SHOULD NOT have multiple simultaneous outstanding interactions (see Section 4.7 of [RFC7252]) such that: they consist of an EDHOC + OSCORE request; and their EDHOC data pertain to the EDHOC session with the same connection identifier C_R.¶
If Block-wise [RFC7959] is supported, the Client may fragment the original CoAP request before protecting it with OSCORE, as defined in Section 4.1.3.4.1 of [RFC8613]. In such a case, the OSCORE processing in step 2 of Section 3.2 is performed on each inner block of the original CoAP request, and the following also applies.¶
The Client takes the additional following step between steps 2 and 3 of Section 3.2.¶
A. If the OSCORE-protected request from step 2 conveys a non-first inner block of the original CoAP request (i.e., the Block1 Option processed at step 2 had NUM different than 0), then the Client skips the following steps and sends the OSCORE-protected request to the Server. In particular, the Client MUST NOT include the EDHOC Option in the OSCORE-protected request.¶
The Client takes the additional following step between steps 3 and 4 of Section 3.2.¶
B. If the size of the built CBOR sequence exceeds MAX_UNFRAGMENTED_SIZE (see Section 4.1.3.4.2 of [RFC8613]), the Client MUST stop processing the request and MUST abort the Block-wise transfer. Then, the Client can continue by switching to the purely sequential workflow shown in Figure 1. That is, the Client first sends EDHOC message_3 prepended by the EDHOC Connection Identifier C_R represented as per Section 3.3 of [I-D.ietf-lake-edhoc], and then sends the OSCORE-protected CoAP request once the EDHOC execution is completed.¶
Further considerations about the use of Block-wise together with the EDHOC + OSCORE request are provided in Section 6.¶
In order to process a request containing the EDHOC option, i.e., an EDHOC + OSCORE request, the Server MUST perform the following steps.¶
Retrieve the correct EDHOC session by using the connection identifier C_R from step 3.¶
If the application profile used in the EDHOC session specifies that EDHOC message_4 shall be sent, the Server MUST stop the EDHOC processing and consider it failed, as due to a client error.¶
Otherwise, perform the EDHOC processing on the EDHOC message_3 extracted at step 2 as per Section 5.4.3 of [I-D.ietf-lake-edhoc], based on the protocol state of the retrieved EDHOC session.¶
The application profile used in the EDHOC session is the same one associated with the EDHOC resource where the server received the request conveying EDHOC message_1 that started the session. This is relevant in case the server provides multiple EDHOC resources, which may generally refer to different application profiles.¶
Decrypt and verify the OSCORE-protected CoAP request rebuilt at step 7, as per Section 8.2 of [RFC8613], by using the OSCORE Security Context established at step 5.¶
If the decrypted request includes an EDHOC option but it does not include an OSCORE option, the Server MUST stop processing the request and MUST reply with a 4.00 (Bad Request) error response.¶
If steps 4 (EDHOC processing) and 8 (OSCORE processing) are both successfully completed, the Server MUST reply with an OSCORE-protected response (see Section 5.4.2 of [I-D.ietf-lake-edhoc]). The usage of EDHOC message_4 as defined in Section 5.5 of [I-D.ietf-lake-edhoc] is not applicable to the approach defined in this document.¶
If step 4 (EDHOC processing) fails, the server discontinues the protocol as per Section 5.4.3 of [I-D.ietf-lake-edhoc] and responds with an EDHOC error message with error code 1, formatted as defined in Section 6.2 of [I-D.ietf-lake-edhoc]. In particular, the CoAP response conveying the EDHOC error message MUST have Content-Format set to application/edhoc+cbor-seq defined in Section 9.9 of [I-D.ietf-lake-edhoc].¶
If step 4 (EDHOC processing) is successfully completed but step 8 (OSCORE processing) fails, the same OSCORE error handling as defined in Section 8.2 of [RFC8613] applies.¶
If Block-wise [RFC7959] is supported, the following applies, the Server takes the additional following step before any other in Section 3.3.¶
A. If Block-wise is present in the request, then process the Outer Block options according to [RFC7959], until all blocks of the request have been received (see Section 4.1.3.4 of [RFC8613]).¶
Figure 5 shows an example of EDHOC + OSCORE Request. In particular, the example assumes that:¶
The OSCORE Sender ID of the Client is 0x01.¶
As per Section 3.3.3 of [I-D.ietf-lake-edhoc], this straightforwardly corresponds to the EDHOC connection identifier C_R 0x01.¶
As per Section 3.3.2 of [I-D.ietf-lake-edhoc], when using the purely-sequential flow shown in Figure 1, the same C_R with value 0x01 would be represented on the wire as the CBOR integer 1 (0x01 in CBOR encoding), and prepended to EDHOC message_3 in the payload of the second EDHOC request.¶
Section 3.3.3 of [I-D.ietf-lake-edhoc] defines the straightforward mapping from an EDHOC connection identifier to an OSCORE Sender/Recipient ID. That is, an EDHOC identifier and the corresponding OSCORE Sender/Recipient ID are both byte strings with the same value.¶
Therefore, the conversion from an OSCORE Sender/Recipient ID to an EDHOC identifier is equally straightforward. In particular, at step 3 of Section 3.3, the value of 'kid' in the OSCORE Option of the EDHOC + OSCORE request is both the Server's Recipient ID (i.e., the Client's Sender ID) as well as the EDHOC Connection Identifier C_R of the Server.¶
Compared to what is specified in Section 5 of [I-D.ietf-lake-edhoc], the Client and Server MUST perform the additional message processing specified in the rest of this section.¶
The Initiator selects C_I as follows. If the Initiator possibly performs multiple EDHOC executions concurrently, the following sequence of steps MUST be atomic.¶
The Initiator selects an available OSCORE Recipient ID, namely ID*, which is not included in ID_SET. Consistently with the requirements in Section 3.3 of [RFC8613], when selecting ID*:¶
The Responder selects C_R as follows. If the Responder possibly performs multiple EDHOC executions concurrently, the following sequence of steps MUST be atomic.¶
The Responder selects an available OSCORE Recipient ID, namely ID*, which is not included in ID_SET. Consistently with the requirements in Section 3.3 of [RFC8613], when selecting ID*:¶
If the following condition holds, the Initiator MUST discontinue the protocol and reply with an EDHOC error message with error code 1, formatted as defined in Section 6.2 of [I-D.ietf-lake-edhoc].¶
The application profile referred by the Client and Server can include the information elements introduced below, in accordance with the specified consistency rules.¶
If the Server supports the EDHOC + OSCORE request within an EDHOC execution started at a certain EDHOC resource, then the application profile associated with that resource:¶
This section provides guidelines and recommendations for Clients supporting both the EDHOC + OSCORE request defined in this document as well as Block-wise [RFC7959].¶
The following especially considers a Client that may perform only "inner" Block-wise, but not "outer" Block-wise operations. That is, the considered Client does not (further) split an OSCORE-protected request like an intermediary (e.g., a proxy) might do. This is the typical case for OSCORE endpoints (see Section 4.1.3.4 of [RFC8613]).¶
The rest of this section refers to the following notation.¶
Before sending an EDHOC + OSCORE request, the Client has to perform the following checks. Note that, while the Client is able to fragment the application data, it cannot fragment the EDHOC + OSCORE request or the EDHOC message_3 added therein.¶
If inner Block-wise is not used, hence SIZE_APP <= LIMIT, the Client must verify whether all the following conditions hold:¶
If inner Block-wise is used, the Client must verify whether all the following conditions hold:¶
In either case, if not all the corresponding conditions hold, the Client MUST NOT send the EDHOC + OSCORE request. Instead, the Client can continue by switching to the purely sequential workflow shown in Figure 1. That is, the Client first sends EDHOC message_3 prepended by the EDHOC Connection Identifier C_R represented as per Section 3.3 of [I-D.ietf-lake-edhoc], and then sends the OSCORE-protected CoAP request once the EDHOC execution is completed.¶
In order to avoid further fragmentation at lower layers when sending an EDHOC + OSCORE request, the Client has to use inner Block-wise if any of the following conditions holds:¶
In particular, consistently with Section 6.1, the used SIZE_BLOCK has to be such that the following condition also holds:¶
Note that the Client might still use Block-wise due to reasons different from exceeding the size indicated by LIMIT.¶
If both the conditions COND5 and COND6 hold, the use of Block-wise results in the following number of round trips for completing both the EDHOC execution and the first OSCORE-protected exchange.¶
It follows that RT_COMB < RT_ORIG, i.e., the optimized workflow always yields a lower number of round trips.¶
Instead, the conveniency of using the optimized workflow becomes questionable if both the following conditions hold:¶
That is, since SIZE_APP <= LIMIT, using Block-wise would not be required when using the original workflow, provided that SIZE_EDHOC <= LIMIT still holds.¶
At the same time, using the combined workflow is in itself what actually triggers the use of blockwise, since (SIZE_APP + SIZE_EDHOC) > LIMIT.¶
Therefore, the following round trips are experienced by the Client.¶
It follows that RT_COMB >= RT_ORIG, i.e., the optimized workflow might still be not worse than the original workflow in terms of round trips. This is the case only if the used SIZE_BLOCK is such that ceil(SIZE_APP / SIZE_BLOCK) is equal to 2, i.e., the EDHOC + OSCORE request is fragmented into only 2 inner blocks. However, even in such a case, there would be no advantage in terms or round trips compared to the original workflow, while still requiring the Client and Server to perform the processing due to using the EDHOC + OSCORE request and Block-wise transferring.¶
Therefore, if both the conditions COND8 and COND9 hold, the Client SHOULD NOT send the EDHOC + OSCORE request. Instead, the Client SHOULD continue by switching to the purely sequential workflow shown in Figure 1. That is, the Client first sends EDHOC message_3 prepended by the EDHOC Connection Identifier C_R represented as per Section 3.3 of [I-D.ietf-lake-edhoc], and then sends the OSCORE-protected CoAP request once the EDHOC execution is completed.¶
Section 9.10 of [I-D.ietf-lake-edhoc] registers the resource type "core.edhoc", which can be used as target attribute in a web link [RFC8288] to an EDHOC resource, e.g., using a link-format document [RFC6690]. This enables Clients to discover the presence of EDHOC resources at a Server, possibly using the resource type as filter criterion.¶
At the same time, the application profile associated with an EDHOC resource provides a number of information describing how the EDHOC protocol can be used through that resource. While a Client may become aware of the application profile through several means, it would be convenient to obtain its information elements upon discovering the EDHOC resources at the Server. This might aim at discovering especially the EDHOC resources whose associated application profile denotes a way of using EDHOC which is most suitable to the Client, e.g., with EDHOC cipher suites or authentication methods that the Client also supports or prefers.¶
That is, it would be convenient that a Client discovering an EDHOC resource contextually obtains relevant pieces of information from the application profile associated with that resource. The resource discovery can occur by means of a direct interaction with the Server, or instead by means of the CoRE Resource Directory [RFC9176], where the Server may have registered the links to its resources.¶
In order to enable the above, this section defines a number of parameters, each of which can be optionally specified as a target attribute with the same name in the link to the respective EDHOC resource, or as filter criteria in a discovery request from the Client. When specifying these parameters in a link to an EDHOC resource, the target attribute rt="core.edhoc" MUST be included, and the same consistency rules defined in Section 5 for the corresponding information elements of an application profile MUST be followed.¶
The following parameters are defined.¶
'idcred_t', specifying the type of identifiers supported by the Server for identifying authentication credentials. This parameter MUST specify a single value, which is taken from the 'Label' column of the "COSE Headers Parameters" registry [COSE.Header.Parameters]. This parameter MAY occur multiple times, with each occurrence specifying a different type of identifier for authentication credentials.¶
Note that the values in the 'Label' column of the "COSE Headers Parameters" registry are strongly typed. On the contrary, Link Format is weakly typed and thus does not distinguish between, for instance, the string value "-10" and the integer value -10. Thus, if responses in Link Format are returned, string values which look like an integer are not supported. Therefore, such values MUST NOT be used in the 'idcred_t' parameter.¶
'ead_1', 'ead_2', 'ead_3' and 'ead_4', specifying, if present, that the Server supports the use of External Authorization Data EAD_1, EAD_2, EAD_3 and EAD_4, respectively (see Section 3.8 of [I-D.ietf-lake-edhoc]). For each of these parameters, the following applies.¶
The example in Figure 6 shows how a Client discovers two EDHOC resources at a Server, obtaining information elements from the respective application profiles. The Link Format notation from Section 5 of [RFC6690] is used.¶
The same security considerations from OSCORE [RFC8613] and EDHOC [I-D.ietf-lake-edhoc] hold for this document. In addition, the following considerations also apply.¶
Section 3.2 defines that a Client SHOULD NOT have multiple outstanding EDHOC + OSCORE requests pertaining to the same EDHOC session. Even if a Client did not fulfill this requirement, it would not have any impact in terms of security. That is, the Server would still not process different instances of the same EDHOC message_3 more than once in the same EDHOC session (see Section 5.1 of [I-D.ietf-lake-edhoc]), and would still enforce replay protection of the OSCORE-protected request (see Section 7.4 of [RFC8613]).¶
TODO: more considerations¶
This document has the following actions for IANA.¶
Note to RFC Editor: Please replace all occurrences of "[RFC-XXXX]" with the RFC number of this specification and delete this paragraph.¶
IANA is asked to enter the following option number to the "CoAP Option Numbers" registry within the "CoRE Parameters" registry group.¶
[¶
The CoAP option numbers 13 and 21 are both consistent with the properties of the EDHOC Option defined in Section 3.1, and they both allow the EDHOC Option to always result in an overall size of 1 byte. This is because:¶
At the time of writing, the CoAP option numbers 13 and 21 are both unassigned in the "CoAP Option Numbers" registry, as first available and consistent option numbers for the EDHOC option.¶
This document suggests 21 (TBD21) as option number to be assigned to the new EDHOC option, since both 13 and 21 are consistent for the use case in question, but different use cases or protocols may make better use of the option number 13.¶
]¶
+--------+-------+------------+ | Number | Name | Reference | +--------+-------+------------+ | TBD21 | EDHOC | [RFC-XXXX] | +--------+-------+------------+¶
RFC Editor: Please remove this section.¶
The authors sincerely thank Christian Amsüss, Esko Dijk, Klaus Hartke, Jim Schaad and Mališa Vučinić for their feedback and comments.¶
The work on this document has been partly supported by VINNOVA and the Celtic-Next project CRITISEC; and by the H2020 project SIFIS-Home (Grant agreement 952652).¶