ace-wg / ace-key-groupcomm-oscore


Clarify alternative computing of N_S Challenge when DTLS is used #64

Closed marco-tiloca-sics closed 1 week ago

marco-tiloca-sics commented 1 year ago

In Section 6.1.1 of version -16, point 2 refers to the TLS exporter method from Section 7.5 of RFC 8446. However, that method is actually applicable only if DTLS 1.3 is used.

To correctly distinguish between the case of DTLS 1.2 and of DTLS 1.3, the text in Section 6.1.1 can be updated as follows:

OLD:

  1. If the provisioning of the Access Token to the Group Manager has relied on the DTLS profile of ACE [RFC9202], and the Access Token was specified:

    • in the "psk_identity" field of the ClientKeyExchange message when using DTLS 1.2 [RFC6347]; or

    • in the "identity" field of a PskIdentity within the PreSharedKeyExtension of the ClientHello message when using DTLS 1.3 [RFC9147],

    then N_S is an exporter value computed as defined in Section 7.5 of [RFC8446]. Specifically, N_S is exported from the DTLS session between the joining node and the Group Manager, using an empty 'context_value', 32 bytes as 'key_length', and the exporter label "EXPORTER-ACE-Sign-Challenge-coap-group-oscore-app" defined in Section 16.7 of this document.

NEW:

  1. If the provisioning of the Access Token to the Group Manager has relied on the DTLS profile of ACE [RFC9202], and the Access Token was specified in the "psk_identity" field of the ClientKeyExchange message when using DTLS 1.2 [RFC6347], then N_S is an exporter value computed as defined in Section 4 of [RFC5705].

    Specifically, N_S is exported from the DTLS session between the joining node and the Group Manager, using an empty context value (i.e., a context value of zero-length), 32 as length value in bytes, and the exporter label "EXPORTER-ACE-Pop-Input-coap-group-oscore-app" defined in Section 16.7 of this document.

  2. If the provisioning of the Access Token to the Group Manager has relied on the DTLS profile of ACE [RFC9202], and the Access Token was specified in the "identity" field of a PskIdentity within the PreSharedKeyExtension of the ClientHello message when using DTLS 1.3 [RFC9147], then N_S is an exporter value computed as defined in Section 7.5 of [RFC8446].

    Specifically, N_S is exported from the DTLS session between the joining node and the Group Manager, using an empty 'context_value' (i.e., a 'context_value' of zero length), 32 as 'key_length' in bytes, and the exporter label "EXPORTER-ACE-Sign-Challenge-coap-group-oscore-app" defined in Section 16.7 of this document.

The new text uses the new name for the TLS exporter label as suggested in issue https://github.com/ace-wg/ace-key-groupcomm-oscore/issues/63