Re: [hrpc] When are HRPCs normative in an IETF protocol?
Adrian Gropper <agropper@healthurl.com> Fri, 02 December 2022 18:51 UTC
Return-Path: <agropper@gmail.com>
X-Original-To: hrpc@ietfa.amsl.com
Delivered-To: hrpc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68C07C14CF0C for <hrpc@ietfa.amsl.com>; Fri, 2 Dec 2022 10:51:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.396
X-Spam-Level:
X-Spam-Status: No, score=-6.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F2PbkaTOd6ef for <hrpc@ietfa.amsl.com>; Fri, 2 Dec 2022 10:51:02 -0800 (PST)
Received: from mail-yb1-f171.google.com (mail-yb1-f171.google.com [209.85.219.171]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 315F9C14CF05 for <hrpc@irtf.org>; Fri, 2 Dec 2022 10:51:02 -0800 (PST)
Received: by mail-yb1-f171.google.com with SMTP id e141so7105797ybh.3 for <hrpc@irtf.org>; Fri, 02 Dec 2022 10:51:02 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2oviQCb79qkl29qE+4KcdhkSTFgJSNyMjUIn74Nr9rs=; b=pYwbjAy3sKI41YpPAYVHKe0CR1lNMV3J+GmfMKSFyX5wFQ5yUL89OzBwLq1JD+vuOQ ezr/IETOAYl2V0sNZLjd+XNcFDKQmkky4pXeyisdtISjDKiZwSl6l6E3jkYbiMNkDJZM ZzuX2JwpdAwQN2KfrhTnqyA3d64Crpl1UG0friFdqHdeDzchRgYheoX17IuU62vqBCeR e9wsX7OyBquCDOJhuq75B4odNSHiO1lN63uy1yz/D3jSZb8C73f1KmNXVM1Oz475+oLs d7fvWWkwfg1h6o+WeeP9P6WrmNWec0VM0SD3yYn/q/g22h8iI6A+atENEyZwN+A3XdaB Yxjw==
X-Gm-Message-State: ANoB5pnBePVtND/No6Tsv/FB1kayjKeLyI6TXoSYoN5jZe8qnCyzFJhB Ixi56rdwAKDAcow1BjpOnaHIOAZPW4mVL29offs=
X-Google-Smtp-Source: AA0mqf7FcCCjT1m5AtEcF68+JnqZpXOGteIZEQHKrdpaC2ikP6yqFav/Mj1EoYpqgO1WEqhkBk+tOXcuF+wxzJW8IZw=
X-Received: by 2002:a25:3c86:0:b0:6ef:1a00:40d4 with SMTP id j128-20020a253c86000000b006ef1a0040d4mr45405813yba.425.1670007061179; Fri, 02 Dec 2022 10:51:01 -0800 (PST)
MIME-Version: 1.0
References: <CANYRo8ivdeQOc8KkroQ8ZZCoif-CPwNcc9qG0jU6nW8GUHTe1w@mail.gmail.com> <cd45f2f9-a3fd-8516-5635-ebf3280568cc@cs.tcd.ie> <CABcZeBMwBTM-gR9+ODk31nuBzpg5etqRfU8nH73azTuhWhdOgw@mail.gmail.com> <CANYRo8j32kthypqiokAUsiFYnkxVLN5NH=PdoEzRCdp+0MJz5Q@mail.gmail.com>
In-Reply-To: <CANYRo8j32kthypqiokAUsiFYnkxVLN5NH=PdoEzRCdp+0MJz5Q@mail.gmail.com>
From: Adrian Gropper <agropper@healthurl.com>
Date: Fri, 02 Dec 2022 13:50:49 -0500
Message-ID: <CANYRo8h3ZnPo+Zpu0XFxV73wsdUvQdP0mhsSBp3Q5LSD4G06Ew@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, hrpc@irtf.org, Alan Karp <alanhkarp@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000a772ad05eedcd17a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/FW78YvFerkFHsrYDFcSWp-SYNqI>
Subject: Re: [hrpc] When are HRPCs normative in an IETF protocol?
X-BeenThere: hrpc@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: hrpc discussion list <hrpc.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/hrpc>, <mailto:hrpc-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hrpc/>
List-Post: <mailto:hrpc@irtf.org>
List-Help: <mailto:hrpc-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hrpc>, <mailto:hrpc-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2022 18:51:06 -0000
Over the past few days, this thread has turned technical. The tech status is here https://mailarchive.ietf.org/arch/msg/hrpc/VhroNqqmg9SuqXlsOWieijuobCI/ and I hope this discussion will continue to consensus on the GNAP list txauth@ietf.org What should be the next steps to try and answer the two questions below? - Adrian On Sun, Nov 27, 2022 at 3:27 PM Adrian Gropper <agropper@healthurl.com> wrote: > It's premature to consider authority. > > What's on the table is HRPC's ability to document, educate, and suggest > how mitigations relate to normative language in GNAP. > > More specifically, > > 1 - Is the right to choose an AS separately from an RS a human right per > HRPC? > > and then, > > 2 - Depending on 1, when both the RO (data subject) and the RS (resource > server) have a legitimate interest in choosing the AS, should GNAP give > normative priority to RO choice and treat RS choice as a security > mitigation rather than the current GNAP framing? > > - Adrian > > On Sun, Nov 27, 2022 at 2:43 PM Eric Rescorla <ekr@rtfm.com> wrote: > >> >> >> On Sun, Nov 27, 2022 at 7:20 AM Stephen Farrell < >> stephen.farrell@cs.tcd.ie> wrote: >> >>> >>> Hiya, >>> >>> On 26/11/2022 20:00, Adrian Gropper wrote: >>> > IETF GNAP is a new delegated authorization protocol intended to replace >>> > OAuth in many use-cases, including Alice-to-Bob cases. In the HRPC >>> context, >>> > delegated authorization presents the risk of forced association as a >>> > violation of human rights. >>> >>> I had a quick look at the google doc and the description >>> seems a bit abstract if you want to convince people that >>> the flaw you're calling out exists. (I'm unclear if it >>> does or not myself fwiw.) >>> >>> Could you provide a much more specific example, e.g. in >>> the context of medical devices, of how the problem >>> manifests itself? >>> >>> Thanks, >>> S. >>> >>> PS: I dropped the gnap list for now, my guess is that it'd >>> be better to bring the discussion back there after the >>> problem description has been made more crisp. >>> >> >> Well, certainly if you want to have any change made to the protocol, >> given that HRPC has no authority to require WGs to do anything. >> >> -Ekr >> >> >>> _______________________________________________ >>> hrpc mailing list >>> hrpc@irtf.org >>> https://www.irtf.org/mailman/listinfo/hrpc >>> >>
- [hrpc] When are HRPCs normative in an IETF protoc… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Stephen Farrell
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Eric Rescorla
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Stephen Farrell
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Stephen Farrell
- Re: [hrpc] When are HRPCs normative in an IETF pr… Eliot Lear
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Eliot Lear
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Eric Rescorla
- Re: [hrpc] When are HRPCs normative in an IETF pr… Eliot Lear
- Re: [hrpc] When are HRPCs normative in an IETF pr… Stephen Farrell
- Re: [hrpc] When are HRPCs normative in an IETF pr… Justin Richer
- Re: [hrpc] When are HRPCs normative in an IETF pr… Eric Rescorla
- Re: [hrpc] When are HRPCs normative in an IETF pr… Alan Karp
- Re: [hrpc] When are HRPCs normative in an IETF pr… Fabien Imbault
- Re: [hrpc] When are HRPCs normative in an IETF pr… Abdussalam Baryun
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Fabien Imbault
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Justin Richer
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Abdussalam Baryun
- Re: [hrpc] When are HRPCs normative in an IETF pr… Alan Karp
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Stephen Farrell
- Re: [hrpc] When are HRPCs normative in an IETF pr… Fabien Imbault
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Justin Richer
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Justin Richer
- Re: [hrpc] When are HRPCs normative in an IETF pr… Stephen Farrell
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Fabien Imbault
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Justin Richer
- Re: [hrpc] When are HRPCs normative in an IETF pr… Fabien Imbault
- Re: [hrpc] When are HRPCs normative in an IETF pr… Alan Karp
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Justin Richer
- Re: [hrpc] When are HRPCs normative in an IETF pr… Alan Karp
- Re: [hrpc] When are HRPCs normative in an IETF pr… Justin Richer
- Re: [hrpc] When are HRPCs normative in an IETF pr… Alan Karp
- Re: [hrpc] When are HRPCs normative in an IETF pr… Fabien Imbault
- Re: [hrpc] When are HRPCs normative in an IETF pr… Alan Karp
- Re: [hrpc] When are HRPCs normative in an IETF pr… Fabien Imbault
- Re: [hrpc] When are HRPCs normative in an IETF pr… Adrian Gropper
- Re: [hrpc] When are HRPCs normative in an IETF pr… Vittorio Bertola
- Re: [hrpc] When are HRPCs normative in an IETF pr… Mallory Knodel