Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

Bron Gondwana <brong@fastmailteam.com> Wed, 24 February 2021 22:31 UTC

Return-Path: <brong@fastmailteam.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B8BD3A1CA0; Wed, 24 Feb 2021 14:31:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b=Anvpf44l; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=qsKYpQ0Y
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wKLfwUOCP2k6; Wed, 24 Feb 2021 14:30:58 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 979433A1C9E; Wed, 24 Feb 2021 14:30:58 -0800 (PST)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id C6E6D5C00DA; Wed, 24 Feb 2021 17:30:57 -0500 (EST)
Received: from imap7 ([10.202.2.57]) by compute2.internal (MEProxy); Wed, 24 Feb 2021 17:30:57 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=mime-version:message-id:in-reply-to :references:date:from:to:cc:subject:content-type; s=fm2; bh=ZRZC SzbcgcQfSUd0+eD539BCP8kLRsyQxDWjL+rmQwo=; b=Anvpf44ll48zrRStJPmH IYsZW0Pr9IFvBcONqRZItMTnVjF+/4U304VcxQ3ALSQAMg9WJ8XBkfdrgmCzAr2Q 02WXkkjRHahuUlOyLtFCkB8N3QckAKkNT/F4ccIQoSEEXpRKeciN1YtvViH/+kbY M0eEd2tgQcuJQHooxN+cxjbz7Z9q7IxQ0E0tDPJhf/N/h3/5XFXYJfIzulO4aTTm akK/3E6kfK+zdj3uvWq0dyI2HczIhjJcOuXpQ0+1KFG+H6QFKth7cK7gT5IJvy5D 5Twd7WiS9jpaOfF5+0B5IMa/CZGK9/hmqOY7HjsfkK+3OKEK66iV6idru6Dq54mc Dw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=ZRZCSz bcgcQfSUd0+eD539BCP8kLRsyQxDWjL+rmQwo=; b=qsKYpQ0YTCcd3b8+TGcNGW Hdo+QLJ30w9tS33B2/9Hb2Y5xZmy6NHXefXDxwD1he8xlbh53w3rE+uXgQYesPjZ 8ZMQhDaI800lgmcLKovCwbBmXHLrNIqYYaDsd5OGMgua5+2iFUl6meEEzw9nuEvt P7CIYQnVwZhf6bqVyGoUSvHG4WZCwMZvzGAw9/J6PKZ6QYxNqn4n07lAde9+zaIg dUJirnICjaYoIZriRwDRSQOHsWOY9I64qvveYPa3m6biSsBnIeld9r+S4NJUk2yi 5zNQLfs7MRn93EkZqNc/BktJgbprHXXiaj2b1eMbUnwGYSc84UljZTVI9oK9bgkg ==
X-ME-Sender: <xms:odM2YGV74t5rpWLGicjuABtOwRl8jwekCbmuVJWUAFljftoZ2H0Kag> <xme:odM2YClkXQCWE3XDtQ_5d3klitiV6risugiiAxYwvU3w0-dikh7k-g0EAxDai_dCY ynm-_LWAHw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrkeejgdduiedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvffutgesrgdtreerreerjeenucfhrhhomhepfdeurhho nhcuifhonhgufigrnhgrfdcuoegsrhhonhhgsehfrghsthhmrghilhhtvggrmhdrtghomh eqnecuggftrfgrthhtvghrnheptdehteegfeevteduffevteehfffghefhvdevkeeuhfeh ueetudehgfegieekjeetnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrg hilhhfrhhomhepsghrohhnghesfhgrshhtmhgrihhlthgvrghmrdgtohhm
X-ME-Proxy: <xmx:odM2YKbT7OrfxzgDXf99_MukiPjMIZFJzVrsRVejBZLGw3Pj9lrsEw> <xmx:odM2YNWt6CLdIGrnI9YfgQT3dwINMwJvirZvuzK_bQ_3YqAJuqgNqw> <xmx:odM2YAkm3xvBe_xb5mNwNzwx_gm_WKMhmOPdquyRFKiIVwQXbxFCAA> <xmx:odM2YFyLewObuyjCfsbVQSB8ADV5ZQTQFf3BjIBbLVfeKSkLYwPd8A>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 23EEA3605AC; Wed, 24 Feb 2021 17:30:57 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-179-g81f7aba968-fm-20210222.002-g81f7aba9
Mime-Version: 1.0
Message-Id: <6b5d0e34-340f-4f93-83ef-817d4624ec7d@dogfood.fastmail.com>
In-Reply-To: <E84B4446-5F74-402B-8071-A1164EF0B02C@mit.edu>
References: <CAMm+LwgbK3HYDjSHnTN3f6hWSQCQrEjHLNn6z0JpfY7hdxaQpg@mail.gmail.com> <A8128346-B557-472F-B94F-8F624F955FCE@manicode.com> <eb2eaaa7-7f7e-4170-ab87-1cc1fdd3359b@www.fastmail.com> <CAJot-L0PS_3LxEkC-jd1aqXDdYF+z8BajSs4Rhx3LgRPn6wkdQ@mail.gmail.com> <DAB127D7-809F-4EC2-A043-9B15E2DB8E07@tzi.org> <CAJot-L1e8GegjXjADRQ87tGqnSREoO4bEKLX+kPkZFsQpevGQA@mail.gmail.com> <66be0ffe-a638-45a0-ba05-1585ea02e6bf@www.fastmail.com> <CAJot-L2KO2dOzZQJJeB1kbk6_KTQwUYUsoJOoRt=9maynS1jZg@mail.gmail.com> <121f52be-4747-45f3-ad75-79fa2f693d75@beta.fastmail.com> <E84B4446-5F74-402B-8071-A1164EF0B02C@mit.edu>
Date: Thu, 25 Feb 2021 09:30:33 +1100
From: "Bron Gondwana" <brong@fastmailteam.com>
To: "Justin Richer" <jricher@mit.edu>
Cc: "Warren Parad" <wparad@rhosys.ch>, "Phillip Hallam-Baker" <phill@hallambaker.com>, "oauth@ietf.org" <oauth@ietf.org>, ietf@ietf.org
Subject: Re: [OAUTH-WG] We appear to still be litigating OAuth, oops
Content-Type: multipart/alternative; boundary=8fee5ed3ff744ba3a90a56c03f03a7d4
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/1Ds7-pxU3HgND9EEwFYQtvpeFV0>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2021 22:31:01 -0000

On Thu, Feb 25, 2021, at 02:18, Justin Richer wrote:
> I agree that the NxM problem is the purview of the whole IETF, but it’s something that we’re particularly interested in over in GNAP. As the editor of OAuth’s dynamic registration extension and the GNAP core protocol, I hope I can add to this conversation.
> 
> From a technical standpoint, OAuth’s dynamic client registration lets arbitrary clients talk to an AS, but the trust isn’t there in practice. On top of that I think this problem is exacerbated by a fundamental protocol design element of OAuth: the client_id that’s required. That field means there’s an assumption that a relationship was set up between the pieces of software, implied to be trusted by admins at the AS. Sure you can get that client_id under special circumstances, but there’s still a special weight handed to that and the dynamic stuff feels like you’re giving up control as an AS. In GNAP, the relationship is inverted, and it’s designed as “dynamic-first”, with pre-registered clients being an optimization on top of that.

Yep, this is the big point - OAuth is designed to require the the third leg of trust that creates the NxM problem.



If that dotted line between client and server requires a pre-existing trust relationship rather than the trust being entirely mediated by the user choosing to connect client A with server B, then you have the NxM problem.  This is the "you can only have your John Deere tractor serviced by an approved John Deere service centre" problem.  You can only use this client with servers who have pre-approved it.  Or fall back to the "cash of the internet" - plain text passwords.

> Does this solve the NxM problem? No, because companies are still going to decide that they only talk to keys or identifiers that they know ahead of time. But the protocol puts the dynamic case forward as baseline and fits in much better with the likes of JMAP than OAuth ever could:
> 
> - {The Bat} creates a key pair.
> - {User} enters their email address into {Bat}, {Bat} does discovery (maybe that’s a JMAP thing? Webfinger?) and finds the JMAP server and the GNAP endpoint for authentication as an option.
> - {Bat} talks to the GNAP AS at {ISP} and presents the key it just made up. {ISP} has never seen this key, but knows how to talk GNAP and get the user to authorize {Bat} to access email.
> - {User} does this using GNAP and gets back an access token that’s tied to the key {Bat} made back at the beginning. That token is tied (at the {ISP}) to the user’s account.
> 
> Yes, you can do all of this today with OAuth (and people have done so), but OAuth’s basic model of “go do discovery and registration first and THEN talk to me” is a trust impediment more than it is a technical impediment. The “negotiation” part of the GNAP name comes from the philosophy of “start talking first and figure out what you need as you go”. Instead of jumping through hoops to get something you can trust, you just start in and then decide how much you trust it. A corporate rollout could use its own key distribution mechanism and static registration to limit which client instances talk back to the company server, regardless of which accounts would authorize access on top of that. An internet-facing service is going to be more likely to take a TLS approach, of “I’ll talk to you in a secure fashion without caring who you are right now”.
> 
> We really are trying to make GNAP a consistent protocol at its core and learn from problems with OAuth in the wild, all while letting GNAP address a wider variety of use cases. I agree that GNAP could be clearer about specific use cases, and we’re working on the spec still so any help here is appreciated. 

Excellent.  This is precisely what I've been waiting for for these very many years as a viable replacement for storing a password locally on disk.  Just having the server able to distinguish between different client instances for the same user is a big start, because you can de-authorise one without having to lock out every connection - even if the user is still entering their password during the setup phase each time.

This is what Fastmail already do with our own app, creating a long-lived access token and storing that on the device rather than storing the password itself - and you can log out any one client from your security settings page.  What's missing is a standard way to do that with any IMAP client.  The initial JMAP authentication proposal was a very simple case of pretty much this, build into to the protocol so everyone would do it.

Making it easy to connect up arbitrary clients with per-client tokens the default, and easy rather than almost impossible to do in practice is where the big difference comes in.

Bron.

--
  Bron Gondwana, CEO, Fastmail Pty Ltd
  brong@fastmailteam.com