IETF Logo Mail Archive

Re: [OAUTH-WG] Feed back on draft-sh-rats-oidc at-00

"Smith, Ned" <ned.smith@intel.com> Sat, 29 July 2023 03:30 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31C9AC151068 for <oauth@ietfa.amsl.com>; Fri, 28 Jul 2023 20:30:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.309
X-Spam-Level:
X-Spam-Status: No, score=-1.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=intel.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W4sxgTWw-1xc for <oauth@ietfa.amsl.com>; Fri, 28 Jul 2023 20:30:04 -0700 (PDT)
Received: from mgamail.intel.com (unknown [192.55.52.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56C15C14CE4F for <oauth@ietf.org>; Fri, 28 Jul 2023 20:30:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1690601404; x=1722137404; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=An4WzFQt2DBnW1X/jlXatil1eD9MwidudA0YeIHWevs=; b=n2c455NQXMyKrnPmoL3qIUeAtIPNSrYLVSv5L0KCYzxDKUqvvZlhjGIA kqkB/c7JoDjDdnWvlEiF5byEsVXqPaXGmvRt+6w8OR6MamYDOMt7iVOxl LR/Tv4JiA/lUtGogzDNoUB68kH9hpVpoA44CNFtYEr+8QLe6k3yryT6St zjbLnmNX5C+54azwGp0OQIRNj2OiYbqO3W4DVI9WSfgv34FehX1tuEucu FkY2Gc11rk/ZE4tNLvo03Vhuy2oaKoXPeKzZ6Z2h7pelNABLu5KLHYTkF JwTLhNcskDOEqf2KtE+XItGUQIb5dZTUdMjPg3h5yAv5bK2AlNI0u/9JJ w==;
X-IronPort-AV: E=McAfee;i="6600,9927,10785"; a="399669003"
X-IronPort-AV: E=Sophos;i="6.01,239,1684825200"; d="scan'208,217";a="399669003"
Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Jul 2023 20:29:28 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10785"; a="727675963"
X-IronPort-AV: E=Sophos;i="6.01,239,1684825200"; d="scan'208,217";a="727675963"
Received: from fmsmsx601.amr.corp.intel.com ([10.18.126.81]) by orsmga002.jf.intel.com with ESMTP; 28 Jul 2023 20:29:28 -0700
Received: from fmsmsx611.amr.corp.intel.com (10.18.126.91) by fmsmsx601.amr.corp.intel.com (10.18.126.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.27; Fri, 28 Jul 2023 20:29:28 -0700
Received: from fmsedg601.ED.cps.intel.com (10.1.192.135) by fmsmsx611.amr.corp.intel.com (10.18.126.91) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.27 via Frontend Transport; Fri, 28 Jul 2023 20:29:28 -0700
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (104.47.55.105) by edgegateway.intel.com (192.55.55.70) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.27; Fri, 28 Jul 2023 20:29:27 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BECtABJiGRhZSSxGeaAMpuHbQEHeFmxJSWdLU0WNe0jBrapa3NBRQ1d2ZnKRVmbRd/+psufVtfWkM7F3juYmMTG1PYvHaz/RwE59N1Gqplz9EXmLSLytlSEvm/bBKh0rZWDd0CWUr31PBCvA/nuHMKRuFxbPlDstKuk4O5GzgPl7735UpUlnJpIj9YXtUJD2xH66V0G2mw27H+9JAy3LWgTZY13aPF3lN4g5Wv03TaPo0eekPWffbmm0l+1GYSqaDuypI8oZkv0fG5xs5bEmLcc/uQjVx8yIxS22mSeeVS6oYsSlz0B/KlGnkTdwe6ZqdAxxh+g98a7zWjqft1bJYw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=An4WzFQt2DBnW1X/jlXatil1eD9MwidudA0YeIHWevs=; b=NgZZHujBlCOIVYXb8+l8bF5ASq1E34YlLqYaPh9XCLBCzT6cM8xWZS57cTQyumE11qVB4y17yqIWhlsL06qRjGvID9btzvffIlopKsOpd5S1NxoVf4kxlPeiqQeEgGU1QFLmngpnY8RR43Zx4RMUKFi/BAYJFEbi9jYPiSjB5mZX5BehAq6CmROIDRihYpX4+CtjOaxm0x7H3/7BsHhwwCgK2FH0vOu09w7oEesjxpgECMNSmV0TzVNGt46jjE3Hf37LptskpgpzONoKG4WeL4eB0yzot9xiPM98oatTWLEwvzXhBp6E3mNKgrA5YkbHvB2nwWlyerGFfTrSCsvNjQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
Received: from CO1PR11MB5169.namprd11.prod.outlook.com (2603:10b6:303:95::19) by DS0PR11MB7358.namprd11.prod.outlook.com (2603:10b6:8:135::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6631.29; Sat, 29 Jul 2023 03:29:25 +0000
Received: from CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::d02:c4ed:49e3:2400]) by CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::d02:c4ed:49e3:2400%3]) with mapi id 15.20.6631.039; Sat, 29 Jul 2023 03:29:25 +0000
From: "Smith, Ned" <ned.smith@intel.com>
To: George Fletcher <george.fletcher@capitalone.com>, "hardjono@mit.edu" <hardjono@mit.edu>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Feed back on draft-sh-rats-oidc at-00
Thread-Index: AQHZwXuNiQYtemeWgUqYu4S4Ldf86a/PoW0A
Date: Sat, 29 Jul 2023 03:29:25 +0000
Message-ID: <3B170001-DED5-4D93-AE28-C9AC6380BFCE@intel.com>
References: <CAJnLd9+FRG7DfLK4xrFfVqKwrL0Bf5Y=2Rs4NsX_zmNt9qkhDQ@mail.gmail.com>
In-Reply-To: <CAJnLd9+FRG7DfLK4xrFfVqKwrL0Bf5Y=2Rs4NsX_zmNt9qkhDQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.75.23072301
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO1PR11MB5169:EE_|DS0PR11MB7358:EE_
x-ms-office365-filtering-correlation-id: fc6e8ede-6cf8-4343-cb98-08db8fe4024a
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: UsWf9UBPpQKKjLX2IPOKlG2OyRj7z51/Glshl6wWQw91W/ob4sGymMGeieGC5gcYNnA0dfnfCUbN7S985qh9N2yvi7WzVKa5ioXX9VoMLGj1cfTdI9Xk5GvJZjUORC+GzWtZwMUOvojgmCKEa/TgXHudv5bCJl0ttB2R3GzgqerS8RQw6LN8uze4tMQTKRRT359GKWyPuh9nUwdZ7/XNTMcgOampCvohMBaO5rGuzzwuwD6uFxMzWClMusgliFPp0MbpVCB0pXk0dW0YXk5iHlHbJ1r1vWp+b0pnbjMfeC1m4/0wwwrfQq95jcmbdOgTPrHM8ic71IB+Jjzt2sMFw2T4LdVdxtphjfDJICIx81drIz1RmEgoP5AcxVbttaqQbZqKT8eRM8am0Hf8NCklQf1j9RHfMOMHD8rQm7LYiuF3l9ByCAfrlYW8WBvbJkfoKVqDO4q3pCeSpkeBDDaHpCcHugNQNnr485r1XiZWuazbB/8pqDl1Vkz4yyCpmTrd4u5t6dEHt5bGT9XoyN7FXvh7Wvpr3OEiJ/KpmxTTGDx7CmaEDR/hSQ28fNBl+0Y5z3xtU7QHy6WAQNLDz8F5iBKpEU06G4mlLuCModWCjtWhFHoHjPrZiyzy9uJLucDLJiKVhI9d5eiu5WGLItZo+A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR11MB5169.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(376002)(39860400002)(136003)(366004)(396003)(346002)(451199021)(71200400001)(478600001)(82960400001)(6486002)(83380400001)(166002)(53546011)(6506007)(26005)(6512007)(66476007)(66946007)(66556008)(64756008)(76116006)(38100700002)(66446008)(122000001)(110136005)(186003)(66574015)(91956017)(2616005)(5660300002)(86362001)(33656002)(41300700001)(38070700005)(316002)(2906002)(8676002)(8936002)(36756003)(40140700001)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: AzB3ac9ORqVGlWz0SmlFKskHSJXvTInRb2PhqeZ8qucIgkN0zpofILowVpkJsIlwzvtBb07W40//pn+WhIqaRdbrFBWyn7+TqqVwDa1b5SCxPbnSTeOc0axGMbifQoeXCiuGrn3QT3hJNufj6vVsucLaWmqZHAwWQBUwxVJATHd/EH9jCzKtmOq0ql1rCEGxZ6vYx9uT1bkU4hn9uw4yV1h12JASdcL95ac+R59VnZrvdhGfTnnVJ/P2hGCunZ4CL/hemaXO3Lwx+4xcNU/V1ZIy4hv4Ztq+Psevgf2LV9UerXByAPoQZWNa/QbqjpKWkmjrcKWPJ0Sekk8ZZ96cZqN1x6+N+TLycAe5Qyd9/ClF4FklWGRSLNPR9xif4IJMdwNlAkM2d1O0auwzlcS3ZuyAWmiK91Hqo9Dbx7nhSJjabmzKO7J1AQamFg9oK38cXmUKSEdJWfgT/Zacu2sH2ZyZ48pMNYLGWS7ILF5ndWLeU7vLyUk5CJF465FGFRsCgOq5gIGhJJ0k+g3Cc02dNoPVRMQXAeH3AL4cu3/5CX4x0lxheLVrEAp0Akfeet8N9KxP+cnidFNUzhMOMPalicnExZFXMvB9dpJSEykW1FHdDbkS6ANUGgnInwKXE26OvDPaaPDwiEk66n0DT4ylBmShNLNsOCszJ300gfKxFtPTdPbPFFssvtBEtXwWDpw1E8xGtIC5HZZGthX1+Ka4Axqm50yigkjOXaeIxhLwAymTZJybNr5zKum6sn92/QmHGjvfQUeD26PT6f2bQ7V0vjBS7vzwH8wPonTHAATJfirz8hvOFX9EC099aCzLsXq5XM+OvjYeh5uw+tpvdpdgUvjISXT+zRfFswkIt1PiGjPR+S4JuGMoa6PdpnqbgapupxiEcGLRxsv3TrjbOvAxX5ifCdONWhBneQv6TifbB7BLuXsB3yFNuNLUY+ncOGPXWp58pGv9T+LI6NXF9Kvz6+6RDuLSizLqkqAOM0/cnnY9ykvFL46y7yF/G4hgLqo0LDkH6pKCCNLqLP7Xe9FH8y4SYEyHHIXxuRUZVBv75oMEnCNCWDZRnhs5Gn3N3XFhlZCm+1sewQmpnOUBU7ty0QzA6BlhlWy1XXUeY+XGQY1kLNRcSk1FHjSjV68Mv8uurmnPY7aGYsWZqSnSVI7hp6balkAc1ePiXV6VghKhX4/IypFeZLgYJILzBSPAEgXojVfRvAZFEJLb5Q7Kep1HOqJ15vx/j1fIyiA4EV+4aNbQBMwVH9MJW2PSU6mTU+P827vvJV1bCgViXDDL1QREyp9qbnPVdJPhpPC8+UNXasPOdNFhhY/rdNU1ZeKKfDsGKk1ogH8qaVHvJ2LdNz2MbWNxxBGeYk3smDUqBrD1OzoBS2AuJUyOroKK1jw9Qzvzl8v6DXxNutUO91DiTi6eheA54JgCT8ZRubWc+ibqhtq7Nt8HLbtAvqVnenBUB1Dy5hEhROaca+4DMRrLDCtr/phYO/AeDxG7X36QnPjGp5LjIMtrMUO7GbOIS+JS3/W81iyweHbULdWCsE/n/sjYDFZsaiRKDYRg9gdOKHTTLIz1oWda35wQd/dZ7e0R9jR2
Content-Type: multipart/alternative; boundary="_000_3B170001DED54D93AE28C9AC6380BFCEintelcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB5169.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fc6e8ede-6cf8-4343-cb98-08db8fe4024a
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jul 2023 03:29:25.6484 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: wQjGhtdgHyOlWiDznlKkDIzd5pHe8qm172CDhxEhNaw/7+G0Qqz3PG/0aKSrmRVAR1Ay2g0BGC0vtZGJ3K+EHw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR11MB7358
X-OriginatorOrg: intel.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5MSiTcmh6NW-EDbSF6luKszkYCw>
Subject: Re: [OAUTH-WG] Feed back on draft-sh-rats-oidc at-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jul 2023 03:30:08 -0000

George,
Thanks for the detailed responses. I have a few questions / comments inline.
Thanks,
Ned

From: George Fletcher <george.fletcher@capitalone.com>
Date: Friday, July 28, 2023 at 11:47 AM
To: "Smith, Ned" <ned.smith@intel.com>, Thomas Hardjono <hardjono@mit.edu>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Feed back on draft-sh-rats-oidc at-00

Hi Ned/Thomas,

Thanks so much for the conversation at IETF on the potential value of combining the attestation work with OpenID Connect and OAuth. Given the spec references a lot of OpenID Connect artifacts, I’ve used OpenID Connect points in this response. However, from an IETF perspective, this would be connected to OAuth and the Authorization Server. It might be useful to map the work to OAuth directly and then let OpenID Connect (which is built on top of OAuth) to “inherit” the capability.

As promised, here is some feedback on the presented draft…

Section 2.1
* The userinfo endpoint is an API specified by the OpenID Connect protocol. It’s usually part of the OpenID Provider. Regardless it’s not a useragent/browser.

Section 3.1
* userinfo (see previous comment)
* End user (EU/Alice) is not an application. In OAuth the end user is called the Resource Owner. The application is called the ‘client’. So the Resource Owner uses the client to access the RO’s resources.
* Relying Party - generally in OAuth/OpenID Connect the relying party is not looking for attestations. It’s looking for an authorization token to be presented by a client. In the case of attestations… it would be the OpenID Provider that would be interested in the attestations (in this context it may be possible to consider the OpenID
                                                                         ^^^^^^^^^^
[nms] I’m still confused about the OAUTH WG use of “attestations”. The noun form of attestation doesn’t seem to be defined anywhere. The RATS Architecture carefully avoided defining “attestation” opting instead to define roles and conceptual messages. draft-tschofenig-oauth-attested-dclient-reg seemed to do a good job of mapping terminology to RFC9334. However, based on clarification from the session III OAUTH meeting in 117, it seems the definition of attestations might be “attributes that have provenance metadata”. This definition differs from what is intended in draft-sh-rats-oidcattest. Maybe it makes sense to try to capture some definitions for what seems to be tribal knowledge of the OAUTH WG?

Provider playing the role of a RRP).

[nms] The draft-tschofenig-oauth-attested-dclient-reg seems to take this approach also. I’m confused by that because the entity taking the risk associated with interacting with the client is the RS (OIDC RP). If the AS is providing a blanket policy for the Internet that all agree to, then I can see this approach (AS as RRP) making sense. But not sure such a broad policy would be meaningful for anyone.

Section 3.2.1
* this isn’t really how the OpenID connect protocol works. In a general mobile app flow, the mobile app (aka the client) will open a browser to the OpenID Provider’s /authorization endpoint which starts the authentication/consent/authorization flow. Once the user has authenticated, the OpenID Provider provides a ‘code’ back to the native application which then exchanges that ‘code’ for the ‘id-token and access-token’ at the /token endpoint of the OpenID Provider

Beyond this part of the spec I got confused on how the protocol is supposed to work and who the core agents are in the flow. A diagram would be really helpful showing the core steps.

[nms] Thomas and I have a busy sequence diagram that isn’t easily included in a draft. Having mermaid would help. Nevertheless, we did include most of the sequences broken up in the various sections. However, they don’t seem to be rendering properly. The Editor’s Copy at nedmsmith/draft-sh-rats-oidc-attest: Internet draft describing integration of attestation flows with openID-connect (github.com)<https://github.com/nedmsmith/draft-sh-rats-oidc-attest> seems to render properly.

In my view, it’s more likely that the OpenID Provider will be the entity desiring an attestation about the client

[nms] By “attestation” I assume you mean Evidence?

making the request. This could be just an attestation about the client software, or could also include an attestation about general characteristics of the device (e.g. is it jail broken or not).

[nms] RFC9334 tries to point out that an Attester shouldn’t attempt to self-attest as that implies the Attester can lie about its state. Rather, an Attesting Environment (which is trusted) should collect Evidence about the “client”.

There are two main use cases…
1. The client is a mobile app in which case it may be able to obtain an attestation before starting the authorization flow
2. The client is a web service (or relying party) and the OpenID Provider wants some attestation about the software and environment in which that client is running.

I suspect we can address both cases with the same flow. We might need an initial step for the client to obtain a

[nms] We struggled with the lack of an “initial step” in OIDC / OAUTH examples. This would be tremendously helpful.

nonce from the OpenID Provider before presenting the attestation so that the attestation can contain the nonce

[nms] I agree a nonce would be useful. However, there are use cases where the Attester is composed of multiple environments and some of those environments are measured at different times (e.g., at boot time). Therefore, it isn’t practical (usually) for a single nonce from the AS to be the sole form of Evidence freshness.

allowing the OpenID provider to know this is a fresh attestation and bound into the authorization process requested by the client.

[nms] I agree that binding the attestation Evidence to the process is important. Likewise, binding Attestation Results to the process is also important. Due to the use of “attestations” terminology, it is unclear to me whether that implies Evidence, Attestation Results, or both.

Thanks,
George
--
[Image removed by sender. Capital One]

George Fletcher (he/him)

Executive Distinguished Engineer • Identity Architect
[Image removed by sender. address]8020 Towers Crescent Drive, Vienna, VA 22128
[Image removed by sender. mobile]616-498-8240

assistant:  genevieve.morgan@capitalone.com<mailto:genevieve.morgan@capitalone.com>

________________________________


The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.

v2.23.0 | Report a Bug | By Email