IETF Logo Mail Archive

Re: [OAUTH-WG] Your opinion about draft-ideskog-assisted-token

Travis Spencer <travis@curity.io> Sat, 20 February 2021 17:28 UTC

Return-Path: <travis.spencer@curity.io>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B1253A1564 for <oauth@ietfa.amsl.com>; Sat, 20 Feb 2021 09:28:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=curity-io.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WEqVw2f0veNi for <oauth@ietfa.amsl.com>; Sat, 20 Feb 2021 09:28:52 -0800 (PST)
Received: from mail-yb1-xb2c.google.com (mail-yb1-xb2c.google.com [IPv6:2607:f8b0:4864:20::b2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F15D3A15B6 for <oauth@ietf.org>; Sat, 20 Feb 2021 09:28:51 -0800 (PST)
Received: by mail-yb1-xb2c.google.com with SMTP id c131so8786813ybf.7 for <oauth@ietf.org>; Sat, 20 Feb 2021 09:28:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=curity-io.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aN8iJ9QTKzoaVcfEIBSmKo9jpHn6dx9r8v955/vlmrk=; b=qx0bQ8BCm3Liwr15vjScDQmQXpfQ6xM8EVLP5S8dvE3ZRvj6PZYd2pdqDVP/luirG5 23zcQuVWQaqfp8QsHXSmmV0hV8s5BALUYn4Yx4yUf6vUKpi2pz/gom+cIUdGaULdJKRo RcaCxwfp4brP72pNVU2ZfE/vfGxLeSQ6sC16xVqUTG6wIWAhmkWQmkT4HQ+1SZy0PP/6 /7BF2ueBqDdGwim7sBcTFxfIFKxHa7mqSWX69JdA2v6AShJkpiuKuzcY4+d62R8UTJiJ xtC0TMnI6+3J6g1OR9Z9sdEf6EuZ9qJOwkW3Ajoq2WUlSKdacUwat/0dXdsdRn2EsW6O jFRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aN8iJ9QTKzoaVcfEIBSmKo9jpHn6dx9r8v955/vlmrk=; b=ACbAfxBGDSZ6f1FKo4ZsTBJeGDT5QUzzknJ9bfYSmhYvKP+04hQSHozRfEWl5v06Xp fNCTYLWVFhAIrzEsZ+38k1Ws7CrVtfMuN3r73KrdR4jp7fy3zbTnPiBtC7AUS1qkA7ko 9MT3TIf1m6poQ5s+kyKOvnp53PnAdHdS7W5249DGcH218GMp9+5e/N6nBcb0NLEtWz0+ 56Ib2AgvMK6lZWkM7rPjBYHG50vq6uf7FYizY3bV8TdPe4qxC+Wl7QXU0ZxNhOr9UOC7 dHCFLYgMi9MrA++kzmqRuhhfYycXxFRFG+W0+nF4LLkxG3JsbcCpM37zb+jBIHim3aN+ T5wA==
X-Gm-Message-State: AOAM532n6Z7HxysO45DMGqVhTgBFiwMsKdd8U7U3YRyAtWRP2Qx+H7ey k9EQU/vDcI7hmN7uQV8Dij5cNXQqvQWm0HSLqo7HoIsxPqAbgA==
X-Google-Smtp-Source: ABdhPJxvrjflJDHJqQdmFuWv2FHtp0SyP2XN3UxRtgFwMadrzbHf33Nr8zs8lcvH226mufqTA96gIfzPgXTyapBmUbg=
X-Received: by 2002:a25:2186:: with SMTP id h128mr20522386ybh.369.1613842130853; Sat, 20 Feb 2021 09:28:50 -0800 (PST)
MIME-Version: 1.0
References: <1e5f0e825a2580f68c92aa5a1d798090.squirrel@www.rfc-editor.org> <702cf2e8d762ba733becdb5c735f72a9.squirrel@www.rfc-editor.org> <CA+k3eCRAUGoxM=pvHj2p+TUf1iVYfkVMi97oLzVo1rD8CgQzaA@mail.gmail.com>
In-Reply-To: <CA+k3eCRAUGoxM=pvHj2p+TUf1iVYfkVMi97oLzVo1rD8CgQzaA@mail.gmail.com>
From: Travis Spencer <travis@curity.io>
Date: Sat, 20 Feb 2021 18:28:40 +0100
Message-ID: <CAEKOcs23Y1o+O_fj2m16MkFsH4g9X01ADyv7J5cMZeW3D5M2zg@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: rfc-ise@rfc-editor.org, draft-ideskog-assisted-token@ietf.org, oauth <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8ColQpOTTusA3uJZ-TCt8Uy_f8g>
Subject: Re: [OAUTH-WG] Your opinion about draft-ideskog-assisted-token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Feb 2021 17:28:54 -0000

On Fri, Feb 19, 2021 at 10:09 PM Brian Campbell
<bcampbell@pingidentity.com> wrote:
> Publishing an independent stream RFC that runs contrary to the BCP
> coming out of the WG does seem potentially harmful.
>
> On Mon, Feb 15, 2021 at 11:59 AM RFC ISE (Adrian Farrel) <rfc-ise@rfc-editor.org> wrote:
>> I want to be sure that ... there is no perceived harm to existing
>> OAuth work if this goes ahead

It is my understanding that the procedure that an informational RFC
goes through is that if "(a) the IESG recommends that the document
be brought within the IETF and progressed within the IETF context,
but the author declines to do so, or (b) the IESG considers that
the document proposes something that conflicts with, or is actually
inimical [i.e., 'harmful'] to, an established IETF effort, the
document may still be published as an Experimental or Informational
RFC," (RFC 2026, section 4.2.3). RFC 5742 updates this with a
"compatible" description that states in section 3 that the IESG
review of an independent submission may recommend not to publish
the draft because the IESG "concluded that publication could
potentially disrupt the IETF work done in WG <X>". My question is
how could this draft disrupt this working group's work?

Is it because it will be unclear to the market what advice they
should follow when implementing single page applications? That could
be a reason, some may argue, to not publish this document by this
working group. This is not justification, in my opinion, however,
for recommending that it not at least be published outside this
working group. I say this because RFC 7221 says in section 5.3 that
"[e]ngineering for interesting topics often produces competing,
interesting proposals... Although it is far more comfortable to
entertain only one proposal, a working group is free to pursue
more than one. Often this is necessary until a clear preference
develops. Sometimes, multiple versions are formally published,
absent consensus among the alternatives."

RFC 7221 goes on to describe how to deal with competing drafts. We
feel that we have followed those guidelines for the betterment of
all. For instance, we have contributed to the BCP that Brian
mentioned[1], and agree that this is a good set of recommendations.
The results proposed in the BCP are ones that our customers will
hopefully follow when applicable. The combined results in the BCP do
not detract from the usefulness of the assisted token protocol we
have defined, in my opinion. This should not surprise us when we
consider that we "IETF participants devise solutions for the global
Internet that meet the needs of diverse technical and operational
environments," (RFC 7153, section 3). This diversity will require
multiple methods to solve a wide array of problems. This need is
reflected in the enthusiasm of reviewers' comments I have received
since draft 4 was published recently wherein one reviewer states,
that they are "looking forward to see the assisted token endpoint
being implemented by clients and IdPs." I have received similar
comments before as well. This leads me to conclude that it isn't
just me that thinks that this protocol is generally useful.

Furthermore, RFC 7221 also says in section 5.2 that "If a working
group drops a draft, then anyone is permitted to pursue it as an
Individual or Independent Submission." While the working group never
adopted this draft, the implication of the statement is that any I-D
that the working group opted not to take up can also be submitted to
the independent stream. One of the reasons for this non-standard
track, as stated in RFC 4846 section 2, is to describe "Documents
considered by IETF Working Groups but not standardized."

Another is to give place to dissenting views, so they can reach the
broader Internet community when consensus cannot be established
within a working group. If a working group has the possibility to
prevent publication outside of its boundaries (e.g., in the
independent stream), this purpose of an alternative publication
venue cannot be achieved. When I read RFC 4846, I am left
with the view that this is one of the primary purposes of the
independent stream. There it says in section 2:

    Independent Submissions are especially important as checks on
    the IETF processes even though such checks are not the only, or
    even a common, reason for them. That role is compromised if IETF-
    related entities are able to block or deprecate such documents to
    a degree beyond that needed to avoid difficulties with the
    standards process....Independent Submissions have become
    important....[because they include] ....Critiques and discussions
    of alternatives to IETF Standards-Track protocols. The potential
    for such critiques provides an important check on the IETF's
    standards processes and should be seen in that light.

For this reason, I think the OAuth working group should either
accept this document (though I'm not sure I'm willing to yield
control of it any longer) or not hinder its publication outside
the group. If the IESG recommends that it not be published as
an independent publication, I would ask for very clear
explanation of the harm it does to this working group's efforts
beyond "we have a BCP for single page apps."

Another purposes of the independent stream, also stated in RFC
4846 section 2, is for the "publication of vendor-specific
protocols". Even if no other vendor or authorization server adopts
the assisted token flow, it is useful to describe it in an open
manner. This allows for open dialog and is our explicit request
for comments on our work.

A final reason to ratify this document as an RFC (in this working
group or the independent stream) that I'll mention here is for the
sake of interoperability. Our product supports this protocol
already. To help with those seeking to interoperate with it, a
ratified RFC would align with the broader Internet community's best
interests, in my view. The fact that this protocol is already
implemented by at least one vendor aligns with the IETF's credo
that we, as an community, value running code.[2] Our adherence to
this aim is further reflected in our publication of multiple open
source client libraries[3] and explanations of the protocol in
various other Internet forums.[4, 5]

Therefore, I firmly believe that this working group cannot
prevent publication of this I-D in the independent stream. I used
to think that it would be better that it was worked on in this
group, but have accepted the consensus opinion the body voiced at
IETF 101 that they would not accept it. For this reason, we have
submitted it outside of this group and expect that work to conclude
without prevention by this working group. If this expectation is set
by an incorrect understanding of the purpose of the independent
stream, I welcome objective facts from cited RFCs, bylaws, etc.
that will clarify how my view is inaccurate. If it is correct but
this group believes this work should not be published independently
because it would disrupt its own, I welcome a clear and complete
explanation of how.

[1] https://github.com/travisspencer/draft-ietf-oauth-security-topics/commit/ef94ccd0784341e4fedb4c6fdc5afb4fea058cd4
[2] https://tools.ietf.org/html/rfc7282#section-1
[3] https://github.com/curityio?q=assisted
[4] https://www.youtube.com/watch?v=h_wT-58L5ZY
[5] https://zisc.ethz.ch/oauth-security-workshop-2017/

v2.23.0 | Report a Bug | By Email