Re: [OAUTH-WG] Httpdir telechat review of draft-ietf-oauth-step-up-authn-challenge-13
Mark Nottingham <mnot@mnot.net> Wed, 05 April 2023 23:44 UTC
From: Mark Nottingham <mnot@mnot.net>
Message-Id: <4937AF57-7AA1-45A0-8953-61E5F4393160@mnot.net>
Date: Thu, 06 Apr 2023 09:44:24 +1000
In-Reply-To: <CA+k3eCTz=HTkrSUtT7Ajm1MM7=b3C40wOj6wvQViBSc=9NTnPQ@mail.gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, draft-ietf-oauth-step-up-authn-challenge.all@ietf.org, Last Call <last-call@ietf.org>, oauth@ietf.org
To: Brian Campbell <bcampbell@pingidentity.com>
References: <168067189092.39779.15720008876679882297@ietfa.amsl.com> <CA+k3eCTPwx5D26+a7Ny1ShOGctpCGLOuq4b+ZKeYbRN1y0PT3Q@mail.gmail.com> <CA+k3eCTz=HTkrSUtT7Ajm1MM7=b3C40wOj6wvQViBSc=9NTnPQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9Ki6elIUlsXkbW_FIYwYncBWrwA>
Subject: Re: [OAUTH-WG] Httpdir telechat review of draft-ietf-oauth-step-up-authn-challenge-13
Thanks -- that looks good.

Cheers,

> On 6 Apr 2023, at 5:31 am, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
> And that PR is here https://github.com/oauth-wg/oauth-step-up-authn-challenge/pull/3/files
>
> > On Wed, Apr 5, 2023 at 10:59 AM Brian Campbell <bcampbell@pingidentity.com> wrote:
> >
> > Thank you for the review, Mark. I've replied inline below with some context or explanation as best I can. And I'll put together a PR with corresponding changes/clarifications.
> >
> > > On Tue, Apr 4, 2023 at 11:18 PM Mark Nottingham via Datatracker <noreply@ietf.org> wrote:
> > >
> > > Reviewer: Mark Nottingham
> > > Review result: Not Ready
> > >
> > > # HTTPDIR review of draft-ietf-oauth-step-up-authn-challenge-13
> > >
> > > I am an assigned HTTP directorate reviewer for draft-ietf-masque-connect-ip. These comments were written primarily for the benefit of the ART Area Directors. Document editors and shepherd(s) should treat these comments just like they would treat comments from any other IETF contributors and resolve them along with any other Last Call comments that have been received. For more details on the HTTP Directorate, see https://datatracker.ietf.org/group/intdir/about/.
> > >
> > > I've entered a 'not ready' position because of the first issue below; the remaining are relatively easy to address.
> > >
> > > ## Comments
> > >
> > > ### Global HTTP Authentication Parameters
> > >
> > > This draft seems to modify the HTTP authentication mechanism globally, regardless of the scheme in use. For example:
> > >
> > > "This specification introduces a new error code value for the error parameter of [RFC6750] or authentication schemes, such as [I-D.ietf-oauth-dpop], which use the error parameter"
> > >
> > > [...]
> > >
> > > "Furthermore, this specification defines additional WWW-Authenticate auth-param values to convey the authentication requirements back to the client."
> > >
> > > [...]
> > >
> > > "A client receiving an authorization error from the resource server carrying the error code insufficient_user_authentication SHOULD parse the WWW-Authenticate header for acr_values and max_age and use them, if present, in constructing an authorization request"
> > >
> > > If that is the intent, you need to update RFC9110 (which is likely to be contentious); otherwise, you need to scope it in such a way that authentication schemes 'opt into' their use.
> >
> > The intent is definitely not to globally modify the HTTP authentication mechanism. Rather, the intent is to provide a new error code and two new parameters for the "Bearer" authentication scheme challenge from RFC6750 (and other OAuth schemes like "DPoP" that use the RFC6750 challenge params).
> >
> > > ### Header Definition
> > >
> > > "This document also introduces acr_values and max_age parameters for the WWW-Authenticate response header defined by [RFC6750]"
> > >
> > > RFC6750 does not define WWW-Authenticate; RFC9110 does.
> >
> > Yeah, that was sloppy language. Apologies. The parameters are introduced for the Bearer authentication scheme challenge defined by [RFC6750], not the WWW-Authenticate response header in general.
> >
> > > ## Nits
> > >
> > > I found the terminology in this draft confused, and confusing. E.g.,
> > >
> > > * Use of the term 'resource server' throughout is very jarring -- on the Web, it's just a 'resource'. The 'server' is responsible for the resource; if you mean the server, say 'server'; if you mean the resource, say 'resource'. Don't combine them.
> > >
> > > * Likewise, 'resource request' is redundant; every request is for a resource. Just say 'request'.
> > >
> > > * Similarly, the diagram on page 4 shows a 'resource server' returning a 'protected resource'. Resources are never transferred over the network; they send representations in responses -- one of those terms should be used.
> >
> > As Aaron mentioned in his reply to this thread, these terms are defined in RFC6749 and used throughout the OAuth family of specs, providing useful context and disambiguation for OAuth roles and functionality, etc. I agree with Aaron about adding a terminology paragraph to the draft to make it more explicit.

--
Mark Nottingham   https://www.mnot.net/
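The scoping point the thread settles on, as an added example (not code from the draft, the working group, or either correspondent): a client-side parser that reads the step-up challenge only from a Bearer-style scheme, so the new error code and the acr_values/max_age auth-params are never interpreted on a Basic or Digest challenge. The set of opt-in schemes (Bearer and DPoP) is an assumption drawn from Brian's wording, and the challenge strings in the test are constructed samples.

```python
import re

# Schemes that reuse the RFC 6750 challenge params and so carry the new error code and
# auth-params; this set is an assumption of the example, taken from the thread's wording.
STEP_UP_SCHEMES = {"bearer", "dpop"}
STEP_UP_ERROR = "insufficient_user_authentication"

_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
# One item of a WWW-Authenticate value: an auth-param (name = token | quoted-string),
# or a bare token, which names the scheme of a new challenge.
_ITEM = re.compile(
    r"\s*,?\s*(?:(" + _TOKEN + r")\s*=\s*(?:" + _QUOTED + "|(" + _TOKEN + "))|(" + _TOKEN + "))"
)

def parse_challenges(header):
    """Split a WWW-Authenticate field value into [(scheme, {param: value}), ...]."""
    challenges, pos, header = [], 0, header.strip()
    while pos < len(header):
        m = _ITEM.match(header, pos)
        if not m:
            raise ValueError(f"malformed WWW-Authenticate at offset {pos}")
        name, quoted, token, scheme = m.groups()
        if scheme is not None:
            challenges.append((scheme.lower(), {}))
        elif not challenges:
            raise ValueError("auth-param before any scheme")
        else:  # unescape quoted-pairs in quoted-string values
            value = token if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
            challenges[-1][1][name.lower()] = value
        pos = m.end()
    return challenges

def step_up_requirements(header):
    """Return the acr_values/max_age the client should carry into its authorization
    request, or None when no Bearer/DPoP challenge signals insufficient_user_authentication."""
    for scheme, params in parse_challenges(header):
        # Scoping from the thread: these params are only defined for Bearer-style
        # challenges, so a Basic or Digest challenge carrying them is ignored.
        if scheme not in STEP_UP_SCHEMES or params.get("error") != STEP_UP_ERROR:
            continue
        wanted = {}
        if "acr_values" in params:
            wanted["acr_values"] = params["acr_values"]
        if "max_age" in params:
            wanted["max_age"] = int(params["max_age"])  # ValueError on a malformed value
        return wanted
    return None
```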