Re: [OAUTH-WG] WGLC for Step-up Authentication

Pieter Kasselman <pieter.kasselman@microsoft.com> Mon, 10 October 2022 14:52 UTC

From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Date: Mon, 10 Oct 2022 14:51:57 +0000
Message-ID: <DBAPR83MB0422D01D72F7F3D099A5A19F91209@DBAPR83MB0422.EURPRD83.prod.outlook.com>
References: <CADNypP9ypW35=CSJaOfaEqZGDLXGLjnMs4_x5Ue10-yP6BcVoQ@mail.gmail.com> <CADNypP95pWPndeBydEbThrrWrPCVDg2Jmor-68HFGHpqRqFtyA@mail.gmail.com> <DBAPR83MB04227E5BB028F94FD337032A915F9@DBAPR83MB0422.EURPRD83.prod.outlook.com>
In-Reply-To: <DBAPR83MB04227E5BB028F94FD337032A915F9@DBAPR83MB0422.EURPRD83.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Tu8smGESSXNqrct4wuzu4shdAso>

I want to clarify that I don't see any blockers to using the step-up auth proposal from working with fine-grained policies.

The comment and question were more to outline use cases being evaluated and to see whether others are observing this shift as well.

Cheers

Pieter

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Pieter Kasselman
Sent: Friday, October 7, 2022 9:29 PM
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>; oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC for Step-up Authentication

I am very supportive of this work and have been working through different use cases to see whether it can satisfy the requirements that arise from them.

One observation from working through these use cases is that as customers move to Zero Trust architectures, we are seeing customers adopting finer-grained policy segmentation. Consequently, customers are planning to deploy segmented access control by data or action sensitivity within a service. This approach to policy design makes it more common for a single service to depend on multiple authentication context values or combinations of authentication context values.

An example of this is a policy that has multiple acr values (e.g. acr1=password, acr2=FIDO, acr3=selfie check, acr4=trusted network). A customer may define a policy that requires different combinations of these acr values. For example, a file server may require a password for general access (e.g. acr1); FIDO authentication (acr2) or password access and being on a trusted network to read sensitive data (acr2 or (acr1 + acr4)); FIDO authentication and password (acr1 + acr2) for editing sensitive documents; and a real-time selfie check on top of FIDO and presence on a trusted network (acr1 + acr2 + acr3 + acr4) to initiate a sensitive workflow (e.g. check-in code). Other variations of this include database access with different types of access requirements for certain rows (row-level permissions) or columns (column-level permissions) with different combinations of acr values.

I was curious whether this type of scenario, where multiple authentication contexts and combinations of contexts are required, is something others see (or are beginning to see) as well?

Cheers

Pieter
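An added illustration (not code from the thread or from the step-up authentication draft) of how a resource server could evaluate the combination-of-acr policies described above and, when the presented token does not satisfy them, emit the draft's `insufficient_user_authentication` challenge. Assumptions: the acr names acr1..acr4 and the policy table are constructed from the message above; the token's `acr` claim is a single string as in OpenID Connect; and each conjunction of contexts is assumed to be registered at the authorization server under a composite acr identifier (written here as '+'-joined names) so that it can be named in `acr_values`.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed policy per operation, in disjunctive normal form:
# a list of alternatives, each alternative being the set of acr values
# that must ALL be present (acr1=password, acr2=FIDO, acr3=selfie,
# acr4=trusted network, as in the message above).
POLICY: Dict[str, List[FrozenSet[str]]] = {
    "read":           [frozenset({"acr1"})],
    "read_sensitive": [frozenset({"acr2"}), frozenset({"acr1", "acr4"})],
    "edit_sensitive": [frozenset({"acr1", "acr2"})],
    "start_workflow": [frozenset({"acr1", "acr2", "acr3", "acr4"})],
}


def acr_set(token_acr: str) -> FrozenSet[str]:
    """Expand the token's single 'acr' claim into the contexts it attests.
    Assumption: a composite acr registered at the AS is spelled as the
    '+'-joined names of its parts, e.g. "acr1+acr4"."""
    return frozenset(part for part in token_acr.split("+") if part)


def satisfied(operation: str, token_acr: str) -> bool:
    """True if the token's contexts cover at least one alternative."""
    have = acr_set(token_acr)
    return any(need <= have for need in POLICY[operation])


def challenge(operation: str) -> str:
    """WWW-Authenticate value in the shape defined by
    draft-ietf-oauth-step-up-authn-challenge: acr_values is a
    space-separated list of acr values any one of which is acceptable,
    so each alternative is named by its (composite) acr identifier."""
    values = " ".join("+".join(sorted(need)) for need in POLICY[operation])
    return ('Bearer error="insufficient_user_authentication", '
            f'acr_values="{values}"')


def authorize(operation: str, token_acr: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, challenge-header-value-or-None) for one request."""
    if satisfied(operation, token_acr):
        return True, None
    return False, challenge(operation)


if __name__ == "__main__":
    # Password-only token trying to read sensitive data: step-up needed.
    print(authorize("read_sensitive", "acr1"))
    # Composite password+network token: allowed.
    print(authorize("read_sensitive", "acr1+acr4"))
```

Note that a disjunction such as "acr2 or (acr1 + acr4)" maps directly onto the draft's space-separated `acr_values`, whereas a conjunction only fits if the authorization server exposes it as one acr identifier, which is why the composite names are an assumption here.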

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Rifaat Shekh-Yusef
Sent: Thursday, September 22, 2022 3:02 PM
To: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC for Step-up Authentication

Correction:

Please, review the document and provide your feedback on the mailing list by Oct 7th, 2022.

On Thu, Sep 22, 2022 at 9:52 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
All,

This is to start a WG Last Call for the Step-up Authentication document:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-03.html

Please, review the document and provide your feedback on the mailing list by Sep 30th, 2022.

Regards,
 Rifaat & Hannes