IETF Logo Mail Archive

[OAUTH-WG] Re: Call for adoption - PIKA

Giuseppe De Marco <demarcog83@gmail.com> Mon, 10 June 2024 22:49 UTC

Return-Path: <demarcog83@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3F96C1519B2 for <oauth@ietfa.amsl.com>; Mon, 10 Jun 2024 15:49:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.855
X-Spam-Level:
X-Spam-Status: No, score=-6.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JRWGiYiiFlNq for <oauth@ietfa.amsl.com>; Mon, 10 Jun 2024 15:49:54 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E182C1840CD for <oauth@ietf.org>; Mon, 10 Jun 2024 15:49:54 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-57c685bfd86so3471034a12.2 for <oauth@ietf.org>; Mon, 10 Jun 2024 15:49:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1718059793; x=1718664593; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7ABBjdviEqvUlr/VbFYk4My4YNvHJnc3D8rynAr2To0=; b=FDHRhSQ52bXZ2+dKgKAtARtFVowVp630LtYhoF2e2UBd7/pIzGv1h9R8HOnG7UnCxr LKkrHLwxnJioi/4JrLAHYawif9ZaZB2UlV5Cak6cgo8r2E0DZ6LLrPSCkOOdARioLeWx 8flIqwc2sMMpcuU6taFYykyMefZjMdvESW57X3nnUKIOEK/2P/j7BkZOPMz66xDnY8q4 QsOiO7DOY2uJNYPe2zhhMFjXPHLNQO5QW8qy1Zx8kqFV6UWelZ91LoRZwzGJ2r91cT1o 2QDFzVP6iYZGJUzO3RF+Z9FGH4imyT1uSfSOVZPUpHxNVEW/K8qgg+qp4F6EygOgPuzy 5pZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718059793; x=1718664593; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7ABBjdviEqvUlr/VbFYk4My4YNvHJnc3D8rynAr2To0=; b=YDeSPh4unbygytkR8veMf1f6WN3HDH4Z+1bOnEZYBofdXHs1MY6PDzp9MOR5GQ1qF7 uttg7oaBIZb6jlo9KUsaLXhOl3bxP/yDSPY/p+jBdRsh7PrKApgCCFh5lMDTBSoORMQF +aJLm4f6TeYfpcChxEuRxBBWiOKfl5w0uxU2o8VnoJQk9XDhI8ryS3MJ+/ClutEO43bc gU2L4Y5P1d80IK5ARdftB0niMaTGpyg1BazXX4gGyMm+1SHOXNzt4Rkk6LwYpUDqVWbp sy+t58FU8LTK3TQfzTsNMl/ExIlB9Gl9mKgdzBsvRcN8soTTkU/S9oIu2Kj6Y7MZZZ3T FbMg==
X-Gm-Message-State: AOJu0YwBV58Rh20GCYWA0k6EWaGnDkOKJbavShqJDumsxhozAHXAK6Sw Bz5BSPgpwUM2RpjBFYMvuCZoL0Y3C46ISqEowNp4hLXEH0x6TpY5AxKKd36T1i6OuB1BXh7jkBv H2f+VzFhugQ3jFv7yz1WZqTkqOcY=
X-Google-Smtp-Source: AGHT+IGyf+79M27wskYfEgQw/ZOEZRCRVVLltbUBVUZL/3NxEBhFYXOLjjtfmRVzyj3sXyFm6MuLmd9e0rI9fMQEksQ=
X-Received: by 2002:a50:d69a:0:b0:57c:7063:2ad2 with SMTP id 4fb4d7f45d1cf-57c70632bd9mr4793207a12.12.1718059792655; Mon, 10 Jun 2024 15:49:52 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9GmF4vp1uzLXK0YYZAHUDjK7RHbhEb4MCXkB7N3Oq4+w@mail.gmail.com>
In-Reply-To: <CADNypP9GmF4vp1uzLXK0YYZAHUDjK7RHbhEb4MCXkB7N3Oq4+w@mail.gmail.com>
From: Giuseppe De Marco <demarcog83@gmail.com>
Date: Tue, 11 Jun 2024 00:49:41 +0200
Message-ID: <CAP_qYykW=+e3Dc_ARFRrt077Tg_4BzPjdOcaXO5paTLfVpcDsA@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000a4ebe0061a90f700"
Message-ID-Hash: 3D7QR3XSOPN5VKPR7Z4SAPHIVYKQJ2DT
X-Message-ID-Hash: 3D7QR3XSOPN5VKPR7Z4SAPHIVYKQJ2DT
X-MailFrom: demarcog83@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - PIKA
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cNWwFhuhvQlI1kMcq0Q6DiNaG7k>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi,

I appreciate the introduction of PIKA, which demonstrates a commitment to
addressing current challenges. However, I have identified some key areas of
concern that need attention:

1. The current documentation lacks clarity regarding the number and scope
of cryptographic keys, particularly in terms of their intended use across
different protocols. Given that an issuer can serve multiple roles, such as
an authorization server, a credential issuer, or a relying party issuing
signed request objects, it is important to consider the benefits of using
distinct, specialized keys for different protocols and roles and how PIKA
would propose a model to achieve this.

2. We already have a mechanism to bring multiple public keys, for multiple
scopes/protocols, in a chain of signed JWT. This is OpenID Federation which
doesn't depend to X.509 but at the same time is able to distribute also
X.509 certificates using the `x5c` claim within the jwk claims and for
legacy applications. I believe that this last point is important, since I
see X.509 as a requirement only for legacy applications. I would not design
a new infrastructure using X.509 as a foundamental requirement for a trust
framework.

3. I kindly suggest to clarify which is the meaning/intention of the term
trust, from which kind of perspective PIKA aims to approach the mechanisms
of the trust evaluations and for which trust topology (federative, end to
end, hybrid ...), the roles of the trust authorities or trusted third
parties and so on.

4. I read that PIKA reuses the same requirements of openid federation.
Probably this needs more clarifications. OpenID Federation provides a
mechanism to establish the trust to a subject and obtain its public keys
and not only this, since it allow a secure interoperability through a
secure metadata exchange and also the distribution of compliance assertions
called trust marks.

5. The trust model proposed in PIKA relies fundamentally on a WWW CA
(Certificate Authority) for purposes beyond its original design.
Specifically, assessing compliance with shared rules, such as a trust
framework or national regulations, falls outside the scope of WWW X.509
CAs. Consequently, using this type of binding to establish a higher level
of trust may not be appropriate. The use of the term "trust" in this
context could potentially be misleading. It would be beneficial to
reconsider the terminology and mechanisms used to better align with the
intended functions and limitations of the technologies employed.

therefore,

I would therefore suggest defining the terms trust and trust model, and the
purposes of the specification in relation to these.
Then list the problems that this specification intends to solve and the
requirements identified by it.

If it is trust and the mechanisms for validating trust in relation to
common elements or properties between different entities (and mutual
recognition) we could start working on common elements already well
established in openid federation and that they could be further explored
with your contribution and requirements.

>From my side, I find the use of openid federation as a broad-based solution
evident. Today I am having a positive conversation with other authors about
the birth of two new drafts dedicated to openid federation and I believe
that this is a good time to join forces to build something together with
strong harmonizations, not just some endpoint picking.

>From my perspective Iam probably more interested in understand what
obstacles you have found in using federation and what additional features
or endpoints you intend to use to satisfy your requirements that, in fact,
I would mark with greater determination within the draft.

Even If I read it with pleasure and curiosity, appreciating the work and
the effort spent of it, I look forward to receiving more information here
in this thread from the pika's authors.
Currently, I am hesitant to support this specification as it requires
additional time and comparative analysis before I can evaluate it
positively.

Thank you for sharing and for the work made todate
Giuseppe

Il giorno lun 10 giu 2024 alle ore 13:48 Rifaat Shekh-Yusef <
rifaat.s.ietf@gmail.com> ha scritto:

> All,
>
> This is an official call for adoption for the *Proof of Issuer Key
> Authority (PIKA)* draft:
> https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/
>
> Please, reply *on the mailing list* and let us know if you are in favor
> or against adopting this draft as WG document, by *June 24th*.
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>

v2.37.1 | Report a Bug | By Email | System Status