[OAUTH-WG] Review of https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 23 October 2024 18:32 UTC


Greetings!

I believe I volunteered to review the PIKA draft at IETF 120. The version
reviewed is -01:
https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/

The problem statement is clear and I appreciate the authors leaving a few
questions open in order to gain consensus views on those particular points.

The design choice in section 1 seems appropriate to maintain the same trust
model as HTTPS; it would be confusing to developers to have a different
model used together.

I see mention of OpenID Connect in the MLS proposal, but PKI seems to just
be a JWT independent of the OpenID Connect framework and of any ties to OAuth.
Is that correct? I also see you follow similar requirements to OpenID
Federation.

I do think it makes sense to keep this independent of OAuth, especially
given the container signing aspect with the ability to look up prior
signatures from particular points in time on particular package instances.

In the options in section 5.2, I prefer the use of PIKA signing
certificates & keys instead of using HTTPS certificates.

General: I see the need for this work and like the design in that it is
simple to get the specific functions performed. I am in support of this
draft moving forward in a WG. Are other WGs being considered in addition to
OAuth?

Thank you!
-- 

Best regards,
Kathleen