Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01

Dave Tonge <dave.tonge@momentumft.co.uk> Thu, 09 July 2020 07:28 UTC

Return-Path: <dave.tonge@moneyhub.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C31B33A083E for <oauth@ietfa.amsl.com>; Thu, 9 Jul 2020 00:28:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.739
X-Spam-Level:
X-Spam-Status: No, score=-1.739 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=momentumft.co.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SQ-oVCk0Lo7g for <oauth@ietfa.amsl.com>; Thu, 9 Jul 2020 00:28:44 -0700 (PDT)
Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7069D3A083F for <oauth@ietf.org>; Thu, 9 Jul 2020 00:28:44 -0700 (PDT)
Received: by mail-oi1-x235.google.com with SMTP id r8so1145205oij.5 for <oauth@ietf.org>; Thu, 09 Jul 2020 00:28:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=momentumft.co.uk; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LS9qBiQUuxIespJzgAQgr9e+9Jy3/r7Mhehumn0yPDQ=; b=NaHn9CGz5icNWU9Mvwcu8wQIqvg2IVkIaf/n9zv2EoRWrSexoVgx5LyJbHw3IFjLGb ZpfM3Ve7KQcSXExwVTiSD7lhd5kC/e2qbncwFeHvTQjN5XUkd607ouzasMvQADlBVds9 U4m3DUsrMwlqmnbq/UqqxncBinsbOScPkHb9M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LS9qBiQUuxIespJzgAQgr9e+9Jy3/r7Mhehumn0yPDQ=; b=L3hOIAM+ZbE7D8Qfxnqk6z3nyXHVh/viJpIEhNfUWNKpACf7I4Bf1/H2C+85SkF4To Fmrm0Q162dyTEJb2JNuz32ie8ZMnBc3pdZ9M/MpclUJypBlG3udeKPduEty9XHA3pEKn xTEJHw87DL3Ro/pTDwCZY8JtglpRmfDdb8X93T0lTRaIxRtKEHWXwgx6yUI8dzlW2kNm qq0IlZYDwb4vhNDKLxI4TjdKhU5LrkgqqJaYrmbGi4p6KfIMPVxfBEuItZ+Bgug8GwGw kMpdvuIeQYtfXjqf67HtvYuFrJt5AXOcWFLKzloRnD57yErgfN6XQJtPrf+sRmFGWyMb w6sw==
X-Gm-Message-State: AOAM532TdKe7IlA/38g1LJ8djR+unXx5M1oLivVaeujRH3pAOwawkaL3 pvBsaKHF6zZK1CY7Ped+WBVEuQwnbvIhq1Ub8JjtVLOWH91mIUd9w+iihVk7B9+pjXQCPH6lyY1 uzEMLoESXmYCO9g==
X-Google-Smtp-Source: ABdhPJwi7fEmbifh2xFNecCxs995Tc92n1LF6GT+bE8PYnADQMfayjYv81dbqbIHMcpMkKb7NXjlOdb5EtGHkeg+9cI=
X-Received: by 2002:aca:4c0d:: with SMTP id z13mr10464468oia.34.1594279723412; Thu, 09 Jul 2020 00:28:43 -0700 (PDT)
MIME-Version: 1.0
References: <65F58D4B-4ECB-49CE-B681-169CBBFDCED9@lodderstedt.net> <C65E3F43-B7C8-42AE-98AE-3C6409892F2D@forgerock.com> <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net>
In-Reply-To: <6F0ACCC8-98F7-46AE-BC45-7444F08C6C6E@lodderstedt.net>
From: Dave Tonge <dave.tonge@momentumft.co.uk>
Date: Thu, 9 Jul 2020 09:28:32 +0200
Message-ID: <CAP-T6TSBiOnSAMHLPtGpNyFz2h2XRRyT8zL-EnNNSrvuhCGXxA@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: oauth <oauth@ietf.org>, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009649a105a9fd2c83"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jiOP5RoL86xxk-oTBXnKmHF5j1c>
Subject: Re: [OAUTH-WG] A few comments on draft-ietf-oauth-rar-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2020 07:28:47 -0000

Hi Neil

>From a conceptual point of view I'm not really sure what RAR changes from
vanilla OAuth?
For example what is the difference between a client redirecting a user to
an AS in order to:
 - grant access to sensitive health data
 - initiate a specific payment
 - grant full read/write access to file storage containing
sensitive commercial data

All of the above could happen with RAR or vanilla OAuth.

Ironically in most jurisdictions, there is more protection for a user if
they are tricked into initiating a payment vs whether they are tricked into
granting access to data. Payments can be refunded, data cannot.

>From my perspective if an AS is granting access to sensitive data,
payments, etc. then it has an obligation to protect its users by not
allowing any random client to to start an authorization flow. In the case
of Open Banking, this obligation is taken care of by national regulators,
but other commercial OAuth deployments often employ some form of vetting of
clients before allowing them to request sensitive data. In addition certain
sensitive actions can always require step-up authentication - this is also
the case in OpenBanking, a payment to a new payee or over a certain amount
will always require multi-factor authentication even if the user has a
valid logged in session.

An AS is always free to implement the 2 step solution that you proposed and
indeed it could be easier to implement with RAR in the manner you
described, but I don't think it should be the prescribed approach.

Dave


On Thu, 9 Jul 2020 at 08:34, Torsten Lodderstedt <torsten=
40lodderstedt.net@dmarc.ietf.org> wrote:

>
>
> > On 8. Jul 2020, at 23:52, Neil Madden <neil.madden@forgerock.com> wrote:
> >
> >>
> >> On 8 Jul 2020, at 20:56, Torsten Lodderstedt <torsten@lodderstedt.net>
> wrote:
> >>
> >>> Am 08.07.2020 um 20:46 schrieb Neil Madden <neil.madden@forgerock.com
> >:
> >>>
> >>> On 8 Jul 2020, at 19:03, Torsten Lodderstedt <torsten@lodderstedt.net>
> wrote:
> >>>>>>
> >>>>>> What in particular should the use consent with in this step?
> >>>>>
> >>>>> “FooPay would like to:
> >>>>> - initiate payments from your account (you will be asked to approve
> each one)”
> >>>>>
> >>>>> The point is that a client that I don’t have any kind of
> relationship with can’t just send me a request to transfer $500 to some
> account.
> >>>>
> >>>> Are we talking about legal consent or a security measures here?
> >>>
> >>> Normal OAuth consent. My phone is my resource, and I am its resource
> owner. If a client wants to send payment requests to my phone (e.g. via
> CIBA backchannel) then it should have to get my permission first. Even
> without backchannel requests, I’d much rather that only the three clients
> I’ve explicitly consented to can ask me to initiate payments rather than
> the hundreds/thousands clients my bank happens to have a relationship with.
> >>
> >> To me it sounds like you would like to require a client to get user
> authorization to send an authorization request. Would you require the same
> if I would use scope values to encode a payment initiation request?
> >
> > Yes. If something is sufficiently high value to require per-transaction
> authorization then initiating transactions itself becomes a privileged
> operation.
>
> The per transaction authorization alone is a significant increase in
> security. What is the added value of requiring an authorization to send a
> per-transaction authorisation request in an additional step?
>
> >
> >>>>
> >>>> In case of open banking the user legally consents to this process at
> the client (TPP) even before the OAuth/Payment Initiation dance starts.
> >>>
> >>> How does the bank (ASPSP) confirm that this actually happened?
> >>
> >> It does not because it is not the responsibility of the ASPSP. The TPP
> is obliged by law to obtain consent.
> >
> > If the TPP can be trusted to obey the law about this, why not also trust
> them to be honest about transactions? Why enforce one thing with access
> tokens but take the other on trust? Especially as the actual transactions
> are more likely to have a rigorous audit trail.
> >
> > If we could trust clients to obtain consent we wouldn’t need OAuth at
> all.
>
> I thought the same initially, but we must distinguish between legal
> consent and strong authentication/transaction authorization in such a case.
> Legal consent can be obtained in various ways including the traditional
> OAuth user consent but also in other places. Authenticating the user
> (probably with 2FA) and getting authorization for a certain transaction
> (the meaning of PSD2 SCA) must be conducted by the AS.
>
> >
> > — Neil
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Dave Tonge
CTO
[image: Moneyhub Enterprise]
<http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Moneyhub Financial Technology is entered on the
Financial Services Register (FRN 809360) at fca.org.uk/register.
Moneyhub Financial
Technology is registered in England & Wales, company registration number
06909772 .
Moneyhub Financial Technology Limited 2018 ©

DISCLAIMER: This email (including any attachments) is subject to copyright,
and the information in it is confidential. Use of this email or of any
information in it other than by the addressee is unauthorised and unlawful.
Whilst reasonable efforts are made to ensure that any attachments are
virus-free, it is the recipient's sole responsibility to scan all
attachments for viruses. All calls and emails to and from this company may
be monitored and recorded for legitimate purposes relating to this
company's business. Any opinions expressed in this email (or in any
attachments) are those of the author and do not necessarily represent the
opinions of Moneyhub Financial Technology Limited or of any other group
company.

-- 


Moneyhub Enterprise is a trading style of Moneyhub Financial Technology 
Limited which is authorised and regulated by the Financial Conduct 
Authority ("FCA"). Moneyhub Financial Technology is entered on the 
Financial Services Register (FRN 809360) at https://register.fca.org.uk/ 
<https://register.fca.org.uk/>. Moneyhub Financial Technology is registered 
in England & Wales, company registration number 06909772. Moneyhub 
Financial Technology Limited 2020 © Moneyhub Enterprise, Regus Building, 
Temple Quay, 1 Friary, Bristol, BS1 6EA. 

DISCLAIMER: This email 
(including any attachments) is subject to copyright, and the information in 
it is confidential. Use of this email or of any information in it other 
than by the addressee is unauthorised and unlawful. Whilst reasonable 
efforts are made to ensure that any attachments are virus-free, it is the 
recipient's sole responsibility to scan all attachments for viruses. All 
calls and emails to and from this company may be monitored and recorded for 
legitimate purposes relating to this company's business. Any opinions 
expressed in this email (or in any attachments) are those of the author and 
do not necessarily represent the opinions of Moneyhub Financial Technology 
Limited or of any other group company.