Re: [OAUTH-WG] WGLC for Step-up Authentication

Vittorio Bertocci <vittorio@auth0.com> Mon, 10 October 2022 18:57 UTC

References: <CADNypP9ypW35=CSJaOfaEqZGDLXGLjnMs4_x5Ue10-yP6BcVoQ@mail.gmail.com> <CADNypP95pWPndeBydEbThrrWrPCVDg2Jmor-68HFGHpqRqFtyA@mail.gmail.com> <DBAPR83MB04227E5BB028F94FD337032A915F9@DBAPR83MB0422.EURPRD83.prod.outlook.com> <DBAPR83MB0422D01D72F7F3D099A5A19F91209@DBAPR83MB0422.EURPRD83.prod.outlook.com>
In-Reply-To: <DBAPR83MB0422D01D72F7F3D099A5A19F91209@DBAPR83MB0422.EURPRD83.prod.outlook.com>
From: Vittorio Bertocci <vittorio@auth0.com>
Date: Mon, 10 Oct 2022 11:56:48 -0700
Message-ID: <CAEFJvao6KZogn4aiwQHZ+8W8FA8aVZOqK0xDzANNZ9=F0T3PRQ@mail.gmail.com>
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
Cc: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/tCf5c7ONsZdN26pqevBMD-Eu5ts>
Subject: Re: [OAUTH-WG] WGLC for Step-up Authentication
List-Id: OAUTH WG <oauth.ietf.org>

Hi Pieter,
thank you for your clarification and support! :)
Cheers
V.

On Mon, Oct 10, 2022 at 7:52 AM Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org> wrote:

> I want to clarify that I don’t see any blockers to the step-up auth
> proposal working with fine-grained policies.
>
>
>
> The comment and question were more to outline use cases being evaluated and
> to see whether others are observing this shift as well.
>
>
>
> Cheers
>
>
>
> Pieter
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Pieter Kasselman
> *Sent:* Friday, October 7, 2022 9:29 PM
> *To:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>; oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] WGLC for Step-up Authentication
>
>
>
> I am very supportive of this work and have been working through different
> use cases to see whether it can satisfy the requirements that arise from
> them.
>
>
>
> One observation from working through these use cases is that as customers
> move to Zero Trust architectures, we are seeing customers adopting finer
> grained policy segmentation. Consequently, customers are planning to deploy
> segmented access control by data or action sensitivity within a service.
> This approach to policy design makes it more common for a single service to
> depend on multiple authentication context values or combinations of
> authentication context values.
>
>
>
> An example of this is a policy that has multiple acr values (e.g.
> acr1=password, acr2=FIDO, acr3=selfie check, acr4=trusted network). A
> customer may define a policy that requires different combinations of these
> acr values. For example, a file server may require a password for general
> access (e.g. acr1); FIDO authentication (acr2), or password access and being
> on a trusted network, to read sensitive data (acr2 or (acr1 + acr4)); FIDO
> authentication and password (acr1 + acr2) for editing sensitive
> documents; and a real-time selfie check on top of FIDO and presence on a
> trusted network (acr1 + acr2 + acr3 + acr4) to initiate a sensitive
> workflow (e.g. check-in code). Other variations of this include database
> access with different types of access requirements for certain rows
> (row-level permissions) or columns (column-level permissions) with
> different combinations of acr values.
>
>
>
> I was curious if this type of scenario where multiple authentication
> contexts and combinations of contexts are required is something others see
> (or are beginning to see) as well?
>
>
>
> Cheers
>
>
>
> Pieter
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Rifaat Shekh-Yusef
> *Sent:* Thursday, September 22, 2022 3:02 PM
> *To:* oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] WGLC for Step-up Authentication
>
>
>
> *Correction:*
>
>
>
> Please, review the document and provide your feedback on the mailing list
> by *Oct 7th, 2022*.
>
>
>
> On Thu, Sep 22, 2022 at 9:52 AM Rifaat Shekh-Yusef <
> rifaat.s.ietf@gmail.com> wrote:
>
> All,
>
>
>
> This is to start a *WG Last Call *for the *Step-up Authentication *
> document:
>
> https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-03.html
>
>
> Please, review the document and provide your feedback on the mailing list
> by *Sep 30th, 2022*.
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
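Added example (not part of the thread, the draft, or any vendor's code): a resource-server-side check for the acr-combination policy Pieter describes, using the challenge shape the step-up draft defines (error code insufficient_user_authentication, with acr_values and max_age as WWW-Authenticate parameters). The labels acr1..acr4, the policy table, the 300-second freshness window and the "+"-joined encoding of a combined context as a single acr string are all assumptions made for illustration; the draft itself does not define how several contexts are combined into one acr value, which is exactly the question the scenario raises.

```python
"""Hypothetical resource-server policy check for the acr-combination
scenario in the thread.  Example code, not from the draft or any product:
the acr labels, policy table, freshness window and the "+"-joined encoding
of a combined context are assumptions for illustration."""
import time

# Factor labels as used in the thread (assumed; real deployments would use
# names or URIs agreed with the authorization server).
PASSWORD, FIDO, SELFIE, TRUSTED_NET = "acr1", "acr2", "acr3", "acr4"

# Policy: per action, a list of alternatives; each alternative is the set
# of contexts that must ALL be present.  Mirrors the file-server example.
POLICY = {
    "read_general":       [{PASSWORD}],
    "read_sensitive":     [{FIDO}, {PASSWORD, TRUSTED_NET}],
    "edit_sensitive":     [{PASSWORD, FIDO}],
    "sensitive_workflow": [{PASSWORD, FIDO, SELFIE, TRUSTED_NET}],
}

# Freshness requirement in seconds for the most sensitive action (assumed).
MAX_AGE = {"sensitive_workflow": 300}


def acr_from_factors(factors):
    """Encode one combination of contexts as one acr string (assumption:
    the AS mints an acr value per combination, e.g. 'acr1+acr4').  Both the
    token's acr claim and acr_values in a challenge carry strings, so every
    acceptable combination has to exist as a distinct acr value."""
    return "+".join(sorted(factors))


def factors_from_acr(acr):
    """Inverse of acr_from_factors; a missing or empty acr yields no factors."""
    return frozenset(p for p in (acr or "").split("+") if p)


def build_challenge(alternatives, max_age=None, description=None):
    """WWW-Authenticate value per the step-up draft: the error code
    insufficient_user_authentication, acr_values as a space-separated list of
    acceptable acr values, and an optional max_age in seconds."""
    params = ['error="insufficient_user_authentication"']
    if description:
        params.append(f'error_description="{description}"')
    if alternatives:
        acrs = " ".join(acr_from_factors(a) for a in alternatives)
        params.append(f'acr_values="{acrs}"')
    if max_age is not None:
        params.append(f"max_age={max_age}")
    return "Bearer " + ", ".join(params)


def authorize(claims, action, now=None):
    """Return (True, None) when the token satisfies the policy for `action`,
    else (False, <WWW-Authenticate value>).  `claims` is the already
    validated payload (signature, iss, aud, exp are checked elsewhere); this
    only evaluates the acr and auth_time claims."""
    now = time.time() if now is None else now
    alternatives = POLICY[action]
    present = factors_from_acr(claims.get("acr"))
    max_age = MAX_AGE.get(action)
    # A token satisfies the action if it carries every context of at least
    # one alternative; extra contexts never hurt.
    if not any(alt <= present for alt in alternatives):
        return False, build_challenge(
            alternatives, max_age, "A different authentication level is required")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        # Fail closed: a missing auth_time is treated as stale.  The acr
        # alternatives are repeated so the re-authentication keeps the level.
        if auth_time is None or now - auth_time > max_age:
            return False, build_challenge(
                alternatives, max_age, "More recent authentication is required")
    return True, None


if __name__ == "__main__":
    # Constructed sample claims: password on a trusted network, 100 s old.
    token = {"sub": "alice", "acr": "acr1+acr4", "auth_time": 1000}
    for action in POLICY:
        ok, challenge = authorize(token, action, now=1100)
        print(action, "->", "allowed" if ok else challenge)
```

The thing to notice is the shape of the challenge for read_sensitive: acr_values="acr2 acr1+acr4" lists one acr string per acceptable combination, so the authorization server must be able to mint (and the client to request) every combination the resource server's policy names. Treating a token's acr as a set of satisfied contexts, as this example does, only works if the AS really encodes all of them in that one claim; if it reports only the strongest factor, the superset check here would wrongly refuse a FIDO-plus-password session for a policy that asks for password alone.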