IETF Logo Mail Archive

Re: [regext] I-D Action: draft-ietf-regext-rdap-openid-18.txt

Mario Loffredo <mario.loffredo@iit.cnr.it> Wed, 19 October 2022 09:16 UTC

Return-Path: <mario.loffredo@iit.cnr.it>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2861CC14CE37 for <regext@ietfa.amsl.com>; Wed, 19 Oct 2022 02:16:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JprnxxxBv5hJ for <regext@ietfa.amsl.com>; Wed, 19 Oct 2022 02:16:34 -0700 (PDT)
Received: from smtp.iit.cnr.it (mx4.iit.cnr.it [146.48.58.11]) by ietfa.amsl.com (Postfix) with ESMTP id 4A310C14CE3E for <regext@ietf.org>; Wed, 19 Oct 2022 02:16:27 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.iit.cnr.it (Postfix) with ESMTP id 6958AB80BB6; Wed, 19 Oct 2022 11:16:25 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mx4.iit.cnr.it
Received: from smtp.iit.cnr.it ([127.0.0.1]) by localhost (mx4.iit.cnr.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U-SYtXeZ6hTd; Wed, 19 Oct 2022 11:16:22 +0200 (CEST)
Received: from [192.168.16.66] (sa.nic.it [192.12.193.247]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by smtp.iit.cnr.it (Postfix) with ESMTPSA id 216C6B80AE0; Wed, 19 Oct 2022 11:16:22 +0200 (CEST)
Content-Type: multipart/alternative; boundary="------------olKmSuA5ylv71oNUTHh4r6O0"
Message-ID: <17e912c8-fd69-1fef-5825-b37eac226af2@iit.cnr.it>
Date: Wed, 19 Oct 2022 11:13:28 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.3.3
To: Pawel Kowalik <kowalik@denic.de>, regext@ietf.org, "Hollenbeck, Scott" <shollenbeck=40verisign.com@dmarc.ietf.org>
References: <166601174018.24122.2194661681253850980@ietfa.amsl.com> <d5943e3bac624018872f50fd52b51ec1@verisign.com> <c6ccba8c-204d-ecf3-3675-f6998db83e9f@denic.de>
From: Mario Loffredo <mario.loffredo@iit.cnr.it>
In-Reply-To: <c6ccba8c-204d-ecf3-3675-f6998db83e9f@denic.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/MTqcDobOmE1ChIMrxII6oHooP-0>
Subject: Re: [regext] I-D Action: draft-ietf-regext-rdap-openid-18.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2022 09:16:38 -0000

Il 18/10/2022 09:27, Pawel Kowalik ha scritto:
> Am 17.10.22 um 15:32 schrieb Hollenbeck, Scott:
>
>>> [SAH] This update addresses most of the feedback received during the 
>>> recent WG last call. There are still a few open issues for which I'm 
>>> hoping to see WG discussion:
> Thank you Scott.
>>> 1. How do we address web service clients?
>
> [PK] I think the elements we need for web service clients were already 
> elaborated in the discussion over the version 17.
> I'm happy to support with text proposal if needed.
>
>
> One additional point that appeared in the side discussion is whether 
> such client shall be able to request additional claims from the OP.
> Currently the specification only allows RDAP server to request claims 
> which leaves the web client without such possibility, which in turn 
> may end up in a broken experience.
> The proposal here is to add a "scope" query parameter to the /login 
> path which RDAP server may use to request additional claims from the 
> OP on behalf of the client.
>
>>>
>>> 2. Are there any security concerns associated with return of the 
>>> "userID", "iss", and "userClaims" members of the "farv1_session" 
>>> data structure?
>
> [PK] The specification does not foresee any (even optional) 
> authentication of the client application. In this sense each client 
> has to be treated as a public client.
> There is a risk of malicious client obtaining access to those PII data 
> because all the user sees in the consent step is RDAP requesting data 
> to the OP.
> Device flow is in this sense more vulnerable to phishing attacks to 
> obtain PII and also access to RDAP data as such.
> A countermeasure could be the RDAP server offering an own 
> consent/confirmation screen displaying some identifiable information 
> about the client requesting access.

[ML] Sounds unusual to me that an RP asks the end-user for the consent 
for using claims on behalf of another application.

An RP should ask the user for that consent with respect to a precise 
purpose.

In addition, according to what is written about PII in the "Privacy 
Considerations" section of OIDCC, "only necessary UserInfo data should 
be stored at the Client and the Client SHOULD associate the received 
data with the purpose of use statement." (please note that "Client" 
means the RP here)

That said, it seems to me that we are talikng about two different 
purposes for two different applications.

In the proposed OpendID implementation, the RDAP server is the RP and 
its purpose is to make access control decisions based on client identity 
while the RDAP client purpose might be to improve the UX.

Therefore, IMO, an RDAP client other than a browser should be a 
registered application that at login could ask the user for using some 
claims for its own purpose.

As a consequence, the RDAP server shouldn't provide the client with the 
user claims or, alternatively, should return only those claims that 
don't correspond to PII.

>
>>> 3. Anything else I might have inadvertently missed.

[ML] In the following sentence of section 3.1.3.6, I would clarify who 
the word "server" refers to:

The server provides returned claims in the ID Token.

Given that the RDAP server no longer returns the ID Token since version 
-10, guess it refers to the AS. Correct ?

Best,

Mario

>
> [PK] "userClaim" is marked OPTIONAL in 4.1.1 whereas the following 
> chapters indicate it is mandatory most of the times:
>
> 4.2.3.  Login Response
> 4.4.  Session Status
> 4.5.  Session Refresh
>
> I suggested to change:
> ...response MUST include a "farv1_session" data structure that 
> includes a "userClaims" object and a "sessionInfo" object.
>
> to
>
> ..response MUST include a "farv1_session" data structure that includes 
> a "sessionInfo" object and an optional "userClaims" object.
>
>
> Kind Regards,
>
> Pawel
>
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext

-- 
Dr. Mario Loffredo
Technological Unit “Digital Innovation”
Institute of Informatics and Telematics (IIT)
National Research Council (CNR)
via G. Moruzzi 1, I-56124 PISA, Italy
Phone: +39.0503153497
Web:http://www.iit.cnr.it/mario.loffredo

v2.23.0 | Report a Bug | By Email