IETF Logo Mail Archive

Re: [regext] I-D Action: draft-ietf-regext-rdap-openid-15.txt

"Hollenbeck, Scott" <shollenbeck@verisign.com> Tue, 05 July 2022 18:17 UTC

Return-Path: <shollenbeck@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DF27C13C543 for <regext@ietfa.amsl.com>; Tue, 5 Jul 2022 11:17:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZXwceiwzbadq for <regext@ietfa.amsl.com>; Tue, 5 Jul 2022 11:17:15 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DFAEC15AD4A for <regext@ietf.org>; Tue, 5 Jul 2022 11:17:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=53578; q=dns/txt; s=VRSN; t=1657045036; h=from:to:date:message-id:references:in-reply-to: mime-version:subject; bh=TFm4Fekq20s6jUvMor1cE3plMupJQBLI8tlvos2pJaE=; b=b3tyGJ6uWf5mtkl6+7QVcRw8hWbbimSILj8Lq9ufsD6NVR8Mxt/Ctjri kvFAN1tzeXeLSWl29buJwcKcfQDmtO5yx65WHmx+soYuToG1i5xfpHtad Jfy76K+OpmzEiG33zpJM9HNp+i3wUCA9pYdmEObo9nvtIdq6/A5yksXZR 2ydLzJdcj7iv2rKUrBDP0YzKzFWlVs+tqa6Yzp/cAa/PCDUyqBtEZUPTR lxu7F0mMBMWIdgSxUA1f+zmYpC1QVxA3v3ifzsbW3DwU46ehU6bW5KM5B sWuB7+hbYbTEJEi2dJ7tyDaoPzU5QzihKeN4p+UGpDnWvta4/p0en7mCW g==;
IronPort-Data: A9a23:l++ilq1JnlXHjnesifbD5ZRwkn2cJEfYwER7XKvMYLTBsI5bpzIEm GEZXm2APvqLYWCgftgjOYW/8UNX7J+EnIcwQAQ4qSg9HnlHl5HIVI+TRqvS04F+DeWYFR46s J9OAjXkBJppJpMJjk71atANlZT4vE2xbuKU5NTsY0idfic5DnZ74f5fs7Rh2NQw3oDkW1nlV e7a+KUzBnf0g1aYDUpJs8pvmDs31BglkGpF1rCWTakjUG72zxH5PrpGTU2CByKQrr1vIwKPb 72rIIeRpTqFokh3WrtJpZ6gGqECaua60QGm1CIKC/D66vRIjnRaPq0TbJLwZarL4tkgch8YJ Nhl7PSNpQkV0qLkqt0jAhkAHxtFIZYB5oDEHlWuksed9hiTG5fs660G4EAeF7c+o9lRLFEWr 7oGIzcXdlaKi6So2qm9DOJrg6zPLuGyZMVG5SomlGyCS6p3KXzAa/yiCdtwxzc3gsRDG/zTb Mkxdzd1bQ/BbBsJMVASYH47tL712CiuLmEDwL6TjYQJu07o0k9X677gLuPZa8Swa5VFvm/N8 woq+Ey8WHn2Lue38yWE9nKhgurnhSLhHoUIG9WQ7PNljU2P7m0eFBNQUkG0ycRVkWa0QdQGN EoZ6nJ06LMs7gquT8K4VRr+qmSC51gCQcFWVeY97Wlh15bp3upQPUBcJhYpVTDsnJZeqeACv rNRo+7UOA==
IronPort-HdrOrdr: A9a23:lIpIJK9N4I6SA63w5VNuk+AFI+orL9Y04lQ7vn2ZLiYlF/Bw9v re/sjzuiWVtN98Yh8dcLO7V5VoKEm0naKdirNhXotKMjOGhEKYaK9v6of4yyDtFmnU5odmuZ tIQuxbBMfrBVZ3yeT38GCDeeoI8Z2i/LqzjenTi01xSxpnApsM0y5iBh2FHlZNSA5KOJo8GP OnjfZ6mw==
X-IronPort-AV: E=Sophos; i="5.92,247,1650945600"; d="scan'208,217"; a="15699543"
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.24; Tue, 5 Jul 2022 14:17:12 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) by BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) with mapi id 15.01.2375.024; Tue, 5 Jul 2022 14:17:12 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "Rwilhelm@PIR.org" <Rwilhelm@PIR.org>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] [regext] I-D Action: draft-ietf-regext-rdap-openid-15.txt
Thread-Index: AQHYgahQg/QW8FOpeUagzQ7NqKq0la1duVuAgBJZDbA=
Date: Tue, 05 Jul 2022 18:17:12 +0000
Message-ID: <7ca7afff4039420ca54cff618f824898@verisign.com>
References: <165540128008.60709.5285260183313271799@ietfa.amsl.com> <BY5PR10MB4179B2C81239396CEA5C0FEDC9B59@BY5PR10MB4179.namprd10.prod.outlook.com>
In-Reply-To: <BY5PR10MB4179B2C81239396CEA5C0FEDC9B59@BY5PR10MB4179.namprd10.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00AC_01D89079.EB2B84D0"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/TIVJMvNv9ArRkddsL9ssIQvXK2A>
Subject: Re: [regext] I-D Action: draft-ietf-regext-rdap-openid-15.txt
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jul 2022 18:17:19 -0000

Notes below, Rick. Thanks for the feedback.

 

From: Rick Wilhelm <Rwilhelm@PIR.org> 
Sent: Thursday, June 23, 2022 4:07 PM
To: regext@ietf.org; Hollenbeck, Scott <shollenbeck@verisign.com>
Subject: [EXTERNAL] Re: [EXTERNAL] [regext] I-D Action:
draft-ietf-regext-rdap-openid-15.txt

 


Caution: This email originated from outside the organization. Do not click
links or open attachments unless you recognize the sender and know the
content is safe. 

Scott,

 

Thanks for your ongoing work on rdap-openid.  I am, by no measure, an expert
in OpenID, so some (all?) of this feedback may miss the mark.  But perhaps
some will be helpful.  

 

I don't think that any of the below is new to the -15 version.  (The second
item is from -14).  But I'm hoping that this feedback helps to move this
draft forward, as I think that it's an important step for RDAP.

 

These are in the order provided in the doc, not in any order of importance.

 

First some more macro things:

 

Section 3.1.1:  Terminology

 

For this section, which currently focuses on RDAP terminology, I think that
it would be helpful echo something like the terminology section of RFC 8414
(an Informative Reference from 12.2).    Pasting a snippet.

 

   This specification uses the terms "Access Token", "Authorization

   Code", "Authorization Endpoint", "Authorization Grant",

   "Authorization Server", "Client", "Client Authentication", "Client

   Identifier", "Client Secret", "Grant Type", "Protected Resource",

   "Redirection URI", "Refresh Token", "Resource Owner", "Resource

   Server", "Response Type", and "Token Endpoint" defined by OAuth 2.0

   [RFC6749]; the terms "Claim Name", "Claim Value", and "JSON Web Token

   (JWT)" defined by JSON Web Token (JWT) [JWT];

 

(I'll offer that JWT := RFC 7519, already a Normative Reference.)  The
actual text would need a careful edit, I just pasted this.

 

[SAH] OK, good idea. I'll add this and check the term set.

 

Section 4.5:

 

Regarding the text:

 

   Alternatively, an RDAP server MAY implicitly attempt to refresh an

   access token upon receipt of a query if the access token associated

   with an existing session has expired and the corresponding OP

   supports token refresh.  The default RDAP server behavior is

   described in the "implicitTokenRefreshSupported" value that's include

   in the "roidc1_openidcConfiguration" data structure (see

   Section 4.1.3).  If the value of "implicitTokenRefreshSupported" is

   "true", the client MAY either explicitly attempt to refresh the

   session using the "roidc1_session/refresh" query, or it MAY depend on

   the RDAP server to implicitly attempt to refresh the session as

   necessary when an RDAP query is received by the server.  If the value

   of "implicitTokenRefreshSupported" is "false", the client MUST

   explicitly attempt to refresh the session using the "roidc1_session/

   refresh" query to extend an existing session.  If a session cannot be

   extended for any reason, the client MUST establish a new session to

   continue authenticated query processing by submitting a

   "roidc1_session/login" query.  If the OP does not support token

   refresh, the client MUST submit a new "roidc1_session/login" request

   to establish a new session once an access token has expired.

 

If the server has "true" for "implicitTokenRefreshSupported", there doesn't
seem to be a MUST requirement on the server to actually attempt a refresh.
Is that on purpose?  

[SAH] No, I'll add a "MUST".

 

In the last sentence: Is the client required to wait until the access token
has expired before submitting the new login request?  Or can it send logout
and login back-to-back?  (Or even just a login command while currently
logged in?)

[SAH] Let's talk about this. What's appropriate behavior? IF the server gets
a "login" during an active session, it can either ignore the second "login",
or it can return an error. Similarly, it the server gets a "logout" when
there's no active session, it can either ignore the "logout" or return an
error. I'm inclined to return an error to explicitly note that the submitted
query/command wasn't processed as requested.

 

Nit:  This block might be easier to parse if broken into multiple
paragraphs.

[SAH] Will do.

 

Section 10.  Security Considerations:

 

This section defers the security considerations for OIDCC to that
specification.  Section 3.1.2 contains the statement:  "Communication with
the Authorization Endpoint MUST use TLS." Section 5.3 makes a similar
statement related to the UserInfo Endpoint However, due to its publication
date (2014) the document does not appear to have a prohibition on older
versions of TLS.  Perhaps there should be some mention of BCP 195 (RFC 8996)
in this draft?

[SAH] Agreed! Will add.

 

 

Now on to nits/semi-nits:

 

Section 3.1.3.1:  para 3:

 

Regarding: 

An RDAP server MUST support at least one of these

   methods of OP discovery.

 

I think that would be more clear as:

An RDAP server/RP MUST support at least one of these

   methods of OP discovery.

(which would be consistent with para 1 in this section).  The main point is
that we don't want to imply that all RDAP servers need to support this.  You
might choose to clarify by just switching to "RP"?

[SAH] I'll make the change to "RDAP server/RP".

 

 

Section 3.1.3.3:

 

I think that for clarity, it would be helpful to use the word "consent"
somewhere in the first sentence of this section.  This makes for stronger
linkage with 3.1.2 Step 6 and the heading in OIDCC 3.1.2.4.

[SAH] OK, I'll change the first sentence to "After the End-User is
authenticated, the OP MUST obtain consent from the End-User to release
authorization information to the RDAP Server/RP.".

 

 

Section 3.1.3.4:

 

Regarding: 

   After the End-User is authenticated, the OP will send a response to

   the RP that describes the result of the authorization process in the

   form of an Authorization Grant. 

 

The beginning of the sentence seems to focus on authentication (not
authorization) and only on the successful path.  It also uses the term
"Authorization Grant", which is inconsistent with 3.1.2 Step 7 and my
reading of OIDCC 3.1.1.  Suggest clarifying with:

 

   After obtaining an authorization result, the OP will send a response to

  the RP that provides the result of the authorization process using an

  Authorization Code.

[SAH] Agreed, I'll make that change.

 

 

Section 3.1.3.5:

 

Regarding:

 

The RP MUST validate the Token

   Response.  This process is described in Section 3.1.3 of the OpenID

   Connect Core protocol [OIDCC].

 

I think that the reference could be more specific and point to OIDC 3.1.3.5

[SAH] OK.

 

 

Section 3.1.3.6:

 

Regarding:

 

   The set of claims can be retrieved by sending a request to a UserInfo

   Endpoint using the Access Token.  The claims MAY be returned in the

   ID Token. 

 

I think that the structure of the second sentence and the use of the
capitalized "MAY" doesn't quite capture the intent.  My read of OIDCC 5.3
indicates that the UserInfo Endpoint is not required to return UserInfo
Claims (for various reasons), but if they are going to be returned, they are
going to be returned in the ID Token.

 

Perhaps replace the second sentence with:

   The server provides returned claims in the ID Token.

[SAH] Agreed.

 

 

Section 3.1.4:

 

Regarding: 

 

   OpenID Connect claims are pieces of information used to make

   assertions about an entity.  Section 5 of the OpenID Connect Core

   protocol [OIDCC] describes a set of standard claims that can be used

   to identify a person.  

 

My read of OIDCC Section 5 didn't indicate anything about a person.  Suggest
the following edit:

 

   OpenID Connect claims are pieces of information used to make

   assertions about an entity.  Section 5 of the OpenID Connect Core

   protocol [OIDCC] describes a set of standard claims.

 

(Which also happens to align with OIDCC 5.1, almost verbatim.)

[SAH] Agreed.

 

 

Section 3.1.4.1:

 

Regarding: 

 

   There are communities of RDAP users and operators who wish to make

   and validate claims about a user's "need to know" when it comes to

   requesting access to a resource.  For example, a law enforcement

   agent or a trademark attorney may wish to be able to assert that they

   have a legal right to access a protected resource, and a server

   operator will need to be able to receive and validate that claim.

 

Suggest minor edits to avoid needing to support certain statements.  As in:

 

   Communities of RDAP users and operators may wish to make

   and validate claims about a user's "need to know" when it comes to

   requesting access to a resource.  For example, a law enforcement

   agent or a trademark attorney may wish to be able to assert that they

   have a legal right to access a protected resource, and a server

   operator may need to be able to receive and validate that claim.

[SAH] Agreed.

 

 

Section 3.1.4.2:

 

Regarding:

 

   There are also communities of RDAP users and operators who wish to

   make and validate claims about a user's wish to not have their

   queries logged, tracked, or recorded.  For example, a law enforcement

   agent may wish to be able to assert that their queries are part of a

   criminal investigation and should not be tracked due to a risk of

   query exposure compromising the investigation, and a server operator

   will need to be able to receive and validate that claim.

 

As above, suggest minor edits to avoid needing to support certain
statements.  As in:

 

   Communities of RDAP users and operators may wish to

   make and validate claims about a user's wish to not have their

   queries logged, tracked, or recorded.  For example, a law enforcement

   agent may wish to be able to assert that their queries are part of a

   criminal investigation and should not be tracked due to a risk of

   query exposure compromising the investigation, and a server operator

   may need to be able to receive and validate that claim.

[SAH] Agreed.

 

 

Section 4.3.1:

 

Regarding:

 

If this parameter is not present, the server

   MUST proces the query and make an acces control decision based on any

   other information known to the server about the End-User and the

   information they are requesting. 

 

Suggested minor edit to remove the ambiguity of "this parameter" (and fix
two typos)

 

If the "roidc1_qp" parameter is not present, the server

   MUST process the query and make an access control decision based on any

   other information known to the server about the End-User and the

   information they are requesting. 

[SAH] Agreed.

 

 

Section 4.6:

 

Regarding:

 

   The server should also take appropriate steps to ensure that the

   tokens associated with the terminated session cannot be reused.  

 

Suggest an edit to move this "should" to "SHOULD"

[SAH] Agreed.

 

 

Section 4.7:

 

Regarding:

 

Servers MUST reject queries

   that include identification information that is not associated with a

   supported OP by returning an HTTP 501 (Not Implemented) response.  

 

For clarity, suggest adding "RDAP" before "Servers". as in:

 

RDAP servers MUST reject queries

   that include identification information that is not associated with a

   supported OP by returning an HTTP 501 (Not Implemented) response.  

 

(Or if this doesn't refer to the RDAP Server, then something else to
disambiguate.) 

[SAH] Agreed.

 

 

Section 5:

 

Regarding:

 

   ID tokens include an audience parameter that contains the OAuth 2.0

   client_id of the RP as an audience value.

 

>From my read of OIDCC Section 2 ("ID Token"), it appears that this "audience
parameter" refers to an item that is described as a "claim" in that
document.

 

However, later in Section 5, there is a reference to RFC 8693, which in
Section 2.1 describes an "audience parameter".

 

So, I'm not sure which is correct. perhaps something to direct the reader.
(Or maybe they are largely equivalent and my ignorance is on full display!)

[SAH] They're related to each other (8693 describes the request, OIDCC
describes the output), but yes, the ID Token contains a claim so the text
can be clarified. How about this:

 

"ID tokens include an "aud" (audience) claim that contains the OAuth 2.0
client_id of the RP as an audience value. In some operational scenarios
(such as a client that is providing a proxy service), an RP can receive
tokens with an "aud" value that does not include the RP's client_id. These
tokens might not be trusted by the RP, and the RP might refuse to accept the
tokens. This situation can be remedied by having the RP exchange these
tokens with the OP for a set of trusted tokens that reset the "aud" claim."

 

 

Hope these help. 

 

Thanks,

 

Rick

v2.23.0 | Report a Bug | By Email