IETF Logo Mail Archive

Re: [regext] Federated Authentication for Machine-to-Machine Interactions in RDAP

"Hollenbeck, Scott" <shollenbeck@verisign.com> Tue, 09 August 2022 14:43 UTC

Return-Path: <shollenbeck@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 081D5C13CCED for <regext@ietfa.amsl.com>; Tue, 9 Aug 2022 07:43:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DluJSFsjZCYP for <regext@ietfa.amsl.com>; Tue, 9 Aug 2022 07:43:10 -0700 (PDT)
Received: from mail1.verisign.com (mail1.verisign.com [72.13.63.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CD2DC13CCEF for <regext@ietf.org>; Tue, 9 Aug 2022 07:43:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=4374; q=dns/txt; s=VRSN; t=1660056190; h=from:to:cc:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=EfCifi/U3uNsbLxJhT7BuD46D5Hbb1Knb1C7ZSY5gnM=; b=P4z8CK5Y24Hws4Ltbz3aXkkIZM6cnSZOgVvCcpZHHE/LnOK6i8RoFmKy WLWWNM1OEmXHel9KXhRGS/h768ZKoScwOww0yReCTlxT1/h7iqMJrnwsr Y/suiKRSXT58XxBaGVXC4jzJrXvDKIAGD0AUlTujVcgIRsERwPds6q7pw SruuRlGGWRJulMyQcot9j2HueUJk66rvq/YIF6fJLEW14xPUG3IvrlheU Iti+X6ugIA6mkD1heSnVxEa/zancfhD/JuYa6IwEmIheZEai/PMyGOa7o 1z+PFQsNfQSNGKmLvgg46/XFzUDQCektTo5VGUP7Xm54mk8L7KFX70eyj w==;
IronPort-Data: A9a23:aNwgw6B+PxiDZBVW/3Tiw5YqxClBgxIJ4kV8jS/XYbTApDwi0TcBy zFNUGvXPv+LYjD2eNh+at60phgHu5XUyocyTANkpHpgcSlH+JHPbTi7wuUcHAvJd5GeExg3h yk6QoOdRCzhZiaE/n9BClVlxJVF/fngqoDUUYYoAQgsA14/IMsdoUg7wbRh0tY52YHR7z6l4 rseneWOYDdJ5BYpagr424rbwP+4lK2v0N+wlgVWicFj5DcypVFMZH4sDfjZw0/Df2VhNrXSq 9Drl+jlozyDr3/BPfv++lrzWhVirrf6Y1DS2iIOM0SoqkAqSicais7XOBeAAKv+Zvrgc91Zk b1wWZKMpQgBD6DXs+4QDxJkMnt1PbJZ9LP5cGO9mJnGp6HGWyOEL/RGJnsQZLI+19YvWCdQ/ vsCMHYEYladnfmwhrm8T4GAhOx6dI+yY9hZ4yw7i22JZRolacmrr6Hi/t9f2DM9gMpDFvX2e ccDaCFuYxKGaBpKUrsSIMthzb342CekG9FegF6pp60suzny9VQv9p3tEveMVd6Fb+wAyy50o UqDpQwVGCoyPdqT2BKF4mjqm/SntSbyQoMVUrm/+PBwjVGU7m0SFFsdU0H9oOXRolSzVN9PN 2QV9zYg668o+ySWosLVVQe++WGCsw5EAp9LDfd87QCWj6DTpQyDADFCUCRabpots8peqSEW6 2JlVujBXVRH2IB5g1rDnltIhVte4RQoEFI=
IronPort-HdrOrdr: A9a23:xS1zX6FabjzYCwLWpLqEyseALOsnbusQ8zAXPhhKOHhomszxra yTdYcgpHjJYVEqKQsdcLG7SdK9qBznlaKdjbN6AV7mZniChILKFvAe0WKB+UyCJ8SWzIc0vp uIMZIOauEYZmIUsS+O2miF+qEbruVvnprEuQ6U9QYKcegjUdAY0+5WMHfiLnFL
X-IronPort-AV: E=Sophos;i="5.93,224,1654560000"; d="scan'208";a="17928663"
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.28; Tue, 9 Aug 2022 10:42:51 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) by BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) with mapi id 15.01.2375.028; Tue, 9 Aug 2022 10:42:51 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "andy@hxr.us" <andy@hxr.us>, "mario.loffredo@iit.cnr.it" <mario.loffredo@iit.cnr.it>
CC: "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] Federated Authentication for Machine-to-Machine Interactions in RDAP
Thread-Index: Adih5DMCEp6v43VfSnSxcjRQLNyVKQBf6WsAAKjSSYABfaw2sA==
Date: Tue, 09 Aug 2022 14:42:50 +0000
Message-ID: <abfff65eb62b4b8caa4098db0db6986d@verisign.com>
References: <5a9b171385c5492e8d64492aa8cf6092@verisign.com> <55f36ead-3377-5ba4-9846-932656434668@iit.cnr.it> <CAAQiQRe7dDgekAU=5jE_hOTsFU6DX6yO+Kyu2rd7g6aUxKqxUQ@mail.gmail.com>
In-Reply-To: <CAAQiQRe7dDgekAU=5jE_hOTsFU6DX6yO+Kyu2rd7g6aUxKqxUQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/gN2_mXGbmvYsbKsefdenCar-RNc>
Subject: Re: [regext] Federated Authentication for Machine-to-Machine Interactions in RDAP
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2022 14:43:15 -0000

> -----Original Message-----
> From: Andrew Newton <andy@hxr.us>
> Sent: Monday, August 1, 2022 4:31 PM
> To: Mario Loffredo <mario.loffredo@iit.cnr.it>
> Cc: Hollenbeck, Scott <shollenbeck@verisign.com>; regext@ietf.org
> Subject: [EXTERNAL] Re: [regext] Federated Authentication for Machine-to-
> Machine Interactions in RDAP
>
> Caution: This email originated from outside the organization. Do not click links
> or open attachments unless you recognize the sender and know the content
> is safe.
>
> On Fri, Jul 29, 2022 at 7:59 AM Mario Loffredo <mario.loffredo@iit.cnr.it>
> wrote:
> >
> >
> > The authentication flows explored so far fit well the use cases where
> > a human occasionally submits a request. The case of authenticated
> > software agents submitting a lot of requests routinely doesn't find a
> > practical solution in this draft. I would like to remind everyone that
> > EU Parliament and EU Council has recently reached an agreement on core
> > elements of the e-Evidence proposal. Therefore, I guess that soon we
> > will have to figure out how to provide regular authenticated access to
> > registration data to categories of users legitimated for their
> > purposes such as authorities and cybercrime agencies.
> >
> > That being said, I see two big drawbacks in using the Client
> > Credential flow, at least as is:
> >
> > - Client Credential flow is for trusted clients. Clients need to be
> > registered by the OP before submitting a request for an access token.
> > But, RDAP clients are generally untrusted and I don't consider
> > scalable a solution where several RDAP clients are required to
> > register by many OPs including the local ones. In the approach
> > described in this draft, the trusted client is the RDAP server.
> >
> > - Roles and access grants are generally assigned to users not to
> > clients. In addition, think there would be a potential risk of
> > providing access to illegitimate users via legitimate clients.
> >
> > The Resource Owner Password Credential Flow would have fiited better
> > but it has been rightly deprecated by OAuth. I'm afraid that a usage
> > of CC Flow in a manner similar to the ROPC flow wouldn't be welcome by
> > security experts.
> >
> > I would suggest to explore another approach where a third-party
> > authority interconnects clients and servers that are mutually authenticated.
>
> As long as one method is not to the exclusion of the others, I think we should
> consider both types of use cases.
>
> I agree that there are internet-wide scalability issues in an OP handing out
> credentials to specific clients.
> Yet, we have that today. LACNIC rate limits anonymous RDAP queries, and
> those rate limits may be exceeded if a client uses a LACNIC authorized
> credential.

[SAH] So does it make sense to add support for the "Client Credentials Grant" in the draft? I agree that there are some risks to consider, but we can document those to the best of our ability. Mario, what exactly do you have in mind when you say, "another approach where a third-party authority interconnects clients and servers that are mutually authenticated"?

Scott

v2.23.0 | Report a Bug | By Email