IETF Logo Mail Archive

Re: [Txauth] Call for charter consensus - TxAuth WG

Mike Jones <Michael.Jones@microsoft.com> Thu, 19 March 2020 18:28 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C50213A0CC7 for <txauth@ietfa.amsl.com>; Thu, 19 Mar 2020 11:28:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sSVl3Oa75TCM for <txauth@ietfa.amsl.com>; Thu, 19 Mar 2020 11:28:20 -0700 (PDT)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640125.outbound.protection.outlook.com [40.107.64.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9935B3A0CC4 for <txauth@ietf.org>; Thu, 19 Mar 2020 11:28:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AUH9DtGzxw6QV/iH8rUGQCEWwTkacXgzYqeWEE3mX6P+CWuXKu3VpzmbW1gDOa8i0GkDfe3I50S5OFHyFoAdhFTIP/pvHbX5Y/vjWT4q3UCKPDPjetrxBLCYG9pOQgp4ba2eEsj8qWOQ93hdqrZ3JLIGASCRlqjaUdxbZfjIqu1dxG18RVGOh74etWJjBS22T/aQF90CideUiNHLXyHnWy+dslhQWXwUAJihOuFzDARZ5PyOd6nBoFpPOR+Jsy9LBSxejf0agt6KUPbO1syIFMR+lBnfS9MzirsN2EaGFCtTY1AewNh+helCwAseNuGYLsUDA/AxMadKDioIpdRQyg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=n4QoFE1AeQKSzMItRfzZaHdVpuoKbJSQPgnIUzkWwU0=; b=Rxb/je0NwuwbGMCrvfmKYqv5K/5EHSmcGrPqQezvSLagRmTtLyLXEh1mM7zoGhDhYAVTpc+dNV/LGO19IyLGIXJJQ4Tut8pEdGScmZmJQjZWqqNl7tyMiTn6nmaIWH+4OOS8cv218mixqqHYRdnHmtbRoT/lXJlZC+q36eu2Sw3a6hOmU5YFmS+dDZqMbuYmnIOI2VVSIogu7p9i4o+DkxiaEIJboCrVkOo0LH1EWpi2ZggiMwqXtaPP9uTs10i03ijAq+oAYNoUZEEmIG3opB9AbhviP9KPfNu1QbHoAJp/eMrWXGTh+2s3ssgP+cqznkgmpTeyRBvN4Gv5hE+jsg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=n4QoFE1AeQKSzMItRfzZaHdVpuoKbJSQPgnIUzkWwU0=; b=FaIfVcastCuLG/JoSPrPoHZDSNB7tRzt8PQ0nWrjo1JgcKvC03I4KcsmS9FgbDrhJrO3PH8f8yA3886PklYjBBMu7VcrnpuHxTfJ79UQqN3BjmYGaWBhf2prvJ8emBtbjtWcUe6ROGkSjs8j7cyJ+HhAfn34/R2/56208jbpiw0=
Received: from DM6PR00MB0682.namprd00.prod.outlook.com (2603:10b6:5:213::24) by DM6PR00MB0816.namprd00.prod.outlook.com (2603:10b6:5:208::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2877.0; Thu, 19 Mar 2020 18:28:18 +0000
Received: from DM6PR00MB0682.namprd00.prod.outlook.com ([fe80::dd11:a6cf:2334:5de1]) by DM6PR00MB0682.namprd00.prod.outlook.com ([fe80::dd11:a6cf:2334:5de1%9]) with mapi id 15.20.2877.000; Thu, 19 Mar 2020 18:28:18 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, "txauth@ietf.org" <txauth@ietf.org>
CC: Vladimir Dzhuvinov <vladimir@connect2id.com>
Thread-Topic: [Txauth] Call for charter consensus - TxAuth WG
Thread-Index: AdX+HCaFHXmvC7lDQRSXgxyQomJj5Q==
Date: Thu, 19 Mar 2020 18:28:18 +0000
Message-ID: <DM6PR00MB0682B749EFF0A482DE72B1A0F5F40@DM6PR00MB0682.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=c44f6e9f-3fa6-450f-9d2b-00000d84d85f; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-03-19T18:27:34Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [50.47.87.252]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 90c97a2c-ac0f-464c-21a7-08d7cc334bfb
x-ms-traffictypediagnostic: DM6PR00MB0816:
x-microsoft-antispam-prvs: <DM6PR00MB081615EF5EA527D48556A0FDF5F40@DM6PR00MB0816.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0347410860
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6029001)(4636009)(396003)(346002)(376002)(136003)(39860400002)(366004)(199004)(7696005)(316002)(52536014)(5660300002)(2906002)(8936002)(8990500004)(81156014)(81166006)(8676002)(86362001)(33656002)(71200400001)(9686003)(966005)(186003)(66446008)(66476007)(64756008)(26005)(10290500003)(76116006)(110136005)(55016002)(66556008)(6506007)(53546011)(4326008)(478600001)(66946007); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR00MB0816; H:DM6PR00MB0682.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Q+fqXrxH9yN1HJO4R8znrkQdQBsxrR11XDlI/v1hSqReBsD2OZiu5DaplqTFjJmGyLPcXagBGEmlcrvheUmYij83acWcYkNhQVbzHKriZhnM3i6xMbCqjlpqQoLTFcKfiOQfPT62acYmyuih3yQHgvpC4lRLgEuqqYN5/z69oMsSad0t+xoznXsoulQ0CApeytsoAnacjJELPmUSxb/45MZZBwbLD1um5QX+1EIge898kNaC69E7EUMRHedAF+0Nkr5El2f2IceNlcRkNwJIVlI6BhgdXdC+s9kiJ7babM08JL06upapLDLFnUS+taRlsKe6abCEII5L1rcAODx4hVw4Sn/zncf7plivhwxMG0k6T5RnxAux9oxHwh6eVHfnsQhtAXfJthyyPFDnLGdflbiNjxhLvuow7ma5PlI+EezzIQ08HtBZc1JiNsLJ5CoImKeIJaKTHqqArJmeHjxbkxvVkyFyNfW/wd72b7uzMaIZ21fe1rppiyyt/gYkeiFAxk8UtBr2lkyTNMej8fxcfQ==
x-ms-exchange-antispam-messagedata: nkZb1UWLc7t4xpF3To3gcxH9cGGohKpyMgW9tCblGFtHP76zBe+lOnC3bUvor4rL/CKzhHoLmHyPe5E2BOKIsWLSe7uNiYhFgY/ICGtz6b4aCOLPfcR7EWDCjvP28MIChFLMsDpaoG2dcaxJQx20xA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 90c97a2c-ac0f-464c-21a7-08d7cc334bfb
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Mar 2020 18:28:18.4898 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: PvGa3ICAw5DVeIx9oFnUa37szJfknT4Fw1MKzgJE9RsRn5UZLZ3xWP31cPGJ20hn5p7U004VNPwWZ2BO+NknZw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR00MB0816
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/FHh9F4Hz4NlerVM1XgicbSpxw-U>
Subject: Re: [Txauth] Call for charter consensus - TxAuth WG
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2020 18:28:24 -0000

I support adding this requirement to the charter.

				-- Mike

-----Original Message-----
From: Txauth <txauth-bounces@ietf.org> On Behalf Of Torsten Lodderstedt
Sent: Thursday, March 19, 2020 11:09 AM
To: txauth@ietf.org
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>
Subject: Re: [Txauth] Call for charter consensus - TxAuth WG

Hi all,

I suggest to add the following requirement to the charter:
	• Support for RS-specific access tokens in Multi-RS deployments 

I don’t mind HOW this requirement is supported in TXAuth. I want to make sure we try to build a protocol that serves the needs of a broad set of deployments. My concern is otherwise TXAuth will be not innovative enough to gain traction in the market rapidly. Speaking for myself, I realised in the last couple of days, mostly in conversations with Justin, that the result of this working group as envisioned now is not of particular interest to us (yes.com) because it does not solve our real problems. 

And here is my explanation: 

OAuth traditionally has the philosophy of a single access token. That’s fine for single service deployments, but it had reached its limits already before RFC6749 was published. There are a real implementations out there forcing clients to use different access tokens for different services, typically for privacy and security reasons. There is also an “ancient" technology called Kerberos that uses exactly this pattern and is well known for security, performance, and scalability. 

And there are even more examples today for multi API environments that would benefit from that feature: 
	• Open banking: most banks I worked with have multiple APIs, segregation between APIs is today achieved by maintaining different grants, basically resulting in the fact that the users cannot consent to different services at once. What a terrible UX!
	• Everyone is doing micro services today. Have you every thought about the coupling caused by a single token across micro services? This reminds me of how easy it is to test services independently using self-contained RS-specific tokens.
	• IoT - every device in a household is a potential RS (in my opinion). Conveying all necessary data in an access token needed to meet access control decisions locally would be a huge benefit in terms of performance and decoupling. Using symmetric cryptography for token integrity, authenticity and confidentiality would result in lower compute requirements.

Since we are preparing to define a completely new protocol for API access authorization and delegation, I think this new protocol should support this kind of scenarios. It will require significant work to get it right and simple, but if we just stick to the “a single access token is enough” mantra, we miss the chance to give implementers a broader range of design choices out of the box and we won’t success in achieving true interoperability.

Here are more advantages we can gain by supporting such a feature: 
	• Privacy:
		• A single access token can be used to track user across services.
		• RS-specific access tokens cannot.
		• RS-specific access tokens can also be encrypted to protect data confidentiality in transit.
	• Security: RS-specific access tokens have a baseline replay detection.
	• Performance: RS-specific access tokens allow the AS to convey all data required to authorize an API call in a token (e.g. a JWT) and to RS to meet the access control decision based on that data. This is a huge advantage in terms of performance, scalability and cost since there is no need for Token Introspection or other kinds of access to another services or database.

What do you think?

best regards,
Torsten. 

> On 19. Mar 2020, at 18:35, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
> 
> 
> On 19/03/2020 19:11, Torsten Lodderstedt wrote:
>> On 19. Mar 2020, at 17:47, Justin Richer <jricher@mit.edu> wrote:
>>> Well, it’s in scope as much as describing any other aspect of what the token is for and what it represents is in scope. That is alongside things like the intended audience of the token, the access rights for the token, the presentation keys the token is bound to, etc. It could be information in the token text itself (like a JWT), it could be introspected from the AS, it could be referenced in some other way. So if we can define identity aspects in that, then we’re fine in covering it there. 
>>> 
>>> But here’s the thing: none of that has an impact on the core protocol. That is entirely up to the AS and the RS to agree on, and the client never sees or has any influence on it. That portion of the protocol is completely opaque to the client. Therefore, it doesn’t really affect the authorization and delegation portions of the client talking to the AS and the client talking to the RS.
>>> 
>>> This does raise the question of what our bar of interoperability is going to be with TxAuth: do we expect independent AS and RS implementations to talk to each other? That’s not something OAuth 2 was ever concerned with, though obviously JWT and introspection are both from the OAuth2 WG and solve that problem.
>> There are two aspects to it: interoperability and vendor support. 
>> 
>> Interoperability between AS and RS is important if deployments want to combine pre-packaged TXAuth and API implementations. I think that makes a lot of sense and should be included in the charter.
> 
> +1
> 
> The current OAuth 2.0 status quo of the largely unspecified 
> relationship between AS and RS is also making the life of web & sec 
> framework maintainers difficult. We witnessing this with people 
> integrating the OAuth SDK into frameworks. Vittorio's recent work to 
> put together a minimal interoperable JWT profile for access tokens is 
> helpful, but it has come after the fact. And there is not agreement on 
> things like authorising access to claims.
> 
> Integrating apps (RSs) with TxAuth should be straightforward and simple.
> 
> This can have a enormous effect on adoption.
> 
> 
>> Vendors support: vendor support when it comes to "what can go into an access token" and "what can be conveyed in a token introspection response” greatly deviates in my observation. This also means implementation use vendors specific features restricting their ability to use other solutions. TXAuth should aim at improving the situation.  
> 
> +1
> 
> 
>> I also think it is a good exercise for the group to think the whole process "from the end”. The purpose of TXAuth (and OAuth) is not to provide clients with access tokens. The purpose is to enable API request processing in a secure manner. What it really takes to achieve that goal is not obvious if the work always stops at the “you have your access token, good luck” stage. 
> 
> +1
> 
> Vladimir
> 
> 
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth

--
Txauth mailing list
Txauth@ietf.org
https://www.ietf.org/mailman/listinfo/txauth

v2.23.0 | Report a Bug | By Email