Re: [Txauth] TxAuth Charter (Take 3.5)
Dick Hardt <dick.hardt@gmail.com> Tue, 28 January 2020 16:09 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B2EC120AB3 for <txauth@ietfa.amsl.com>; Tue, 28 Jan 2020 08:09:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kiuBtB5LFeCz for <txauth@ietfa.amsl.com>; Tue, 28 Jan 2020 08:09:15 -0800 (PST)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04A82120A22 for <txauth@ietf.org>; Tue, 28 Jan 2020 08:09:15 -0800 (PST)
Received: by mail-lf1-x12f.google.com with SMTP id t23so9502737lfk.6 for <txauth@ietf.org>; Tue, 28 Jan 2020 08:09:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fbHww13qRho1gd8Cy2/Xndn0sWChEZiI1hu8ILS7aHQ=; b=txgDXENVdLGO3neuU70rFOUfRRU3UtGyM6UUvn/KuIYdnvaU89OU/q3NV2Qv7XhtKx lYTNCuW+mDhBVsgvJQHwdQK+mTFcxk/Ux/dk13yBPpiDaRoEWrNI7z488jBeRJFlFmiH SDQJXpnUNwd/xQuMkfZc1xwtLWVcuFQTPcJdM276QU8Zk/4NUKc9X/oaq1EysaxurtV4 DDfMj4Hj8ngH3wPclMyifKEHTUj+vyOKD5UnuHhIF0Qlf+c4o2ZoLTZR0IKU31MufkWU Oe/YbGxcsaKmdSLRwSTtzcxqNDaubLyyUaD6PHZ/qNk85Gsjlferf2xBKtt9lKy9+z7G Q4RA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fbHww13qRho1gd8Cy2/Xndn0sWChEZiI1hu8ILS7aHQ=; b=jeP4Sn0yqYwGxevfuzmdw4utlmPuIfddrE/Xf2dmChfEQVhbxtbbdW0UgLFvIw7YCi DihdHnScA4lqg0dSTredT4tXlsxZLW2nJpGNM0G+2eRY0t+2ksuxc5p8GG4Uv4SYic65 gLx1XE1XoZAR2qDMSa5cahF3kIeu1ZZxjPaE0OHH0D/Vcjo8rTrmQYfL0j6UMWYlLI0+ tXGSsNiK3I1KhXCst9iIAVZoOY8AD6p7OwI4bDmyfu9bAwJ2f1gs5N1/LZMXb6ogE6/u j9j4056R6/kAPYzcRCeJ5isJQ/hHqfCPe1XXeCVWsou5ozNwY1zz7Gnq00aLH+oapfZB XJuA==
X-Gm-Message-State: APjAAAWKgLKmJICckLHYRkFKMpyrEgGZx07urW3w/8rJcvBkgXoP41GZ 0sIQZnMDYrgcluuL25KCHz5D/jZrgiRKys8jizU=
X-Google-Smtp-Source: APXvYqzGyQ3XCYgI/9TI/zg2tWFnLryJ0P9FjwKzgus9oKW+CAgk3Qg1ntp5KvJublYG7HYq1YmUS00hFN6ttJWXoQE=
X-Received: by 2002:a19:7711:: with SMTP id s17mr2813277lfc.164.1580227753120; Tue, 28 Jan 2020 08:09:13 -0800 (PST)
MIME-Version: 1.0
References: <741262A9-A258-40DC-87AB-0ED7515D136E@mit.edu> <F7F47DEF-DB58-4F1D-A00A-8731D44F2FA0@amazon.com> <2B53E22D-2C4C-4364-9A45-285D1195E642@lodderstedt.net> <9A1D966F-F31D-4785-9FEF-6A87F1D80E37@mit.edu>
In-Reply-To: <9A1D966F-F31D-4785-9FEF-6A87F1D80E37@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 28 Jan 2020 08:09:01 -0800
Message-ID: <CAD9ie-un+2TDb5YYunUrGbZP671ijUOY-eoHsLuQEep+M6oXPA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, "txauth@ietf.org" <txauth@ietf.org>, "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e39793059d35716f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/0pqIVh-QAEUqpJphrKXAheEk4NQ>
Subject: Re: [Txauth] TxAuth Charter (Take 3.5)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 16:09:19 -0000
Small suggestion: s/porting/migrating/ Although the artifacts for this work are not intended or expected to be backwards-compatible with OAuth 2.0 or OpenID Connect, the group will attempt to simplify porting *migrating* from OAuth 2.0 and OpenID Connect to the new protocol where possible. On Tue, Jan 21, 2020 at 10:47 AM Justin Richer <jricher@mit.edu> wrote: > Thanks, both of those nits make sense and we’ll be sure to incorporate > them. > > — Justin > > > On Jan 21, 2020, at 5:56 AM, Torsten Lodderstedt < > torsten@lodderstedt.net> wrote: > > > > another NIT: Approval of “access to” multiple resources and APIs in a > single interaction > > > >> On 20. Jan 2020, at 19:05, Richard Backman, Annabelle <richanna= > 40amazon.com@dmarc.ietf.org> wrote: > >> > >> NIT: Mixed verb tenses in the last sentence of paragraph 2. Replace “as > well as providing” with “and provides”. > >> > >> – > >> Annabelle Richard Backman > >> AWS Identity > >> > >> > >> From: Txauth <txauth-bounces@ietf.org> on behalf of Justin Richer < > jricher@mit.edu> > >> Date: Saturday, January 18, 2020 at 6:16 AM > >> To: "txauth@ietf.org" <txauth@ietf.org> > >> Subject: [Txauth] TxAuth Charter (Take 3.5) > >> > >> Thanks for all the feedback and discussion on the last round of the > charter. I’ve made a few tweaks to it based on the conversations on this > list, and a couple off-list, and have incorporated them here. > >> > >>> > >>> This group is chartered to develop a delegation protocol for > authorization, identity, and API access. This protocol will allow an > authorizing party to delegate access to client software through an > authorization server. The use cases supported by this protocol will include > widely deployed use cases currently supported by OAuth 2.0 and OpenID > Connect (an extension of OAuth 2.0) as well as new use cases not enabled by > OAuth 2.0. > >>> > >>> The delegation process will be acted upon by multiple parties in the > protocol, each performing a specific role. The protocol will decouple the > interaction channels, such as the end user’s browser, from the delegation > channel, which happens directly between the client and the authorization > server (in contrast with OAuth 2.0 which is initiated by the client > redirecting the user’s browser). The client and AS will involve the > authorizing party as necessary through interaction mechanisms indicated by > the protocol. This decoupling avoids many of the security concerns and > technical challenges of OAuth 2.0 as well as providing a non-invasive path > for supporting future types of clients and interaction channels. > >>> > >>> Additionally, the delegation process will allow for: > >>> > >>> - Fine-grained specification of access > >>> - Approval of AS attestation to identity claims > >>> - Approval of multiple resources and APIs in a single interaction > >>> - Separation between the party authorizing access and the party > operating the client requesting access > >>> - Web, mobile, single-page, interaction-constrained, and other types > of client applications > >>> > >>> The group will define extension points for this protocol to allow for > flexibility in areas including: > >>> > >>> - Cryptographic agility for keys, message signatures, and proof of > possession > >>> - User interaction mechanisms including web and non-web methods > >>> - Mechanisms for providing user, software, organization, and other > pieces of information used in authorization decisions > >>> - Token presentation mechanisms and key bindings > >>> - Optimization of information and API access beyond identity through > the delegation process > >>> > >>> Additionally, the group will provide mechanisms for management of the > protocol lifecycle including: > >>> > >>> - Discovery of the authorization server > >>> - Revocation of active tokens > >>> - Query of token rights by resource servers > >>> > >>> Although the artifacts for this work are not intended or expected to > be backwards-compatible with OAuth 2.0 or OpenID Connect, the group will > attempt to simplify porting from OAuth 2.0 and OpenID Connect to the new > protocol where possible. > >>> > >>> While the initial work will focus on using HTTP for communication > between the client and the authorization server, the working group will > seek to take advantage of optimization features of HTTP2 and HTTP3 where > possible, and will strive to enable simple mapping to other protocols such > as COAP. > >> > >> I would really appreciate the security AD’s weighing in at this stage. > Thanks again everyone! > >> > >> — Justin > >> -- > >> Txauth mailing list > >> Txauth@ietf.org > >> https://www.ietf.org/mailman/listinfo/txauth > > > > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth >
- [Txauth] TxAuth Charter (Take 3.5) Justin Richer
- Re: [Txauth] TxAuth Charter (Take 3.5) Richard Backman, Annabelle
- Re: [Txauth] TxAuth Charter (Take 3.5) Torsten Lodderstedt
- Re: [Txauth] TxAuth Charter (Take 3.5) Justin Richer
- Re: [Txauth] TxAuth Charter (Take 3.5) Dick Hardt
- Re: [Txauth] TxAuth Charter (Take 3.5) Roman Danyliw
- Re: [Txauth] TxAuth Charter (Take 3.5) Dick Hardt
- Re: [Txauth] TxAuth Charter (Take 3.5) Torsten Lodderstedt
- Re: [Txauth] TxAuth Charter (Take 3.5) Dick Hardt
- Re: [Txauth] TxAuth Charter (Take 3.5) Torsten Lodderstedt
- Re: [Txauth] TxAuth Charter (Take 3.5) Justin Richer
- Re: [Txauth] TxAuth Charter (Take 3.5) Justin Richer
- Re: [Txauth] TxAuth Charter (Take 3.5) Adrian Hope-Bailie
- Re: [Txauth] TxAuth Charter (Take 3.5) Justin Richer
- Re: [Txauth] TxAuth Charter (Take 3.5) Torsten Lodderstedt
- Re: [Txauth] TxAuth Charter (Take 3.5) Dick Hardt