IETF Logo Mail Archive

Re: [Txauth] TxAuth Charter (Take 3.5)

Dick Hardt <dick.hardt@gmail.com> Tue, 28 January 2020 16:09 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B2EC120AB3 for <txauth@ietfa.amsl.com>; Tue, 28 Jan 2020 08:09:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kiuBtB5LFeCz for <txauth@ietfa.amsl.com>; Tue, 28 Jan 2020 08:09:15 -0800 (PST)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04A82120A22 for <txauth@ietf.org>; Tue, 28 Jan 2020 08:09:15 -0800 (PST)
Received: by mail-lf1-x12f.google.com with SMTP id t23so9502737lfk.6 for <txauth@ietf.org>; Tue, 28 Jan 2020 08:09:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fbHww13qRho1gd8Cy2/Xndn0sWChEZiI1hu8ILS7aHQ=; b=txgDXENVdLGO3neuU70rFOUfRRU3UtGyM6UUvn/KuIYdnvaU89OU/q3NV2Qv7XhtKx lYTNCuW+mDhBVsgvJQHwdQK+mTFcxk/Ux/dk13yBPpiDaRoEWrNI7z488jBeRJFlFmiH SDQJXpnUNwd/xQuMkfZc1xwtLWVcuFQTPcJdM276QU8Zk/4NUKc9X/oaq1EysaxurtV4 DDfMj4Hj8ngH3wPclMyifKEHTUj+vyOKD5UnuHhIF0Qlf+c4o2ZoLTZR0IKU31MufkWU Oe/YbGxcsaKmdSLRwSTtzcxqNDaubLyyUaD6PHZ/qNk85Gsjlferf2xBKtt9lKy9+z7G Q4RA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fbHww13qRho1gd8Cy2/Xndn0sWChEZiI1hu8ILS7aHQ=; b=jeP4Sn0yqYwGxevfuzmdw4utlmPuIfddrE/Xf2dmChfEQVhbxtbbdW0UgLFvIw7YCi DihdHnScA4lqg0dSTredT4tXlsxZLW2nJpGNM0G+2eRY0t+2ksuxc5p8GG4Uv4SYic65 gLx1XE1XoZAR2qDMSa5cahF3kIeu1ZZxjPaE0OHH0D/Vcjo8rTrmQYfL0j6UMWYlLI0+ tXGSsNiK3I1KhXCst9iIAVZoOY8AD6p7OwI4bDmyfu9bAwJ2f1gs5N1/LZMXb6ogE6/u j9j4056R6/kAPYzcRCeJ5isJQ/hHqfCPe1XXeCVWsou5ozNwY1zz7Gnq00aLH+oapfZB XJuA==
X-Gm-Message-State: APjAAAWKgLKmJICckLHYRkFKMpyrEgGZx07urW3w/8rJcvBkgXoP41GZ 0sIQZnMDYrgcluuL25KCHz5D/jZrgiRKys8jizU=
X-Google-Smtp-Source: APXvYqzGyQ3XCYgI/9TI/zg2tWFnLryJ0P9FjwKzgus9oKW+CAgk3Qg1ntp5KvJublYG7HYq1YmUS00hFN6ttJWXoQE=
X-Received: by 2002:a19:7711:: with SMTP id s17mr2813277lfc.164.1580227753120; Tue, 28 Jan 2020 08:09:13 -0800 (PST)
MIME-Version: 1.0
References: <741262A9-A258-40DC-87AB-0ED7515D136E@mit.edu> <F7F47DEF-DB58-4F1D-A00A-8731D44F2FA0@amazon.com> <2B53E22D-2C4C-4364-9A45-285D1195E642@lodderstedt.net> <9A1D966F-F31D-4785-9FEF-6A87F1D80E37@mit.edu>
In-Reply-To: <9A1D966F-F31D-4785-9FEF-6A87F1D80E37@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 28 Jan 2020 08:09:01 -0800
Message-ID: <CAD9ie-un+2TDb5YYunUrGbZP671ijUOY-eoHsLuQEep+M6oXPA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, "txauth@ietf.org" <txauth@ietf.org>, "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e39793059d35716f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/0pqIVh-QAEUqpJphrKXAheEk4NQ>
Subject: Re: [Txauth] TxAuth Charter (Take 3.5)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 16:09:19 -0000

Small suggestion: s/porting/migrating/

Although the artifacts for this work are not intended or expected to be
backwards-compatible with OAuth 2.0 or OpenID Connect, the group
will attempt to simplify porting *migrating* from OAuth 2.0 and OpenID
Connect to the new protocol where possible.

On Tue, Jan 21, 2020 at 10:47 AM Justin Richer <jricher@mit.edu> wrote:

> Thanks, both of those nits make sense and we’ll be sure to incorporate
> them.
>
>  — Justin
>
> > On Jan 21, 2020, at 5:56 AM, Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
> >
> > another NIT: Approval of “access to” multiple resources and APIs in a
> single interaction
> >
> >> On 20. Jan 2020, at 19:05, Richard Backman, Annabelle <richanna=
> 40amazon.com@dmarc.ietf.org> wrote:
> >>
> >> NIT: Mixed verb tenses in the last sentence of paragraph 2. Replace “as
> well as providing” with “and provides”.
> >>
> >> –
> >> Annabelle Richard Backman
> >> AWS Identity
> >>
> >>
> >> From: Txauth <txauth-bounces@ietf.org> on behalf of Justin Richer <
> jricher@mit.edu>
> >> Date: Saturday, January 18, 2020 at 6:16 AM
> >> To: "txauth@ietf.org" <txauth@ietf.org>
> >> Subject: [Txauth] TxAuth Charter (Take 3.5)
> >>
> >> Thanks for all the feedback and discussion on the last round of the
> charter. I’ve made a few tweaks to it based on the conversations on this
> list, and a couple off-list, and have incorporated them here.
> >>
> >>>
> >>> This group is chartered to develop a delegation protocol for
> authorization, identity, and API access. This protocol will allow an
> authorizing party to delegate access to client software through an
> authorization server. The use cases supported by this protocol will include
> widely deployed use cases currently supported by OAuth 2.0 and OpenID
> Connect (an extension of OAuth 2.0) as well as new use cases not enabled by
> OAuth 2.0.
> >>>
> >>> The delegation process will be acted upon by multiple parties in the
> protocol, each performing a specific role. The protocol will decouple the
> interaction channels, such as the end user’s browser, from the delegation
> channel, which happens directly between the client and the authorization
> server (in contrast with OAuth 2.0 which is initiated by the client
> redirecting the user’s browser). The client and AS will involve the
> authorizing party as necessary through interaction mechanisms indicated by
> the protocol. This decoupling avoids many of the security concerns and
> technical challenges of OAuth 2.0 as well as providing a non-invasive path
> for supporting future types of clients and interaction channels.
> >>>
> >>> Additionally, the delegation process will allow for:
> >>>
> >>> - Fine-grained specification of access
> >>> - Approval of AS attestation to identity claims
> >>> - Approval of multiple resources and APIs in a single interaction
> >>> - Separation between the party authorizing access and the party
> operating the client requesting access
> >>> - Web, mobile, single-page, interaction-constrained, and other types
> of client applications
> >>>
> >>> The group will define extension points for this protocol to allow for
> flexibility in areas including:
> >>>
> >>> - Cryptographic agility for keys, message signatures, and proof of
> possession
> >>> - User interaction mechanisms including web and non-web methods
> >>> - Mechanisms for providing user, software, organization, and other
> pieces of information used in authorization decisions
> >>> - Token presentation mechanisms and key bindings
> >>> - Optimization of information and API access beyond identity through
> the delegation process
> >>>
> >>> Additionally, the group will provide mechanisms for management of the
> protocol lifecycle including:
> >>>
> >>> - Discovery of the authorization server
> >>> - Revocation of active tokens
> >>> - Query of token rights by resource servers
> >>>
> >>> Although the artifacts for this work are not intended or expected to
> be backwards-compatible with OAuth 2.0 or OpenID Connect, the group will
> attempt to simplify porting from OAuth 2.0 and OpenID Connect to the new
> protocol where possible.
> >>>
> >>> While the initial work will focus on using HTTP for communication
> between the client and the authorization server, the working group will
> seek to take advantage of optimization features of HTTP2 and HTTP3 where
> possible, and will strive to enable simple mapping to other protocols such
> as COAP.
> >>
> >> I would really appreciate the security AD’s weighing in at this stage.
> Thanks again everyone!
> >>
> >> — Justin
> >> --
> >> Txauth mailing list
> >> Txauth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/txauth
> >
>
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email