[GNAP] Re: Intdir early review of draft-ietf-gnap-resource-servers-05
Justin Richer <jricher@mit.edu> Wed, 19 June 2024 16:42 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC2B1C15106E; Wed, 19 Jun 2024 09:42:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PAhKimSr_7vY; Wed, 19 Jun 2024 09:42:41 -0700 (PDT)
Received: from NAM04-DM6-obe.outbound.protection.outlook.com (mail-dm6nam04on2110.outbound.protection.outlook.com [40.107.102.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD380C151065; Wed, 19 Jun 2024 09:42:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iwC0ALPdowUkhBLzg3GKREE4KDqz1AJEmmk7eUJQalWiqlDcvsHZ9UlVA4DQ9CRcTdCYc0mGGJ/B6uwRwuWbHX47AnM4nFyUrGPKlocysPUKY5mzWW5bbodH5PqnsAvS24v+0FApBzm0qSN8oqfpPHWFLGmfLg4HSRJtQsTXZhrHIpJmVe87aU83evsRoUriDKK4A6jOCgP4fVgzMzKDiSJPjOpPfft4fYHjsv1czTEvGN7jdNnG7oJZbY+4ZwbdSbCTqVa5lYbrlrbSmuTub8ot8Sexy5gfGjBedWepW9hE3d+Wtz/oKjQzCGxf7m7gkuPrbkh/ngzz0NxQEi81KQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0OU1V7YoZ3aJRBftnaS0/G23tKNkto+hTl7kEStBgSw=; b=I88nNshUadoc7DZhDF1XDpVwX03lvpIw3s7tjN3Lgz5nCDiM1+NtJVKdtatbVBbXzUpgvZh8kqXjH9ZcLqDXjIy+QJnPurDfYONWNRDC3+UenXlahkFBfV312GdwLbS4Bbi8CHkagPsmHFFLdrF9TooNYqlLKUwrdGmmFeCPmNXQxVrUKwn+i93pRXSE+bDvyvy4UI7QfZZT7tETGEml4morvPvYedfa7j9ioSUM2Wo9EX8kMknj72Ap7sUV3H4lV7U/v2yWE/VKAeKA+vKjrbf8kiJ1HGPOmfUMbbSHu0F/S7kiU0ykv3zOfmQqMbtINQfqZYdEirSvAmNfYttoow==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mit.edu; dmarc=pass action=none header.from=mit.edu; dkim=pass header.d=mit.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0OU1V7YoZ3aJRBftnaS0/G23tKNkto+hTl7kEStBgSw=; b=c05CSjq2mLpZXC1rU4jPPncVzAmz8InmMp3vKHdYItJ7VgSfTrztLhbKp4yzUF1lt0DAPZX0cfU0zwA5Isl8iWVMRxPDEszAUt6TXrMBUlngrd1REfRBpWIJg+wVGSQA8ZQy0DW2OdH3KVvq71IvtA8JrZv+ua5A/xtvvHZe6jY=
Received: from LV8PR01MB8677.prod.exchangelabs.com (2603:10b6:408:1e8::20) by BN0PR01MB7120.prod.exchangelabs.com (2603:10b6:408:153::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7698.19; Wed, 19 Jun 2024 16:42:38 +0000
Received: from LV8PR01MB8677.prod.exchangelabs.com ([fe80::e7d6:999:270f:a820]) by LV8PR01MB8677.prod.exchangelabs.com ([fe80::e7d6:999:270f:a820%5]) with mapi id 15.20.7698.017; Wed, 19 Jun 2024 16:42:38 +0000
From: Justin Richer <jricher@mit.edu>
To: Tommy Pauly <tpauly@apple.com>
Thread-Topic: Intdir early review of draft-ietf-gnap-resource-servers-05
Thread-Index: AQHawmexjlJ2L8rPkUK0mEDK1NzQOQ==
Date: Wed, 19 Jun 2024 16:42:38 +0000
Message-ID: <ECF796EB-A565-450B-96F4-055C95473E06@mit.edu>
References: <171875527668.3177.17110443481512457533@ietfa.amsl.com>
In-Reply-To: <171875527668.3177.17110443481512457533@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mit.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: LV8PR01MB8677:EE_|BN0PR01MB7120:EE_
x-ms-office365-filtering-correlation-id: 9b9eabe5-85ae-4911-10f4-08dc907ed47a
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230037|1800799021|366013|376011|38070700015;
x-microsoft-antispam-message-info: N/qS+dv6v6ZS4VB0EzaTsiKRTb0nPSM7du03cfpRjO1MKIUU7yUXHpIrDeujysMVbUN8WJ2bopb6yY6Hau88n9AloMMGzBM/QnRVFNDTKLwJx023TOzv6Yv2rCRSakdqrRXHmJYdj8eAeK3XdNvi4+dxyxhGoBRjUi0Xp+ZBuytU6vQcTLQ0UXu8iJBNfaZ98WoQVILdIKSLiW0enzk8wPS/a2JX09Q2nJpzCuaU8ZKvI0Oz3+gv93HGj7DpxjTS35rlN1Eg8+mF2bwW0cAxEdCd7vw+cLnAbjrHJZemuicYZAdsIjreDHzfMEVZc7/DVemkKcYNyg69LL0jJGv57z1uZLq+sb36L9cRQLkpQFtj1Z5LqYoc6HmNOUQcJkzvR6234SAys/08z46DjTZwR9ngnnNMx6wH7KPD5GsmADgGkbj7Aa/hDTZi0te/vamDFqTFLLeqUDtFyxYnppY3gVU2PiUCWrEUiqEUTUKAFcNU7FSfIS0K8ktO0SgF5v0Bx7AOkOzWtnuU0mbcW2538eaXuds8R3pbqYDICJ6ZiXRSs7T3VhpVIXvuIMWPDaW7liodT4+vZBU16fsVmNIQ8JS0lrknwElCXv1U1QNC4F2pSO5Gpk+YhYnKBOvgMuNmrtQayfcNE20d+AuTJxdfYNtmeR6iuNtm37LFRlTuVyKBj2leSKdS9lIrGaDVlWlGrv+9BSGwg9zq0lJ96jtcbNaEf1mcDh91Q6kv5qM+eOwaGCMiX7GGf+YTiCb3m54TDjzf4VA8nM2u5L7aNQAVzgN7+AEZyJpjX5gAApPrZU8vsBuyalQXc50Ruy9whJXeXeu5b3FhJ7OlwWVHg6vX6pgUk07dtY/w/2dA07kr9/+wwMqtt33diuyWo+5d6+vrkfnyA3x6DU5y0Kc9RCbVCwW6FkVHG0diplZ7HCitbsQM0kKLnygP3bDINeRGHamUEVNo8ko0e0pvr+Yzv9t32/C9hNccUg63c1APe7vigVUWhHL/rNfdD8A+LSxIcTIIzKf0LSQTA5jPxDuBpAoK0NeNYXQg7pKtlQqEkpbVwZTpiFfacSAUOyWS9hc6Ln3DZAoCynlrTbi2tLGkZlm5AG0bEkG9kAyIfF5eODsBwoWo/B9dBKEiokIt0kxlnQluefY9CPN5yv7Gm1ncRHXjLXV4/CVsTupIkvoGboJAg5hH/ing35/5tsFwVi5Gh42YdH0gKxcz6cQHc6jPHxZZA0kDW6Va/HHGPn7r20DUW3ohxcFAlugle3WXRncoYaCh/l3e6t4EIAQ0oSCCkN/Cg6jwGsDmRifuMXe5irGeyIEMIRHzE0lo7j6ZaUYec/Mwvt1jPcX8Nq+JRrea809wpbh1QZVBJtfQRBxd6Rg2kjk=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:LV8PR01MB8677.prod.exchangelabs.com;PTR:;CAT:NONE;SFS:(13230037)(1800799021)(366013)(376011)(38070700015);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: glqPtXz7F7gHrNKYILU4PmL/OgrXjFAtWvQQ42eKuUFgBay5RmXRvWQ3YbYHod1GuT8nd0iaXqgNJxqQ3C6WeMh+xugZ+gC6FBIEca5ctSX1T7jpYfNk3pFgdrhqw1Krz5F8H111FUCWdHlOmWh/HL+IzGjHroHcAB5mtwNU+Az2PkA+4U/DX9SkJ/QpX+xQiY2kN3F05lzfwpGiapWCRCu/qkLmDIWxcpJzF8ZF8kIR6luJl7tBI1ZZk2qK2fh262IWNDdsl86TOO1tKdn5l0HunlnUhQVNQOQkhwBAPp4GI/Sd+fCaMsCegUA8oITj9vha8G5G1Bbdn/mGquHrgdLp8057ZL+hmtN1HzQIqSTJ60FC6vFShbv69IJCgXs4Pi9MhmBFnwIXGeQFwTCpykAN93kzp8Tg/wFk/e00oR9tSnllR1XGeXIv7t2R8Tj3zP20hjMEtYyRJURIZd9FbK3aZY1gT3Y0FfBbipCcv8f7vihrED3DuOBrPhtYkKKgDBrkem9j/Y8OM4aBJXdk9OrsBnGhg5HiiTP+gYtWUQpWTlr/i/pMGuBIob9hsTyJnXLGxl+5rHm2o5KUOr8wM6z1b58Qc2fxNop4On1IeKXkAqDkrgHNzs1vYDoHoO+l0E/Wv2YNNEjdeY26/HDV2tXFOsWba1wrMk9ZgruYwAXEsin6WyxBcHyGvm8VZci1W5nsz5+TJ8sqSsUdnr6CGAZilRCiJt+8Ej7r7tHs95qXjd2E24Sk9hHA6OdAH7TQD7E/x8SERLay+X3ZC9wYPknhIp7kwOiUwgrjQ57dk6wDdUBfTC1Sn+b0eLKVcTRArcBlisZjv7h0gR/2Y4U7tjkJTftZm3mJ1QYz+GEP6RW5Dq4Np3WE+twjZC0EWufyBIX+CBcu1V8QTSWAAXOdEjF7BPO/GVxROsj8AyWytmPSTiVD+bESYXU6/fY9UdMsv8YRhkf3E/upv/kc9dPFoH1Dyxd3QPuPAL0SkEi8WtJ69ySHs5nt//0/kQQEPbROoDj1DJ0gzQqWYeQYvd512+8DUiftDfwFgAnH6OwzTQjlEcyY4gsUVX6XMIl0pJPyRGPXiczpQtr8ZtsbKdUQoHLhyu3jjSql5g8Wi2O5sQkzFRnknGv0eRS82ycPI96pHaAnWQhxprCObbuAoWdRj5poE+kF6LddBypRfHTrMbKxNgsiZgolENK4HXCSO5IK1fAf08+wcnYsi/j6c03uuUB+oFTq8OljHGu4MQ+LEDkyikOs0+cwaiuYpNovfTMfofO+m53/9bmB3fNsAF/POWsC3z6JvT4wkly1Yj8Os1+C9xBOmSBPHS135Kly5FG0AyvnCstQElfN2rsgdOKhghtPFDQ6IWB4WvC0Sv8L0EkwlWtslQ4iDmXViXPzC3J9uo3TEQHCq+NCftSby/jJ27qNlrIjNJFhrE3svS15EFdMBIAiRSdGGUxQEGhxHnaEKMUL4Fm/RLpqZN9LeWx+yv1yNsBj5Ip+uUAUOqmgO4ggwfx21DzkzA0XSaYdV03ixJLdSLYlvSyBqeoyvNUrO5Th0mZPCT4CyMXNSF4sG0zQbFrMHAmA9LG1TyMY8xs4
Content-Type: multipart/alternative; boundary="_000_ECF796EBA565450B96F4055C95473E06mitedu_"
MIME-Version: 1.0
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: LV8PR01MB8677.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9b9eabe5-85ae-4911-10f4-08dc907ed47a
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jun 2024 16:42:38.4621 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: U9zEkCuVQYYxb08C6yAumqx0gAGkxGyAiU+S+6KJ/XidmXJlyPgXwnS1pFaRY3d+
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0PR01MB7120
Message-ID-Hash: KA45F5FEHHZXMN5BCTB2OTXGGXRDWLEY
X-Message-ID-Hash: KA45F5FEHHZXMN5BCTB2OTXGGXRDWLEY
X-MailFrom: jricher@mit.edu
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "int-dir@ietf.org" <int-dir@ietf.org>, GNAP Mailing List <txauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [GNAP] Re: Intdir early review of draft-ietf-gnap-resource-servers-05
List-Id: GNAP <txauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/2bvCQLOAcL5P6hUZf2NChP7r2I8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Owner: <mailto:txauth-owner@ietf.org>
List-Post: <mailto:txauth@ietf.org>
List-Subscribe: <mailto:txauth-join@ietf.org>
List-Unsubscribe: <mailto:txauth-leave@ietf.org>
Hi Tommy, thanks for the review. Some comments inline.
— Justin
On Jun 18, 2024, at 8:01 PM, Tommy Pauly via Datatracker <noreply@ietf.org> wrote:
Reviewer: Tommy Pauly
Review result: On the Right Track
This is an early review on behalf of the Internet Area Directorate.
From an INTDIR perspective, I don't see any particular issues — the document
doesn't discuss much at the Internet layer (no addressing, tunneling, etc).
However, I do think the document has some nits that can be improved, and
overall could be structured more clearly. Some points to consider:
- Much of
Section 2.1 refers to a particular format of token (the "JWT-formatted token"),
but continually is just referencing the main JWT RFC instead of a reference for
the JWT token definition for this protocol. Having this link within the
document to the common/canonical JWT-formatted token would make things much
clearer, so the reader can see the full list of properties in their concrete
instantiation. You may even want to consider moving the concrete definition, or
an example of it, up to the top of Section 2 so readers can have an idea of the
scope of the token before reading the abstract field descriptions. Having
concrete examples for each field would be useful as well.
This document does not seek to define JWT again, but rather to map the concepts to existing JWT claims where possible, and define new JWT claims where they don’t exist. I’m not sure of a better way to do that than to point to JWT itself — we aren’t defining a new token format so much as mapping into an existing one.
- In Section 2.1.2,
it says "The access token is issued by the AS in a standard GNAP transaction".
Can we get a reference for this standard transaction?
This is just a call out to the GNAP Core spec, plus any extensions that might come along in the future. Basically, it doesn’t matter as much how you :get: the token for this statement.
- It would be useful to
add step-by-step instructions for generating and validating the tokens, with
concrete examples and test vectors if possible.
This is the purview of GNAP Core for tokens in general, and JWT for JWT-formatted tokens specifically.
- The registry in Section 6.5
seems to match against the "JWT-formatted" token fields ("is conveyed in the
nbf claim of a [JWT] formatted token"). Do these apply outside of JWT?
Clarifying how things work for the non-JWT case, if that is supported, would be
good.
The JWT claims are only for JWT tokens. If there’s another token format that wants to be defined, it would need to map the concepts from the token model into whatever claims structure
- In the security considerations, why is TLS protection not a MUST
instead of a "have to"? Also, why give the exception where TLS is only required
on untrusted networks? Do we actually want to encourage insecure connections on
"trusted networks"?
Security considerations should not have any normative requirements, so this is a declarative description of a needed requirement to be fulfilled. If this connection is happening over a trusted private network — such as a VLAN between containers inside a cluster, for example — TLS might not really be a reasonable requirement.
Nits:
Section 7.3: "Cacheing" -> "Caching"
Section 8.1: "Medial" -> "Medical"; this sentence is also not a complete
sentence.
Got it, thank you, we’ll fix!
— Justin
- [GNAP] Intdir early review of draft-ietf-gnap-res… Tommy Pauly via Datatracker
- [GNAP] Re: Intdir early review of draft-ietf-gnap… Justin Richer