Re: [GNAP] Support of FIDO
Steinar Noem <steinar@udelt.no> Wed, 19 August 2020 08:50 UTC
Return-Path: <steinar@udelt.no>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C1D33A1452 for <txauth@ietfa.amsl.com>; Wed, 19 Aug 2020 01:50:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=udelt-no.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YzNi4_5PIaa6 for <txauth@ietfa.amsl.com>; Wed, 19 Aug 2020 01:50:09 -0700 (PDT)
Received: from mail-ot1-x331.google.com (mail-ot1-x331.google.com [IPv6:2607:f8b0:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1A9E3A1451 for <txauth@ietf.org>; Wed, 19 Aug 2020 01:50:09 -0700 (PDT)
Received: by mail-ot1-x331.google.com with SMTP id v21so18449591otj.9 for <txauth@ietf.org>; Wed, 19 Aug 2020 01:50:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=udelt-no.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JDUZUsXi89lTNS2RduEqaHmT7Xb1UrvJBBkWNk1VDW4=; b=yMIKHm7oaGfJH8QIjHZQW8UC5eJBdHCoYWpunFpJ3KUtX66FsDB97TtlfkBTFmtlOp /JJ0YG1krB8V9zsT5GFT3upLDMYBsRgR676Xao7xlMlSPDTpWggftV40amxePaRbbmWd h1fFGSGpmzl8c0zuMJNLe7XMaTZgYUqTZKhtsI+HyBeJBI/tcTlTIcBxCfcuVXpA/EWo RryABFHDRcQI7hlfl7+b6P+IlGxwmDZpDr3IybKID6OZ0nk3UURuwUc2OYKD6goRVBbc EYQ1ZdokQvbP/zcLdxd200CzGMFpZusAgkF/1aK7RH6YRGlFTHC2uPq9gMVLYPH3spFq U3FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JDUZUsXi89lTNS2RduEqaHmT7Xb1UrvJBBkWNk1VDW4=; b=MI/CT6yhUgXT5deSlHT2N4ercP3Wn9ohC2JkSTFMK5Maas2HtPzhSq4i+aqJUD+boU ExxRUpCi+B16JryuD7s0ACePTUDzskEkBJj25wM64dLaF+edt3jPxmntfuAS1WBvuKQW gqbpMMB10t+G0oXc5SYen0aXAqYoAaWh7iBI6j1YnEYF8LP5jR66K3DaNQd8jVy3ZNNR QtNKq6NdHaE1diqTJQ6BqjEaUoAVnSjmgjdWcS5UDu2JiwxuNr5IfOK+E36VD35QmeIQ MlmaV2uAUvxtFVV+g3Wf+l1wWs8udLk1+0V8nIjuyrGiL63G6UoFW3MQBse5w+2V+EKD lkNw==
X-Gm-Message-State: AOAM530W+ouM11NAS+W9TJCZgr+KqT1zLnPGk1a69VwEgCjde4BggspP MLzzUGy4v8U5kyJLtwZ8GFJXYBrjHQNEc2vqI+/rHQ==
X-Google-Smtp-Source: ABdhPJzGMpajA7Uf9N7W+uD1Y3x5O8JjSa9hR1kgFsjYFVCkzbzw1I7Jv9pRTzRkwFIW5sDYrDyR9tU9z+JNACt+HD8=
X-Received: by 2002:a9d:38f:: with SMTP id f15mr18344475otf.74.1597827008436; Wed, 19 Aug 2020 01:50:08 -0700 (PDT)
MIME-Version: 1.0
References: <a6c47318-6f61-7fd5-6a36-c31b3b7b2ed5@free.fr> <018901d6719f$22593a20$670bae60$@prodigy.net> <9db6ee29-9e43-5893-6779-e5f863418890@free.fr> <015801d67245$933b3850$b9b1a8f0$@prodigy.net> <96aaaff7-5f11-4c7b-bc93-d4d355284018@free.fr> <01fd01d67585$fca832f0$f5f898d0$@prodigy.net> <0c2e0e75-808c-2859-3bad-e1b5cadda9ee@free.fr>
In-Reply-To: <0c2e0e75-808c-2859-3bad-e1b5cadda9ee@free.fr>
From: Steinar Noem <steinar@udelt.no>
Date: Wed, 19 Aug 2020 10:49:56 +0200
Message-ID: <CAHsNOKei=NdqS5n4EcgZ=FfUSoEdybz5h-GKDs3+qqC5P4PvqQ@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: nadalin@prodigy.net, txauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000040366e05ad371729"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/2lIPvUo-WMeT6DPlAJEwh6v_08g>
Subject: Re: [GNAP] Support of FIDO
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2020 08:50:12 -0000
I personally like FIDO2 a lot, and think that it would serve well as an example of how to solve authentication. But I also think that it is just one of many examples of how authentication can be handled, and that it should not be presented as a "preferred" solution or any other form of tight coupling between FIDO and GNAP. There are well founded reasons for choosing other mechanisms (e.g. national eIDs etc). -S ons. 19. aug. 2020 kl. 10:39 skrev Denis <denis.ietf@free.fr>: > Hi Tony, > > Functionally, private keys are stored and used by the authenticator. For > capacity limitations, they can be stored elsewhere if both correctly > integrity and confidentiality protected. > That additional storage is an extension of the limited storage of the > authenticator. > > I was attempting to promote the use of FIDO within this WG. Are you > against or in favour of such a possibility ? > > Denis > > U2F is not CTAP2 or FIDO2, U2F device usually do not store the > cryptographic material on the device as the device has limited capabilities > > > > *From:* Denis <denis.ietf@free.fr> <denis.ietf@free.fr> > *Sent:* Tuesday, August 18, 2020 9:37 AM > *To:* nadalin@prodigy.net; txauth@ietf.org > *Subject:* Re: [GNAP] Support of FIDO > > > > Hi Tony, > > Not quite Dennis, the U2F device does not store the private key, it only > creates the private key. > > Please read the Client to Authenticator Protocol (CTAP) specification from > the FIDO Alliance: > > > https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.pdf > > Extract: > > (...) the ASPSP (Account Servicing Payment Service Providers) server > sends a challenge message to the authenticator > which is then cryptographically signed by a *private key stored in the > authenticator.* > > Denis > > > > *From:* TXAuth <txauth-bounces@ietf.org> <txauth-bounces@ietf.org> *On > Behalf Of *Denis > *Sent:* Friday, August 14, 2020 3:04 AM > *To:* nadalin@prodigy.net; txauth@ietf.org > *Subject:* Re: [GNAP] Support of FIDO > > > > Hi Tony, > > Dennis, not all the way correct > > 1. It is also possible to get rid of IDs and passwords using FIDO. > FIDO discloses no private information at all about the user > and no trust relationships need to be defined since there is no AS > > Depends on if you only consider “private information” PII, there can be > all sorts of information passed in ClientData field of the FIDO response, > not desirable but perfectly OK > > 1. None of these two semantics fit with the FIDO use case where the > subject value is scoped to be locally unique in the context of one RS. > Hence, the linkage of users between two RSs (or between one RS and any > other server) becomes impossible > > There is nothing that prohibits the RS from sharing registration > information between RS > > I am speaking of FIDO U2F where there are two main phases: registration > and authentication. > > The U2F device gives the public key and a Key Handle to the origin online > service or website during the user registration step. > Later, when the user performs an authentication, the origin online service > or website sends the Key Handle back to the U2F device > via the browser. The U2F device uses the Key Handle to identify the user's > private key, and creates a signature which is sent back > to the origin to verify the presence of the U2F device. Thus, the Key > Handle is simply an identifier of a particular key on the U2F device. > > There is no other registration information needed. Sharing such an > information between RSs does not allow to link user accounts. > > Denis > > > > *From:* TXAuth <txauth-bounces@ietf.org> <txauth-bounces@ietf.org> *On > Behalf Of *Denis > *Sent:* Thursday, August 13, 2020 10:31 AM > *To:* txauth@ietf.org > *Subject:* [GNAP] Support of FIDO > > > > This topic has already been tackled on the list, but I open a new thread > for it. > > In OAuth 2.0, one of the goals was to get rid of IDs and passwords. Since > the solution in OAuth 2.0 was to use access tokens, > there have been used everywhere, even when they were not strictly needed. > > > > It is also possible to get rid of IDs and passwords using FIDO. FIDO > discloses no private information at all about the user > and no trust relationships need to be defined since there is no AS. > > > > FIDO should be one allowed possibility for the user authentication. In the > case of FIDO, the user is authenticated under a pseudonym > specific to the RS. It may observed that there is no equivalent in OAuth > because of the two different semantics of the subject claim. > > > > RFC 7519 states: > > The "sub" (subject) claim identifies the principal that is the subject of > the JWT. The claims in a JWT are normally statements about the subject. > The subject value MUST either be scoped to be locally unique in the > context of the issuer or be globally unique. > > In one case, it is possible to link the subject claim of two users between > two RSs (i.e. using a locally unique identifier in the context of the > issuer) > while in the other case (i.e. using a globally unique identifier) it is > possible, in addition, to link the subject claim between one RS and any > other server > (i.e. not supporting OAuth) that is using the same globally unique > identifier. > > > > None of these two semantics fit with the FIDO use case where the subject > value is scoped to be locally unique in the context of one RS. > > Hence, the linkage of users between two RSs (or between one RS and any > other server) becomes impossible. > > > > There are cases where a user would like to enjoy the unlinkeability > properties of FIDO which cannot be met using the claims currently defined > in OAuth. > > > > Denis > > > > > > > -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > -- Vennlig hilsen Steinar Noem Partner Udelt AS Systemutvikler | steinar@udelt.no | hei@udelt.no | +47 955 21 620 | www.udelt.no |
- Re: [GNAP] Support of FIDO Denis
- [GNAP] Support of FIDO Denis
- Re: [GNAP] Support of FIDO Dick Hardt
- Re: [GNAP] Support of FIDO nadalin
- Re: [GNAP] Support of FIDO nadalin
- Re: [GNAP] Support of FIDO Denis
- Re: [GNAP] Support of FIDO Mike Varley
- Re: [GNAP] Support of FIDO Denis
- Re: [GNAP] Support of FIDO Steinar Noem
- Re: [GNAP] Support of FIDO nadalin
- Re: [GNAP] Support of FIDO nadalin
- Re: [GNAP] Support of FIDO Denis
- Re: [GNAP] Support of FIDO David
- Re: [GNAP] Support of FIDO nadalin
- Re: [GNAP] Support of FIDO Denis
- Re: [GNAP] Support of FIDO Denis
- Re: [GNAP] Support of FIDO Steinar Noem
- Re: [GNAP] Support of FIDO David Waite