Re: [GNAP] Feedback on polymorphism
Fabien Imbault <fabien.imbault@gmail.com> Sun, 25 October 2020 12:48 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C38A3A03F3 for <txauth@ietfa.amsl.com>; Sun, 25 Oct 2020 05:48:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fvLQlTmqE7V8 for <txauth@ietfa.amsl.com>; Sun, 25 Oct 2020 05:48:06 -0700 (PDT)
Received: from mail-il1-x12a.google.com (mail-il1-x12a.google.com [IPv6:2607:f8b0:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB0943A03F2 for <txauth@ietf.org>; Sun, 25 Oct 2020 05:48:06 -0700 (PDT)
Received: by mail-il1-x12a.google.com with SMTP id q1so5686068ilt.6 for <txauth@ietf.org>; Sun, 25 Oct 2020 05:48:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OXlfpjsFodkgkPsqp9f5cPYQF+br8eOfS+uCKgN26SE=; b=TwKiXyb9G910r+EsTs8ctBIF82GK3WQZCWwXeIgijv6mTnv/wyNDTzCVBHBjLqPPRY scaOVT7x3DynP1vbXD4u8id2CQ0JDAKA3NFzErYXjZ4aezTsEJhWMlXvEmTeWvCHfVSX 3Cym9HMZD5zNX1eNWgy4LiU+so2REhfdDVBBe6uEYB4BTu76NWmQZ4UABJHibmieWnx0 2POKI06bKJa1R5H8u6YoZWSkb1E0meQdD3NM1hioeqZtVprUqcNvFk6QAa99oEJssXHo /C4UEusPVeCERXXgHxFv32RKDXtNVqn/NnfisZRSOGnURArRNlMhmnqZYu+Pz33H0LWK YroA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OXlfpjsFodkgkPsqp9f5cPYQF+br8eOfS+uCKgN26SE=; b=IcooMyWQCJuubuVroHg8XjtXlXu5aDK797isFp2Bz0PlQLh55SFMdFrGHdD0w4tbrh a0mVtTayRDWzRjeU4fHlNzPB3FUTZ20RoqAk25/Yw+ny/2yvCWrEOPK9eM4lfY0FZoi6 V10/gkXQtcRM6aOOuswTE+Q0wmb10niv48X93UO5ZXcjE2bDjHNpd5fG4f9j3ztuR6JS h6kbXxjZqBdaQO3b0nWWe0+bV8kHNSeTH8Mb60dCM/LDD7GO+pVpWlH9lyxDCrKFXDQZ Es0Vfo14n/yyNGtOHOGeiUMxBbWv7CKKE/FxzvgtIt6pIXrJIA4rXnyQFcSyUK+hPZNU odgQ==
X-Gm-Message-State: AOAM5319y8syEu1XwZGz4O8agulMIR3N+5cC9Blv1HSLZ1Vl+RfaV3LN 4wSYSYHY3rZ8eBMWO4LD7KW8q947EyxYgnNT3wfKPC53
X-Google-Smtp-Source: ABdhPJzBH8C2Ipp6gQQYWJSK7BQOlxugJG4G2cJgEBpDFzCDZS2atcyUL+KTi14j1hw8TqPcXi4GKkInU7Gy5BIFsdQ=
X-Received: by 2002:a92:1548:: with SMTP id v69mr2975266ilk.68.1603630085617; Sun, 25 Oct 2020 05:48:05 -0700 (PDT)
MIME-Version: 1.0
References: <CADxMOMf016Rq2GhRF5utT6KsiQiS3ir4QXjrnW_1+buiqtG7uA@mail.gmail.com> <AAF5364C-F337-483F-B011-A2B11779290E@mit.edu> <CAD9ie-v-RygTSh4VBnAzMDFy6O21sH-Jhh+_7QMVTT0mn_ur2g@mail.gmail.com> <30AE73A0-6A18-454A-AA20-0ECE5AEBD49A@mit.edu> <CAD9ie-s1ENJv610qGYLB=OJaX7q2g3G1zWA+YeNWoRPdktVi2A@mail.gmail.com> <14F2A48D-F6CC-4DF4-9F5F-D3A01776907A@mit.edu> <CAM8feuRWn8Hyd-kcODBTtfmNquhkKHgtONfsD-W3VrmPXGDf+A@mail.gmail.com> <CAD9ie-sckXpX_2JYPRMnk34naZ4Yi4LSsU6o4ep-OtzaWqadyw@mail.gmail.com> <CAM8feuSXN3jfUvVbV0pB-WyKFJtQ_LCPrTR+mko9N25hC7sQLA@mail.gmail.com> <068A8288-6894-4320-B1C0-56DB9A38D714@gmail.com> <CAM8feuS4ENJTYfy8ZGDsSdCqOabRpk245VkaSL9hj8efgOAFfQ@mail.gmail.com> <BFC2B38C-A699-4ACF-A9C8-215186B639C0@gmail.com>
In-Reply-To: <BFC2B38C-A699-4ACF-A9C8-215186B639C0@gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Sun, 25 Oct 2020 13:47:53 +0100
Message-ID: <CAM8feuS+phBs2VDcpP5nL5CJcEMNe+khGFeEX8n9tVFkcrXytg@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Dick Hardt <dick.hardt@gmail.com>, Mika Boström <mika.bostrom=40smarkets.com@dmarc.ietf.org>, GNAP Mailing List <txauth@ietf.org>, Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="0000000000009abc8605b27e3995"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/5H268Ac_N8aOs-yJWQ2C-KXIYYA>
Subject: Re: [GNAP] Feedback on polymorphism
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Oct 2020 12:48:12 -0000
Hi Yaron, As Justin explained that's the kind of idea we tested. For instance https://github.com/fimbault/test_gnap_schema (in rust). Cheers Fabien Le dim. 25 oct. 2020 à 13:36, Yaron Sheffer <yaronf.ietf@gmail.com> a écrit : > Personally, I would support polymorphism in the protocol if it (the RFC) > came with a well-defined JSON Schema [1] document, so a recipient can > automatically validate incoming messages at run-time. I would expect > senders to also validate messages as part of their testing. It’s not an > ideal solution, because: > > > > - Some people at the IETF don’t like JSON Schema, for various reasons. > - JSON Schema is not a standard, so it’s painful to require it > normatively. > - Even if it’s normative, some recipients will not validate messages > anyway. > > > > This would be shifting some of the complexity from the library developer > to the spec developer, which is the right thing to do IMO. > > > > Thanks, > > Yaron > > > > [1] https://json-schema.org/ > > > > > > *From: *Fabien Imbault <fabien.imbault@gmail.com> > *Date: *Sunday, October 25, 2020 at 12:39 > *To: *Yaron Sheffer <yaronf.ietf@gmail.com> > *Cc: *Dick Hardt <dick.hardt@gmail.com>, Mika Boström <mika.bostrom= > 40smarkets.com@dmarc.ietf.org>, GNAP Mailing List <txauth@ietf.org>, > Justin Richer <jricher@mit.edu> > *Subject: *Re: [GNAP] Feedback on polymorphism > > > > Hi Yaron, > > > > Thanks for the feedback. > > > > Regarding client libraries, I think we can indeed learn a great deal from > cryptographic libraries. Cryptographic design provides a great amount of > flexibility for the specialists (including many parameters that you really > need to get right). We might think this is great to provide options but it > actually increases the cognitive load of library users. > > > > Look instead at what Google has provided with tink as an alternative and > you'll see it is a much easier way for cryptographic engineers (who aren't > cryptographers) to avoid mistakes or misuses. > > > > That's the *security* issue I'm referring to (not the fact that being open > they're tasty targets, although that may be related in some cases). And > tink is the kind of design we should be trying to achieve. > > > > I agree that it should be applicable to a wide range of well known > programming tools, including the likes of java and go. > > But I don't really see a limitation here. Might not be the most idiomatic > feel, but it can be made to work. > > > > Just so I understand, what alternatives would you prefer to polymorphism? > I can suggest json-ld but even Justin will Teel you it's even more complex > :-) > > > > Cheers > > Fabien > > > > Le dim. 25 oct. 2020 à 11:17, Yaron Sheffer <yaronf.ietf@gmail.com> a > écrit : > > Hi Fabien, > > > > I think your product management model has a lot of merit, but it does not > capture the security issue well. > > > > I agree that as we look at different customer personas, the “end user” > (the developer that’s using the libraries) should be our highest priority. > But I disagree about end-user mistakes being the top **security** issue. > Libraries are often open source in our space and used very widely. So they > make for tasty targets, and people are attacking them and are still finding > security issues in libraries that we’ve been talking about forever [1]. > > > > (Yes, my example is actually an app flaw, but I think it could have been > prevented by a better designed library.) > > > > In other words, we do need to care about how easy it is to implement the > protocol correctly by **library** developers. From Justin describing his > own experience and other people on the thread that Dick referred to, I > would say that JSON polymorphism is painful for Java and Go developers. > With all due respect, I care about them much more than I care about > Haskell, as many more implementations are likely to use these languages. > > > > Thanks, > > Yaron > > > > [1] > https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/ > > > > *From: *TXAuth <txauth-bounces@ietf.org> on behalf of Fabien Imbault < > fabien.imbault@gmail.com> > *Date: *Sunday, October 25, 2020 at 01:25 > *To: *Dick Hardt <dick.hardt@gmail.com> > *Cc: *Mika Boström <mika.bostrom=40smarkets.com@dmarc.ietf.org>, GNAP > Mailing List <txauth@ietf.org>, Justin Richer <jricher@mit.edu> > *Subject: *Re: [GNAP] Feedback on polymorphism > > > > Hi Dick, > > > > Independantly from the debate on polyphormism, I beg to differ on your > order preference. > > > > Your assumption is that AS devs matter the most, because they're doing > the important security implementation. But eating our own dogfood might > help a lot to change that view. Most security issues occur because users of > the spec are unable to deal with the complexity that is passed onto them. > > > > 99% of the people that will actually use the output of the work are > application developers (client or RS) and their own users. > > > > Our intent as well as the protocol drive the usage. Client libraries may > help, but they're not a silver bullet, especially because GNAP ultimately > has no control about what people do there (for better or worse). And > everything we do here will help get to the better part. > > > > I'm not saying we don't intend to also care about AS developers (beginning > with ourselves) but it's a second order optimisation. And since it's a > tendancy we're leaning towards by default, I'm pretty sure we won't forget > that anyway. > > > > Fabien > > > > > > Le sam. 24 oct. 2020 à 23:50, Dick Hardt <dick.hardt@gmail.com> a écrit : > > I'm confused by your logic Fabien. > > > > If a client library developer wants to expose polymorphism, they can do > that independent of what is in the protocol. > > > > I differ on who our stakeholders are. > > > > I think our stakeholders are in least to most important: > > > > - AS developer > - RS developer > - client developer > - user > > > > A client library developer can expose whatever interface they want to > simplify implementation. > > > > I list the user so that we don't lose site of a critical role. > > > > /Dick > > > > > > *Error! Filename not specified.*ᐧ > > > > On Fri, Oct 23, 2020 at 6:27 PM Fabien Imbault <fabien.imbault@gmail.com> > wrote: > > Hi there, > > > > Let me try to approach the issue under a different light. More like a > product manager would deal with feature selection to make it intuitive for > its users. > > > > For most people, riding a bike is far easier than using a unicycle. Feels > more stable. And yet it's way easier to design for a single wheel than to > build with 2. Because then you'll need a lot more accessories (chain, chain > ring, etc.). Even so producing a bike doesn't have to be a brittle process, > it can be industrialized. > > > > Back to the GNAP topic. > > Ultimately we should strive to make the spec as simple as can be. But we > need to ask: simple for whom? For the bike owner or for the bike vendor? > > (short answer: the priority should be simplicity for spec users, not spec > implementers and even less spec designers). > > > > The initial question that is asked is very interesting: isn't the design > flawed if GNAP is using json polyphormism? Or if the AS needs to handle the > state of the request? Or if we must handle token revocation? Or if we are > looking for a global unique identifier? The argument stems of the fact that > is still arguably harder and more error prone to implement. Fair enough. > > > > From a spec implementer's perspective, it may well be more complex. It > mostly impacts the json library you'll end up using, plus a bit of > input/output decoration around it. Even golang provides utilities for this, > despite not exactly being made for this kind of purpose. > > My practical experience implementing it is that it's not that big a deal. > I mean, I wished it could be simpler, but it's manageable and there are > other ways to reach levels of insurance that it does work as intended (json > schema, test cases to validate the implementation, etc.). Arguably it is > still easier from an implementation perspective than say, json-ld, which is > massively used in the SSI community. > > > > But ultimately who are we designing for? Are we striving to go easy on the > spec implementer? Or are we trying to make sure end-developers using the > client libraries won't shoot themselves in the foot? > > > > The job to be done (JTBD), from the end-developer's perspective, is to > efficiently ship an application. And provide authN/authZ capabilities for > end-users by relying on some well known implementation. > > In turn, this spec implementer will rely on cryptographic utility > libraries that deals internally with the complexity of their own domain, so > that we don't have to. And here we could launch another HN flame war that > starts with the title "JWT sucks because". Which does have its set of very > real issues but that's beyond the point. > > Note that any decent flamewar will be efficiently fueled by people hating > medium. Is it outrageous for blog posts to be behind a paywall? Maybe but > it's even more outrageous to lack consistency, either by not knowing how to > get around a paywall if you're into a hacker punk movement, or on the > contrary by to not paying a subscription if you believe that surveillance > capitalism, to reuse Zuboff's terms, should be eradicated. > > What likely seems an unnecessary sidenote tries to illustrate the point: > for Justin it was easier to publish on medium, because as a blog publisher, > you might not want to deal with hosting your own blog. But maybe as a > reader you'll find that annoying. Different audiences, different JTBD, > different tradeoffs. > > > > Polyphormism is a tool that enables the end-developer to have minimal > knowledge of what it means to deal with a GNAP client library. You prepare > the request, send to the endpoint and you're good to go. Massively simpler > than OAuth2 or any similar protocol by the way (as anyone with teaching > experience on the subject might acknowledge). And there's a lot more to be > done to make sure we indeed reduce the complexity for the end-developer and > the end-user. > > > > If we find a better way to deal with that simplicity balance, I'm all in. > But the arguments need to be way more convincing than just saying that it > may be difficult to implement or validate. > > > > Cheers. > > Fabien > > > > > > > > > > > > Le ven. 23 oct. 2020 à 22:35, Justin Richer <jricher@mit.edu> a écrit : > > > > > > On Oct 23, 2020, at 3:52 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > > > > Justin > > > > I did note that I was the one that argued for instance_id being in the > object. Since it is in the object in the current draft, not including a > pass by reference option would be preferable. > > > > As for concrete examples: > > - version of client > > - version of OS > > - security attestation of OS / device > > - location of client device > > - network client is operating on > > > > These are all attributes of the client that an AS may require on the > initial grant request, and in future grant requests (which is when an > instance_id) would be used. > > > > > > This is where our interpretations differ: I don’t see these as “attributes > of the client” in the same way that the key, display information, class > identifiers, and other items currently represented by an instance_id are > attributes of the client instance. The attestation components don’t modify > the instance so much as present additional information on top of the client > instance itself. This is why I argue that they ought to be handled in a > separate object, so you’d have something like this strawman: > > > > { > > > > posture: { > > software_version: 1.2.3, > > os_version: 14.3.2 > > device_attestation: { … some structure or signed blob? … } > > location: { lat: …, lon: …, alt: … } > > }, > > > > client: “client-541-ab" > > > > } > > > > This is a more fundamental question about GNAP than whether the syntax > uses polymorphism: this is about GNAP being very explicit about the data > model of its elements. OAuth 2’s incredibly loose and broad model of what > the term “client” is referring to, exactly, is deeply problematic in > practice. We’re even seeing that in the OAuth 2.1 work with having to > define a “credentialed client”, and even then that doesn’t fully capture > the different aspects that are out there. I think we’re getting closer here > in GNAP with explicit definition of “client instance”, but we still need to > be more precise about what exactly a client instance includes, and what it > does not. > > > > — Justin > > > > > > /Dick > > > > *Error! Filename not specified.*ᐧ > > > > On Fri, Oct 23, 2020 at 12:42 PM Justin Richer <jricher@mit.edu> wrote: > > Dick, > > > > As you’ll recall, I argued against including the client instance > identifier inside of the object as a mutually-exclusive field precisely > because of the principle violation that you are pointing out here, and so > it’s important to point out that the current text is a compromise that > needs to be examined in the wider experience of the working group. I am on > the side of removing the mutually-exclusive “instance_id” option within an > object, but this needs to be explored. > > > > The crux of my argument is that is exactly a case of pass-by-reference vs > pass-by-value, and that runtime attestations are not part of the “client > instance” value itself but rather belong outside of that object in a > another part of the request. As stated in the editorial notes in this > section, we need to look carefully at how these concepts fit within the > model and where we would want to put them. Without concrete examples of > what these extensions look like and how they’re generated, that is nearly > impossible to do at this stage. I look forward to seeing examples of this > kind of data and how it can fit into the protocol. > > > > — Justin > > > > On Oct 23, 2020, at 3:07 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > > > > Hey Justin, > > > > As the draft has evolved, I question the continued use of polymorphism. > Note that I appreciate the elegance of using a string for > pass-by-reference, and an object for pass-by-value. > > > > In the current draft, the > > > > Every time you create or process a field it will mean only one thing, and > there’s only one field to look at to answer a question. > > > > is violated in 2.3.1. Identifying the RC Instance > <https://tools.ietf.org/html/draft-ietf-gnap-core-protocol-00#section-2.3.1> > > > > > > instance_id An identifier string that the AS can use to identify the > > particular instance of this RC. The content and structure of this > > identifier is opaque to the RC. > > > > "client": { > > "instance_id": "client-541-ab" > > } > > > > If there are no additional fields to send, the RC MAY send the > > instance identifier as a direct reference value in lieu of the > > object. > > > > "client": "client-541-ab" > > > > The instance identifier can be sent two ways. Polymorphism is a > convenience for the client, but requires the server to have two code paths > for "instance_id". We discussed this in the design team, and I argued for > having "instance_id" in the "client" object so that any updates, such as > new devices assertions, could be in the "client" object. As noted above, > while I appreciate the elegance of using a string (handle) to reference a > previously provided object, it complicates how to update an existing object > while providing the reference. > > > > In your example of the "key" object below, setting "proof" to bearer would > avoid the issue you describe: > > > > { > "key": { > "proof": "bearer" > } > } > > > > In your example, when processing the "key" object, code is having to check > both the JSON type of the property, as well as check the value of the > "proof" property. In the example I provided, only the value of "proof" > needs to be checked. The "proof" property is acting as a type for the "key" > object. > > > > Not being a Java programmer, I don't know how this would work in a Java > implementation, but node.js, the processing would need to be done as above. > > > > On a related note, there was significant negative feedback on handles and > polymorphism in the Hacker News article > https://news.ycombinator.com/item?id=24855750 > > > > /Dick > > > > > > On Fri, Oct 23, 2020 at 10:20 AM Justin Richer <jricher@mit.edu> wrote: > > Hi Mika, > > > > Thanks for bringing this topic here — I was able to see the forum > discussion that brought you here, and hopefully I can help clear up what I > mean with how polymorphism is used in the proposal. The short version is > that the goal is to *avoid* the kinds of ambiguity that make insecure > protocols, and so in that goal we’re fully aligned. I think that using > polymorphism in very specific ways can help that goal — just as I agree > that misusing it or applying it sloppily can lead to ambiguous and insecure > systems. > > > > Some background: I built out the XYZ protocol (one of the predecessors to > the initial GNAP Draft) in Java using strongly typed parsers and Java > objects specifically to prove to myself that it could be done in a way that > made any sense in the code. (My own open source implementation is at > https://github.com/bspk/oauth.xyz-java, but note that it’s not yet up to > date with the GNAP spec). It was important to me that I be able to use the > system-wide configured parsers to implement this and not have to resort to > stepping through elements completely by hand. Java doesn’t make it simple > to get the hooks into the right places (especially with the Jackson parser > that I used), but it is definitely possible to create a deterministic and > strongly-typed parser and serializer for this kind of data structure. Some > of the rationale for using polymorphism is covered in the trailing appendix > of the draft document ( > https://www.ietf.org/archive/id/draft-ietf-gnap-core-protocol-00.html#name-json-structures-and-polymor), > but it’s still good to discuss this here as the working group decides which > approaches to take. > > > > The driving reason for using polymorphism at the protocol level was to > simplify the protocol and make it :more: deterministic to create and > process, not less. Every time you create or process a field it will mean > only one thing, and there’s only one field to look at to answer a question. > Without polymorphic field values, you usually need to rely on mutual > exclusivity of fields, which is prone to failure and requires additional > error checking. Take for example the key binding of access tokens. An > access token could be bound to the RC’s key used during the request, to a > different key chosen by the AS, or it could be a bearer token with no key > at all. By making the “key” field polymorphic, we can define it in terms of > boolean values and objects and express this set of mutually-exclusive > options in a non-ambiguous way. Without that, you’d need to have different > fields for the options and include additional checks in your parser to make > sure they weren’t sent simultaneously, otherwise you could get hit with > this potential security vulnerability in an object: > > > > { > > key: { > > proof: httpsig, > > jwk: { … key value … } > > }, > > bearer_token: true, > > bind_to_rc_key: true > > } > > > > This would be an illegal object as per this alternate proposal, but then > you’d have to check each field and make sure it wasn’t put next to others > in the same object. I’ve done this exercise with many other protocols and > it’s both error prone and easy to ignore since all the “good” examples > would pass code that doesn’t check this. With the polymorphic approach to > this same field, each of these three mutually-exclusive states is written > in a way that they cannot be sent together. It’s not just illegal, it’s > impossible and enforced by the syntax of JSON itself. > > > > { > > key: { > > proof: httpsig, > > jwk: { … key value … } > > } > > } > > > > // bearer token > > > > { > > key: false > > } > > > > // bound to the RC’s presented key > > > > { > > key: true > > } > > > > If someone sends a different type for this field, like an array or number > or a null, this doesn’t have a defined interpretation in the protocol and > would be a protocol level error. > > > > While it might sound like polymorphism means that any field could have any > type or value, the opposite is true: each possible value is explicitly > typed, it’s just that there are potentially different types that express > meaning for the field. This applies to all members of all objects > (dictionaries) as well as all members of an array (list). Every time you > process a field value or other element, you look at the type and then the > value to determine what to do with that typed value. > > > > In your example below, each field within the dictionary would also need to > be typed, and each type would need to have a clear indication of its > meaning. To take your strawman key format below, the “modulus” field could > be defined polymorphically as either a “bigint” (a JSON number) or an > “encoded string” (a JSON string). The definition would further say what > exactly the encoding of the string would be. That means that when you read > the “modulus” field there wouldn’t be any confusion on what the value was > or how it was represented, regardless of the input format. Seeing a number > there means exactly one interpretation and seeing a string means exactly > one (different) interpretation — but importantly, both of them are a > “modulus”, since that’s the field that determines the type. An > implementation would likely use an internal BigInteger type of object to > represent the field value after parsing, so the question is how to go from > the JSON value (which is typed) into the BigInteger value.You don’t just > apply the type rules on the “public_key” field, you apply it to all > sub-fields of that object. > > > > So let’s dig into the specific bug you bring up in the strawman, because > it’s interesting: A JSON encoder that encodes numbers as strings, and not > numbers, is not compliant with the JSON definitions of the field in > question. For another example, the quoted string value of “true” is not > equivalent to the boolean value true in JSON, and they shouldn’t be treated > the same by a parser implementation when mapping to a concrete object. It’s > in this kind of automated guessing that this class of bugs occur, and > that’s going to be the case whether or not you take advantage of JSON’s > polymorphic nature. I’ve run into cases where a parser library was trying > to be overly “helpful” in doing this kind of mapping, but ended up > introducing errors in more strict components downstream. This is something > that protocol designers need to be aware of and guard against in the design > of the protocol to reduce possible ambiguities. Within GNAP today, we > generally have things that branch whether they’re an object (for a rich > description of something) or some non-structured special value (for a > reference or other item). > > > > The design team created some simple JSON Schemas for parts of the protocol > during our discussion, but we didn’t include them in the design document > due to both lack of time to keep it updated with the rapid changes to the > protocol during the design team discussion, and not knowing if there would > be interest in such material. I personally think it would be helpful to > include as an informative reference in the final document, but that’s > something for the working group to take up eventually. > > > > — Justin > > > > On Oct 23, 2020, at 10:18 AM, Mika Boström < > mika.bostrom=40smarkets.com@dmarc.ietf.org> wrote: > > > > Hello, everyone. > > > > For background: GNAP/TxAuth/XYZ/Oauth3 came up on a discussion forum and > when I made note about certain concerns, I was requested to send my > comments to this working group. > > > > In short, I believe that the use of polymorphic JSON in the protocol > invites subtle and confusing implementation problems. I also searched > through the WG archives, and noticed that similar concerns were noted, > briefly, in a thread in July. > > > > The problem with polymorphic values, as I see it, is that implementations > will need to branch on the (inferred) type of a given field. This isn't > quite as bad if the types are strictly different, but allows for subtle > bugs when the value in question is a dictionary. What makes this > unappealing is that "subtle bugs" in security protocols have a habit of > turning into vulnerabilities. > > > > Let's say we have these imaginary payloads, both possible and valid in the > same protocol step: > > > > # payload 1 > > { > > ..., > > "public_key": { > > "alg": "rsa", > > "modulus": <BIGINT> > > } > > } > > > > # payload 2 > > { > > ..., > > "public_key": { > > "alg": "rsa", > > "modulus": "<encoded string>" > > } > > } > > > > In both cases, the type of "public_key" field is a dictionary. In both > cases, they even have the same keys. However, the values in the > dictionaries are entirely different, and an implementation will have to > branch to at least two possible decoding mechanisms. To make things worse, > some JSON implementations may choose to encode non-dictionary values as > strings, so it is possible for an originator to transmit what they expect > and believe to be payload 1 format, but which the receiver will interpret > to be in payload 2 format. And if the encoded string contains only digits, > it will even parse correctly as a bignum. > > > > While the above is clearly a manufactured scenario, it nonetheless > demonstrates the potential for logic bugs with polymorphic JSON. With > richer types and more complex dictionaries, there will surely be more room > for errors. > > > > Ambiguity in protocols is always a source of implementation complexity and > interoperability snags, but in an AuthN/AuthZ protocol it is worse: it's > terrifying. If GNAP/Oauth3 is intended to supersede Oauth1/2, wouldn't it > be in everyone's interest to keep implementation complexity and mistake > potential to a minimum? > > > > Best regards, > > Mika > > > > -- > > Mika Boström > > Smarkets > > -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > > > > -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > > *Error! Filename not specified.*ᐧ > > > > > > -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > > -- TXAuth mailing list TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > >
- [GNAP] Feedback on polymorphism Mika Boström
- Re: [GNAP] Feedback on polymorphism Justin Richer
- Re: [GNAP] Feedback on polymorphism Dick Hardt
- Re: [GNAP] Feedback on polymorphism Justin Richer
- Re: [GNAP] Feedback on polymorphism Dick Hardt
- Re: [GNAP] Feedback on polymorphism Justin Richer
- Re: [GNAP] Feedback on polymorphism Fabien Imbault
- Re: [GNAP] Feedback on polymorphism Dick Hardt
- Re: [GNAP] Feedback on polymorphism Fabien Imbault
- Re: [GNAP] Feedback on polymorphism Fabien Imbault
- Re: [GNAP] Feedback on polymorphism Yaron Sheffer
- Re: [GNAP] Feedback on polymorphism Fabien Imbault
- Re: [GNAP] Feedback on polymorphism Yaron Sheffer
- Re: [GNAP] Feedback on polymorphism Fabien Imbault
- Re: [GNAP] Feedback on polymorphism Huang, Peter (HPE HQ)
- Re: [GNAP] Feedback on polymorphism Justin Richer
- Re: [GNAP] Feedback on polymorphism Yaron Sheffer
- Re: [GNAP] Feedback on polymorphism Justin Richer
- Re: [GNAP] Feedback on polymorphism Dick Hardt
- Re: [GNAP] Feedback on polymorphism Dick Hardt
- Re: [GNAP] Feedback on polymorphism Fabien Imbault
- Re: [GNAP] Feedback on polymorphism Mika Boström
- Re: [GNAP] Feedback on polymorphism Fabien Imbault
- Re: [GNAP] Feedback on polymorphism Justin Richer
- Re: [GNAP] Feedback on polymorphism Yaron Sheffer
- Re: [GNAP] Feedback on polymorphism Justin Richer
- Re: [GNAP] Feedback on polymorphism Justin Richer
- Re: [GNAP] Feedback on polymorphism Fabien Imbault
- Re: [GNAP] Feedback on polymorphism Andrii Deinega
- Re: [GNAP] Feedback on polymorphism Fabien Imbault
- Re: [GNAP] Feedback on polymorphism Yaron Sheffer
- Re: [GNAP] Feedback on polymorphism Fabien Imbault
- Re: [GNAP] Feedback on polymorphism Dick Hardt
- Re: [GNAP] Feedback on polymorphism Fabien Imbault
- Re: [GNAP] Feedback on polymorphism Justin Richer
- Re: [GNAP] Feedback on polymorphism Fabien Imbault