IETF Logo Mail Archive

Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00

Francis Pouatcha <fpo@adorsys.de> Mon, 16 November 2020 16:35 UTC

Return-Path: <fpo@adorsys.de>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 351BD3A139B for <txauth@ietfa.amsl.com>; Mon, 16 Nov 2020 08:35:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=adorsys.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GzrarVxzGrnM for <txauth@ietfa.amsl.com>; Mon, 16 Nov 2020 08:35:53 -0800 (PST)
Received: from DEU01-FR2-obe.outbound.protection.outlook.com (mail-fr2deu01on2071d.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e24::71d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EDD63A12CD for <txauth@ietf.org>; Mon, 16 Nov 2020 08:35:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NIDQHofLy8zlOjmbRz1/StZgoewJnRsLSKqdvnNOpm7F8Ej387BeGbMy70uRWgY29PZXwFwts9M7NS78RMf4VdQ7GRvnxnLr6JSc29cq2CRBVo5yq0+Oshmpnc+aU6/xNNlnHka7h1fM86t5FuXL57VxN7fTvwb7jLCkAG6gTBoe2qDfqw+wb9HUy+Q3JqYCEuKQWxCZBp67FKPYcQPW+CWKpx8yKyXZn+kn/Wmr2xOLBBZYSVN2PNFxrYEn2FDHBdUJ9nGBdMymYYTKn0enESlyRn41+G4cX1O16J5xaTIySpk7chu3m3YmT2ZhgRylktdeaxMfi3BEfJ7glJi6uw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2zuAxzCGXcWY3QuqsEADSdHjD00r9efzwuC1gRiSwL0=; b=BzzEY8aoyoDO3eS4+xqAEEJs24bdj6gF6LspPYX/1tdG1Mn8+igL0l4zLWNqzNbMaSbs58i6heUhmMLH45NYzrh/74TFrqSpqF8G7FSI/Zy5dVnvlM4eqZtvZ34rpR4UPrT0HPID6rno9swzMFKwbAc93zuoU5GXjOfCegi1wzPIan86FFFWtmAs3X9NRBaKjJ08OFnAQYZi8X84nM8Mg6xbrad4HEiPeYqlF5xFesS0pfuGlGk4/gZ+z9Nk04OfPQKyT7RIlANg86O618QZqd2yuStxLvjhkPzOHGvr0felMcR1FHaWfev+FcJd+Wlm7+BD2Rrzd8diOJ189N+LcA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=adorsys.de; dmarc=pass action=none header.from=adorsys.de; dkim=pass header.d=adorsys.de; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adorsys.de; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2zuAxzCGXcWY3QuqsEADSdHjD00r9efzwuC1gRiSwL0=; b=9Y5D43yfSKjM8FPCU/PvxyifHuMzjUuWiVwodeoY/AWXJ5lfRha1OTiT72/3KjJTg1ciBekwAJTTAj/De1KnA/gWCe1KaK22zmM7n39YYQe9bTvR6/O42y732li6exPGeKIEheBktaZtH8M3j1KCi9I+5sm9MhnN5b56EDQTO+grvCQRD7Uup3YTGZAq2B0zkHyLPpJh6UV3g+an7OM0JLZhFVxHfVGwh6YC129aRJVuAZUFLzvzsc/jSNm706/ImsyBBFO29jKW/ogqtcsv0cqJAbSrzQKL4zuzcpyOXUK4evehUvdCkgVIGbkssq2zqmjM2DFukkqd6Me2XHr4yw==
Received: from FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:11::11) by FR2P281MB0059.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:f::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.15; Mon, 16 Nov 2020 16:35:42 +0000
Received: from FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM ([fe80::b06b:117e:61f0:138b]) by FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM ([fe80::b06b:117e:61f0:138b%3]) with mapi id 15.20.3589.017; Mon, 16 Nov 2020 16:35:42 +0000
From: Francis Pouatcha <fpo@adorsys.de>
To: Fabien Imbault <fabien.imbault@gmail.com>, Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org>
CC: GNAP Mailing List <txauth@ietf.org>
Thread-Topic: [GNAP] Review of draft-ietf-gnap-core-protocol-00
Thread-Index: AQHWsiy3H8is1hHc2keFJtXpCHRvoKnGFMOAgATzTCY=
Date: Mon, 16 Nov 2020 16:35:42 +0000
Message-ID: <FR2P281MB0106C83420ED3F8DF2723BFD8DE30@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM>
References: <160433257633.23038.15047041472414640530@ietfa.amsl.com> <AB11DC08-C6ED-4045-A8F5-872AD263035D@mit.edu> <FR2P281MB01063C2EA739E892B549611D8D110@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM>, <CAM8feuQcCdQFGUKy-ou7H3Ta38yyN1LR+0XJd9WophRMRdPDEA@mail.gmail.com>
In-Reply-To: <CAM8feuQcCdQFGUKy-ou7H3Ta38yyN1LR+0XJd9WophRMRdPDEA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=adorsys.de;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [65.33.157.159]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5b060a20-3038-4aa1-1734-08d88a4da8e7
x-ms-traffictypediagnostic: FR2P281MB0059:
x-microsoft-antispam-prvs: <FR2P281MB00591CCAA3101AA8DF451FB7CDE30@FR2P281MB0059.DEUP281.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: B0aQtFopH5aTo33UxzDaIPCRbJMNjf6lYxbMwlkdbj69fIXew0y6b3H+Q4cchzDpj5YeFUjuVtbTIun39tAMXW0hJmRzAOHoCP90xFpBeTmC2QAC+QxiFz9IjAyaCwCmkf5KN9vLywUVIPfXvn/0LrdeTXjK2zG6NoDPTeZ1ms2XZrAcsTbQn/LwuCHv2JYqZuoNFUlHIYtvtThRktzaPOS4H7XNUx+iVR6f72sMJQ1XNnAQeA4NiwxbOudXuMDRciZyOK642Vt6zu/TeBVdADxfxgUVtt2ojV8d/pwoG2EQE70O0vhW3eV+kM9ehG9gawyvPlFrpD9IPWKZ/7Dsk/pSqIOqG1pA/6MVcKTzPmCrOiQzwqAbiwDBb92O8ik0wxJxsT8CXYaayFSCYrVzoQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(396003)(376002)(366004)(136003)(346002)(39840400004)(110136005)(9686003)(7696005)(186003)(86362001)(6506007)(53546011)(26005)(4326008)(478600001)(33656002)(19627405001)(55016002)(8936002)(2906002)(316002)(66946007)(66556008)(8676002)(166002)(66574015)(83380400001)(52536014)(71200400001)(5660300002)(64756008)(66446008)(66476007)(76116006)(91956017); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: jl0RzYA8khyPit7bnixbylgFN/+xvQhM8+VHQSdOaKT7zEfk1NrFyuW0DJI4tpflb0kOQEcI6IMvl8YjmQ5zSeOz1U4NytjhPuNuhs/NuUTCNYWI7oT6Ho4C9iD1FLkk7qSfJ/95+q9FKKdYanr51a0Yu0aq2jPPaFDg0Xg1gJPwDcR++3BKnakcIXjRFNYg2jlnilKBEHuPGtjuq9xEbwFlvvU4lfV1vn0x12d4h/EADyH/01KCt+olGmxwAMTkU8lbsx7ayPXK0zSOamDKIBPVGuWsVI4ywVir9yOR/l8EC6KP5T1aYZiCvv6FkhCEhFhZ8UixO3bh1iAfCBrwkdrbH4DmvGh3NIw2EFndWfzejqbOv0ByOWpt/DJyexxc0lblORsChzZmFSQOj1cAO5Pai5jbLC239Olm1FvGJCJIeYq/pCxtLGAfvyJOY3L2M6LjJ+er4DvOpcJAkEoAuPsRPniwpGY6Wky2/DCCKsxHYcykNTPmoMoG9yWxbV9G1uxxAx41zF9BOkqRsWSEaF1Yb1xo/s5kgkau+Pp02NWC+dt7oZ3FDeyHAKa8jyfTJGNVtgDwZ+SRJR3IdUDcNCQfysoLkx30981TJ8Tp9don7ixeeBW8IUVsbUhMEtwLvVL1N6BJfo/RIgyUNzNxISwGrMkafiiAcKOPOKbcju7BvR/wOdeNpdaog8wnMcX/cC9TwbkqxaZf8fRypbiwduWkjPlsf62dGjnNGq9PQgqp85GVo/sHBLCTpb3bYrP/P6OyFLq2f1dhoBcnlft68w==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_FR2P281MB0106C83420ED3F8DF2723BFD8DE30FR2P281MB0106DEUP_"
MIME-Version: 1.0
X-OriginatorOrg: adorsys.de
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 5b060a20-3038-4aa1-1734-08d88a4da8e7
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Nov 2020 16:35:42.2701 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5e2c5484-e522-479d-91ca-515d6e0ce228
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: rj18TjeYMagMJWR4h8m/viBdvIjvC61tsRXvOFCgduReLyY05rnGR3FKQkX1Db8Tcsixjj1fUFYnjmz2nwp0ISOqJLySt2AkqVsaGQzmkhs=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: FR2P281MB0059
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/um-GxDERTfRuwwxnCIF9L41ekPI>
Subject: Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2020 16:35:59 -0000

On Tue, Nov 3, 2020 at 11:00 PM Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org<mailto:40adorsys.de@dmarc.ietf.org>> wrote:

B) Current Document

Roles description shall not hold any assumption on the physical structure of the party fulfilling the roles.
[FI] not sure what you mean
 [FP] for example, we assume the AS is a server! In most SSI based use cases, the AS will be running on the user device. See SIOP (https://identity.foundation/did-siop/).

Roles:
-> grant endpoint of the AS: Why is this a post request? This eliminates the chance of having user device hosted AS (no server).
[FI] what would you propose instead?
Would also be interested to understand better the deployment model when there is no server. That's something that was discussed several times but I'm still missing the underlying architecture and use case.
 [FP] See above (SIOP). There will be a lot of identity wallets operated on end user device.

-> Resource Owner (RO) : Authorizes the request? Does it authorize the request or the access to a resource?
[FI] yes, we should make the wording clearer

Missing Section Interactions:
--> This section shall introduce the notion of interaction before we start listing interaction types.
[FI] yes

Interaction Types:
--> I prefer a classification with Redirect, Decoupled and Embedded is. In the draft, we have one redirect and 2 decouple interactions and nothing else.
[FI] this should be handled as a specific discussion item. As a reminder, how would you define embedded?

In practice there's at least these modes:
- redirect and redirect back
- redirect to different browser or device
- user code
- CIBA
[FP] This classification is limited.

  *   Redirect: same device, same or different user agents (browser, mobile app, desktop app, ...)
  *   Decoupled: different devices
  *   Embedded : RC carries RO authorization to AS


Resource Access Request vs. Resource Request
--> Both are mixed up. No clarification of the context of each section.
[FI] could you clarify what you'd expect.  Btw on this topic, there's a more general discussion on whether we should make a distinction or not.
​[FP]: Here:

  *   Resource Access Request: Requesting Access to a resource. Response is an access token (or any type of grant)
  *   Resource Request: Request the resource. Response is the resource (or a corresponding execution)

Token Content Negotiation
--> Not expressed as such. This is central to GNAP and not represented enough  in the document.
[FI] right. This should be a specific discussion item.

Requesting "User" Information
we identify two types of users: RQ and RO. It will be better not to refer to a user in this draft, but either to a RQ or an RO.
[FI] yes that would avoid potential misunderstandings. Although in the end, people will translate RQ into user or end-user most of the time. Cf in definition, currently we have Requesting Party (RQ, aka "user")


Interaction Again
-> For each interaction type, we will have to describe the protocol flow and the nature and behavior of involved Roles (Parties), Elements, Requests.
[FI] yes

[FP] Will these and into tickets?

Best regards.
/Francis

v2.23.0 | Report a Bug | By Email