IETF Logo Mail Archive

Re: [Txauth] TxAuth Charter (Take 3.5)

"Richard Backman, Annabelle" <richanna@amazon.com> Mon, 20 January 2020 18:05 UTC

Return-Path: <prvs=281046ed8=richanna@amazon.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C573512008A for <txauth@ietfa.amsl.com>; Mon, 20 Jan 2020 10:05:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.498
X-Spam-Level:
X-Spam-Status: No, score=-14.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u97Buj5Y91V0 for <txauth@ietfa.amsl.com>; Mon, 20 Jan 2020 10:05:53 -0800 (PST)
Received: from smtp-fw-4101.amazon.com (smtp-fw-4101.amazon.com [72.21.198.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02C9C1200A4 for <txauth@ietf.org>; Mon, 20 Jan 2020 10:05:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1579543553; x=1611079553; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=UkaDjZxUSyBhH5UukS6ICmO0KUrrIGKAEca21VJNi94=; b=UZz5sKNmUrjgVEu8UMA9mxfIbci2bNxtj2R8xcSYQcn3G446fL5KZU4M 5icGdgoKfGnvzPRnGhcA1PLJLyIC+T8EW2S3Q0Gp4zwZs1eGkqFFHJOnJ uidwYIhu1PGqIG/W05aFAjjVnOJnKkIfDqCVsljxdBpRTCOTwzshpYdhr c=;
IronPort-SDR: vBwQhqCAlwWRvZY3dK0f6Wh8esFinYdPOcmj87pPc50nXlKz/tz19Wvy0+nBd4j4lE3XZo32qM 2e4Xm8Rxxr4g==
X-IronPort-AV: E=Sophos; i="5.70,342,1574121600"; d="scan'208,217"; a="13202522"
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-2c-168cbb73.us-west-2.amazon.com) ([10.43.8.6]) by smtp-border-fw-out-4101.iad4.amazon.com with ESMTP; 20 Jan 2020 18:05:50 +0000
Received: from EX13MTAUWC001.ant.amazon.com (pdx4-ws-svc-p6-lb7-vlan2.pdx.amazon.com [10.170.41.162]) by email-inbound-relay-2c-168cbb73.us-west-2.amazon.com (Postfix) with ESMTPS id BD460A219D; Mon, 20 Jan 2020 18:05:49 +0000 (UTC)
Received: from EX13D11UWC001.ant.amazon.com (10.43.162.151) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 20 Jan 2020 18:05:48 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC001.ant.amazon.com (10.43.162.151) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 20 Jan 2020 18:05:48 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1367.000; Mon, 20 Jan 2020 18:05:48 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Justin Richer <jricher@mit.edu>, "txauth@ietf.org" <txauth@ietf.org>
Thread-Topic: [Txauth] TxAuth Charter (Take 3.5)
Thread-Index: AQHVzgnRN98YkPBboUqjc2m+EFLyh6fzVkwA
Date: Mon, 20 Jan 2020 18:05:48 +0000
Message-ID: <F7F47DEF-DB58-4F1D-A00A-8731D44F2FA0@amazon.com>
References: <741262A9-A258-40DC-87AB-0ED7515D136E@mit.edu>
In-Reply-To: <741262A9-A258-40DC-87AB-0ED7515D136E@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.160.48]
Content-Type: multipart/alternative; boundary="_000_F7F47DEFDB584F1DA00A8731D44F2FA0amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/6kbYiU1UnvA1e0ymGjz_VrAyt9U>
Subject: Re: [Txauth] TxAuth Charter (Take 3.5)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2020 18:05:56 -0000

NIT: Mixed verb tenses in the last sentence of paragraph 2. Replace “as well as providing” with “and provides”.

–
Annabelle Richard Backman
AWS Identity


From: Txauth <txauth-bounces@ietf.org> on behalf of Justin Richer <jricher@mit.edu>
Date: Saturday, January 18, 2020 at 6:16 AM
To: "txauth@ietf.org" <txauth@ietf.org>
Subject: [Txauth] TxAuth Charter (Take 3.5)

Thanks for all the feedback and discussion on the last round of the charter. I’ve made a few tweaks to it based on the conversations on this list, and a couple off-list, and have incorporated them here.


This group is chartered to develop a delegation protocol for authorization, identity, and API access. This protocol will allow an authorizing party to delegate access to client software through an authorization server. The use cases supported by this protocol will include widely deployed use cases currently supported by OAuth 2.0 and OpenID Connect (an extension of OAuth 2.0) as well as new use cases not enabled by OAuth 2.0.

The delegation process will be acted upon by multiple parties in the protocol, each performing a specific role. The protocol will decouple the interaction channels, such as the end user’s browser, from the delegation channel, which happens directly between the client and the authorization server (in contrast with OAuth 2.0 which is initiated by the client redirecting the user’s browser). The client and AS will involve the authorizing party as necessary through interaction mechanisms indicated by the protocol. This decoupling avoids many of the security concerns and technical challenges of OAuth 2.0 as well as providing a non-invasive path for supporting future types of clients and interaction channels.

Additionally, the delegation process will allow for:

- Fine-grained specification of access
- Approval of AS attestation to identity claims
- Approval of multiple resources and APIs in a single interaction
- Separation between the party authorizing access and the party operating the client requesting access
- Web, mobile, single-page, interaction-constrained, and other types of client applications

The group will define extension points for this protocol to allow for flexibility in areas including:

- Cryptographic agility for keys, message signatures, and proof of possession
- User interaction mechanisms including web and non-web methods
- Mechanisms for providing user, software, organization, and other pieces of information used in authorization decisions
- Token presentation mechanisms and key bindings
- Optimization of information and API access beyond identity through the delegation process

Additionally, the group will provide mechanisms for management of the protocol lifecycle including:

- Discovery of the authorization server
- Revocation of active tokens
- Query of token rights by resource servers

Although the artifacts for this work are not intended or expected to be backwards-compatible with OAuth 2.0 or OpenID Connect, the group will attempt to simplify porting from OAuth 2.0 and OpenID Connect to the new protocol where possible.

While the initial work will focus on using HTTP for communication between the client and the authorization server, the working group will seek to take advantage of optimization features of HTTP2 and HTTP3 where possible, and will strive to enable simple mapping to other protocols such as COAP.

I would really appreciate the security AD’s weighing in at this stage. Thanks again everyone!

 — Justin

v2.23.0 | Report a Bug | By Email