Re: [Txauth] Support of FIDO and data minimization by RSs

Denis <denis.ietf@free.fr> Tue, 07 July 2020 12:26 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A89D3A0C17 for <txauth@ietfa.amsl.com>; Tue, 7 Jul 2020 05:26:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.62
X-Spam-Level:
X-Spam-Status: No, score=-1.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.276, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dBpT9TruWbTb for <txauth@ietfa.amsl.com>; Tue, 7 Jul 2020 05:26:27 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp05.smtpout.orange.fr [80.12.242.127]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF9A13A0C12 for <txauth@ietf.org>; Tue, 7 Jul 2020 05:26:25 -0700 (PDT)
Received: from [192.168.1.11] ([86.238.65.197]) by mwinf5d40 with ME id 0CSM2300A4FMSmm03CSNSN; Tue, 07 Jul 2020 14:26:24 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Tue, 07 Jul 2020 14:26:24 +0200
X-ME-IP: 86.238.65.197
To: Justin Richer <jricher@mit.edu>
Cc: Dick Hardt <dick.hardt@gmail.com>, "rdd@cert.org" <rdd@cert.org>, "txauth@ietf.org" <txauth@ietf.org>, The IESG <iesg@ietf.org>
References: <02ea0d99-a8b8-7957-8d16-de0a105f9362@free.fr> <CAD9ie-uHo1hNs6Y767NHyNj1TxmfzcbDk-6iZxBT0QWtqpe+Fg@mail.gmail.com> <c91a9ecf-0f8c-a62d-aa4f-66e15cc6fba2@free.fr> <46705E7E-D657-4CF1-80DA-0ADDFD6D8B41@mit.edu>
From: Denis <denis.ietf@free.fr>
Message-ID: <85b03911-d1c6-127f-2480-bfab4b94ffe2@free.fr>
Date: Tue, 7 Jul 2020 14:26:18 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <46705E7E-D657-4CF1-80DA-0ADDFD6D8B41@mit.edu>
Content-Type: multipart/alternative; boundary="------------3619D94840491F1ABB5FEDD1"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/9bzHTsrtPqkiR171UU7tIMsZL5c>
Subject: Re: [Txauth] Support of FIDO and data minimization by RSs
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2020 12:26:29 -0000

Hi Justin,

> I think removing the opacity of access tokens to clients is going to 
> be a non-starter for most of this community.

Token opacity is considered as a dogma in OAuth 2.0. More explanations 
why access tokens should not be opaque in GNAP.

Token introspection mandates a dialogue from the RS to the AS which 
allows the AS to know which RS
got a given access token. So token introspection allows the AS to trace 
the client. This should be avoided.
Using NON-OPAQUE access tokens solves the issue both for the RSs and for 
the clients. This means that
access tokens used for GNAP shall include a version number or a format 
identifier.

Applying a "security by design" approach leads to specific design 
requirements. The key question is whether
this BoF prefers a "Privacy by design" approach or /implicitly /a "Big 
Brother by design" approach.

Denis

>
>  — Justin
>
>> On Jul 6, 2020, at 3:17 PM, Denis <denis.ietf@free.fr 
>> <mailto:denis.ietf@free.fr>> wrote:
>>
>> Hi Dick,
>>
>> Congratulations ! You made a good guess (but the guess was easy): my 
>> approach is indeed privacy related.
>>
>> _Note_: Since it is close to the end of the day in my time zone (and 
>> since it is the last day for comments to the charter),
>> I copy both the IESG and Roman so that they can know that GNAP should 
>> also consider a*bridge with FIDO*.
>>
>> I have several goals:
>>
>>     1 - make a bridge with FIDO U2F (I will illustrate this with a
>>     specific scenario).
>>
>>     2 - prevent every AS to know which RSs are going to be accessed
>>     or which kind of operation the client will be doing.
>>         This is to prevent an AS to act as "Big Brother".
>>
>>     3 - apply both "privacy by default" and "data minimization" (when
>>     the user authenticates it may authenticate using FIDO or
>>          by presenting one or more access tokens. Then after, the
>>     necessary attributes that are necessary to perform a given operation
>>         are only requested and released at the time they are indeed
>>     needed to perform the given operation (i.e. they are not released
>>         when the user logs on).
>>
>>     4 - the proposed RS Authorization algorithm allows a great
>>     flexibility, in particular it supports FIDO and different attributes
>>          from different ASs may be requested by the RS.
>>
>>     5 - the rules associated with the RS Authorization algorithm are
>>     making these rules only available at the time the client indicates
>>          which operation it is willing to perform (i.e. by default,
>>     they are not public).
>>
>>     6 - access tokens are NOT OPAQUE to the clients so that every
>>     client can make sure that their content reflects what has been
>>     requested.
>>
>> *A simple scenario to illustrate*
>>
>> A student wants to apply for a new university. He connects to the RS 
>> of the University. He first creates an account using FIDO.
>> He then selects the button "Preliminary information for applying to 
>> the university". He is asked to enter two categories of information:
>>
>>       * citizenship information and
>>       * prior graduations.
>>
>> The student can interrupt the preliminary registration procedure at 
>> any time and continue it at any time later on.
>>
>> When the student is finished, it selects the button "Application to 
>> the university".
>>
>>     The university RS "reads" the citizen ship of the student and let
>>     know to the student whether a paper form
>>     and/or an electronic form of the identity of the student may be
>>     provided. Let us assume the later case and that
>>     the student is a citizen from France. Then the university RS
>>     indicates which French banks or other French organisations
>>     are trusted to provide an access token. The client checks whether
>>     this list fits one of the AS with which it has a relationship.
>>
>>     The university RS "reads" the prior graduations of the student
>>     and then let know to the student whether a paper form
>>     and/or an electronic form of the last graduation of the student
>>     may be provided. Let us assume the later case and
>>     that the student is from Yale University. Then the university
>>     indicates the address of the AS from Yale University.
>>     If the student is indeed from Yale University, he should be able
>>     to provide the requested access token.
>>
>> Such scenario which follows some privacy principles cannot be 
>> constructed "/after the design"/ (it will not happen by magic or by 
>> accident)
>> This is why the approach is called "privacy by design".
>>
>> Denis
>>
>>> Hi Denis
>>>
>>> Would you provide some background on what you are trying to solve 
>>> with this? I'm guessing it is privacy related.
>>>
>>> Perhaps a use case would help make it more concrete?
>>>
>>> /Dick
>>>
>>>
>>> On Mon, Jul 6, 2020 at 5:39 AM Denis <denis.ietf@free.fr 
>>> <mailto:denis.ietf@free.fr>> wrote:
>>>
>>>     **eThis is a new thread: a proposal for a RS authorization
>>>     algorithmand a way to support FIDO by RSs
>>>
>>>     In order to support the privacy principle of "data minimization"
>>>     by RSs, only the attributes that are strictly necessary to perform
>>>     an operation requested by a client should be requested by the RS.
>>>
>>>     When a client wants to authenticate, it will usually be informed
>>>     by the RS on how to do it (see more details about two exceptions
>>>     at the end of this email).
>>>     Which conditions are needed to perform other operations will
>>>     only be disclosed to authenticated users at the time they are
>>>     willing to perform an operation.
>>>
>>>     Two categories of operations will be considered: authentication
>>>     operations and other operations.
>>>
>>>     For the "authentication" operation, two cases will be supported:
>>>
>>>     -FIDO U2F or
>>>
>>>     -one or more attributes from one or more ASs.
>>>
>>>     In the second case, an access will be granted by a RS based on
>>>     an mathematical expression which is formed using some
>>>     combination of ANDand ORconditions.
>>>
>>>     Examples of combinations:
>>>
>>>         /Condition 1/AND/Condition 2
>>>         Condition 1/OR /Condition 2/
>>>         (/Condition 1/AND/Condition 2)/OR/Condition 3
>>>         (Condition 1/OR /Condition 2)/AND/Condition 3/
>>>
>>>     The following notation is being used for /a Condition /:
>>>
>>>     /Condition x/= { AS identifier + set of attributes types +
>>>     optional scope identifier }
>>>
>>>     The presence of the /optional/ scope identifier allows to
>>>     provide a backward compatibility with ASs from the OAuth 2.0.
>>>     world:
>>>     the optional scope identifier is only present when a bilateral
>>>     relationship has been established between a RS and an AS prior
>>>     to any access (/and will continue to be maintained/) using
>>>     "out-of-bands" means.
>>>
>>>     Each RS internally constructs an /authorization table/ with the
>>>     following content:
>>>
>>>     1°For the "authentication" operation : either FIDO U2For a
>>>     mathematical expression using conditions;
>>>
>>>     2°For any other operation : a mathematical expression using
>>>     conditions.
>>>
>>>     An example is used to explain the concepts.
>>>
>>>     "Operation(s)/ Mathematical expression" pairs managed by the RO
>>>     of a RS.
>>>
>>>     *Operation*
>>>
>>>     	
>>>
>>>     *Mathematical expression*
>>>
>>>     Authentication
>>>
>>>     	
>>>
>>>     /Condition 1/OR/Condition 2/
>>>
>>>     Operation A OROperation Z
>>>
>>>     	
>>>
>>>     /Condition 3/AND/Condition 4/
>>>
>>>     Conditions table:
>>>
>>>     Condition 1
>>>
>>>     	
>>>
>>>     FIDO U2F 1.2
>>>
>>>     	
>>>
>>>     -
>>>
>>>     	
>>>
>>>     -
>>>
>>>     Condition 2
>>>
>>>     	
>>>
>>>     AS 1
>>>
>>>     	
>>>
>>>     set 1 of attributes types
>>>
>>>     	
>>>
>>>     Condition 3
>>>
>>>     	
>>>
>>>     AS 4
>>>
>>>     	
>>>
>>>     set 2 of attributes types
>>>
>>>     	
>>>
>>>     scope identifier : 21
>>>
>>>     Condition 4
>>>
>>>     	
>>>
>>>     AS 9
>>>
>>>     	
>>>
>>>     set 3 of attributes types
>>>
>>>     	
>>>
>>>     -
>>>
>>>     Given the operation selected by the client, the RS returns the
>>>     appropriate mathematical expression and only the associated
>>>     conditions
>>>     used in that mathematical expression. The user may then decide
>>>     whether the set of attributes types which are indicated for a
>>>     given AS
>>>     are appropriate to him or not and then select that AS if it has
>>>     a relationship with it.
>>>
>>>     In this example, one mathematical expression for the combination
>>>     of conditions using AND and OR operators is "/Condition
>>>     3/OR/Condition 4",//
>>>     which means that///some types of attributes from AS 4 AND some
>>>     other types of attributes from AS 9 are both needed by RSx to
>>>     perform on RSx
>>>     either the Operation A or the Operation Z.
>>>
>>>     In this example, RS 1 and AS 4 have established a bilateral
>>>     relationship (and have agreed to define and use scope identifiers)
>>>     whereas RS 1 and AS 9 have not established any bilateral
>>>     relationship prior to the exchange.
>>>
>>>     The user makes up his mind whether the attributes requested by
>>>     AS 1 and AS 9 are reasonable and if so, requests two access tokens:
>>>     one to AS 4 and another one to AS 9.
>>>
>>>     For AS 4, the client shall use the scope identifier with the
>>>     value 21.
>>>     For AS 9, the client shall use the set 3 of attributes types
>>>     indicated in the Condition 4.
>>>
>>>     In order to save one exchange, a RS could publicly publish how
>>>     its clients can authenticate.
>>>     However,  it is also possible to consider no guidance at all: in
>>>     such a case, using "out-of-bands" means, the clients should know
>>>     how to authenticate.
>>>
>>>     Denis
>>>
>>>     -- 
>>>     Txauth mailing list
>>>     Txauth@ietf.org <mailto:Txauth@ietf.org>
>>>     https://www.ietf.org/mailman/listinfo/txauth
>>>
>>
>> -- 
>> Txauth mailing list
>> Txauth@ietf.org <mailto:Txauth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/txauth
>