IETF Logo Mail Archive

Re: [Txauth] alternative charter writeup

Dick Hardt <dick.hardt@gmail.com> Tue, 14 January 2020 00:34 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACE42120020 for <txauth@ietfa.amsl.com>; Mon, 13 Jan 2020 16:34:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gbHKQTC6g60s for <txauth@ietfa.amsl.com>; Mon, 13 Jan 2020 16:34:32 -0800 (PST)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D291712001B for <txauth@ietf.org>; Mon, 13 Jan 2020 16:34:31 -0800 (PST)
Received: by mail-lj1-x233.google.com with SMTP id y6so12296779lji.0 for <txauth@ietf.org>; Mon, 13 Jan 2020 16:34:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gEtU58Nlo5pQTUTJudX/cyOw3kUuVE7TmQJXKhOrK1k=; b=c77ef+8zv7rbxh/EFtrJxspCxHh1W0nGwqz0JhfJfByqOhpz3RgHusFBl8hNxDlQpT ayhSqFy3owca61Iw2+9KZMkHBBrieRETS9YLs7bWM3yjH/9SQy3sP7jXykYk1i7VO8cd ABcPwV2r9ZwnxbCn+wQ+qWl2b6Nv3fw6isJMwDh+J4m/HKwQCc6EPfD9cnILIWQcUi6f c31Nqs6pGtbtK36MlK2lCzoeBv6ND09NydvAyv+yTdY0JHJhMekbfUbvAe9Cg2vjq6L5 Ld5WS4yJ6/me4tbhaX7wfkkHkND9yjl4ru0x7XM7jOzzIYAf7PFllxcCgyU4JV9h6DRI 4WYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gEtU58Nlo5pQTUTJudX/cyOw3kUuVE7TmQJXKhOrK1k=; b=DzpBY9Pulh2OZCaozf5JfymKGzwAMnBCwWW+EuqTBmfbsR5xvg+/wb2JJ40pCnbwMp gL3ZQBeo1NVATlf3Ja1Xl/PxhiWjnD/3r4GiSJ8wK1RoLs7W+avOvKwyXCXw/PhhqR1e Hdnc7XhevBshvWLqkUFUoe+0qlnS/vvl5HLhDxcKpL8k7V3OKAStsw6F5S5sroUHzr1f 1eIWQ8YNTXKhmmfbnLomFv3bA+w97rXZgwtXoSRB2I+4EeRYemJT/STvF10Lgpou2td8 2Otot2aaVwBL0zw4qW7yV592Qkdu1GcBJLqgoLBDv+U0iz8XpEQE9cVOwZ3GjGWHQZWN 7ejg==
X-Gm-Message-State: APjAAAUDxqSUyu1maIq+e9LY7FvCpTaOqAQgeHBuawrYaau3ptTM3dgR si4ZOXuqYYbWiGTFrhZL03qA2UbDQe0vjXVLIxQ=
X-Google-Smtp-Source: APXvYqxm3eE7t13u5enoot5iHJCQjpR+EgULCWe1r5eJOjSZOdWEZDcDA2ktmx8ibwt91bKi35qNObNDlRbgTJAaiPc=
X-Received: by 2002:a2e:a404:: with SMTP id p4mr12826748ljn.234.1578962070015; Mon, 13 Jan 2020 16:34:30 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-sGfRGPFa4jBUeoVcG+CO=PvG-Ys-HrUMs7kVdt1zT3vA@mail.gmail.com> <FE8064D0-02CF-4BF1-AF25-0E52D9362D27@mit.edu> <CAD9ie-tAquhg=o1_cmKg_rO3mn9FeqCTDtY07XMqMOdhRWrD5Q@mail.gmail.com> <B758A8F2-211F-4637-84AE-3FD6974C546F@amazon.com>
In-Reply-To: <B758A8F2-211F-4637-84AE-3FD6974C546F@amazon.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 13 Jan 2020 16:34:18 -0800
Message-ID: <CAD9ie-u5aV+FShiseuNRu_Ayp3EJjrN=zM1XBJW+vc9wDdL3NQ@mail.gmail.com>
To: "Richard Backman, Annabelle" <richanna@amazon.com>
Cc: Justin Richer <jricher@mit.edu>, "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004c1ded059c0ec1d5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/9xfFkhD7Hi8bqvmRPcqB-68IDB4>
Subject: Re: [Txauth] alternative charter writeup
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2020 00:34:35 -0000

I agree, some more "why" would help a broader audience understand the
motivations. How about this change to the first paragraph?

This group is chartered to develop a delegated identity and authorization
protocol. The use cases supported by this protocol will include widely
deployed use cases currently supported by OAuth 2.0, and OpenID Connect, an
extension of OAuth 2.0. In contrast to OAuth 2.0, where the protocol is
initiated by redirecting the user's browser to an authorization server,
this protocol will be initiated by the client directly interacting with the
authorization server, which will mitigate many of the security concerns and
technical challenges of OAuth 2.0.


On Mon, Jan 13, 2020 at 3:38 PM Richard Backman, Annabelle <
richanna@amazon.com> wrote:

> While I agree with the goals stated in this charter, if I read this from
> the perspective of someone who hasn’t been our meetings or listened to
> Justin’s presentations, I’m hard pressed to see what the point of this
> group is, relative to the OAuth WG. I’d expect this charter to provide at
> least a cursory explanation of what problem it is trying to solve. In this
> case, the problem should be partially defined in relation to OAuth. What
> will this WG do that the OAuth WG hasn’t already done or isn’t already
> doing?
>
>
>
> How about adding something like the following to paragraph 2:
>
>
>
> The protocol will mitigate many of the security concerns and technical
> challenges of OAuth 2.0 by communicating over secure channels between the
> client and the authorization server, and minimizing the amount of
> information transmitted over untrusted channels.
>
>
>
> –
>
> Annabelle Richard Backman
>
> AWS Identity
>
>
>
>
>
> *From: *Txauth <txauth-bounces@ietf.org> on behalf of Dick Hardt <
> dick.hardt@gmail.com>
> *Date: *Friday, January 10, 2020 at 6:57 PM
> *To: *Justin Richer <jricher@mit.edu>
> *Cc: *"txauth@ietf.org" <txauth@ietf.org>
> *Subject: *Re: [Txauth] alternative charter writeup
>
>
>
> This looks even better! Thanks Justin.
>
>
>
> What do others think of the proposed charter now?
>
> ᐧ
>
>
>
> On Fri, Jan 10, 2020 at 12:43 PM Justin Richer <jricher@mit.edu> wrote:
>
> Thanks, Dick. I’ve been working on an updated charter based on everyone’s
> feedback, and I was aiming to have out today anyway, so this timing is
> helpful. So here’s my take on a new charter, incorporating some of your
> points below:
>
>
>
> This group is chartered to develop a delegation protocol for identity,
> authorization, and API access. This protocol will allow an authorizing
> party to delegate access to client software through an authorization
> server. The use cases supported by this protocol will include widely
> deployed use cases currently supported by OAuth 2.0 and OpenID Connect.
>
>
>
> The delegation process will be acted upon by multiple parties in the
> protocol, each performing a specific role. The protocol will be initiated
> by the client interacting directly with the authorization server (in
> contrast with OAuth 2 which is initiated by the client redirecting the
> user’s browser). The client will involve the authorizing party as necessary
> through interaction mechanisms indicated by the protocol.
>
>
>
> Additionally, the delegation process will allow for:
>
>
>
> - Fine-grained specification of resource access
>
> - Approval of identity claims and multiple resources in a single
> interaction
>
> - Delegation between multiple users
>
> - Web, mobile, single-page, and other types of client applications
>
>
>
> The group will define extension points for this protocol to allow for
> flexibility in areas including:
>
>
>
> - Cryptographic agility for keys, message signatures, and proof of
> possession
>
> - User interaction mechanisms including web and non-web methods
>
> - Mechanisms for providing user, software, organization, and other pieces
> of information used in authorization decisions
>
> - Token presentation mechanisms and key bindings
>
>
>
> Additionally, the group will provide mechanisms for management of the
> protocol lifecycle including:
>
>
>
> - Discovery of the authorization server
>
> - Revocation of active tokens
>
> - Query of token rights by resource servers
>
>
>
> Although the artifacts for this work are not intended or expected to be
> backwards-compatible with OAuth 2.0 or OpenID Connect, the group
> will attempt to simplify porting from OAuth 2.0 and OpenID Connect to the
> new protocol where possible.
>
> While the initial work will focus on using HTTP for communication between
> the client and the authorization server, the working group will seek to
> take advantage of optimization features of HTTP2 and HTTP3, and will strive
> to enable simple mapping to other protocols such as COAP.
>
>
>
> On Jan 10, 2020, at 12:04 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
>
>
> Hey
>
>
>
> I've written an alternative charter that I hope captures some of the
> feedback on Justin's charter.
>
>
>
> I found it easier to rewrite the charter to broaden the marketplace of
> ideas.
>
>
>
> Key ideas:
>
>
>
> - This work supports existing OAuth 2.0, and OpenID Connect use cases.
>
>
>
> - The client interacts directly with the authorization server.
>
>
>
> /Dick
>
>
>
> ----
>
>
>
> This group is chartered to develop a delegated identity and authorization
> protocol.. The use cases supported by this protocol will include widely
> deployed use cases currently supported by OAuth 2.0, and OpenID Connect. In
> contrast to OAuth 2.0 and OpenID Connect, where the protocol is initiated
> by redirecting the user's browser to an authorization server, this protocol
> will be initiated by the client directly interacting with the authorization
> server..
>
>
> Additionally, the protocol will allow:
>
> - fine-grained specification of resource access
>
> - the user to approve requests for identity claims and access to multiple
> resources in one interaction
>
> - web, mobile, single-page, and other client applications
>
> - taking advantage of optimization features in HTTP2 and HTTP3
>
>
> The group will define extension points for this protocol to allow for
> flexibility in areas including:
>
>
> - discovery of the authorization server
>
> - cryptographic agility for keys, message signatures, and proof of
> possession
>
> - user interaction mechanisms including web and non-web methods- token
> presentation mechanisms and key bindings
>
>
> Although the artifacts for this work are not intended or expected to be
> backwards-compatible with OAuth 2.0 or OpenID Connect, they will attempt to
> simplify porting from OAuth 2.0 and OpenID Connect, and strive to reuse
> existing semantics such as client identifiers, OAuth 2.0 scopes and access
> tokens, and OpenID Connect ID Tokens and claims.
>
>
> While the initial work will focus on using HTTP for communication between
> the client and the authorization server, the working group will strive to
> enable simple mapping to other protocols such as COAP.
>
>
>
>
>
> ᐧ
>
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>
>
>
>

v2.23.0 | Report a Bug | By Email