Re: [GNAP] Consensus Call on Continuation Request

Aaron Parecki <aaron@parecki.com> Mon, 14 December 2020 19:46 UTC

To: Dick Hardt <dick.hardt@gmail.com>
Cc: Fabien Imbault <fabien.imbault@gmail.com>, txauth gnap <txauth@ietf.org>, Justin Richer <jricher@mit.edu>, Stephen Moore <srmoore@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/AQ6ynyCanhD-KSgPRjZJ5Txj99g>

Thanks for the clear description. However, saying "has no security concerns"
is a bold claim. Can you clarify how you will ensure that there are no
security concerns with this method?

My main worry with this is people will start to get "creative" with the
values of the things in this URL. We've seen this over and over, everything
from using plaintext data in JWT access tokens in OAuth (now the access
token contents are visible to clients), to putting data in the OAuth
"state" parameter (easy to exploit unless it's signed/encrypted), and I'm
sure someone somewhere is putting things in the authorization code that
they shouldn't.

Aaron


On Mon, Dec 14, 2020 at 11:39 AM Dick Hardt <dick.hardt@gmail.com> wrote:

>
> I am proposing a URI that is straightforward and has no
> security concerns.
>
> For example, the URI could be:
>
> <as uri>/grant/<unique grant id>
>
> eg: https://example.com/as/grant/a3ce6053-ca48-4c04-af46-c2384ec8b89f
>
> The routing code in the AS then is:
>
> router.post('/', grant.create);
> router.get('/grant/:grant', grant.read);
> router.post('/grant/:grant', grant.update);
> router.delete('/grant/:grant', grant.delete);
> router.options('/grant/:grant', grant.options);
>
>
> Where there is a "grant" module for working with grant requests.
>
> /Dick
>
> ps: your previous email, and this one, are making the discussion personal.
> Happy to discuss privately.
>
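
The difference the thread turns on, an opaque grant identifier versus data encoded into the URL segment, shown as an added example that is not code from either participant. The grant contents, the `AS_KEY` secret and all function names are assumptions made for illustration.

```javascript
// Added illustration; the grant contents and AS_KEY are constructed values.
const crypto = require('node:crypto');

const PREFIX = '/grant/';
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (blob) => JSON.parse(Buffer.from(blob, 'base64url').toString('utf8'));

// 1. Opaque identifier: the path segment is random and carries no data.
const grants = new Map(); // grant state stays on the AS
function createOpaqueGrant(state) {
  const id = crypto.randomUUID();
  grants.set(id, { ...state });
  return PREFIX + id;
}
function readOpaqueGrant(path) {
  // An unknown or altered id simply matches nothing.
  return grants.get(path.slice(PREFIX.length)) ?? null;
}

// 2. "Creative" segment: the state itself is encoded into the URL.
function createEmbeddedGrant(state) {
  return PREFIX + enc(state);
}
function readEmbeddedGrant(path) {
  // Nothing ties the blob to what the AS issued; whatever decodes is trusted.
  return dec(path.slice(PREFIX.length));
}

// 3. Embedded state plus an HMAC: edits are detected, but the client can
//    still read the contents (signing is not encryption).
const AS_KEY = crypto.randomBytes(32); // hypothetical AS-held secret
const mac = (blob) =>
  crypto.createHmac('sha256', AS_KEY).update(blob).digest('base64url');
function createSignedGrant(state) {
  const blob = enc(state);
  return `${PREFIX}${blob}.${mac(blob)}`;
}
function readSignedGrant(path) {
  const [blob, tag = ''] = path.slice(PREFIX.length).split('.');
  const expected = Buffer.from(mac(blob));
  const given = Buffer.from(tag);
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? dec(blob) : null;
}
```

Only the first form keeps the URL free of meaning; the third protects integrity but leaves the contents readable by whoever holds the URL.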