IETF Logo Mail Archive

[GNAP] Summarizing status from SECDIR IETF LC review of draft-ietf-gnap-core-protocol-16

Roman Danyliw <rdd@cert.org> Wed, 07 February 2024 18:53 UTC

Return-Path: <rdd@cert.org>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D7B6C14CE55 for <txauth@ietfa.amsl.com>; Wed, 7 Feb 2024 10:53:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1L5wAPWnfKeF for <txauth@ietfa.amsl.com>; Wed, 7 Feb 2024 10:53:23 -0800 (PST)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0049.outbound.protection.office365.us [23.103.208.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E8F0C14CE52 for <txauth@ietf.org>; Wed, 7 Feb 2024 10:53:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=kz0A5tSV+pfxgT1cAhRYlLgCHQo6v1m7aSLsqbcpe/jX325OolPw5oh1fiIjkbkJuoM4Px06qrVkK2xsOqw+a3dTpjUHt+dGm//XJoXEwRi7lSin4mSrMTrvd1VcAwEIVKiDgshExX+WZYQudLPprifQuGBn3bcnfvS+glT+Cq85qc/sJpHvJd+sjWQ8fCfXoC5u5Fy6zOnbGV+9DRlEiHZ7UJSqDHdbXlu4pWbSxkQRTAGaFPYtOgTSzwMnRq+BBGV350pAt/K9ZsG8YguuoLyJTaonuCQA3mRz3sumQWEDlrw0d4yl/oApfG8u9VizGAoZIzc3fPWeNUu2ekK4WQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6hALKjepc23yX7s3CPSmKq6PlUhYcOYc7ZdOHVEp6w4=; b=ItlQ6SEMnWhaVGIYC0oUg3DCLHO1OQABSmEQH8x9DcJ+XNDWr6Mb6Stx2mfaCMo1uAJNWl7pxfv21urlOr5ysx2W537CXwki5ph8m0ayhQ0wPFcaXIYFqZtHUKXPz+BeHkTacUFQwC6VvBbZ3x0W0jXWIj4AtRJOSY//+ZIMPEzj8N2ZBHZ0QQ+u57Q/42K0KmtFYnsp1EV9ez6/6vu6IOyiheaywc4El+nC3jPoqN/C/RwWtoXa+Ma35cTsO6RNxfNTzo9ED/kVg764yOINhEmXlAwruVYK1YO8zkupwegUzL6sFWOfW2M3v/CvpVF4cgPdYDuTwzePnk1dnM4owA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6hALKjepc23yX7s3CPSmKq6PlUhYcOYc7ZdOHVEp6w4=; b=k+kg92ej2hCcJ6lF4AgqqXgMKdewLocfPUm22CUsy21p4wZLcX/2t/nCCEnJey6pl/84Nsl+oLy3x24f122a9ynnR+h2J8INbkBJzX7HzGiNaWOO7MgfGuIDFgh3cIEHg9v0+sHhz1PMsmQcCJna9ydbgXfH4BW2UVR0Q010+Xk=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1480.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17e::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7249.31; Wed, 7 Feb 2024 18:53:20 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::364:96fe:e2d6:b29f]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::364:96fe:e2d6:b29f%4]) with mapi id 15.20.7249.032; Wed, 7 Feb 2024 18:53:20 +0000
From: Roman Danyliw <rdd@cert.org>
To: "txauth@ietf.org" <txauth@ietf.org>
CC: Russ Housley <housley@vigilsec.com>, Justin Richer <jricher@mit.edu>
Thread-Topic: Summarizing status from SECDIR IETF LC review of draft-ietf-gnap-core-protocol-16
Thread-Index: AdpZ9ROUOAGI7nyfTNWlob7LkU2+DQ==
Date: Wed, 07 Feb 2024 18:53:20 +0000
Message-ID: <BN2P110MB11074A36A14E33B0F4A9ECEBDC45A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1480:EE_
x-ms-office365-filtering-correlation-id: af27a455-32a7-43ff-a4b3-08dc280e0dd4
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: yqCZGLHslw5pWUnrJx/5dsGSBDeG4f7qLWrmlsSggfY40HHOm0XlzVUbbxfVlLSdBsDwvrH2L5afd/dSW6p+iGcMWny92lYrRSH88RL4BejIDUfO76hzSDGgj1gkD3RzZMK8rNPPE4lL9G242r6ey4/YvfqWBjlneIZII+gT9K6At1or3PtQ6J/ICXbbNyEtXpxT5HLqoRtVg8Hk/Yyo+NjXSy2qDyfoOVHjqPwizZWzlxNrNSu7EF7nygnH7vZ80Z3UcNjupVOcTV8agKlzZcmAD/mS9xUGFNrdvpq7LOES3t6tT3Tv8rmerR3OfiY9Pq6GhVAs85/N7eUXVhTpJVu8DsglU/V5OJdUGYJtv+ZWV84R25VCok04a1P6U0rjPlBHu8DFayp5HDiRSLLq9hbScBMWrkZPTUl29ARF+5yfGNdjsR+J/ZnMRb5gZcDb/KkCD4SXx0XIPqwDPA1y7Cbwh/uh+OrITTEBUIQbs43FnapRIUl5CzAkpQV3fPCnA/dmfRUq6c55aRS4x9z/LKxmMEC4PXt5sB9bMh+vyVH73mmY+T8wrfr6OScIx247Sg4hy9M/9dR/TDIJoW1UhwU2CQKMimJvwiNVW/9NtUI=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(136003)(39830400003)(366004)(396003)(230922051799003)(186009)(64100799003)(451199024)(1800799012)(41320700001)(966005)(86362001)(38070700009)(66476007)(66946007)(76116006)(54906003)(66446008)(26005)(66556008)(6916009)(82960400001)(83380400001)(6506007)(71200400001)(64756008)(508600001)(55016003)(7696005)(9686003)(38100700002)(122000001)(52536014)(33656002)(4326008)(8676002)(5660300002)(41300700001)(8936002)(4001150100001)(2906002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: smHRad05uj3OyWTyd2wnoGIAl4lbNGAXoZC9ZvNfOZbx6W34HaM+9flEc9KydgW54XlMcKYK5VrtdUr/TRHCIn0g0EkfW0/OVZEkjrynSXC5YwS+gv4BSl24Yc3zl1fnCYqJIGQSrAw5PwEk3ypt0xfD0DvRDD49GwbeRCrFz81XzrugfxX6Y7WYJCltGUYde+ZljCG8YNQG5eVgbXOarFxjmvEVZb6ZOJ9E8fRHEzF4+i1DMC968sSqGp6kNI3PrXvU6J8Z4IeSdfVWJevYcPINd2/8ATlcFpzKsMqulILuMadfO5bd68hMYisSHvYfCk+oXT/YtkhwQDulP5rfPeIwyjzsggnoI6c/VK60BDaKGw0YFvltjwU2uVhUsbB+qXiIWoRluGdI+tNCHXSRi6TEZ63kZ9cHmM9Hbw6gnc+kLYHOlTZTxgy8CBpt6hwTls6tCLV6oNAQOE87k1R/qrZSpWxziVbW5U/wfKyedZIJw3tLbaWz/oHAQyP1yQLAB7JqZp7mWo7cFtV0BccuiCOARKIn4lsfwuLWbHqDUe/uvMQqPBQXLKEAT94o1f8jvWUStOmb5u1k+Zn/wMRqBHk/+sniY5dkLP3l61IZ5IdM7JDvctCCQe9zAC8wU/GM806Aq1RMMNlSbVI9PQRMvYvIO2Icx1fApB8ebtltOgIuAWix+Gl10hB0KikmF8FRY5vjaoYBAkZqdwm94Tna3mCvg5PMujAJ2eIdEjd00e/I16LukrSjUi4atuLFIOPmKAyT3//cqj+Ueto73NvyZdNJJwkcIZtL0RBg9vCR00MjGEIi5EKHs2OvV9XR0tnJd0aAOpED9fgYDWE0r+KZzfvaJoZZenq0EpnVblzVDcoLvto3wEYBX1hJd+pn7YRqtLsKo65fNigQs4N6cLQI9BhxL06CK8JPm2y1RRbde7pMJLCijLILtpNYlHNutvjmgVKiRkGPZVNvaZj9+3K2p1YcOWG8ausTAp6rWuTc4SZ6TZ6VE6dBXb3LNmzqXCoUKwmh0FYAtgT8Z4tFGrdUprPRg5l3ZchMM0ZVbtRNx9w6+sM4BSfR0u3KyToxpoS0a4DnnewPujFVfLTi4uZ/JUz0G8bEKEHLFsR80rmgbbS1N2d4PIA+nX6eP3QSNenah2+K+XuDPikL9QvqYxzgKJjodVmPA+ujq3EiwE6SOhLmwJLf+eFZ/nB7GsrlqS0+86FZ9N/csfTYPxV7w6FW3BQkhbUAPaeymRmx1dD6Qt8x3pR1k+qxlsbfB0ufFo6BhUB2/yKZcwrcKDBl/4wB6NHZcPrQip2oQJEhTJFTo/9lOyH1OImQZSIBnxg1VVWvit3cVFs4/TxcK0gv3m50lbT5AejVN7HMJmFqSshEsa+rrNNRYZ8Td+66KqBh/2IxTsN0dMGWsfG2s37WHBD1jT8Fua9tJNDW5vUzL8pA0qRQ8ex0gBNijlqIt8CT4luYunmGkg9EB/UQNbmS/fccTKVFKsow9q50lOof6eDDI5M=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: af27a455-32a7-43ff-a4b3-08dc280e0dd4
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Feb 2024 18:53:20.6230 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1480
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/CPFpidhhNuAO_tZHnJZ96T3hr6k>
Subject: [GNAP] Summarizing status from SECDIR IETF LC review of draft-ietf-gnap-core-protocol-16
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2024 18:53:27 -0000

Hi!

During IETF LC, SECDIR (Russ Housley) performed a review on draft-ietf-gnap-core-protocol-16.  See https://mailarchive.ietf.org/arch/msg/txauth/i9NEvnr2l1p8hW7U_l382NZbLxg/.  Justin (Richer) responded and iterated on this review. Here are the relevant messages in the thread since it is not linked from the SECDIR review link in the Datatracker.

(Justin-2023-11-27) https://mailarchive.ietf.org/arch/msg/txauth/-Zl-mKGKC0WgujAlj8cd3sOgr2Q/
(Russ-2023-11-28) https://mailarchive.ietf.org/arch/msg/txauth/ZArrGJN06Tsyi1o9g48P2J4fzIo/
(Justin-2023-11-29) https://mailarchive.ietf.org/arch/msg/txauth/Ek0NCQeiUfuiJv7EdSFzPq2s-ao/

A -17 of the document has been released.  I very much appreciate the deep review and iteration.  I am trying to re-review the document and identify unresolved issues.  The following is my assessment.  The inline thread was broken at some point making it difficult to attribute text so I'm repeating the initial feedback from the SECDIR review here and annotating it with [Roman].  Please consult the above links for some of the details.  I'm looking for resolution of the issues below with further discussion or a document change; or a correction that that this issue been addressed in a way I didn't immediately recognize.

** (Russ on -16) Section 1.2: I am having trouble getting my head around the idea that
the AS role grants subject information to client instances.  This feels
like a purposeful confusion between authentication and authorization.

** (Russ on -16) Section 1.3: Elsewhere in the document, there is a careful distinction
between software that acts on behalf of a subject and the natural person
that uses the software.  This distinction is missing in the definition
of Subject.  It is made worse by including organizations.  Please say
how people and organizations "decide whether and under which conditions
its attributes can be disclosed to other parties."  I believe this is
done by interacting with the software or initial configuration of the
software.

[Roman] Is it possible to be specific on where there is a mismatch?

** (Russ on -16)  Section 2.1.2: I expected a parallel structure to Section 2.1.1.  I
think it would really help the reader if the sections had the same
structure.

** (Russ on -16) Section 2.3.2: I am not worried about logo_uri if only data: URIs are
allowed, but that does not seem to be the case.  Since the logo might
be fetched, there need to be an integrity protection mechanism to 
ensure that the web server does not provide a different image than
was intended.  RFC 3709 has this same concern and it uses a hash of
the image to ensure that the intended image was provided.

[Roman] Section 13.15 has several relevant considerations.  Building on Russ’s point of having confidence in fetched image and the intent to provide flexibility, isn’t there a residual security considerations to document where an AS provides a URI which 

** (Russ on -16)  Section 2.5.1: I do not understand what an implementer is supposed to
do based on this MUST statement:

   "All interaction start method definitions MUST provide enough
   information to uniquely identify the grant request during the
   interaction."

[Roman] These seems like guidance which should be included (moved to?) Section 11.8 which contains the evaluation criteria for the DE.  That sections already has a number of items to consider.

** (Russ on -16)  Section 2.5.2.1: How does the use of an application-specific URI scheme
provide for the same security as HTTPS?  It seems like an way to avoid
them.  This text appears several places in the document.

[Roman] This doesn’t appear to have been resolved.  There was an indication that improved definitions would be added to Section 1.1

** (Russ on -16) Section 7: Please consider a reference to RFC 4107.  I'm not sure where
in this section is the best place to add a cite.

[Roman] -16 already contained a reference to RFC4107 in Section 13.7.  The discussion thread seems to indicate that additional pointers would be added in a version after -16.  I don't see it.

** (Russ on -16) Section 9.1: I do not understand what an implementer is supposed to
do based on this MUST statement:

   "client instance MUST check its value to protect itself"

(Justin) The client instance checks whether the value of the `referrer` parameter is the URI of the resource server that it made the request to. The rationale for this is discussed a little more in §13.36 (https://www.ietf.org/archive/id/draft-ietf-gnap-core-protocol-16.html#security-compromised-rs).

(Russ) What checks MUST the client instance perform?  Section 13.36 does not address my concern.  Section 13.36 is about protections that are implemented at the resource server.

(Justin) The client instance compares the referrer parameter returned to the URL of the RS.

[Roman] Perhaps this clarifying guidance can be added directly into the text.

** (Russ on -16) Section 13.24: This section does not seem like a Security Consideration.
If the calculation of the interaction hash is not done the same, then
there will be interoperability issues.

[Roman] Doesn’t seem like we have resolution on the issue.

Regards,
Roman

v2.23.0 | Report a Bug | By Email