Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11
Dick Hardt <dick.hardt@gmail.com> Tue, 21 July 2020 18:50 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAA903A0780 for <txauth@ietfa.amsl.com>; Tue, 21 Jul 2020 11:50:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GGsuA3HoQYqD for <txauth@ietfa.amsl.com>; Tue, 21 Jul 2020 11:50:08 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7BC03A0772 for <txauth@ietf.org>; Tue, 21 Jul 2020 11:50:07 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id e8so25237318ljb.0 for <txauth@ietf.org>; Tue, 21 Jul 2020 11:50:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iE7dtHb/hQLbONaABuUfgzJhqlXqCImgkvJ+YJnC0S8=; b=VL46TWOhjdGh6UNDdT/aY6nMdIbVaosRR2zQ6Pzb9GbvhidZ9+oOTpFbGpcifPHzPo UGmGJBh5aIyGelt6hgfju6nU/NmCb9aRFaLchzFFLLG3icIKH0icov0kNdTuVU9VIXXV haZSDRkAVDfrPOc+NAiljD91KDEvWZmya1nveEf2FB9XB1UkI9UGxhjwdBpF4GBGGJmG e7I/2N+066J1kJzmbJJg8Cu634iqSUXYOnCBQ6QWJ8FyYRkgRoHRsUQC+nXC7F0bllbl 2Q3osgYIju+U0duiZc5lbdM2Dp8+lyqP+OmGlkyg76smxRD1EnBdqrPgozuB9OqioZMV yWFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iE7dtHb/hQLbONaABuUfgzJhqlXqCImgkvJ+YJnC0S8=; b=nwA/sr/MEZ24ZUR0frHs/JSP0BL6qKZjxBYdE2XYYEjNihAnsSKGwvARy+hn/zYyDH UNtA22EypVsfStrl8gkXp49CCGWMJi4vejSsq/3s8v/TgGNl3oTti3DdWHbr1/EL+Vim aYFRSQb86f5n7BQqDixNq+vct7wf/rPTBEkx9xG3+SD79tLuk2DaXz8GE3faBbpOz13a 7ed1OSQssyt/9v6XoIKZ/Jiyg9hwFMeLhc2n9++tTOup4bK4WA3LeXFodB0uxyF+HYq5 slVpUxr59BAuy5AEI0fbWayg+mWjhmRILzLPL2TM+EmRrO2VAWg2QTAGaneNod+05/uh jVMg==
X-Gm-Message-State: AOAM531sCR0VbwgBs2LiHONM3kPVuvIysAhTrxh/GP62oCUCyIo5Ahmc ywYlMT5hxfDgn1MJKeaeKpbWbBWc/ZyXCtESvG4=
X-Google-Smtp-Source: ABdhPJxxikMP/JI/Z4Hn6CvQxu+PVfDc0mAYZAv6FMk7mxziipXR0PM1LaMikpGH+gveVyQGkH1619x68+vH9UNCFP4=
X-Received: by 2002:a2e:b607:: with SMTP id r7mr14077728ljn.5.1595357405574; Tue, 21 Jul 2020 11:50:05 -0700 (PDT)
MIME-Version: 1.0
References: <CAOW4vyPqjcWz7njW9cVb6wejY+KaASnskefSpwMqCPs+3WPmfg@mail.gmail.com> <CAOW4vyM0LycEf8q1T4jF=1g8aFyeLw1b4z9emNKWOG=+4iGgzw@mail.gmail.com> <CAM8feuSWeianPu=BD0WVTv5oB+U4ZkjhtKjnAG9RFk15VqJqWA@mail.gmail.com> <CAOW4vyNTXso=tusCrzDVgM63xH4hDsx6epO6tAhh1YekbWBA0A@mail.gmail.com> <f00c75a5-f930-81a6-a50e-2eeffedac691@free.fr> <CAOW4vyOHO1We4UpCPJBKYvj22rsFd1EN6fAXw8w6YOYTUDhF=g@mail.gmail.com> <aa1381a2-5b11-f7c7-a547-cddb36732c0b@free.fr> <CAD9ie-t7ZFrODeXy=Xzvsv-6gvUY=KjW0ETf8vJYkW2p=G4boQ@mail.gmail.com> <CAOW4vyN26rnOFb+vsaxgaMzeBOsyeSUBougvjHuhQkHyYhnn2w@mail.gmail.com> <b8a83294-771f-c1d7-0956-d0a50accbbb3@free.fr> <CAD9ie-soUmghr-qxWFRhHkX3rx3qaf3wBqxkwRZ=ZfQaSoDwbw@mail.gmail.com> <df110f7d-7928-4dd2-9c09-4b169860623a@free.fr> <CAD9ie-tLpufcTACXxzCER7t=eebnPhNN9VGbyuRgQOHzQ8=Ctg@mail.gmail.com> <37645bac-6769-a4dd-9e4f-d3f1afdb7a4e@free.fr> <CAD9ie-uXgLrkvEJ5txkR2Un9NJ-yfYy0AhE9gZaKvAF8qjqWFw@mail.gmail.com> <60671fa0-7f41-0ba2-4f44-f9db7004b7d3@free.fr>
In-Reply-To: <60671fa0-7f41-0ba2-4f44-f9db7004b7d3@free.fr>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 21 Jul 2020 11:49:28 -0700
Message-ID: <CAD9ie-uL_rm73imCe5kMZWd_HvZPQcC_zx3HphHeNXK5JqxNwg@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: Francis Pouatcha <fpo@adorsys.de>, txauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000072fba805aaf81758"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/CwuvTeQZhqP0eo6iKo3NMf1fyYY>
Subject: Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 18:50:12 -0000
On Tue, Jul 21, 2020 at 11:26 AM Denis <denis.ietf@free.fr> wrote: > Hello Dick, > > Thank you for your feedback. Comments are between the lines. > > comments inserted ... > > On Tue, Jul 21, 2020 at 6:03 AM Denis <denis.ietf@free.fr> wrote: > >> Hello Dick, >> >> I duplicate the most important comment at the beginning of this email: >> >> You are considering using an access control model to build a workflow >> model. >> >> While it may be interesting to define a workflow model, this should be >> considered >> as a separate and different work item. >> >> See the other comments between the lines. >> >> On Mon, Jul 20, 2020 at 2:05 AM Denis <denis.ietf@free.fr> wrote: >> >>> Hi Dick, >>> >>> On Fri, Jul 17, 2020 at 9:21 AM Denis <denis.ietf@free.fr> wrote: >>> >>>> Hello Francis and Dick, >>>> >>>> The good news first: we are making some progress. We are now close to >>>> an agreement with steps (1) up to (3), >>>> ... except that the place where the user consent is captured is not >>>> mentioned/indicated. >>>> >>> >>> This major question which is currently left unanswered is where, when >>> and how the user consent is captured. >>> >> >> When is covered, per the sequence. How and where are out of scope of what >> I drafted. >> >> It is clear that the "User consent and choice" is not currently addressed >> in the draft, but it should. >> The support of the "User consent and choice" has strong implications not >> only in the sequences of the exchanges >> but also by which entity it should be performed. >> > "consent" is in the latest draft 7 times. > > "Consent" is present 5 times. The User consent is different from the RO > consent (when/if it is required). > > The server acquires consent and authorization from the user *and/**or > resource owner **if required.* > > User consent is *often required* at the GS. GNAP enables a Client and GS > to negotiate the interaction mode for the GS to obtain consent. > > The GS *may *require explicit consent from the RO or User to provide > these to the Client. > > The User consent is not an alternative to the RO consent. So using > "and/or" in the first sentence is incorrect. > My language is sloppy there. Consent is always from the RO. The User may be the RO. > Since the second sentence is using the wording "often required" there is > no requirement to get the User consent. > User consent may not be required. There may not be a User. The consent may have been gathered previously. > The second sentence does not consider the possibility to get the User > consent in a place different from the GS. > Agreed. But we do agree that the GS gets the consent, either directly from the RO, or from the Client (in your example) > IMO, the User consent should be captured by the Client, i.e. not by the > GS. > The information used to obtain the User consent should be standardized > (... and it can be standardized). > > > I think the abstract sequence as proposed by Francis is a great addition, > and would clarify where consent is in the sequence. > > The current sketch does not illustrate the place the User Consent is > captured, in particular by the Client. > It is an abstraction. The GS receives the consent. How consent is gathered is a detail that is dependent on the use case. > > >> Another important point to consider and to explain is related to the >>> assurances that the user can obtain about >>> the respect of his choices. This point is currently left unanswered in >>> draft-hardt-xauth-protocol-13. >>> >> This point is equally important: such assurance can only be obtained if >> the access token returned to the client >> is not considered to be opaque to the client. This is a necessary >> condition but not the single condition: >> the Client must also be in a position to capture/memorize the "User >> consent and choice" of the user in order to be able >> to verify it afterwards using the content of the access token(s). >> > > We disagree on this being a requirement for all use cases. It may be in > some. > > OK. Then this means that there will be no sentence in the draft such as : > "access tokens returned to the client are not considered to be opaque to > the client". > For OAuth use cases, which GNAP supports, the access token is opaque to the Client. As you have noted, there are use cases where the access token is NOT opaque. > > >> >>> If a RO needs to be involved and since a RO is directly associated with >>>> a RS, why can't it be directly queried >>>> by the appropriate RS after step (2) or later on ? >>>> >>> >>> Good question. Perhaps you can expand on a use case where that would be >>> useful? >>> >>> Before I expand, would you be able to explain first under which >>> circumstances a RO needs to be queried by a GS ? >>> How can the GS identify which RO to query ? >>> >> If the User is the RO, then the GS knows who to query. >> >> I still have difficulties to understand what you mean here. >> How could a GS know that "the User is the RO" ? If "the User is the RO", >> why does the GS needs to query the User ? >> > > To get consent? > > To get a "RO consent" to himself ??? > The GS needs consent from the RO. If the RO is the User, then consent from the RO is equivalent to consent from the User. > > >> If the RO is a separate entity, then the GS knows the RO from the RS >> being queried. >> >> ... and this gives the ability for the GS to log/trace all the RSs >> accessed by a given User and at which instant of time the access token has >> been granted. >> >> An example is a user would like access to an enterprise asset where a >> workflow is started to gain approval, and an administrator or manager >> provides consent. >> >> Thanks for this example. I finally understand what you have in mind: you >> are considering using an access control model to build a *workflow model*. >> >> While it may be interesting to define a workflow model, this should be >> considered as a *separate and different work item*. >> > > The actual workflow is out of scope. > > I am glad you agree with this. But this means that your example was not > appropriate to illustrate your point. > It illustrates a use case where the RO and User are not the same party, and why the GS needs to query the RO, which was your question if I understood it correctly. > > As soon as there is a RO consent obtained at the GS, the major problem is > that the GS is able to act as Big Brother. > If a RO consent is performed at the RS, then the GS will not know who the > RS is: it is then unable to act as Big Brother, > even if it would enjoy to play that role. > In an enterprise use case, the GS's knowledge of who is accessing which RS is a feature. In your use cases, it seems that the RO is the User. The GS knows the User is wanting to let a Client access something. If the access token is generic, and could be presented to any RS that provides a standardized function, then the GS does not know which RS is being accessed by a Client for the User. This seems to meet your privacy objectives. If not, what is wrong? > if the admin grants access, then the access granted to the client changes. > >> The model you propose may be suited for an enterprise environment but is >> not scalable over the Internet. >> > It is one of the use cases we are working to address. > >> What is needed is an access control model usable over the Internet with >> millions of RSs and thousands of ASs/GSs. >> > I agree the model should also scale to internet scale. > > Fine. Another point on which we are in agreement. > > The model can scale to the Internet based on the following assumptions: > > The flow starts with the steps (1) to (4) as illustrated by Francis, i.e. > the flow starts with a contact with a RS. > > > > > > > > > > > > *+----+ +------+ +---+ +---+ +---+ |User| |Client| |RS | |GS | |RO > | +----+ +------+ +---+ +-+-+ +-+-+ |(1) Service Request | | > |-------->| | | | | |(2) Service Intent | | > |------>| | | | |(3) AuthZ Challenge | | > |<------| | | | |(4) AuthZ Request | | > |------------->| |* > > The GS/AS does not need to have any prior relationship with ROs and/or RSs. > > Furthermore, it is possible to prevent the GS to act as Big Brother when > the identity of the RS is not disclosed to the GS. > What happens after (4) above? > Which information is supposed to be presented to the RO ? >>>> Which information is supposed to be returned by the RO ? >>>> >>> >>> Just like how the user authenticates to an AS, how the AS and RO >>> communicate is out of scope. >>> >>> At the moment, the usefulness of a dialogue between a GS and a RO has >>> not been explained, nor demonstrated. >>> The question is about the functionality of that dialogue in terms of >>> input and output information (and not about >>> the design of a protocol or of a user interface). Anyway, AFAIU a >>> dialogue between a GS and a RO is optional. >>> >> >> See enterprise example above. >> >> It is not an access control example, but a workflow example. >> >> Access control has been defined a long time ago and the last edition of >> the model has been confirmed in year 1996: ISO/IEC 10181-3: 1996. >> "Information technology — Open Systems Interconnection — Security >> frameworks for open systems: Access control framework — Part 3". >> >> Two major functions have ben defined: an Access Control Enforcement Function >> (AEF) and an Access Control Decision Function(ADF). >> >> Access Control Enforcement Function (AEF): >> A specialized function that is part of the access path between an >> initiator and a target on each access request and enforces the decision >> made by the ADF. >> Access Control Decision Function (ADF) : >> A specialized function that makes access control decisions by applying >> access control policy rules to an access request, ADI (of initiators, >> targets, access requests, >> or that retained from prior decisions), and the context in which the >> access request is made. >> >> The role of the RO is to define the "access control policy rules" at the >> RS according to the context in which the access request is made. >> > I'm pretty familiar with access control systems. :) > > I would say that the access control is happening at the RS. The client > presents a token when accessing an API. > The RS uses the token, and any policy required, to make an access decision. > > Fine. It looks like we are in agreement. Unfortunately, this is not the > case just below. > > Here is flow: > > 1) The Client requests access to an RS from the GS. > > No. We are no more in agreement. This is different from the flow drawn by > Francis. > My bad. Typo. I meant RO. > 2) The GS queries the RS if access should be granted. > > No. The GS should not be forced to have a flow with the RS. > Same mistake as above, I meant RO. > 3) If access is granted, the GS creates an access token representing the > granted access, and returns it to the Client. > > This model is by no way conformant to ISO/IEC 10181-3: 1996 > I'm unclear on why, or why it is even relevant. > 4) The Client presents the access token to the RS to show it has been > granted access. > > No. The client presents a token when accessing an API. The RS uses the > token, and any policy required, to make an access decision. > The token never contains an information like "Please grant an access to > the holder of this token". > Let me provide more clarity in the sentence: The Client presents the access token to the RS, to show the RS that the Client has been granted access to a resource at the RS by the GS. > > A couple advantages of this model: > - that the RS does not need to know much, if anything about the Client. > - the access token MAY be self contained so that the Client does not need > to query the GS on each access. > > There are so many disadvantages that I will not list them. > Darn: I clearly was not firing on all cylinders when I typed this out. Let me correct: - the access token MAY be self contained so that the RS does not need to query the GS on each access to the RS by the Client. > I would not say that GNAP is an access control protocol, as how the RS > uses the token to determine access is out of scope. > > This is where we have a major discrepancy: how the RS uses the token to > determine access is *within* the scope. > > The RS announces in advance to the client what it needs so that the client > can perform a a given operation and if the client supplies the requested > attributes > obtained from some GS/AS(s) trusted by the RS, then access to that RS is > granted by the RS. If the RS cannot perform the requested operation on its > own, > then the client should be informed about some requested attributes that > need to be obtained from some GS/AS(s) trusted by the next RS(s) in a chain > for subsequent operations. The User consent should also be obtained before > performing the chaining operation. > > Chaining operations between RSs over the Internet is within the scope (... > and may be achieved). > > >> >>> For many use cases, the User is the RO, and the interaction is through a >>> user interface, not a machine protocol. >>> >>> Wait a second. You wrote "the User is the RO". The User is attempting to >>> make an access to a RS by using a Client. >>> *That* User is not the RO of the RS. >>> >> The user being the RO is the initial use case for OAuth. >> >> OAuth 2.0 is no more mandating such a case. >> > > I don't know what you mean by that. > > Copy and paste from draft-ietf-oauth-security-topics: > > OAuth initially assumed a static relationship between client, > authorization server and resource servers. (...) > With the increasing adoption of OAuth, this simple model dissolved and, in > several scenarios, was replaced > by a dynamic establishment of the relationship between clients on one side > and the authorization and > resource servers of a particular deployment on the other side. > > This way, the same client could be used to access services of different > providers (in case of standard APIs, > such as e-mail or OpenID Connect) or serve as a frontend to a particular > tenant in a multi-tenancy environment. > > This sentence does not mention the RO or the Client. I'm confused what we are talking about > > >> A client application would like access to the user's photos at a photo >> sharing site. The resource is the user's photos. The user is the owner of >> that resource. >> >> If the user has already pre established the access control policy rules >> so that it can access to his own photos >> then he does not need to grant in real time any additional authorization. >> > I don't understand what you are trying to say. The photo sharing example > was a driving use case for the creation of OAuth. > > We would need to revisit the original scenario and consider if it can be > addressed in a different way than the original way. > The use case is the same. Is there a different solution you are proposing?
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- [Txauth] Reviewing draft-hardt-xauth-protocol-11 Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Tom Jones
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Fabien Imbault
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Tom Jones
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Francis Pouatcha
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Tom Jones
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Fabien Imbault
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Denis
- Re: [Txauth] Reviewing draft-hardt-xauth-protocol… Dick Hardt