IETF Logo Mail Archive

Re: [Txauth] TxAuth Charter (Take 3.5)

Roman Danyliw <rdd@cert.org> Wed, 29 January 2020 00:13 UTC

Return-Path: <rdd@cert.org>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24FF71200EF for <txauth@ietfa.amsl.com>; Tue, 28 Jan 2020 16:13:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cRzmfh32ideo for <txauth@ietfa.amsl.com>; Tue, 28 Jan 2020 16:13:49 -0800 (PST)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67A161200B7 for <txauth@ietf.org>; Tue, 28 Jan 2020 16:13:49 -0800 (PST)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 00T0Dmva033159 for <txauth@ietf.org>; Tue, 28 Jan 2020 19:13:48 -0500
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 00T0Dmva033159
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1580256828; bh=6g1TOYJwWpcuDrino2OQJYT8n2UN357RN5lHta/ADXU=; h=From:To:Subject:Date:References:In-Reply-To:From; b=tumdncUH6opOb65w8CYKmrN3cYwb36XF6NDxumxm2vAKQLj6TKLvagjpe5n8JNMCZ RCK4VJ9Lczb3NgbSnloniDxUuSbirQVw7V1+cwO/Uh/CgR00YwB/dX9ET4WgqX8sX3 m+wfhaGl1VuTF9MVtYhOWBlBb5UoT7DEI1CYPqqA=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 00T0Di4V026392 for <txauth@ietf.org>; Tue, 28 Jan 2020 19:13:44 -0500
Received: from MARCHAND.ad.sei.cmu.edu ([10.64.28.251]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0468.000; Tue, 28 Jan 2020 19:13:44 -0500
From: Roman Danyliw <rdd@cert.org>
To: "txauth@ietf.org" <txauth@ietf.org>
Thread-Topic: [Txauth] TxAuth Charter (Take 3.5)
Thread-Index: AdXWN/J4UErM8Xu+S0Oa4ahuXDKSvgAAASAQ
Date: Wed, 29 Jan 2020 00:13:44 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC0216F15F4E@marchand>
References: <359EC4B99E040048A7131E0F4E113AFC0216F15F2E@marchand>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC0216F15F2E@marchand>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/Dhxyv5sl8l7Cy7CBVktLX_nra0o>
Subject: Re: [Txauth] TxAuth Charter (Take 3.5)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2020 00:13:51 -0000

Hi!

> -----Original Message-----
> From: TxAuth <txauth-bounces@ietf.org> On Behalf of Justin Richer
> Sent: Sat, 18 January 2020 14:15 UTCShow
> To: IETF TxAuth <txauth@ietf.org>
> Subject: [Txauth] TxAuth Charter (Take 3.5)
> 

[snip]
> I would really appreciate the security AD's weighing in at this stage. Thanks
> again everyone!

The Sec ADs have reviewed the charter (as of v3.5) and at a high level believe the scope could use a bit more precision.  If there was no prior work, the situation would be different.  However, in this case, relationships with the existing OAuth WG needs to be navigated.  Topics that require discussion and clarity include:

** is TxAuth intended to solve all existing OAuth use cases (i.e., is TxAuth is a superset of OAuth) in a new, non-backward compatible way?  If not all, which would not be addressed?
** what new use cases would TxAuth address (that aren't in scope for OAuth)?
** given a new use case requirement for delegated authorization/identity, what would be the decision process to decide to which WG or WGs it would go?
** notional milestones (not the dates, but the deliverables)

In the details of the text:

(1) Distinguish what's new (instance #1):
OLD:
This group is chartered to develop a delegation protocol for authorization, identity, and API access.

NEW:
This group is chartered to develop a fine-grained delegation protocol for authorization, identity, and API access.

(2) Distinguish what's new (instance #2):
OLD:
The use cases supported by this protocol will include widely deployed use cases currently supported by OAuth 2.0 and OpenID Connect (an extension of OAuth 2.0) as well as new use cases not enabled by OAuth 2.0.

NEW:
It will expand upon the uses cases currently supported by OAuth 2.0 and OpenID Connect (itself an extension of OAuth 2.0) to support authorizations scoped as narrowly as a single transaction, provide a clear framework for interaction among all parties involved in the protocol flow, and remove unnecessary dependence on a browser or user-agent for coordinating interactions.

(3) Style Nit:
OLD:
Web, mobile, single-page, interaction-constrained, and other types of client applications

NEW: 
A variety of client applications, including Web, mobile, single-page, and interaction-constrained applications

(4) Per "Token presentation mechanisms and key bindings", perhaps it might be clearer to say "Mechanisms for presenting tokens to resource servers and binding resource requests to cryptographic keys"

(5) Per "Mechanisms for providing user, software ...", perhaps it might be clearer to say "Mechanism for conveying user, software ..."

(6) Per "Optimization of information and API access beyond identity through the delegation process", is this suggesting the need for optimizing access to TxAuth information for use cases beyond identity? Or the inclusion of information that isn't identity information into the delegation process?  

(7) Refine the protocol focus:
OLD:
While the initial work will focus on using HTTP for communication between the client and the authorization server, the working group will seek to take advantage of optimization features of HTTP2 and HTTP3 where possible, and will strive to enable simple mapping to other protocols such as COAP.

NEW:
The initial work will focus on using HTTP for communication between the client and the authorization server, taking advantage of optimization features of HTTP2 and HTTP3 where possible, and will strive to enable simple mapping to other protocols such as COAP when doing so does not conflict with the primary focus.

Regards,
Roman and Ben

v2.23.0 | Report a Bug | By Email