IETF Logo Mail Archive

Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)

Justin Richer <jricher@mit.edu> Fri, 26 June 2020 21:03 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69B243A0C79; Fri, 26 Jun 2020 14:03:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.885
X-Spam-Level:
X-Spam-Status: No, score=-1.885 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pJbYB96_K-KA; Fri, 26 Jun 2020 14:02:59 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4FD03A0C77; Fri, 26 Jun 2020 14:02:58 -0700 (PDT)
Received: from [192.168.1.14] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 05QL2ufd030553 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 26 Jun 2020 17:02:56 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <830A4653-5912-46DE-8173-BA149899FDD3@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_66E0A1F7-F8B7-4C74-A5C0-2D150F06FB82"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Fri, 26 Jun 2020 17:02:56 -0400
In-Reply-To: <CAD9ie-voeZUSaYVwWHHTN8ocsHq6OCReiOLOixxqOZ2qO3aOSw@mail.gmail.com>
Cc: txauth@ietf.org, Dick Hardt <dick.hardt@gmail.com>
To: The IESG <iesg@ietf.org>
References: <159318778098.29096.6482921706088845432@ietfa.amsl.com> <CAD9ie-voeZUSaYVwWHHTN8ocsHq6OCReiOLOixxqOZ2qO3aOSw@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/ETEpo6Yljl6bM2Za5dwQeTKi0h8>
Subject: Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2020 21:03:02 -0000

I agree with this proposed change in wording for the milestones. We don’t want to artificially limit the key binding presentation mechanisms. While I think the three listed are likely to be among the first ones we see (based on prior art and current community interest), I don’t think we can predict entirely what will be developed by the group and when. 

 — Justin

> On Jun 26, 2020, at 1:21 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> 
> 
> I am concerned with the following milestones:
> 
> 
>   Oct 2021 - Key presentation mechanism binding to the core protocol, TLS, to
>   WGLC
> 
>   Oct 2021 - Key presentation mechanism binding to the core protocol,
>   detached HTTP signatures, to WGLC
> 
>   Oct 2021 - Key presentation mechanism binding to the core protocol,
>   embedded HTTP signature, to WGLC
> 
> I think it is overly prescriptive to specify which key presentation mechanisms will be created, and it implies that other key presentation mechanisms will not be worked on. While it is possible that channel binding mechanisms such as TLS, detached HTTP signatures, and embedded HTTP signatures will be appropriate key presentation mechanisms for GNAP, it is also quite possible that the WG will determine one or more are not appropriate, or the underlying mechanism may not gain acceptance, or channel binding is not always needed. For example, the effort to bind OAuth access tokens using RFC8471 was disbanded.
> 
> Additionally, there are two primary communication channels in the protocol that have different security requirements. The client to authorization server, and the client to resource server. The term "core protocol" is vague and could be construed that the same mechanism MUST be used in both channels.
> 
> I propose the following new wording:
> 
> Oct 2021 - Key presentation mechanism binding for each communication channel to WGLC.
> 
> 
> ---------- Forwarded message ---------
> From: The IESG <iesg-secretary@ietf.org <mailto:iesg-secretary@ietf.org>>
> Date: Fri, Jun 26, 2020 at 9:10 AM
> Subject: WG Review: Grant Negotiation and Authorization Protocol (gnap)
> To: IETF-Announce <ietf-announce@ietf.org <mailto:ietf-announce@ietf.org>>
> Cc: <txauth@ietf.org <mailto:txauth@ietf.org>>
> 
> 
> A new IETF WG has been proposed in the Security Area. The IESG has not made
> any determination yet. The following draft charter was submitted, and is
> provided for informational purposes only. Please send your comments to the
> IESG mailing list (iesg@ietf.org <mailto:iesg@ietf.org>) by 2020-07-06.
> 
> Grant Negotiation and Authorization Protocol (gnap)
> -----------------------------------------------------------------------
> Current status: Proposed WG
> 
> Chairs:
>   Yaron Sheffer <yaronf.ietf@gmail.com <mailto:yaronf.ietf@gmail.com>>
>   Leif Johansson <leifj@sunet.se <mailto:leifj@sunet.se>>
> 
> Assigned Area Director:
>   Roman Danyliw <rdd@cert.org <mailto:rdd@cert.org>>
> 
> Security Area Directors:
>   Benjamin Kaduk <kaduk@mit.edu <mailto:kaduk@mit.edu>>
>   Roman Danyliw <rdd@cert.org <mailto:rdd@cert.org>>
> 
> Mailing list:
>   Address: txauth@ietf.org <mailto:txauth@ietf.org>
>   To subscribe: https://www.ietf.org/mailman/listinfo/txauth <https://www.ietf.org/mailman/listinfo/txauth>
>   Archive: https://mailarchive.ietf.org/arch/browse/txauth/ <https://mailarchive.ietf.org/arch/browse/txauth/>
> 
> Group page: https://datatracker.ietf.org/group/gnap/ <https://datatracker.ietf.org/group/gnap/>
> 
> Charter: https://datatracker.ietf.org/doc/charter-ietf-gnap/ <https://datatracker.ietf.org/doc/charter-ietf-gnap/>
> 
> This group is chartered to develop a fine-grained delegation protocol for
> authorization and API access, as well as requesting and providing user
> identifiers and claims. This protocol will allow an authorizing party to
> delegate access to client software through an authorization server. It will
> expand upon the uses cases currently supported by OAuth 2.0 and OpenID Connect
> (itself an extension of OAuth 2.0) to support authorizations scoped as
> narrowly as a single transaction, provide a clear framework for interaction
> among all parties involved in the protocol flow, and remove unnecessary
> dependence on a browser or user-agent for coordinating interactions.
> 
> The delegation process will be acted upon by multiple parties in the protocol,
> each performing a specific role. The protocol will decouple the interaction
> channels, such as the end user’s browser, from the delegation channel, which
> happens directly between the client and the authorization server (in contrast
> with OAuth 2.0, which is initiated by the client redirecting the user’s
> browser). The protocol will include a means of specifying how the user can
> potentially be involved in an interactive fashion during the delegation
> process. The client and Authorization Server (AS) will use these interaction
> mechanisms to involve the user, as necessary, to make authorization decisions.
> This decoupling avoids many of the security concerns and technical challenges
> of OAuth 2.0 and provides a non-invasive path for supporting future types of
> clients and interaction channels.
> 
> The group will define interoperability for this protocol between different
> parties, including
>  - client and authorization server;
>  - client and resource server; and
>  - authorization server and resource server.
> 
> The group will seek to minimize assumptions about the form of client
> applications, allowing for:
> - Fine-grained specification of access
> - Approval of AS attestation to identifiers and other identity claims
> - Approval of access to multiple resources and APIs in a single interaction
> - Support for multiple access tokens in a single request and response
> - Support for directed, audience-restricted access tokens
> - Separation between the party authorizing access and the party operating the
> client requesting access
> 
> The group will define extension points for this protocol to allow for
> flexibility in areas including:
> 
> - Cryptographic agility for keys, message signatures, and proof of possession
> - User interaction mechanisms including web and non-web methods
> - Mechanisms for conveying user, software, organization, and other
> information used in authorization decisions
> - Mechanisms for presenting tokens to resource servers and binding resource
> requests to tokens and associated cryptographic keys
> - Optimized inclusion of additional information (including identifiers and
> identity assertions) through the delegation process
> 
> Additionally, the group will provide mechanisms for management of the protocol
> lifecycle including:
> 
> - Discovery of the authorization server
> - Revocation of active tokens
> - Mechanisms for the AS and RS to communicate the access granted by an access
> token
> 
> Although the artifacts for this work are not intended or expected to be
> backwards-compatible with OAuth 2.0 or OpenID Connect, the group will attempt
> to simplify migrating from OAuth 2.0 and OpenID Connect to the new protocol
> where possible.
> 
> This group is not chartered to develop extensions to OAuth 2.0, and as such
> will focus on new technological solutions not necessarily compatible with
> OAuth 2.0. Functionality that builds directly on OAuth 2.0 will be directed
> to the OAuth Working Group, including functionality back-ported from the
> protocol developed here to OAuth 2.0.
> 
> The group is chartered to develop mechanisms for applying cryptographic
> methods, such as JOSE and COSE, to the delegation process. This group is not
> chartered to develop new cryptographic methods.
> 
> The group is chartered to develop mechanisms for conveying identity
> information within the protocol including existing identifiers (such as email
> addresses, phone numbers, usernames, and subject identifiers) and assertions
> (such as OpenID Connect ID Tokens, SAML Assertions, and Verifiable
> Credentials). The group is not chartered to develop new formats for
> identifiers or assertions, nor is the group chartered to develop schemas for
> user information, profiles, or other identity attributes, unless a viable
> existing format is not available.
> 
> The initial work will focus on using HTTPS for communication between the
> client and the authorization server, taking advantage of optimization
> features of HTTP/2 and HTTP/3 where possible, and will strive to enable
> simple mapping to other protocols such as COAP when doing so does not
> conflict with the primary focus.
> 
> Milestones to include:
> - Core delegation protocol
> - Key presentation mechanism bindings to the core protocol including TLS,
> detached HTTP signature, and embedded HTTP signatures
> - Conveyance mechanisms for identifiers and assertions
> - Guidelines for use of protocol extension points
> - (if needed) Guidelines on migration paths, implementation, and operations
> 
> Where possible, the group will seek to make use of tools to guide and inform
> the standardization process including formal analysis, architecture documents,
> and use case documents. These artifacts will not be considered as working
> group milestones or deliverables.
> 
> The working group will cooperate and coordinate with other IETF WGs such as
> OAUTH, and work with external organizations, such as the OpenID Foundation,
> as appropriate.
> 
> Milestones:
> 
>   Jul 2021 - Core delegation protocol in WGLC
> 
>   Oct 2021 - Key presentation mechanism binding to the core protocol, TLS, to
>   WGLC
> 
>   Oct 2021 - Key presentation mechanism binding to the core protocol, 
>   detached HTTP signatures, to WGLC
> 
>   Oct 2021 - Key presentation mechanism binding to the core protocol,
>   embedded HTTP signature, to WGLC
> 
>   Dec 2021 - Guidelines for use of protocol extension points to WGLC
> 
>   Feb 2022 - Guidelines on migration paths, implementation, and operations to
>    WGLC
> 
> 
> 
> _______________________________________________
> IETF-Announce mailing list
> IETF-Announce@ietf.org <mailto:IETF-Announce@ietf.org>
> https://www.ietf.org/mailman/listinfo/ietf-announce <https://www.ietf.org/mailman/listinfo/ietf-announce>
> ᐧ
> -- 
> Txauth mailing list
> Txauth@ietf.org <mailto:Txauth@ietf.org>
> https://www.ietf.org/mailman/listinfo/txauth <https://www.ietf.org/mailman/listinfo/txauth>

v2.23.0 | Report a Bug | By Email