Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)

Mike Varley <mike.varley@securekey.com> Mon, 29 June 2020 16:02 UTC

From: Mike Varley <mike.varley@securekey.com>
To: Denis <denis.ietf@free.fr>, Justin Richer <jricher@mit.edu>, "txauth@ietf.org" <txauth@ietf.org>
CC: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 29 Jun 2020 16:02:32 +0000
Message-ID: <9668FD63-A2E3-4DC1-BF13-558B87C05E86@securekey.com>
References: <159318778098.29096.6482921706088845432@ietfa.amsl.com> <cdbb228a-1412-e2e2-fe15-852fdd4649ac@free.fr> <CAD9ie-vrMk_D8WSz7h5aAw_FmnBJDkRJyWQeXTTsAP3ofH0iNg@mail.gmail.com> <353AF4E4-4939-4994-960E-54B0AADC6253@mit.edu> <624d15e8-48c0-4ef6-9429-d8fb79407d81@free.fr>
In-Reply-To: <624d15e8-48c0-4ef6-9429-d8fb79407d81@free.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/FrYOqPiaoMIHo7bM92q3oWteedc>

Hello Denis, all, I just wanted to jump in on this point below:

From: Txauth <txauth-bounces@ietf.org> on behalf of Denis <denis.ietf@free.fr>
Date: Monday, June 29, 2020 at 3:14 AM

Any trust relationship may be described using the following construction: entity A trusts entity B for some action C.
If you have in mind additional trust relationships, would you be able to express them using this construction?
Maybe you also have in mind some relationships that do not imply a form of trust?

There is a proxy/broker model which is sort of described by the above, but which I'd like to call out below.

There are cases where A trusts Z and B trusts Z, but A and B do not know/trust each other directly, and Z is not the AS (but there is a trust relationship between Z and the AS; this allows for more than one AS in the trust framework). In order for A and B to interact, the AS will act as a 'locator' service and subject-representative, but any associated access tokens the AS generates will require assurances from Z that the participants in the transaction are legitimate entities in the transaction.

Here is an example: A is a rental car company, B is a DMV. The AS is a personal digital identity management service (*cough* wallet *cough*) that interacts with the license holder/Renter. A, B, and AS have a trust relationship and defined role in an organization Z. When the Renter wishes to provide his eligibility to drive to A, the AS must provide:

1. Evidence to A from Z that B is a qualified DMV (permitted to provide the required info).
2. Evidence to B from Z that A is a qualified Rental Car Company (permitted to collect the required info).
3. Evidence to both A and B from Z that the AS is a trusted subject representative.
4. A route for A and B to communicate with each other with all these access permissions.

Note in this model the AS can also be a trusted participant in another Z+1 trust framework.

I see GNAP as an opportunity to support the above model with flexible user agents, AS, discovery, token structures and crypto.

Thanks,

MV

This email and any attachments are for the sole use of the intended recipients and may be privileged, confidential or otherwise exempt from disclosure under law. Any distribution, printing or other use by anyone other than the intended recipient is prohibited. If you are not an intended recipient, please contact the sender immediately, and permanently delete this email and its attachments.
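The brokered model in the message above, as an added example that is not part of the original post or of GNAP: trust framework Z issues attestations about each participant, and A (the rental company) and B (the DMV) each verify the attestations covering the other party and the AS before honouring any token the AS issues (steps 1 to 3). The framework key, identifiers, role names and action names are constructed placeholders; Z's signature is modelled with an HMAC key shared among framework members, where a real Z would sign with a private key and members would verify with its public key.

```python
import hashlib
import hmac
import json

# Constructed placeholder key for trust framework Z (stand-in for Z's signing key).
Z_KEY = b"constructed-framework-Z-key"


def _canonical(claims):
    # Deterministic serialisation so issuer and verifier sign/check identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(key, subject, role, permitted, exp):
    """Z vouches that `subject` holds `role` and may perform the `permitted` actions until `exp`."""
    claims = {"iss": "Z", "sub": subject, "role": role,
              "permitted": sorted(permitted), "exp": exp}
    sig = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def verify_attestation(key, att, subject, role, action, now):
    """Check Z's signature first, then that the claims bind this subject to this role and action."""
    expected = hmac.new(key, _canonical(att["claims"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att["sig"]):
        return False  # not issued by Z, or tampered with after issuance
    c = att["claims"]
    return (c["iss"] == "Z" and c["sub"] == subject and c["role"] == role
            and c["exp"] > now and action in c["permitted"])


def rental_company_accepts(att_dmv, att_as, dmv_id, as_id, now):
    """A's checks (steps 1 and 3): B is a qualified DMV and the AS is a trusted subject representative."""
    dmv_ok = verify_attestation(Z_KEY, att_dmv, dmv_id, "dmv",
                                "provide:driving-eligibility", now)
    as_ok = verify_attestation(Z_KEY, att_as, as_id, "subject-representative",
                               "represent:subject", now)
    return dmv_ok and as_ok


def dmv_accepts(att_rental, att_as, rental_id, as_id, now):
    """B's checks (steps 2 and 3): A is a qualified rental company and the AS is trusted."""
    rental_ok = verify_attestation(Z_KEY, att_rental, rental_id, "rental-car-company",
                                   "collect:driving-eligibility", now)
    as_ok = verify_attestation(Z_KEY, att_as, as_id, "subject-representative",
                               "represent:subject", now)
    return rental_ok and as_ok
```

Note that neither A nor B needs to trust the other directly: each decision rests only on Z's attestations plus the AS identity bound into the token it received.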