IETF Logo Mail Archive

Re: [Txauth] TxAuth Charter (Take 3.5)

Dick Hardt <dick.hardt@gmail.com> Wed, 29 January 2020 01:13 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95A021200EC for <txauth@ietfa.amsl.com>; Tue, 28 Jan 2020 17:13:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QCrPGKPscFjM for <txauth@ietfa.amsl.com>; Tue, 28 Jan 2020 17:13:25 -0800 (PST)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46AA01200B3 for <txauth@ietf.org>; Tue, 28 Jan 2020 17:13:25 -0800 (PST)
Received: by mail-lf1-x135.google.com with SMTP id v201so10584783lfa.11 for <txauth@ietf.org>; Tue, 28 Jan 2020 17:13:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qKXArOjkgght1MCZgfbETIKajPzHhO4znbpPwPMiuzQ=; b=vJ37f8PaL4E31r+KrxQGI3LDYbv5HYx6Ac7XcL+Gn/U36h/k96jC2Qgp9WqlTn2jZX Y12IyW+iEi8cU3Uj1KAWwZmftDQ2xJ7z0hojsxM4VnswJsq/PTGnDSrxLMe6EvcGhoRU ery6JTJSCNIsQwWSdP+vZBocduLy7nfKPg9V29ae9OyLUguk+lmtxEZbIifqlNI00Rcj uKDW+psAb2rIfjhWYigiXu/4k/RFbDhmjp3yr2p0VMfQielqLzJKl8at0uaqmxcw91D2 VcRT0vKR263bPhj0hNI2EwiL35kgSH3C7NZOg4zm6w14CUN7cxuBWFzQXAGX1rWxhNA+ 6xNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qKXArOjkgght1MCZgfbETIKajPzHhO4znbpPwPMiuzQ=; b=pq/SEc0kLlNoJCkxaPMQ07Jrudjlu46AtNANSwoNRH7aPbJdca+clH5FIJIuXF2nnq dwAAcjDE7pld1KnXjtEQWI6anC+j0fZL29/cwsSat5Mrz+wa4PXqnb+19V0w6lSiPa9s 5NggTa0ls3rQFfiCYUwC7JkZ9CzFPird3/ANO+M663GNvVLEWYLa9/me2SzFmAB/BGOh medml020T7IzcyUgZ0mJwb/ZT2pOIcDuU2JbHNqRWuohLmkZooV0tfFqHV2hRXW60VQw h9XK5tUdwqtrad5GAeWd+xZzIZTi4s9ILl50EfmdHZ/FPSpyBoViseRBVkkJCjc4pUeE Yyhw==
X-Gm-Message-State: APjAAAW6FtkOLGvk3Z3y9ckW1RLUgcN7bYL2paEQGJ2sV4csyWDhGO66 aUB1omobAdotmeUccac1A1YnobxBNCndDZGsckHwBF6syr8=
X-Google-Smtp-Source: APXvYqxf8o+vnqlALFq4xrry5uitOWjYj4VV5gQDwfEAZN1AzJpmnFKu/KdblRG5lOPq1l3PUs3STL+jAHekahaFiSc=
X-Received: by 2002:a19:7711:: with SMTP id s17mr4009086lfc.164.1580260403303; Tue, 28 Jan 2020 17:13:23 -0800 (PST)
MIME-Version: 1.0
References: <359EC4B99E040048A7131E0F4E113AFC0216F15F2E@marchand> <359EC4B99E040048A7131E0F4E113AFC0216F15F4E@marchand>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC0216F15F4E@marchand>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 28 Jan 2020 17:13:11 -0800
Message-ID: <CAD9ie-tb8V9vHNUxeHiyTV805Q6OwgKmb260wn9CyzeZxyWFJw@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fddb4c059d3d0b37"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/G7t0Kmjp1gFc--qCowW5uIfBfTg>
Subject: Re: [Txauth] TxAuth Charter (Take 3.5)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2020 01:13:29 -0000

 I'll take a stab at answering your questions:

The Sec ADs have reviewed the charter (as of v3.5) and at a high level
> believe the scope could use a bit more precision.  If there was no prior
> work, the situation would be different.  However, in this case,
> relationships with the existing OAuth WG needs to be navigated.  Topics
> that require discussion and clarity include:
> ** is TxAuth intended to solve all existing OAuth use cases (i.e., is
> TxAuth is a superset of OAuth) in a new, non-backward compatible way?
>

Yes. See below for non-backward compatibility.


> ** what new use cases would TxAuth address (that aren't in scope for
> OAuth)?
>

All identity claim use cases. A set of these are solved by OpenID Connect,
which is an extension to OAuth 2.0. TxAuth would also be a superset of
OpenID Connect in addition to OAuth.


> ** given a new use case requirement for delegated authorization/identity,
> what would be the decision process to decide to which WG or WGs it would go?


Identity claim use cases would be in the TxAuth WG, as identity claims are
not in the latest OAuth WG charter.

Some new authorization use cases will be applicable to both, where there is
a desire for the use case to be supported by both protocols. In situations
where the same document can be used by both OAuth and TxAuth such as the
Rich Authorization Request work, I would suggest it be done in the OAuth WG.

Other use cases will require different mechanisms, as the protocols are
different, and work will happen in both.

*How are OAuth 2.0 and TxAuth different?*

OAuth 2.0 uses browser redirects, and query parameters for the Client and
Authorization Server to communicate initially, and then the Client makes a
form encoded POST to the Authorization Server.

Extensions to OAuth 2.0 have added additional parameters, but have been
limited by what can be added to a URL redirect, and the name / value pair
constraints of a form encoded POST.

In contrast, TxAuth uses JSON to encode messages between the Client and the
Authorization Server, and the Client starts the the protocol sending a rich
JSON message to the Authorization Server. TxAuth is a new protocol.

Just as OAuth 2.0 was incompatible with OAuth 1.0, TxAuth is incompatible
with OAuth 2.0. If the work was done in the OAuth WG, it would likely be
called OAuth 3.0. To do that, the OAuth WG Charter would need to be
updated, as identity claims are not in scope. Excerpts from the OAuth WG
Charter https://tools.ietf.org/wg/oauth/charters

  The Web Authorization (OAuth) protocol allows a user to grant a
  third-party web site or application access to the user's protected
  resources, without necessarily revealing their long-term credentials,
  or even their identity.

<snip>

  The ongoing standardization efforts within the OAuth working group
  focus on increasing interoperability of OAuth deployments and to
  improve security.




On Tue, Jan 28, 2020 at 4:13 PM Roman Danyliw <rdd@cert.org> wrote:

> Hi!
>
> > -----Original Message-----
> > From: TxAuth <txauth-bounces@ietf.org> On Behalf of Justin Richer
> > Sent: Sat, 18 January 2020 14:15 UTCShow
> > To: IETF TxAuth <txauth@ietf.org>
> > Subject: [Txauth] TxAuth Charter (Take 3.5)
> >
>
> [snip]
> > I would really appreciate the security AD's weighing in at this stage.
> Thanks
> > again everyone!
>
> The Sec ADs have reviewed the charter (as of v3.5) and at a high level
> believe the scope could use a bit more precision.  If there was no prior
> work, the situation would be different.  However, in this case,
> relationships with the existing OAuth WG needs to be navigated.  Topics
> that require discussion and clarity include:
>
> ** is TxAuth intended to solve all existing OAuth use cases (i.e., is
> TxAuth is a superset of OAuth) in a new, non-backward compatible way?  If
> not all, which would not be addressed?
> ** what new use cases would TxAuth address (that aren't in scope for
> OAuth)?
> ** given a new use case requirement for delegated authorization/identity,
> what would be the decision process to decide to which WG or WGs it would go?
> ** notional milestones (not the dates, but the deliverables)
>
> In the details of the text:
>
> (1) Distinguish what's new (instance #1):
> OLD:
> This group is chartered to develop a delegation protocol for
> authorization, identity, and API access.
>
> NEW:
> This group is chartered to develop a fine-grained delegation protocol for
> authorization, identity, and API access.
>
> (2) Distinguish what's new (instance #2):
> OLD:
> The use cases supported by this protocol will include widely deployed use
> cases currently supported by OAuth 2.0 and OpenID Connect (an extension of
> OAuth 2.0) as well as new use cases not enabled by OAuth 2.0.
>
> NEW:
> It will expand upon the uses cases currently supported by OAuth 2.0 and
> OpenID Connect (itself an extension of OAuth 2.0) to support authorizations
> scoped as narrowly as a single transaction, provide a clear framework for
> interaction among all parties involved in the protocol flow, and remove
> unnecessary dependence on a browser or user-agent for coordinating
> interactions.
>
> (3) Style Nit:
> OLD:
> Web, mobile, single-page, interaction-constrained, and other types of
> client applications
>
> NEW:
> A variety of client applications, including Web, mobile, single-page, and
> interaction-constrained applications
>
> (4) Per "Token presentation mechanisms and key bindings", perhaps it might
> be clearer to say "Mechanisms for presenting tokens to resource servers and
> binding resource requests to cryptographic keys"
>
> (5) Per "Mechanisms for providing user, software ...", perhaps it might be
> clearer to say "Mechanism for conveying user, software ..."
>
> (6) Per "Optimization of information and API access beyond identity
> through the delegation process", is this suggesting the need for optimizing
> access to TxAuth information for use cases beyond identity? Or the
> inclusion of information that isn't identity information into the
> delegation process?
>
> (7) Refine the protocol focus:
> OLD:
> While the initial work will focus on using HTTP for communication between
> the client and the authorization server, the working group will seek to
> take advantage of optimization features of HTTP2 and HTTP3 where possible,
> and will strive to enable simple mapping to other protocols such as COAP.
>
> NEW:
> The initial work will focus on using HTTP for communication between the
> client and the authorization server, taking advantage of optimization
> features of HTTP2 and HTTP3 where possible, and will strive to enable
> simple mapping to other protocols such as COAP when doing so does not
> conflict with the primary focus.
>
> Regards,
> Roman and Ben
>
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email