Re: [Txauth] Support of FIDO and data minimization by RSs

Denis <denis.ietf@free.fr> Wed, 08 July 2020 07:14 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B84AB3A0C22 for <txauth@ietfa.amsl.com>; Wed, 8 Jul 2020 00:14:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.619
X-Spam-Level:
X-Spam-Status: No, score=-1.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.276, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ZIimL3lg8Cc for <txauth@ietfa.amsl.com>; Wed, 8 Jul 2020 00:14:53 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp01.smtpout.orange.fr [80.12.242.123]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EAF63A0C2E for <txauth@ietf.org>; Wed, 8 Jul 2020 00:14:50 -0700 (PDT)
Received: from [192.168.1.11] ([86.238.65.197]) by mwinf5d53 with ME id 0XEm2300D4FMSmm03XEm7H; Wed, 08 Jul 2020 09:14:48 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Wed, 08 Jul 2020 09:14:48 +0200
X-ME-IP: 86.238.65.197
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, "rdd@cert.org" <rdd@cert.org>, "txauth@ietf.org" <txauth@ietf.org>, The IESG <iesg@ietf.org>
References: <02ea0d99-a8b8-7957-8d16-de0a105f9362@free.fr> <CAD9ie-uHo1hNs6Y767NHyNj1TxmfzcbDk-6iZxBT0QWtqpe+Fg@mail.gmail.com> <c91a9ecf-0f8c-a62d-aa4f-66e15cc6fba2@free.fr> <46705E7E-D657-4CF1-80DA-0ADDFD6D8B41@mit.edu> <85b03911-d1c6-127f-2480-bfab4b94ffe2@free.fr> <CAD9ie-tnj1ufCmiZ2MHHKPZ9kM7YQzoNMo4YErcu_coUX_35+g@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <c9fd6fc8-12cb-998b-d001-00eb9abcf866@free.fr>
Date: Wed, 8 Jul 2020 09:14:43 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <CAD9ie-tnj1ufCmiZ2MHHKPZ9kM7YQzoNMo4YErcu_coUX_35+g@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------F0FB495A4A776B72668E1E45"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/GopfW8yzLtj7BshenB9TfXOfvow>
Subject: Re: [Txauth] Support of FIDO and data minimization by RSs
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2020 07:14:59 -0000

Hi Dick,

> Denis: you seem to keep implying that other architectures don't 
> preserve privacy. A couple counterpoints:
>
> Token opacity helps privacy in another dimension -- the client does 
> not see the information about the user.

The client is not an adversary to the user.

> Many OAuth developments have self contained tokens. There is no token 
> introspection call.
> This, coupled with opaque tokens, is more privacy preserving than the 
> client being able to peek in a token.

When an access token contains personal information about a user, that 
user has the right to see that personal information.

Denis

>
> ᐧ
>
> On Tue, Jul 7, 2020 at 5:26 AM Denis <denis.ietf@free.fr 
> <mailto:denis.ietf@free.fr>> wrote:
>
>     Hi Justin,
>
>>     I think removing the opacity of access tokens to clients is going
>>     to be a non-starter for most of this community.
>
>     Token opacity is considered as a dogma in OAuth 2.0. More
>     explanations why access tokens should not be opaque in GNAP.
>
>     Token introspection mandates a dialogue from the RS to the AS
>     which allows the AS to know which RS
>     got a given access token. So token introspection allows the AS to
>     trace the client. This should be avoided.
>     Using NON-OPAQUE access tokens solves the issue both for the RSs
>     and for the clients. This means that
>     access tokens used for GNAP shall include a version number or a
>     format identifier.
>
>     Applying a "security by design" approach leads to specific design
>     requirements. The key question is whether
>     this BoF prefers a "Privacy by design" approach or /implicitly /a
>     "Big Brother by design" approach.
>
>     Denis
>
>>
>>      — Justin
>>
>>>     On Jul 6, 2020, at 3:17 PM, Denis <denis.ietf@free.fr
>>>     <mailto:denis.ietf@free.fr>> wrote:
>>>
>>>     Hi Dick,
>>>
>>>     Congratulations ! You made a good guess (but the guess was
>>>     easy): my approach is indeed privacy related.
>>>
>>>     _Note_: Since it is close to the end of the day in my time zone
>>>     (and since it is the last day for comments to the charter),
>>>     I copy both the IESG and Roman so that they can know that GNAP
>>>     should also consider a*bridge with FIDO*.
>>>
>>>     I have several goals:
>>>
>>>         1 - make a bridge with FIDO U2F (I will illustrate this with
>>>         a specific scenario).
>>>
>>>         2 - prevent every AS to know which RSs are going to be
>>>         accessed or which kind of operation the client will be doing.
>>>             This is to prevent an AS to act as "Big Brother".
>>>
>>>         3 - apply both "privacy by default" and "data minimization"
>>>         (when the user authenticates it may authenticate using FIDO or
>>>              by presenting one or more access tokens. Then after,
>>>         the necessary attributes that are necessary to perform a
>>>         given operation
>>>             are only requested and released at the time they are
>>>         indeed needed to perform the given operation (i.e. they are
>>>         not released
>>>             when the user logs on).
>>>
>>>         4 - the proposed RS Authorization algorithm allows a great
>>>         flexibility, in particular it supports FIDO and different
>>>         attributes
>>>              from different ASs may be requested by the RS.
>>>
>>>         5 - the rules associated with the RS Authorization algorithm
>>>         are making these rules only available at the time the client
>>>         indicates
>>>              which operation it is willing to perform (i.e. by
>>>         default, they are not public).
>>>
>>>         6 - access tokens are NOT OPAQUE to the clients so that
>>>         every client can make sure that their content reflects what
>>>         has been requested.
>>>
>>>     *A simple scenario to illustrate*
>>>
>>>     A student wants to apply for a new university. He connects to
>>>     the RS of the University. He first creates an account using FIDO.
>>>     He then selects the button "Preliminary information for applying
>>>     to the university". He is asked to enter two categories of
>>>     information:
>>>
>>>           * citizenship information and
>>>           * prior graduations.
>>>
>>>     The student can interrupt the preliminary registration procedure
>>>     at any time and continue it at any time later on.
>>>
>>>     When the student is finished, it selects the button "Application
>>>     to the university".
>>>
>>>         The university RS "reads" the citizen ship of the student
>>>         and let know to the student whether a paper form
>>>         and/or an electronic form of the identity of the student may
>>>         be provided. Let us assume the later case and that
>>>         the student is a citizen from France. Then the university RS
>>>         indicates which French banks or other French organisations
>>>         are trusted to provide an access token. The client checks
>>>         whether this list fits one of the AS with which it has a
>>>         relationship.
>>>
>>>         The university RS "reads" the prior graduations of the
>>>         student and then let know to the student whether a paper form
>>>         and/or an electronic form of the last graduation of the
>>>         student may be provided. Let us assume the later case and
>>>         that the student is from Yale University. Then the
>>>         university indicates the address of the AS from Yale University.
>>>         If the student is indeed from Yale University, he should be
>>>         able to provide the requested access token.
>>>
>>>     Such scenario which follows some privacy principles cannot be
>>>     constructed "/after the design"/ (it will not happen by magic or
>>>     by accident)
>>>     This is why the approach is called "privacy by design".
>>>
>>>     Denis
>>>
>>>>     Hi Denis
>>>>
>>>>     Would you provide some background on what you are trying to
>>>>     solve with this? I'm guessing it is privacy related.
>>>>
>>>>     Perhaps a use case would help make it more concrete?
>>>>
>>>>     /Dick
>>>>
>>>>
>>>>     On Mon, Jul 6, 2020 at 5:39 AM Denis <denis.ietf@free.fr
>>>>     <mailto:denis.ietf@free.fr>> wrote:
>>>>
>>>>         **eThis is a new thread: a proposal for a RS authorization
>>>>         algorithmand a way to support FIDO by RSs
>>>>
>>>>         In order to support the privacy principle of "data
>>>>         minimization" by RSs, only the attributes that are strictly
>>>>         necessary to perform
>>>>         an operation requested by a client should be requested by
>>>>         the RS.
>>>>
>>>>         When a client wants to authenticate, it will usually be
>>>>         informed by the RS on how to do it (see more details about
>>>>         two exceptions at the end of this email).
>>>>         Which conditions are needed to perform other operations
>>>>         will only be disclosed to authenticated users at the time
>>>>         they are willing to perform an operation.
>>>>
>>>>         Two categories of operations will be considered:
>>>>         authentication operations and other operations.
>>>>
>>>>         For the "authentication" operation, two cases will be
>>>>         supported:
>>>>
>>>>         -FIDO U2F or
>>>>
>>>>         -one or more attributes from one or more ASs.
>>>>
>>>>         In the second case, an access will be granted by a RS based
>>>>         on an mathematical expression which is formed using some
>>>>         combination of ANDand ORconditions.
>>>>
>>>>         Examples of combinations:
>>>>
>>>>             /Condition 1/AND/Condition 2
>>>>             Condition 1/OR /Condition 2/
>>>>             (/Condition 1/AND/Condition 2)/OR/Condition 3
>>>>             (Condition 1/OR /Condition 2)/AND/Condition 3/
>>>>
>>>>         The following notation is being used for /a Condition /:
>>>>
>>>>         /Condition x/= { AS identifier + set of attributes types +
>>>>         optional scope identifier }
>>>>
>>>>         The presence of the /optional/ scope identifier allows to
>>>>         provide a backward compatibility with ASs from the OAuth
>>>>         2.0. world:
>>>>         the optional scope identifier is only present when a
>>>>         bilateral relationship has been established between a RS
>>>>         and an AS prior
>>>>         to any access (/and will continue to be maintained/) using
>>>>         "out-of-bands" means.
>>>>
>>>>         Each RS internally constructs an /authorization table/ with
>>>>         the following content:
>>>>
>>>>         1°For the "authentication" operation : either FIDO U2For a
>>>>         mathematical expression using conditions;
>>>>
>>>>         2°For any other operation : a mathematical expression using
>>>>         conditions.
>>>>
>>>>         An example is used to explain the concepts.
>>>>
>>>>         "Operation(s)/ Mathematical expression" pairs managed by
>>>>         the RO of a RS.
>>>>
>>>>         *Operation*
>>>>
>>>>         	
>>>>
>>>>         *Mathematical expression*
>>>>
>>>>         Authentication
>>>>
>>>>         	
>>>>
>>>>         /Condition 1/OR/Condition 2/
>>>>
>>>>         Operation A OROperation Z
>>>>
>>>>         	
>>>>
>>>>         /Condition 3/AND/Condition 4/
>>>>
>>>>         Conditions table:
>>>>
>>>>         Condition 1
>>>>
>>>>         	
>>>>
>>>>         FIDO U2F 1.2
>>>>
>>>>         	
>>>>
>>>>         -
>>>>
>>>>         	
>>>>
>>>>         -
>>>>
>>>>         Condition 2
>>>>
>>>>         	
>>>>
>>>>         AS 1
>>>>
>>>>         	
>>>>
>>>>         set 1 of attributes types
>>>>
>>>>         	
>>>>
>>>>         Condition 3
>>>>
>>>>         	
>>>>
>>>>         AS 4
>>>>
>>>>         	
>>>>
>>>>         set 2 of attributes types
>>>>
>>>>         	
>>>>
>>>>         scope identifier : 21
>>>>
>>>>         Condition 4
>>>>
>>>>         	
>>>>
>>>>         AS 9
>>>>
>>>>         	
>>>>
>>>>         set 3 of attributes types
>>>>
>>>>         	
>>>>
>>>>         -
>>>>
>>>>         Given the operation selected by the client, the RS returns
>>>>         the appropriate mathematical expression and only the
>>>>         associated conditions
>>>>         used in that mathematical expression. The user may then
>>>>         decide whether the set of attributes types which are
>>>>         indicated for a given AS
>>>>         are appropriate to him or not and then select that AS if it
>>>>         has a relationship with it.
>>>>
>>>>         In this example, one mathematical expression for the
>>>>         combination of conditions using AND and OR operators is
>>>>         "/Condition 3/OR/Condition 4",//
>>>>         which means that///some types of attributes from AS 4 AND
>>>>         some other types of attributes from AS 9 are both needed by
>>>>         RSx to perform on RSx
>>>>         either the Operation A or the Operation Z.
>>>>
>>>>         In this example, RS 1 and AS 4 have established a bilateral
>>>>         relationship (and have agreed to define and use scope
>>>>         identifiers)
>>>>         whereas RS 1 and AS 9 have not established any bilateral
>>>>         relationship prior to the exchange.
>>>>
>>>>         The user makes up his mind whether the attributes requested
>>>>         by AS 1 and AS 9 are reasonable and if so, requests two
>>>>         access tokens:
>>>>         one to AS 4 and another one to AS 9.
>>>>
>>>>         For AS 4, the client shall use the scope identifier with
>>>>         the value 21.
>>>>         For AS 9, the client shall use the set 3 of attributes
>>>>         types indicated in the Condition 4.
>>>>
>>>>         In order to save one exchange, a RS could publicly publish
>>>>         how its clients can authenticate.
>>>>         However,  it is also possible to consider no guidance at
>>>>         all: in such a case, using "out-of-bands" means, the
>>>>         clients should know how to authenticate.
>>>>
>>>>         Denis
>>>>
>>>>         -- 
>>>>         Txauth mailing list
>>>>         Txauth@ietf.org <mailto:Txauth@ietf.org>
>>>>         https://www.ietf.org/mailman/listinfo/txauth
>>>>
>>>
>>>     -- 
>>>     Txauth mailing list
>>>     Txauth@ietf.org <mailto:Txauth@ietf.org>
>>>     https://www.ietf.org/mailman/listinfo/txauth
>>
>