IETF Logo Mail Archive

Re: [Txauth] Call for charter consensus - TxAuth WG

Kim <kim@identityblog.com> Fri, 20 March 2020 21:08 UTC

Return-Path: <kim@identityblog.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A07743A0EA5 for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 14:08:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=humanpresent.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1-aYX5liOglz for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 14:08:02 -0700 (PDT)
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-eopbgr680114.outbound.protection.outlook.com [40.107.68.114]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD7503A0E9B for <txauth@ietf.org>; Fri, 20 Mar 2020 14:08:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nWn/3Jze3+uQkpOD7dPCxNn+7n1E1EYaSMvD8EtZJ0imecLGUPt2PpUhDn7Ww56Oxh+3DJE8zuZ+ijKaVaD2yUjRxYE3zOsRstaaddQqO7P724eGsHjB29SUWkzZaZOyaAhAbHepbmoZLYxG4WErW6CFR+9bLaNYnw2cr6BPIqyBvarMNLVGRO/0pmWbDu7vSakCPL4kqRmT3brMMIP3E4outB/Bj3c8B/ZuR2ZDvgPmC437nz18PVdRs8qOjkhOo0HMENCybnbPjhXRTqesRVcRXy5M2j7TXyqkrGn9yaS5oCpJLrNB2D0Xnv9+Ey7maq1Y4dft2u3DiFM4NfhHBQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=8Tn27LfVYTJEhYzCc+KqwmE8wQeeGcQ7dHAVzxgl69s=; b=eTBIwk02Jg+snlqlIsA0SFOxqVrZKGIes9ydJTz3jazEMFrwxX8Y1r2n1h2zkABUKs0fSfPmbI6ouswiGMSl/YZvDrngkexPwPQYSYkC1HHWc+T/JQm28rea0oKHkOX6SUr85rZ/rHrqHTwvfJUe4+yoE34e5n1em6VZ8R3rIg/GFs6Nf+w84QkuwiE2dRe8h8fgvbs8GAdJrVsFJMFuAp79Te8YSwvGd799OAt3z571/uWhK7RM/5S76NSRsLXCv8YrRtEpUd49/EGRtUPZz0I0MOXq8Fg9Ry7//VXUo3KKk/02iS5Bz5YN5StZsAEC3hpRTYE6h1ekoPzwQOWl8w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=identityblog.com; dmarc=pass action=none header.from=identityblog.com; dkim=pass header.d=identityblog.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=humanpresent.onmicrosoft.com; s=selector2-humanpresent-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=8Tn27LfVYTJEhYzCc+KqwmE8wQeeGcQ7dHAVzxgl69s=; b=kTu4EKXU4pyHxC8qVCcEoGUu7Pa7iiFGxucUuo9Gf2wDPYAtvpMtTK5falvHQX+/Hn3gP4EGSSyrAiRbSGx2jljgXFMcEMNZ16UtyJtYU4Gm2sbv/I9sxlQQMeKkpM6dOsc5wLwCfhVf5WT+V5P2+rZpKNsLLMIEFogz8KGYqvI=
Received: from SA0PR16MB3775.namprd16.prod.outlook.com (2603:10b6:806:80::13) by SA0PR16MB3679.namprd16.prod.outlook.com (2603:10b6:806:8c::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2835.18; Fri, 20 Mar 2020 21:07:59 +0000
Received: from SA0PR16MB3775.namprd16.prod.outlook.com ([fe80::c176:383c:f00f:d567]) by SA0PR16MB3775.namprd16.prod.outlook.com ([fe80::c176:383c:f00f:d567%7]) with mapi id 15.20.2835.017; Fri, 20 Mar 2020 21:07:59 +0000
From: Kim <kim@identityblog.com>
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, "txauth@ietf.org" <txauth@ietf.org>
CC: Vladimir Dzhuvinov <vladimir@connect2id.com>
Thread-Topic: [Txauth] Call for charter consensus - TxAuth WG
Thread-Index: AdX8qDR2vl6CizN9TBeow352Bw//MgAA6EaAAACHAoAAMjaigAAfaBKAAALCdwAAAw4qgAAAGQiAAAB8uQAAANszgAAA0meAAAEstYAANhSUYA==
Date: Fri, 20 Mar 2020 21:07:59 +0000
Message-ID: <SA0PR16MB3775C81683B97C8F5737F0A2CAF50@SA0PR16MB3775.namprd16.prod.outlook.com>
References: <MN2PR00MB0686B5459E642FE6E65686F7F5F60@MN2PR00MB0686.namprd00.prod.outlook.com> <CAGBSGjoMWjRE3zSsngwwpmzQ5D6JM29cHGj3A4ey7Q7gNvcHrQ@mail.gmail.com> <D2B641E1-131B-4E4B-83A6-214E223C3094@mit.edu> <CAKiOsZtV4oMC7QiDC1s20koc2f0Sjd8MzMEsWRf+KVsDN-8iKA@mail.gmail.com> <2D372D08-804D-4EF6-8C36-540CCA90244B@mit.edu> <44E06611-E67E-4ABA-B410-36D40FACF8B1@lodderstedt.net> <2F0CE6F6-DD9E-4DD4-99A0-E6CD78421D2B@mit.edu> <255028E2-8B99-438F-80DB-434B000114B1@lodderstedt.net> <A101613B-AB87-4335-8D82-57F996DC0DC2@mit.edu> <0CD3C061-D85F-45AC-898E-633682CF4C77@lodderstedt.net> <c56ae52d-e858-8a21-ea2e-32f799d20e18@connect2id.com> <11014BC4-4DA5-4A21-8D35-6F3B4698EC37@lodderstedt.net>
In-Reply-To: <11014BC4-4DA5-4A21-8D35-6F3B4698EC37@lodderstedt.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kim@identityblog.com;
x-originating-ip: [199.167.24.151]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f8b45c9e-9dba-41b9-8075-08d7cd12c529
x-ms-traffictypediagnostic: SA0PR16MB3679:
x-microsoft-antispam-prvs: <SA0PR16MB36798BCF3FC056DBB84FF31DCAF50@SA0PR16MB3679.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 03484C0ABF
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6029001)(376002)(39830400003)(346002)(136003)(366004)(396003)(199004)(508600001)(66556008)(66946007)(66476007)(64756008)(76116006)(66446008)(52536014)(8676002)(966005)(110136005)(6506007)(55016002)(86362001)(81156014)(4326008)(53546011)(71200400001)(5660300002)(81166006)(7696005)(186003)(2906002)(9686003)(316002)(33656002)(8936002)(26005); DIR:OUT; SFP:1102; SCL:1; SRVR:SA0PR16MB3679; H:SA0PR16MB3775.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1;
received-spf: None (protection.outlook.com: identityblog.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: xnOcOl3Mj+XUKHiKLYREDDnvSNde48AkZOe+V57hswOaX4QjPBHItVrtLMXsxwgKIMyg4C2kZYXmQ4w9XnvsxVMiA81fWe3RERar0J+wXmO86hXxIw8MCsu43hV4KFaVqTXTbMEt1e6+PnZQk3/VEqMOzptxw0Uxw0u+auVnAVZFchlC8JGiJEixtR9oc/eJDngKO4juNccDDIFqbcmvWxQrkNa8rWEyAZcx1ECV5QkSju2bwO5G6yJnwyeVnemSutORUcO6x6lMhmO/gYe/u6XHCrBoREDs7BK0SQeyn5dtAYQhgUDInWeuclYplqGeR+qPoVubjmr152iaFyE1srynrRQiXtT1hmrF/VT5tlBDLjizhtLzSeiPP1UxVQAwrrShpF3/xePQokpZKEoNy5TVU8v/hxdAxBYJmIoFn6DfyU3ob9qicXC66Rt1D8maLpv2zBXErAwvDi0pa254h0CxJVQZQTjH6KEcdLCUSoPBFArXrpnrnZY7uWI+qvN8T9lieb2w7YE6EnNCvTgTpg==
x-ms-exchange-antispam-messagedata: +1Dwijt9QSp+s+t4Zh1eZyQTeg/ccGVBBPtKWLYqOD/lY4cSslEA78LXozoYewvWWQp+zy4KjbVHRFudSfEWYQWLNH+ba2db+Uzv6FbVZb2SfrG0YZom3bPUXl9e8pcYs59+FffsnGi6cLRkQHSIVA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: identityblog.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f8b45c9e-9dba-41b9-8075-08d7cd12c529
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Mar 2020 21:07:59.5379 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c3439b4d-884a-42b8-8e49-94af41f1b711
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: CLB7VsRCZb+uwizPyHBpkZSnc32d/ocDdA/uHW9o00QAljISr7vljmp83o3kMiy/YYhwK0+kLDt1nSenHgmsKg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA0PR16MB3679
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/ZhnOI3xay_6v8cGNe4A1bpcc_qY>
Subject: Re: [Txauth] Call for charter consensus - TxAuth WG
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 21:08:21 -0000

I very much agree with Torsten's proposal and think it provides a way to focus TxAuth's initiatives on solving the many and deep problems of the authorization layer by better integrating it with the claims based model of identity.  

It is also clear to me that there is zero consensus that TxAuth should be chartered to be a replacement for all existing identity technology.  

Instead, there is wide consensus that TxAuth should integrate the claims based model into the authorization layer and attack the many unsolved problems we have experienced with increasingly interdependent networks of interacting services .  

Surely doing so is an immense task and a sufficient mandate.  Meanwhile, when people working on authorization encounter defects in existing identity protocols, those protocols should be fixed so the improvements accrue to all of the layers that are dependent on claims, not just authorization. 

Identity in general has big problems that remain to be solved.  But as the digital sphere expands the greatest of these is that of creating a holistic identity layer that serves the needs we have as human beings as well as it serves those who operate digital enterprises.  Identity technology will have to embrace much more than protocols for exchanging claims and deciding whether to trust them.  How can TxAuth possibly succeed at solving the difficult problems of authorization while at the same time taking on this other vast set of hard problems? 

It is far better for TxAuth to limit its scope to the kinds of initiatives proposed by Torsten and to prevail upon entities such as OIDC to correct any deficiencies that prevent their work from being reused in the authorization layer rather than reinventing everything.

I also agree with the comments and proposals made by Nat, Mike Jones and Vittorio.  If consensus is really being sought, focusing on the authorization layer and its use of claims rather than all of identity will certainly bring it about.

Best regards,

Kim Cameron


-----Original Message-----
From: Txauth <txauth-bounces@ietf.org> On Behalf Of Torsten Lodderstedt
Sent: Thursday, March 19, 2020 12:09 PM
To: txauth@ietf.org
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>
Subject: Re: [Txauth] Call for charter consensus - TxAuth WG

Hi all,

I suggest to add the following requirement to the charter:
	• Support for RS-specific access tokens in Multi-RS deployments 

I don’t mind HOW this requirement is supported in TXAuth. I want to make sure we try to build a protocol that serves the needs of a broad set of deployments. My concern is otherwise TXAuth will be not innovative enough to gain traction in the market rapidly. Speaking for myself, I realised in the last couple of days, mostly in conversations with Justin, that the result of this working group as envisioned now is not of particular interest to us (yes.com) because it does not solve our real problems. 

And here is my explanation: 

OAuth traditionally has the philosophy of a single access token. That’s fine for single service deployments, but it had reached its limits already before RFC6749 was published. There are a real implementations out there forcing clients to use different access tokens for different services, typically for privacy and security reasons. There is also an “ancient" technology called Kerberos that uses exactly this pattern and is well known for security, performance, and scalability. 

And there are even more examples today for multi API environments that would benefit from that feature: 
	• Open banking: most banks I worked with have multiple APIs, segregation between APIs is today achieved by maintaining different grants, basically resulting in the fact that the users cannot consent to different services at once. What a terrible UX!
	• Everyone is doing micro services today. Have you every thought about the coupling caused by a single token across micro services? This reminds me of how easy it is to test services independently using self-contained RS-specific tokens.
	• IoT - every device in a household is a potential RS (in my opinion). Conveying all necessary data in an access token needed to meet access control decisions locally would be a huge benefit in terms of performance and decoupling. Using symmetric cryptography for token integrity, authenticity and confidentiality would result in lower compute requirements.

Since we are preparing to define a completely new protocol for API access authorization and delegation, I think this new protocol should support this kind of scenarios. It will require significant work to get it right and simple, but if we just stick to the “a single access token is enough” mantra, we miss the chance to give implementers a broader range of design choices out of the box and we won’t success in achieving true interoperability.

Here are more advantages we can gain by supporting such a feature: 
	• Privacy:
		• A single access token can be used to track user across services.
		• RS-specific access tokens cannot.
		• RS-specific access tokens can also be encrypted to protect data confidentiality in transit.
	• Security: RS-specific access tokens have a baseline replay detection.
	• Performance: RS-specific access tokens allow the AS to convey all data required to authorize an API call in a token (e.g. a JWT) and to RS to meet the access control decision based on that data. This is a huge advantage in terms of performance, scalability and cost since there is no need for Token Introspection or other kinds of access to another services or database.

What do you think?

best regards,
Torsten. 

> On 19. Mar 2020, at 18:35, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
> 
> 
> On 19/03/2020 19:11, Torsten Lodderstedt wrote:
>> On 19. Mar 2020, at 17:47, Justin Richer <jricher@mit.edu> wrote:
>>> Well, it’s in scope as much as describing any other aspect of what the token is for and what it represents is in scope. That is alongside things like the intended audience of the token, the access rights for the token, the presentation keys the token is bound to, etc. It could be information in the token text itself (like a JWT), it could be introspected from the AS, it could be referenced in some other way. So if we can define identity aspects in that, then we’re fine in covering it there. 
>>> 
>>> But here’s the thing: none of that has an impact on the core protocol. That is entirely up to the AS and the RS to agree on, and the client never sees or has any influence on it. That portion of the protocol is completely opaque to the client. Therefore, it doesn’t really affect the authorization and delegation portions of the client talking to the AS and the client talking to the RS.
>>> 
>>> This does raise the question of what our bar of interoperability is going to be with TxAuth: do we expect independent AS and RS implementations to talk to each other? That’s not something OAuth 2 was ever concerned with, though obviously JWT and introspection are both from the OAuth2 WG and solve that problem.
>> There are two aspects to it: interoperability and vendor support. 
>> 
>> Interoperability between AS and RS is important if deployments want to combine pre-packaged TXAuth and API implementations. I think that makes a lot of sense and should be included in the charter.
> 
> +1
> 
> The current OAuth 2.0 status quo of the largely unspecified 
> relationship between AS and RS is also making the life of web & sec 
> framework maintainers difficult. We witnessing this with people 
> integrating the OAuth SDK into frameworks. Vittorio's recent work to 
> put together a minimal interoperable JWT profile for access tokens is 
> helpful, but it has come after the fact. And there is not agreement on 
> things like authorising access to claims.
> 
> Integrating apps (RSs) with TxAuth should be straightforward and simple.
> 
> This can have a enormous effect on adoption.
> 
> 
>> Vendors support: vendor support when it comes to "what can go into an access token" and "what can be conveyed in a token introspection response” greatly deviates in my observation. This also means implementation use vendors specific features restricting their ability to use other solutions. TXAuth should aim at improving the situation.  
> 
> +1
> 
> 
>> I also think it is a good exercise for the group to think the whole process "from the end”. The purpose of TXAuth (and OAuth) is not to provide clients with access tokens. The purpose is to enable API request processing in a secure manner. What it really takes to achieve that goal is not obvious if the work always stops at the “you have your access token, good luck” stage. 
> 
> +1
> 
> Vladimir
> 
> 
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth

--
Txauth mailing list
Txauth@ietf.org
https://www.ietf.org/mailman/listinfo/txauth

v2.23.0 | Report a Bug | By Email