Re: [GNAP] AD review of draft-ietf-gnap-core-protocol-15
Justin Richer <jricher@mit.edu> Mon, 30 October 2023 15:52 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52819C151717 for <txauth@ietfa.amsl.com>; Mon, 30 Oct 2023 08:52:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h2Ioo7eA6Nxp for <txauth@ietfa.amsl.com>; Mon, 30 Oct 2023 08:52:42 -0700 (PDT)
Received: from outgoing-exchange-1.mit.edu (outgoing-exchange-1.mit.edu [18.9.28.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9B79C151701 for <txauth@ietf.org>; Mon, 30 Oct 2023 08:52:40 -0700 (PDT)
Received: from oc11exedge1.exchange.mit.edu (OC11EXEDGE1.EXCHANGE.MIT.EDU [18.9.3.17]) by outgoing-exchange-1.mit.edu (8.14.7/8.12.4) with ESMTP id 39UFqTPW023887; Mon, 30 Oct 2023 11:52:33 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1698681153; bh=7c1m+0+QrBV2qye8PHGKk+pV4N1Q2CJN2tU6rpH91X0=; h=From:Subject:Date:Message-ID:Content-Type:MIME-Version; b=H9DiJMD/lSld1e6UChQ4M/OSMaK1iURod03HcC0Ek+hEGceDCEUMIaOPsrSGkdlqY 1b42H4IMmFEtrscSfJVYzQ9uxPzvb8va9aoOjmBdzmOBkNuWe7XaFzikyLg5e2db2D XIqzkVcUmfHjAFNPUbzhYG5x0gx3DA7vtXJi8QC83U3otSbJLydNtMozReHh3678Zm Hasf7NU4panmJDPPmP6rBesL9oKgVFiNviykalJxHY+yUG0lkz6FUxcZS0axAMb3rq LgSqzRV8ftIXm4EvjzZlDafIMjExgSmBJISzJoOb/SLxA90tLAK5+yDInrBhg0b8rB qFFV8XnYVz0TA==
Received: from oc11expo22.exchange.mit.edu (18.9.4.84) by oc11exedge1.exchange.mit.edu (18.9.3.17) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Mon, 30 Oct 2023 11:51:12 -0400
Received: from oc11exhyb6.exchange.mit.edu (18.9.1.111) by oc11expo22.exchange.mit.edu (18.9.4.84) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Mon, 30 Oct 2023 11:52:05 -0400
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (104.47.66.40) by oc11exhyb6.exchange.mit.edu (18.9.1.111) with Microsoft SMTP Server (TLS) id 15.0.1497.48 via Frontend Transport; Mon, 30 Oct 2023 11:52:05 -0400
Received: from DM6PR01MB4444.prod.exchangelabs.com (2603:10b6:5:78::15) by PH0PR01MB6198.prod.exchangelabs.com (2603:10b6:510:16::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6907.33; Mon, 30 Oct 2023 15:52:00 +0000
Received: from DM6PR01MB4444.prod.exchangelabs.com ([fe80::fb3e:d193:f291:6d90]) by DM6PR01MB4444.prod.exchangelabs.com ([fe80::fb3e:d193:f291:6d90%6]) with mapi id 15.20.6907.032; Mon, 30 Oct 2023 15:52:00 +0000
From: Justin Richer <jricher@mit.edu>
To: "rdd@cert.org" <rdd@cert.org>
CC: "txauth@ietf.org" <txauth@ietf.org>, Fabien Imbault <fabien.imbault@acert.io>
Thread-Topic: [GNAP] AD review of draft-ietf-gnap-core-protocol-15
Thread-Index: AdnhEGaZz7I/z31LSuKdCt/5BASAXwK64eeAApEFTgAC6Es2gAI1q4bQACRH8YA=
Date: Mon, 30 Oct 2023 15:52:00 +0000
Message-ID: <E32D153B-BD15-461B-9FD9-80671E556A3E@mit.edu>
References: <BN2P110MB1107AE91B428DE2FEAC1C378DCEFA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <9465D39C-1E7C-4C97-9F17-83A215830BD4@mit.edu> <F3135CCA-58F7-4D8E-B614-3AA370DCA4FD@mit.edu> <A4AD1B79-B561-49D9-B962-04E95FC40141@mit.edu> <BN2P110MB11073F8096E98C2657CF0670DCA2A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN2P110MB11073F8096E98C2657CF0670DCA2A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mit.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR01MB4444:EE_|PH0PR01MB6198:EE_
x-ms-office365-filtering-correlation-id: 2f78521f-c3b8-411d-db7e-08dbd9602732
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: M+W96jP/bSmVdGvCZUX56idTPTLZObW3W8WszJ0tE/VrIt4zpmMQiGnRVX1brrmBJIInicZOPl96mxg9N6ggDfQVTD9AJwmNzan5rL8/HjfoJ5bhz5ezHT5Br6Prr3zn1Ol6W9KdFYaB3SyQ9W9a7qQMQNa1nU3Nl4sXzqfVAaple1bjfnLWguFqx1LjJZ/DHDtlY9TvwsmqW3PXJe22tSF9TKVufPcNO/C7mWvnK854Ino7cWgowKNbImvC2HOBr69Na4gxcYVTX41kH2O5ipqruuXK2q+Eq2XpJ/nv4JPyc4kYxpU5U0BkYr0SDjHjJi+w4ZkyCNd5IuBoAALwsIkpkp5w/AKbQAuy3Zx3RPa1UQ6cT36a+2zA8W1Z9MEpQU7sgQfJi+pWrEjk/1O2I64lNPPc2mkwCMXjgiIqX6B9uoTcM/dw734HGCj+RfYZCddn8n8V6zpHtHqJzxzRz1sxxojEkIMumyVWWkvziiaw18HNnp9YDmQ/NjQUgbtX3ruphLfZGijruud0vFcagarEmLGcNkCDGJm3O4nvFXFexrCHx3zbCO6w8z5gAZsv1FQ+qw4CbPaHf+/jsZfkTf6MaoZSUE2Gb5dNHEBDbqMboQKrl4+iPh72i4Mvx/D4qt9fFpW0yKNqobUS+1kZ5w==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR01MB4444.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(13230031)(346002)(376002)(39860400002)(396003)(366004)(136003)(230922051799003)(1800799009)(186009)(64100799003)(451199024)(166002)(122000001)(71200400001)(53546011)(36756003)(2616005)(6512007)(6506007)(33656002)(26005)(66556008)(316002)(6486002)(66476007)(966005)(54906003)(786003)(64756008)(478600001)(66446008)(66946007)(66574015)(83380400001)(38100700002)(76116006)(91956017)(86362001)(8936002)(38070700009)(41300700001)(2906002)(4326008)(8676002)(75432002)(6916009)(30864003)(66899024)(5660300002)(579004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: RrMXEw1ORf2oVdIssY0xyQ4/57DhKid6Sj+jWwPs+icLAY6+prPJI4lMN06ov5I5Rh+1OHjFeXOgZvV5I8xnvgpfveUSLAHLXoUDk/EZ0zXXS0Fy1WhjOp8cN4irJKApg5wFVDZ75/8nmGYIcnbXSkyJpi5lK0K7QkvDK4P7yvPXkKzVBhVNPM4XTZPbqGdhDNE0Fun4OTNQwfk6BuV8iKeiSOdV+cYbQluIKAQAqqliDDKK/tUqLGQ6MzpxjAoJGpZkqYOUDekhfdPw7VJ9sArOUUONtHNTlJRDovdUkCq8j+7BDlDkvJTPEcZMaWoe3hBLDLRHRhGTw3MBLc2Ph7XjvwcTlKLy7J3E+OP+hiJs0bvCKOcGr9LuyEWlAeOanuqz2ZJ7sNODk/zb+FrMS/k77LT+sD7QBGh/BDolKZjcWIEFExyVxWhWQddIgG+ruTEFMoEK9ujNE1XGaU04dBGi8e0KfElL6A/0uoeOvEMnO0YUyjJjpSgdvVFPH+i0/skixjtjA0qP/+AXG+/81b9iWRfF3P7Y2XhnvgRq7dPBHcO1x/6BSfJw7j9WyihrI14FZUB56CM/mC49dhi3SzCM0XTGYkZoKaGQ0D4GhPyPibcLG+ofI+feV6TQb2DuKhtwCFqZCevxffCw79Q8RU3oqXnD1YfFh51vq1et2ksAK9phfhwwF8+bq+irPEnK8BfZQPxt8WDD/IpFd9AF4v2CmAw5G+akHJb9kaTYytHtpSRx6aYXEPm1gfDJB/A8F+KzdbDg/rOSkL/siF85omCtBAwhnarX7lC6TohwfP4FlfxXQ4H5tKMXCuFnAxTlODMmI6sFV5xicysZQpBWIZ9+wAz0ErbL0SMmSPria+7M6TWgEtxiCMP9zXW5q0Og89s28NehHbmbHkFke+GWQYKXGBAuyyOfNZjfwPeDLjZ4vXpiFa+4YaU8KBnhGk8SEZviv26IlRa5uzdWLu5S8K/gkuejtcrDrnk9K95rmRDF7GIx9ze9TROCNKBWjFv72k8NUUs9FN8MzK2AhY+dZgTNJXH3Y70leJwi71Lw/V9l/VR73w7HmwsUeT4ib03+iin6w2AAqU6PCaXksjZLizAK0X3YVchQ7QpTyY5Y51e5BwS7YHydrmVEk2sdFPwzYQKrPcxYTkHDGNK099d5w61PscNChSvKN8z51P01s+cvF8qvSQomI3o3xamV0LWoCkZU7laE5c0Ne0g3WyqyS6cxv9hhDaFzqcP+QyUAL1NeoqgCPKtRkcetJSisgyoPYCG+pSHv7eBKldudICxLPqMDvAk83/G6JWk0rF9TjP+wK1y/RwgIU95Qel5XjltD27dNFVdqBc6JmOxT50G02LCduy76litUv9DJ4ZuITWvMxTVEnOV56xPjUWirPGcU+bcwhYG82doh7h/9hOLTiV8K21/VZ2NozyYcj8lwO4zN9QKYotDskywPE0D7oeyEXSxJnnYjBZ+hQpcgNTfQ/U61lNLsaqVPzVB7pEtso+Zi4fzQymkXgU1qMGEZ5NQryDU7JKCV/TVDokmKYlu61sJS+PziX1p5l5TdA6pzCyr5rTbFILb+0GCuqZ7Plq6M
Content-Type: multipart/alternative; boundary="_000_E32D153BBD15461B9FD980671E556A3Emitedu_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR01MB4444.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2f78521f-c3b8-411d-db7e-08dbd9602732
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Oct 2023 15:52:00.0561 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: A8AYeWfVzl3vqHrOMBwUUHek6tTDOZPKwjhf7+Ni5IxXd1wx4cGKVkfYZeIQPwb/
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR01MB6198
X-OriginatorOrg: mit.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/HqUcj6hKueNhqf2peUiBxN9pBaU>
Subject: Re: [GNAP] AD review of draft-ietf-gnap-core-protocol-15
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Oct 2023 15:52:46 -0000
Thank you, Roman! For the one remaining question from our side:
locations (array of strings): The location of the RS as an array of
strings. These strings are typically URIs identifying the
location of the RS.
If these strings aren’t URIs, how else would the RS location be defined? The text here seems to suggest that the locations could be something other than a URI, is that intended? If it’s not a URI, what would it be?
It’s a logical identifier that the RS is known by, not necessarily the URL that’s being used to access it. Since an RS is a functional role, not just a web server, sometimes a URI isn’t the appropriate identifier for an RS. For example, if the same service is offered at multiple distinct servers, but the authorization is the same across all of them, then the “location” field would have the logical AS name and not the physical server URI.
These could take the form of a random string assigned by the AS, a tenancy identifier from a customer account, a developer-friendly label, etc. Each of these is something that the RS software care recognize itself when processing the access token. A URI is going to be a common way to label an RS, but it’s far from the only reasonable way.
In the OAuth 2 version of this structure (RFC 9396, OAuth RAR), the “locations” field is defined as:
locations:
An array of strings representing the location of the resource or RS. These strings are typically URIs identifying the location of the RS. This field can allow a client to specify a particular RS, as discussed in Section 12<https://datatracker.ietf.org/doc/html/rfc9396#security_considerations>.
Section 12 is the security considerations section, which only has this to say about processing the field at the RS:
The common data field locations allows a client to specify where it intends to use a certain authorization, i.e., it is possible to unambiguously assign permissions to RSs. In situations with multiple RSs, this prevents unintended client authorizations (e.g., a read scope value potentially applicable for an email as well as a cloud service) through audience restriction.
The intent is to be compatible with this spec (really, RAR is a back port of this structure, but it was finished first), and to provide API developers with significant flexibility in how to address and manage their RS’s.
— Justin
On Oct 29, 2023, at 6:32 PM, Roman Danyliw <rdd@cert.org> wrote:
Hi Justin and Fabien!
Thanks for all of the work you and the WG did to respond to my AD review. The -16 is appreciated and addresses the overwhelming majority of my feedback. I’m sending the document to IETF LC. There is only the following residual feedback to sort out with LC.
==[ snip ]==
** Section 2.5.2. nonce. Is there a minimal or recommended nonce size?
** Section 3.5. Is there any minimum guidance on the length of an instance_id?
Section 7.3.1
The signer
SHOULD include the nonce parameter with a unique and unguessable
value. When included, the verifier MUST determine that the nonce
value is unique within a reasonably short time period such as several
minutes.
How does the verifier determine that the freshness of the nonce to a “short time period”?
[Roman follow-up on all of these] Per your response, let me ask around on what might be good guidance.
** Section 8. locations.
locations (array of strings): The location of the RS as an array of
strings. These strings are typically URIs identifying the
location of the RS.
If these strings aren’t URIs, how else would the RS location be defined? The text here seems to suggest that the locations could be something other than a URI, is that intended? If it’s not a URI, what would it be?
==[ snip ]==
Thanks,
Roman
From: Justin Richer <jricher@mit.edu>
Sent: Wednesday, October 18, 2023 12:36 PM
To: rdd@cert.org
Cc: txauth@ietf.org; Fabien Imbault <fabien.imbault@acert.io>
Subject: Re: [GNAP] AD review of draft-ietf-gnap-core-protocol-15
Hi Roman,
The editors have merged the PR and intend to publish an update to the draft before the deadline on Monday. When you can, we’d appreciate answers to the outstanding questions below. We’d like to address as many as we can in the next draft.
Thank you,
— Justin
On Oct 3, 2023, at 5:24 PM, Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:
Hi Roman, I’ve made a pull request that hopefully addresses the majority of your comments:
https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/513
I’ve snipped out a handful of places where no changes were made or where I had additional questions about the approach. Thanks again for the thorough review!
-- How does GNAP work is the end user doesn’t engage the AS? I ask because the text is written … “when the client support its …”, which would suggest a client at time when it does not. What happens then?
This is most notably the autonomous case, where the end-user (if there is one) doesn’t talk to the AS, as well as cases where no additional interaction is necessary (the client instance can provide attestations or other claims directly to the AS, for example a VC proof from a wallet), or the asynchronous case where the end-user and resource owner are different and the RO can approve the end-user’s request out of band from the GNAP protocol flow. The “when supported” is meant to echo text about interaction methods, as GNAP does not define a mandatory set of interactions.
We didn’t change the text here, but the upshot is that there isn’t the same kind of relationship between the end user and the AS and so the promises don’t really apply. Should this be called out?
** Section 2.3
it SHOULD return an
invalid_client error (Section 3.6) or choose to return lesser levels
of privileges.
Given the significant flexibility afforded to the “class_id”, is there confidence returning a lesser level of privilege is a normative SHOULD?
I believe so - especially because it’s going to be very API-specific what a “lesser level” is going to mean for any AS.
This was expanded to explicitly call out the fact that the AS could ignore a class_id it doesn’t understand and treat the client software as if it had never heard of it.
** Section 2.5.2. nonce. Is there a minimal or recommended nonce size?
I don’t have one but I’m open to suggestion on what good guidance would be here, especially if we can point to another document to establish that.
I don’t have good advice for what random values like nonce, instance_id, interaction_ref, or the like would want to have in them.
What is envisioned with “equivalent”? This phrase is used a few other times.
This is a pattern I’d pulled from other specs to allow for protections other than TLS, like a VPN tunnel or a localhost connection -- something where you could use a plain HTTP URL that you know the connection wouldn’t be sniffed otherwise.
This was called out explicitly in a number of places where similar language was used.
** Section 3.3.4. Please use one of the example domains instead of “srv.ex”
I was trying to show a shortened URL as an example of what you’d expect here. Do we have an example domain that’s fairly short? All of “example.com<http://example.com/>”, “example<http://example.com/example>.net”, and “foo.example” feel too long for this. If these are the only real options, we can use one.
I ended up with “s.example” but would love to be able to have something even shorter if anyone knows of a good candidate.
** Section 4.1.2 and 3.3.3. Could the text please be clearer on the permitted “alphabet” for the user code.
-- Section 3.3.3 says “To facilitate usability, this string MUST consist only of characters that can be easily typed by the end user (such as ASCII letters or numbers)”
-- Section 4.1.2 says “To facilitate this, it is RECOMMENDED that the AS use only ASCII letters and numbers as valid characters for the user code.”
The guidance in Section 3.3.3 seems subjective and doesn’t seem like it would lead to consistent implementations.
Same comments apply for Section 4.1.3.
Since this is a user-facing value that we expect people to type in by hand, it really should be contextual to whatever the target deployment is. For a lot of folks that’s printable US-ASCII, but that’s not a universal assumption, I think. From a protocol perspective, it’s a JSON string, so as long as the string can be displayed and entered unambiguously, it should be fine. It’s the AS that generates and receives the code, so the AS gets to make the decision of what goes in it. The considerations here are somewhat subjective because you need to account for people.
I think in practice, the US-ASCII recommendation is what we’ll likely see.
We’ve expanded the discussion here to say that it’s really about consideration of what the user needs to read and type, hopefully this is more clear now.
** Section 4.1.3. Editorial. Much of this guidance seems to be verbatim repetition of section 4.1.2. Is that needed?
That seems right - these were originally one section with options, now it’s two sections. Unless we wanted to extract a common section again, I don’t think it’s good to cut down the text. Especially if an implementor is going to read just the one piece that they’re building, we’d want them to have all the guidance right there.
This was left as it stood for the reasons stated.
** Section 5.4
The AS SHOULD revoke all associated
access tokens, if possible. The AS SHOULD disable all token rotation
and other token management functions on such access tokens, if
possible.
Wouldn’t the use of SHOULD instead of MUST here present an issue. If a client issues a “DELETE” for its access tokens with an AS how does it know that all of it’s tokens have been removed if this flexibility is provided?
Sometimes it’s not possible to proactively revoke a token already in flight, depending on the nature of the deployment of the overall system. GNAP doesn’t presume stateful or stateless access tokens as the result of the delegation process, so it’s revoke-if-possible, which to me feels like a SHOULD. Even in that case, it’s possible for the AS want to treat the grant request and its results separately — so revoking the grant request could still leave the tokens around as artifacts. You can’t alter the grant or use it to make new tokens, but the old tokens could time out and die of natural causes.
The client never can know for sure if all the tokens have been deleted, it can only make a best effort request to delete them, and then stop using those tokens itself. The same kind of pattern is found in OAuth’s token revocation (RFC7009) which this piece (6.2) is based on.
This was left as a SHOULD if possible.
** Section 7.3.1
The signer
SHOULD include the nonce parameter with a unique and unguessable
value. When included, the verifier MUST determine that the nonce
value is unique within a reasonably short time period such as several
minutes.
How does the verifier determine that the freshness of the nonce to a “short time period”?
This is meant to be guidance for implementors of the nonce check. We don’t expect people to store all nonces for all time, but instead to have a bunch around for a reasonable time period to prevent replay within that window. Can you suggest a better way to accomplish that?
Would appreciate some input on this, along with the nonce and other random value length requirements.
** Section 8.
Specific API
implementations SHOULD re-use these fields with the same semantics
and syntax.
Why wouldn’t deviations from the semantics defined here require custom labels from being defined?
Because ultimately they’re custom to the API. The common fields are provided as guidance for common usage. If an API designer wants to use “actions” to represent something else entirely, that’s not going to affect interoperability with other APIs, it’ll just be confusing for developers to make sense of.
We removed the normative SHOULD here, and like RAR are silent on the use of these in API design.
** Section 11. The OAuth registries (FWIW, all OAuth registries are specification required -- https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml.) were all very particular about having a change control column. Do the circumstances that necessitated that apply to GNAP?
I don’t know the story of why that was required in OAuth or whether it would also be required here. I would appreciate input from those that know better how to manage this.
I haven’t received any feedback on this, so I’m inclined to believe the same circumstances do not apply.
** Section 13.1. Editorial. This section seems to repeat itself a lot.
(a) All requests in GNAP have to be made over TLS or equivalent as
outlined in [BCP195] to protect the contents of the request and
response from manipulation and interception by an attacker. This
includes all requests from a client instance to the AS, all requests
from the client instance to an RS, any requests back to a client
instance such as the push-based interaction finish method, and any
back-end communications such as from an RS to an AS as described in
[I-D.ietf-gnap-resource-servers]. Additionally, all requests between
a browser and other components, such as during redirect-based
interaction, need to be made over TLS or use equivalent protection.
(b) The use of key-bound access tokens does not negate the requirement
for protecting calls to the RS with TLS.
(c) TLS or equivalent protection also needs to be used between the
browser and any other components.
The text in (a) seems helpfully clear that all GNAP communication regardless of the parties needs to be over TLS. (b) and (c) seem to repeat that.
Thanks, we’ll review and see if we can trim this down. We were trying to make it explicitly clear that “all” means “all”. I do think it’s worthwhile to point out (c) as a developer might not consider the browser-to-service connections as part of the protocol proper, but they need to account for this.
I didn’t see a good way to remove the repetition, apart from a little bit of editorial cleanup. The (a) is the requirement, the (b) and the (c) are more specifics as to why (a) is the requirement.
— Justin
--
TXAuth mailing list
TXAuth@ietf.org<mailto:TXAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/txauth
- [GNAP] AD review of draft-ietf-gnap-core-protocol… Roman Danyliw
- Re: [GNAP] AD review of draft-ietf-gnap-core-prot… Justin Richer
- Re: [GNAP] AD review of draft-ietf-gnap-core-prot… Justin Richer
- Re: [GNAP] AD review of draft-ietf-gnap-core-prot… Justin Richer
- Re: [GNAP] AD review of draft-ietf-gnap-core-prot… Justin Richer
- Re: [GNAP] AD review of draft-ietf-gnap-core-prot… Roman Danyliw
- Re: [GNAP] AD review of draft-ietf-gnap-core-prot… Justin Richer