[GNAP] RS draft - some comments
Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 27 August 2023 20:21 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7766DC14CE3F for <txauth@ietfa.amsl.com>; Sun, 27 Aug 2023 13:21:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.563
X-Spam-Level:
X-Spam-Status: No, score=-0.563 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_06_12=1.543, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2AF0vCw92dBZ for <txauth@ietfa.amsl.com>; Sun, 27 Aug 2023 13:21:30 -0700 (PDT)
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EF5AC14F738 for <txauth@ietf.org>; Sun, 27 Aug 2023 13:21:30 -0700 (PDT)
Received: by mail-pf1-x430.google.com with SMTP id d2e1a72fcca58-68a41035828so1730342b3a.1 for <txauth@ietf.org>; Sun, 27 Aug 2023 13:21:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1693167690; x=1693772490; h=mime-version:thread-topic:message-id:to:from:subject:date :user-agent:from:to:cc:subject:date:message-id:reply-to; bh=RXLpcUhKBj4xWvw0UDg70B+Ia+Mz3s2RAkLmJHVuRAs=; b=ctabYCMt4oQWGrKGRGutZZ2ZWtvpCUC0VgW0uJiMI+zxUA+lVsWcTGD+QsxvU4e3Lk HOqqdC0IzYA7N8sFAzSt7c4Ds4UGT7FxdGamTwg3CpEhhIs0ohtXhSgPIH0hUeJejRr9 iqXG5ygQDn5zwED/b58Rd1ylrEiGq7revm23gYG4Z+DBLDOstZta2P1JjxVI8ARSeDFR LQKeWXz0zXq4hWPNLFCeimZBjGIllA/fP8Eecnvw7WbqcG06aeZw8yajx9+twjavLmsd NlV+ZcHptqfuU/xrxqFrHFAD7m39VCJqcu7nnQcYXPjqI56IU5PAZjUuSAKkz+xAgdV4 o5kw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693167690; x=1693772490; h=mime-version:thread-topic:message-id:to:from:subject:date :user-agent:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=RXLpcUhKBj4xWvw0UDg70B+Ia+Mz3s2RAkLmJHVuRAs=; b=AplFeh4dPnjfrapDu/EjbZEV4eMSfWryAU+EiKHRCxb8w5mkHE75KdWKagKF7CkFKI chjojg99V1Lj3InIrU4derLMaltqea9VDKl9pWTyIgyj+bef8e0c0gAf4urLJF5DuFA1 +GGrbHbMxL8ln+q1/LANEIC/aT3nMLdhKF07OFjBYeclBG1LG4vvQXCLHQTHWkQms+y5 uDSxfcX31erHd1Q6VSPNwoB+CO71zXzvcbw1qIP4QrVCx+yCipnV6Sg/IHrWCFD77agL WR6mmuiiATbq2uBsf2o4Pdf6vjdPx4invFA7Sy4l2YKvwuT8f6Wfc5QjHqKJwME00fLl ugXA==
X-Gm-Message-State: AOJu0YwT1r8w5g/nflnZVC/wjXm+f7yzt2uUPu317cXFg1yxwBGDuUg2 c+B9gpiLx7roCRbCgiWpZEB4nAmocHOSAA==
X-Google-Smtp-Source: AGHT+IFyDsdj03WWm8O30LWGbCjYckFADQwpEn/XSVH7IrTkPhIAk/mrDB4569kQ8HvTd/AIFvguhw==
X-Received: by 2002:a17:902:d488:b0:1bd:f71d:52ab with SMTP id c8-20020a170902d48800b001bdf71d52abmr22800212plg.56.1693167689564; Sun, 27 Aug 2023 13:21:29 -0700 (PDT)
Received: from [172.19.248.109] ([205.220.129.22]) by smtp.gmail.com with ESMTPSA id f15-20020a170902ff0f00b001bb8895848bsm5621441plj.71.2023.08.27.13.21.22 for <txauth@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 27 Aug 2023 13:21:28 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.76.23081101
Date: Sun, 27 Aug 2023 13:17:08 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: GNAP Mailing List <txauth@ietf.org>
Message-ID: <9C49C06C-84BA-4646-896F-82A916E895EB@gmail.com>
Thread-Topic: RS draft - some comments
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3776019684_1996242970"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/IKo3C9p8tD5-0jSoa-OecVd0rQM>
Subject: [GNAP] RS draft - some comments
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Aug 2023 20:21:31 -0000
Hi, I have read the latest version of the draft (the editor’s copy). Here are some comments. Let’s discuss the on the list first, and then open issues as needed. Macaroons and Biscuits - please include references. RS-facing discovery: I suppose the .well-known URL needs to be registered in the IANA section. RS-facing discovery: please add Optional/Required to all fields in the discovery response. Introspection: semantics of the access element in the request is not clear, and it may be easier to remove it completely. Otherwise, we should say that the access element in the response MUST be filtered per the request. On a related note: is it explicitly stated anywhere that an empto access array means no access is allowed? Introspection: I'm wondering about the key element in the response. How does the AS know that the token is bound, and how does it know what key the Client should be using? In fact does it (and should it) even know who the Client is? Also, if I understand the situation correctly, the RS is supposed to send a not-fully-trusted access token to the AS first, and only then validate that it's bound to the correct key. This can easily go wrong. Resource registration: the token_introspection_required element doesn't seem useful. If set to false but the AS receives an introspection call, should it reject it? If set to true and the call is not made, the AS would never know! Resource registration: how is the returned resource_reference used? Perhaps it should also be returned in an introspection request, to allow the RS to validate that the Client is using the right token for the resource? Deriving a downstream token: should we say that the AS MUST verify that the existing_access_token is targeted at RS1? Thanks, Yaron
- [GNAP] RS draft - some comments Yaron Sheffer
- Re: [GNAP] RS draft - some comments Yaron Sheffer
- Re: [GNAP] RS draft - some comments Justin Richer