IETF Logo Mail Archive

Re: [Txauth] Proposed TxAuth charter Text

Dick Hardt <dick.hardt@gmail.com> Sun, 22 March 2020 19:42 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 197053A0870 for <txauth@ietfa.amsl.com>; Sun, 22 Mar 2020 12:42:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tdh4s93hNTDv for <txauth@ietfa.amsl.com>; Sun, 22 Mar 2020 12:42:52 -0700 (PDT)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D72263A086F for <txauth@ietf.org>; Sun, 22 Mar 2020 12:42:51 -0700 (PDT)
Received: by mail-lf1-x130.google.com with SMTP id s1so8535427lfd.3 for <txauth@ietf.org>; Sun, 22 Mar 2020 12:42:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LK5xpBfHjIi9a3yZQxK1iye2kxWN1ikwZKGMJj3FgJs=; b=OO9u5QUis84AMJ9/WmBlu4qQxdZyZoLar5gSM9p87c3QfAdRhsuh37c8fawEdosGLc A5e9hfdY9ashXKExyo1W+Ui7N40YUiIMAEjojnGl/aesIPnfh/KJLO7P1fPKwavrou9P W01GLMHlRBKIyHIhLIMQdQKNLjIONitWiFatqvsdutLj5OTb12YZ3zb6yVNndf1NWnQv 4hTlKQ+UO2/YiuWOEm0SkMFx1JMZxI9fxCo/jRdsm5xe7btcmRyFahynpAJ71SC5vi7a Y02aKtHM5oP8Eht45fx3lW80NxiQBfpXZk7tWH3Ix48GJyHy9xxNq/kY3S0HYuRMLE/n CY4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LK5xpBfHjIi9a3yZQxK1iye2kxWN1ikwZKGMJj3FgJs=; b=h2nYFcYoL1qIi/GZ7rp8ZvIBFcxi82EBC3KvQALOZM0XSRAxU+uFGHXdai8JEGhJTc NXi3hPeBm46O+u3QIqIes61ZvD/dv3zfSRwtjFRYAGXR2LZ8YJFL+bN2eGYM+YMJUn3u MuUXnV3o/FwNWbWgLSPT7UlBIa7HKCQWTv8Fot/RHykLaXKby438yVctrJshyYcEBEez LhhdHAWhIvcu9J7FZQml1p0JXB4AcBJbd58eTq0c/FWEgUsyEJj6OcN2+AeTHchVqXim FqB8vD3EbHrz1NMcgkMYx4omSLerJW73ofjww4WEVhvvJHFQhJmjnWuTopSB/2o9yjPO ASMw==
X-Gm-Message-State: ANhLgQ08wHsBn6ZjUrTlaxKZOfA7UiCXWhZ5gdWLt+dJoWRczsHIL5eb jSAwLB9/LLa8Uv+ulg3v/nj0pd+bI8ttfCpoq9A=
X-Google-Smtp-Source: ADFU+vu6X5jU/HiTEWt/0H9T+kBqvY7v8gixRkkeJbkkhMjv5/5SFFP1H4QYOa48WigMXzel9IMMz3nYyRxnJJNJjmU=
X-Received: by 2002:a05:6512:31d5:: with SMTP id j21mr11158263lfe.23.1584906169700; Sun, 22 Mar 2020 12:42:49 -0700 (PDT)
MIME-Version: 1.0
References: <DE673FFF-6590-43FE-B5D2-07F87FFE97CF@mit.edu> <CAD9ie-uEa1qEu7kjLoB=25PCH0PjT22ir_fPjqYB7kvSYJvO6g@mail.gmail.com> <EF6D7038-F0BA-4952-B677-DA529E39F81B@lodderstedt.net> <CAD9ie-u3b2qACC+4z4Z-p3Gha-Tpqnb8NXtbN4rLDiBemdyTXQ@mail.gmail.com> <1CE69263-A412-465D-AB19-7DF6D16AF1AF@gmail.com>
In-Reply-To: <1CE69263-A412-465D-AB19-7DF6D16AF1AF@gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Sun, 22 Mar 2020 12:42:23 -0700
Message-ID: <CAD9ie-u77KOf0KvwgboxmHoz9rXOScgqESK2Gv9GqELQ+3vUUQ@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, Kim Cameron <kim@identityblog.com>, Mike Jones <michael.jones@microsoft.com>, txauth@ietf.org, Filip Skokan <panva.ip@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000003f559505a176b9c9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/LHkPeanKmlYpOEi1gx3vA2A1mBI>
Subject: Re: [Txauth] Proposed TxAuth charter Text
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2020 19:42:55 -0000

I'm fine with that. Makes it clear.

On Sun, Mar 22, 2020 at 11:43 AM Yaron Sheffer <yaronf.ietf@gmail.com>
wrote:

> If we have agreement on Torsten’s interoperability text (quoted below), I
> think we should add it. If only for the word “interoperability” to appear
> in the charter.
>
>
>
> “The delegation protocol will enable interoperability between client and
> authorization server, authorisation server and resource server and, as
> needed to perform delegation, client and resource server.”
>
>
>
> Thanks,
>
>                 Yaron
>
>
>
> *From: *Txauth <txauth-bounces@ietf.org> on behalf of Dick Hardt <
> dick.hardt@gmail.com>
> *Date: *Sunday, March 22, 2020 at 20:31
> *To: *Torsten Lodderstedt <torsten@lodderstedt.net>
> *Cc: *Kim Cameron <kim@identityblog.com>, Mike Jones <
> michael.jones@microsoft.com>, <txauth@ietf.org>, Filip Skokan <
> panva.ip@gmail.com>
> *Subject: *Re: [Txauth] Proposed TxAuth charter Text
>
>
>
>
>
>
>
> On Sun, Mar 22, 2020 at 10:50 AM Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
>
> Hi Dick,
>
> thanks for trying to consider the concerns we have raced in an update to
> the proposed charter.
>
> > On 21. Mar 2020, at 20:55, Dick Hardt <dick.hardt@gmail.com> wrote:
> >
> > (replying with those that had expressed concerns about the charter on
> the To: list to bring it to the top of their inbox)
> >
> > Mike, Kim, Torsten, Filip: are your concerns addressed with the changes
> below?
> >
> > (apologies to anyone I missed in the To: list)
> >
> > On Sat, Mar 21, 2020 at 12:41 PM Justin Richer <jricher@mit.edu> wrote:
> > After some great discussions on the list in the last week, Yaron, Dick,
> and I have pulled together a new proposed charter. I think this is version
> 5.0? But I forget exactly. :)
> >
> > I’ve highlighted the new lines in bold here,  for those reading this
> email in HTML. There’s a diff available online at
> http://www.mergely.com/RehoJJvW/  (note: go to view->word wrap to be able
> to read it better). I’m attaching the .DIFF file generated by Mergely as
> well, for those of us crusty old unix type folks who like to see that.
> >
> >
> >
> >
> >
> > This group is chartered to develop a fine-grained delegation protocol
> for authorization, identity, and API access. This protocol will allow an
> authorizing party to delegate access to client software through an
> authorization server. It will expand upon the uses cases currently
> supported by OAuth 2.0 and OpenID Connect (itself an extension of OAuth
> 2.0) to support authorizations scoped as narrowly as a single transaction,
> provide a clear framework for interaction among all parties involved in the
> protocol flow, and remove unnecessary dependence on a browser or user-agent
> for coordinating interactions.
> >
> > The delegation process will be acted upon by multiple parties in the
> protocol, each performing a specific role. The protocol will decouple the
> interaction channels, such as the end user’s browser, from the delegation
> channel, which happens directly between the client and the authorization
> server (in contrast with OAuth 2.0 which is initiated by the client
> redirecting the user’s browser). The client and AS will involve a user to
> make an authorization decision as necessary through interaction mechanisms
> indicated by the protocol. This decoupling avoids many of the security
> concerns and technical challenges of OAuth 2.0 and provides a non-invasive
> path for supporting future types of clients and interaction channels.
> >
> > Additionally, the delegation process will allow for:
> >
>
> I don't see how this list captures the requirement I raised.
>
> > - Fine-grained specification of access
> > - Approval of AS attestation to identity claims
> > - Approval of access to multiple resources and APIs in a single
> interaction
> > - Support for multiple access tokens in a single request
>
> This item justifies Justin’s latest addition to XYZ to allow the client to
> allocate resources to access tokens.
>
>
>
> I've multiple access tokens in XAuth since the first draft.. No one told
> me that was not scope for the charter back then. I consider "fine grained
> specification of access" to include many different ways to be fine grained.
>
>
>
> We added multiple tokens to clarify
>
>
>
> That’s fine, but it’s geared towards the client deciding how to split
> tokens.
>
>
>
> I don't see why the scope is limited to the client deciding. In current
> OAuth 2.0 use cases, which is in scope, the AS decides what it will, and
> will not issue tokens for. Extending that to multiple tokens, and multiple
> resources to me implies the AS can still decide what each token can do.
>
>
>
>
> I’m looking for a way to let the RS (with the AS acting on its behalf)
> influence the token allocation and with that the token design. As I have
> explained several times, the token format & content is part of the AS to RS
> interface and the current charter limits this to a single design option:
> handles + token introspection, at least in multi RS scenarios.
>
>
>
> I don't think that is the case at all.
>
> XAuth has a different design pattern. Each Authorization is independent of
> each other. We also added the following to the charter.
>
>
>
> *- Mechanisms for the AS and RS to communicate the access granted by an
> access token*
>
>
>
> I would consider the token format and content to be one mechanism for the
> AS to communicate with the RS.
>
>
>
>
> The current charter therewith enshrines one of the big design limitations
> OAuth 2 had, which has significant consequences with respect to security,
> privacy, UX, performance, and cost.
>
> I understand the intention to keep things for clients as simple as
> possible, but it shouldn't be simpler and at the cost of other parties. In
> particular, this optimisation is at the cost of resource server
> implementers, whose options are very limited with the current charter. I
> think the new protocol should leave the optimisation decision to particular
> deployments and instead support a variety of design options implementers
> can choose from.
>
> I suggest to add the following bullet:
>
> - Support for a wide range of access token policies, including single
> token per transaction and RS-specific access tokens at the discretion of
> the AS
>
>
>
> I think that is already covered by the existing charter.
>
>
>
>
> > - Support for directed, audience-restricted access tokens
>
> This looks good on first sight but it misses the important point that the
> AS on behalf of the RS can decide to issue such tokens.
>
>
>
> The AS decides what tokens it will issue to a Client already in OAuth 2.0,
> so it is in scope. What am I missing?
>
>
>
>
> > - Separation between the party authorizing access and the party
> operating the client requesting access
> > - A variety of client applications, including Web, mobile, single-page,
> and interaction-constrained applications
> >
> > The group will define extension points for this protocol to allow for
> flexibility in areas including:
> >
> > - Cryptographic agility for keys, message signatures, and proof of
> possession
> > - User interaction mechanisms including web and non-web methods
> > - Mechanisms for conveying user, software, organization, and other
> pieces of information used in authorization decisions
> > - Mechanisms for presenting tokens to resource servers and binding
> resource requests to tokens and associated cryptographic keys
> > - Optimized inclusion of additional information through the delegation
> process (including asserted identity claims)
>
> wfm although I don't understand why this is an extension point and not
> incorporated in the bullet below.
>
> >
> > Additionally, the group will provide mechanisms for management of the
> protocol lifecycle including:
> >
> > - Discovery of the authorization server
> > - Revocation of active tokens
> > - Mechanisms for the AS and RS to communicate the access granted by an
> access token
>
> wfm
>
> >
> > Although the artifacts for this work are not intended or expected to be
> backwards-compatible with OAuth 2.0 or OpenID Connect, the group will
> attempt to simplify migrating from OAuth 2.0 and OpenID Connect to the new
> protocol where possible.
> >
> > This group is not chartered to develop extensions to OAuth 2.0, and as
> such will focus on new technological solutions not necessarily compatible
> with OAuth 2.0. Functionality that builds directly on OAuth 2.0 will be
> developed in the OAuth Working Group, including functionality back-ported
> from the protocol developed here to OAuth 2.0.
> >
> > The group is chartered to develop mechanisms for applying cryptographic
> methods, such as JOSE and COSE, to the delegation process. This group is
> not chartered to develop new cryptographic methods.
> >
> > The group is chartered to develop mechanisms for conveying identity
> information within the protocol including identifiers (such as email
> addresses, phone numbers, usernames, and subject identifiers) and
> assertions (such as OpenID Connect ID Tokens, SAML Assertions, and
> Verifiable Credentials). The group is not chartered to develop new formats
> for identifiers or assertions, nor is the group chartered to develop
> schemas for user information, profiles, or other identity attributes,
> unless a viable existing format is not available.
>
> I’m still not seeing the benefit of including identity at the "AS to
> client" interface in this charter. This paragraph could be removed without
> any impact on the rest of the charter.
>
>
>
> Are you questioning why identity is in scope, or that this statement is
> redundant?
>
>
>
>
> >
> > The initial work will focus on using HTTP for communication between the
> client and the authorization server, taking advantage of optimization
> features of HTTP2 and HTTP3 where possible, and will strive to enable
> simple mapping to other protocols such as COAP when doing so does not
> conflict with the primary focus.
> >
> > Milestones to include:
> > - Core delegation protocol
> > - Key presentation mechanism bindings to the core protocol for TLS,
> detached HTTP signature, and embedded HTTP signatures
> > - Identity and authentication conveyance mechanisms
> > - Guidelines for use of protocol extension points
>
> General observations:
>
> While I was reading the updated charter several times, I made the
> following observations:
>
> The word “interoperability” does not turn up at all in this charter.
>
> So I’m asking: Do we intend to build a protocol for interoperability?
>
>
>
> I would consider a protocol requires interoperability. A framework does
> not.
>
>
>
> The charter states that we are building a protocol, which appears
> throughout the charter text.
>
>
>
>
> If we are aiming for interoperability, what level of interoperability do
> we want to achieve? I think we must aim for "on the wire" interoperability
> that can be tested automatically. That would allow to truly use TXAuth
> based authorization wherever an API is being protected using TXAuth without
> the need for deployment specific customisation, just like BASIC auth and
> TLS.
>
> If we are aiming for interoperability, where do we seek for
> interoperability? At the client - AS interface only? Or do we consider the
> AS - RS interface as well? And what is about the client - RS interface? I
> think all of them should be in scope for various reasons.
>
> Client - AS: clearly in scope even if not stated
>
> AS - RS: would allow to combine ASs and RSs from different sources. That's
> an important requirement for us (yes.com), since we run a >1000 AS
> federation where the RSs can be invoked using tokens from all of those ASs
> (that are built using different products). Combining software on both ends
> from different sources (e.g. different vendors) is another example.
> Interoperability between AS and RS is a key success factor in such a
> scenario and is less than poorly supported today by OAuth 2. TXAuth should
> do better.
>
> Client - RS: there is an obvious reason, which is the way access tokens
> are conveyed. The less obvious reason is to take a look into how a client
> could find out what it takes to perform a suitable authorization process to
> be able to invoke a particular RS.
>
>
>
> To clarify, you would like discovery at the RS to be in scope? Rereading
> the charter, I can see that is not specifically called out, and discovery
> at the RS could be considered out of scope.
>
>
>
> I could also argue that it is in scope in order for the client to know how
> to present tokens to the RS.
>
>
>
>
> It totally strikes me that the latter two interfaces seem to be mostly out
> of scope. To me the current charter will cause the TXAuth WG to look onto a
> small portion of the overall process (client to AS) only. The result will
> be incomplete and needs to be patched together with the rest in real
> implementations.
>
>
>
> The former, how the client presents tokens, is in scope:
>
>
>
> - Mechanisms for presenting tokens to resource servers and binding
> resource requests to tokens and associated cryptographic keys
>
>
>
>
> I therefore suggest to add the following text after the first paragraph
>
> "The delegation protocol will enable interoperability between client and
> authorization server, authorisation server and resource server and, as
> needed to perform delegation, client and resource server. Conformance of an
> implementation with the specifications can be tested automatically."
>
>
>
>
>
> I think your first sentence is already covered, although each point is
> spread out through the charter.
>
>
>
> I think your second sentence is overly specific.
>
>
>
>
> Which also brings me to Nat’s proposal to write an architecture document.
> I’m not convinced we need an architecture document (in the sense of a RFC),
> but I’m sure we need to discuss and document overall use cases and design
> options. Understanding those is the prerequisite to design a suitable and
> as easy as possible protocol.
>
> So please add the following bullet to the charter under Milestones:
>
> "- documentation of the use cases and design options the new protocol will
> support"
>
>
>
> I think what we do to meet the "Core delegation protocol" milestone is up
> to the group to decide. I don't think we have to have it in the charter.
>
>
>
>
> best regards,
> Torsten.
>
>
> >
> >
> >
> >
> > --
> > Txauth mailing list
> > Txauth@ietf.org
> > https://www.ietf.org/mailman/listinfo/txauth
>
> -- Txauth mailing list Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email