Re: [Txauth] Proposed TxAuth charter Text
Dick Hardt <dick.hardt@gmail.com> Sun, 22 March 2020 19:42 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 197053A0870 for <txauth@ietfa.amsl.com>; Sun, 22 Mar 2020 12:42:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tdh4s93hNTDv for <txauth@ietfa.amsl.com>; Sun, 22 Mar 2020 12:42:52 -0700 (PDT)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D72263A086F for <txauth@ietf.org>; Sun, 22 Mar 2020 12:42:51 -0700 (PDT)
Received: by mail-lf1-x130.google.com with SMTP id s1so8535427lfd.3 for <txauth@ietf.org>; Sun, 22 Mar 2020 12:42:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LK5xpBfHjIi9a3yZQxK1iye2kxWN1ikwZKGMJj3FgJs=; b=OO9u5QUis84AMJ9/WmBlu4qQxdZyZoLar5gSM9p87c3QfAdRhsuh37c8fawEdosGLc A5e9hfdY9ashXKExyo1W+Ui7N40YUiIMAEjojnGl/aesIPnfh/KJLO7P1fPKwavrou9P W01GLMHlRBKIyHIhLIMQdQKNLjIONitWiFatqvsdutLj5OTb12YZ3zb6yVNndf1NWnQv 4hTlKQ+UO2/YiuWOEm0SkMFx1JMZxI9fxCo/jRdsm5xe7btcmRyFahynpAJ71SC5vi7a Y02aKtHM5oP8Eht45fx3lW80NxiQBfpXZk7tWH3Ix48GJyHy9xxNq/kY3S0HYuRMLE/n CY4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LK5xpBfHjIi9a3yZQxK1iye2kxWN1ikwZKGMJj3FgJs=; b=h2nYFcYoL1qIi/GZ7rp8ZvIBFcxi82EBC3KvQALOZM0XSRAxU+uFGHXdai8JEGhJTc NXi3hPeBm46O+u3QIqIes61ZvD/dv3zfSRwtjFRYAGXR2LZ8YJFL+bN2eGYM+YMJUn3u MuUXnV3o/FwNWbWgLSPT7UlBIa7HKCQWTv8Fot/RHykLaXKby438yVctrJshyYcEBEez LhhdHAWhIvcu9J7FZQml1p0JXB4AcBJbd58eTq0c/FWEgUsyEJj6OcN2+AeTHchVqXim FqB8vD3EbHrz1NMcgkMYx4omSLerJW73ofjww4WEVhvvJHFQhJmjnWuTopSB/2o9yjPO ASMw==
X-Gm-Message-State: ANhLgQ08wHsBn6ZjUrTlaxKZOfA7UiCXWhZ5gdWLt+dJoWRczsHIL5eb jSAwLB9/LLa8Uv+ulg3v/nj0pd+bI8ttfCpoq9A=
X-Google-Smtp-Source: ADFU+vu6X5jU/HiTEWt/0H9T+kBqvY7v8gixRkkeJbkkhMjv5/5SFFP1H4QYOa48WigMXzel9IMMz3nYyRxnJJNJjmU=
X-Received: by 2002:a05:6512:31d5:: with SMTP id j21mr11158263lfe.23.1584906169700; Sun, 22 Mar 2020 12:42:49 -0700 (PDT)
MIME-Version: 1.0
References: <DE673FFF-6590-43FE-B5D2-07F87FFE97CF@mit.edu> <CAD9ie-uEa1qEu7kjLoB=25PCH0PjT22ir_fPjqYB7kvSYJvO6g@mail.gmail.com> <EF6D7038-F0BA-4952-B677-DA529E39F81B@lodderstedt.net> <CAD9ie-u3b2qACC+4z4Z-p3Gha-Tpqnb8NXtbN4rLDiBemdyTXQ@mail.gmail.com> <1CE69263-A412-465D-AB19-7DF6D16AF1AF@gmail.com>
In-Reply-To: <1CE69263-A412-465D-AB19-7DF6D16AF1AF@gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Sun, 22 Mar 2020 12:42:23 -0700
Message-ID: <CAD9ie-u77KOf0KvwgboxmHoz9rXOScgqESK2Gv9GqELQ+3vUUQ@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, Kim Cameron <kim@identityblog.com>, Mike Jones <michael.jones@microsoft.com>, txauth@ietf.org, Filip Skokan <panva.ip@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000003f559505a176b9c9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/LHkPeanKmlYpOEi1gx3vA2A1mBI>
Subject: Re: [Txauth] Proposed TxAuth charter Text
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2020 19:42:55 -0000
I'm fine with that. Makes it clear. On Sun, Mar 22, 2020 at 11:43 AM Yaron Sheffer <yaronf.ietf@gmail.com> wrote: > If we have agreement on Torsten’s interoperability text (quoted below), I > think we should add it. If only for the word “interoperability” to appear > in the charter. > > > > “The delegation protocol will enable interoperability between client and > authorization server, authorisation server and resource server and, as > needed to perform delegation, client and resource server.” > > > > Thanks, > > Yaron > > > > *From: *Txauth <txauth-bounces@ietf.org> on behalf of Dick Hardt < > dick.hardt@gmail.com> > *Date: *Sunday, March 22, 2020 at 20:31 > *To: *Torsten Lodderstedt <torsten@lodderstedt.net> > *Cc: *Kim Cameron <kim@identityblog.com>, Mike Jones < > michael.jones@microsoft.com>, <txauth@ietf.org>, Filip Skokan < > panva.ip@gmail.com> > *Subject: *Re: [Txauth] Proposed TxAuth charter Text > > > > > > > > On Sun, Mar 22, 2020 at 10:50 AM Torsten Lodderstedt < > torsten@lodderstedt.net> wrote: > > Hi Dick, > > thanks for trying to consider the concerns we have raced in an update to > the proposed charter. > > > On 21. Mar 2020, at 20:55, Dick Hardt <dick.hardt@gmail.com> wrote: > > > > (replying with those that had expressed concerns about the charter on > the To: list to bring it to the top of their inbox) > > > > Mike, Kim, Torsten, Filip: are your concerns addressed with the changes > below? > > > > (apologies to anyone I missed in the To: list) > > > > On Sat, Mar 21, 2020 at 12:41 PM Justin Richer <jricher@mit.edu> wrote: > > After some great discussions on the list in the last week, Yaron, Dick, > and I have pulled together a new proposed charter. I think this is version > 5.0? But I forget exactly. :) > > > > I’ve highlighted the new lines in bold here, for those reading this > email in HTML. There’s a diff available online at > http://www.mergely.com/RehoJJvW/ (note: go to view->word wrap to be able > to read it better). I’m attaching the .DIFF file generated by Mergely as > well, for those of us crusty old unix type folks who like to see that. > > > > > > > > > > > > This group is chartered to develop a fine-grained delegation protocol > for authorization, identity, and API access. This protocol will allow an > authorizing party to delegate access to client software through an > authorization server. It will expand upon the uses cases currently > supported by OAuth 2.0 and OpenID Connect (itself an extension of OAuth > 2.0) to support authorizations scoped as narrowly as a single transaction, > provide a clear framework for interaction among all parties involved in the > protocol flow, and remove unnecessary dependence on a browser or user-agent > for coordinating interactions. > > > > The delegation process will be acted upon by multiple parties in the > protocol, each performing a specific role. The protocol will decouple the > interaction channels, such as the end user’s browser, from the delegation > channel, which happens directly between the client and the authorization > server (in contrast with OAuth 2.0 which is initiated by the client > redirecting the user’s browser). The client and AS will involve a user to > make an authorization decision as necessary through interaction mechanisms > indicated by the protocol. This decoupling avoids many of the security > concerns and technical challenges of OAuth 2.0 and provides a non-invasive > path for supporting future types of clients and interaction channels. > > > > Additionally, the delegation process will allow for: > > > > I don't see how this list captures the requirement I raised. > > > - Fine-grained specification of access > > - Approval of AS attestation to identity claims > > - Approval of access to multiple resources and APIs in a single > interaction > > - Support for multiple access tokens in a single request > > This item justifies Justin’s latest addition to XYZ to allow the client to > allocate resources to access tokens. > > > > I've multiple access tokens in XAuth since the first draft.. No one told > me that was not scope for the charter back then. I consider "fine grained > specification of access" to include many different ways to be fine grained. > > > > We added multiple tokens to clarify > > > > That’s fine, but it’s geared towards the client deciding how to split > tokens. > > > > I don't see why the scope is limited to the client deciding. In current > OAuth 2.0 use cases, which is in scope, the AS decides what it will, and > will not issue tokens for. Extending that to multiple tokens, and multiple > resources to me implies the AS can still decide what each token can do. > > > > > I’m looking for a way to let the RS (with the AS acting on its behalf) > influence the token allocation and with that the token design. As I have > explained several times, the token format & content is part of the AS to RS > interface and the current charter limits this to a single design option: > handles + token introspection, at least in multi RS scenarios. > > > > I don't think that is the case at all. > > XAuth has a different design pattern. Each Authorization is independent of > each other. We also added the following to the charter. > > > > *- Mechanisms for the AS and RS to communicate the access granted by an > access token* > > > > I would consider the token format and content to be one mechanism for the > AS to communicate with the RS. > > > > > The current charter therewith enshrines one of the big design limitations > OAuth 2 had, which has significant consequences with respect to security, > privacy, UX, performance, and cost. > > I understand the intention to keep things for clients as simple as > possible, but it shouldn't be simpler and at the cost of other parties. In > particular, this optimisation is at the cost of resource server > implementers, whose options are very limited with the current charter. I > think the new protocol should leave the optimisation decision to particular > deployments and instead support a variety of design options implementers > can choose from. > > I suggest to add the following bullet: > > - Support for a wide range of access token policies, including single > token per transaction and RS-specific access tokens at the discretion of > the AS > > > > I think that is already covered by the existing charter. > > > > > > - Support for directed, audience-restricted access tokens > > This looks good on first sight but it misses the important point that the > AS on behalf of the RS can decide to issue such tokens. > > > > The AS decides what tokens it will issue to a Client already in OAuth 2.0, > so it is in scope. What am I missing? > > > > > > - Separation between the party authorizing access and the party > operating the client requesting access > > - A variety of client applications, including Web, mobile, single-page, > and interaction-constrained applications > > > > The group will define extension points for this protocol to allow for > flexibility in areas including: > > > > - Cryptographic agility for keys, message signatures, and proof of > possession > > - User interaction mechanisms including web and non-web methods > > - Mechanisms for conveying user, software, organization, and other > pieces of information used in authorization decisions > > - Mechanisms for presenting tokens to resource servers and binding > resource requests to tokens and associated cryptographic keys > > - Optimized inclusion of additional information through the delegation > process (including asserted identity claims) > > wfm although I don't understand why this is an extension point and not > incorporated in the bullet below. > > > > > Additionally, the group will provide mechanisms for management of the > protocol lifecycle including: > > > > - Discovery of the authorization server > > - Revocation of active tokens > > - Mechanisms for the AS and RS to communicate the access granted by an > access token > > wfm > > > > > Although the artifacts for this work are not intended or expected to be > backwards-compatible with OAuth 2.0 or OpenID Connect, the group will > attempt to simplify migrating from OAuth 2.0 and OpenID Connect to the new > protocol where possible. > > > > This group is not chartered to develop extensions to OAuth 2.0, and as > such will focus on new technological solutions not necessarily compatible > with OAuth 2.0. Functionality that builds directly on OAuth 2.0 will be > developed in the OAuth Working Group, including functionality back-ported > from the protocol developed here to OAuth 2.0. > > > > The group is chartered to develop mechanisms for applying cryptographic > methods, such as JOSE and COSE, to the delegation process. This group is > not chartered to develop new cryptographic methods. > > > > The group is chartered to develop mechanisms for conveying identity > information within the protocol including identifiers (such as email > addresses, phone numbers, usernames, and subject identifiers) and > assertions (such as OpenID Connect ID Tokens, SAML Assertions, and > Verifiable Credentials). The group is not chartered to develop new formats > for identifiers or assertions, nor is the group chartered to develop > schemas for user information, profiles, or other identity attributes, > unless a viable existing format is not available. > > I’m still not seeing the benefit of including identity at the "AS to > client" interface in this charter. This paragraph could be removed without > any impact on the rest of the charter. > > > > Are you questioning why identity is in scope, or that this statement is > redundant? > > > > > > > > The initial work will focus on using HTTP for communication between the > client and the authorization server, taking advantage of optimization > features of HTTP2 and HTTP3 where possible, and will strive to enable > simple mapping to other protocols such as COAP when doing so does not > conflict with the primary focus. > > > > Milestones to include: > > - Core delegation protocol > > - Key presentation mechanism bindings to the core protocol for TLS, > detached HTTP signature, and embedded HTTP signatures > > - Identity and authentication conveyance mechanisms > > - Guidelines for use of protocol extension points > > General observations: > > While I was reading the updated charter several times, I made the > following observations: > > The word “interoperability” does not turn up at all in this charter. > > So I’m asking: Do we intend to build a protocol for interoperability? > > > > I would consider a protocol requires interoperability. A framework does > not. > > > > The charter states that we are building a protocol, which appears > throughout the charter text. > > > > > If we are aiming for interoperability, what level of interoperability do > we want to achieve? I think we must aim for "on the wire" interoperability > that can be tested automatically. That would allow to truly use TXAuth > based authorization wherever an API is being protected using TXAuth without > the need for deployment specific customisation, just like BASIC auth and > TLS. > > If we are aiming for interoperability, where do we seek for > interoperability? At the client - AS interface only? Or do we consider the > AS - RS interface as well? And what is about the client - RS interface? I > think all of them should be in scope for various reasons. > > Client - AS: clearly in scope even if not stated > > AS - RS: would allow to combine ASs and RSs from different sources. That's > an important requirement for us (yes.com), since we run a >1000 AS > federation where the RSs can be invoked using tokens from all of those ASs > (that are built using different products). Combining software on both ends > from different sources (e.g. different vendors) is another example. > Interoperability between AS and RS is a key success factor in such a > scenario and is less than poorly supported today by OAuth 2. TXAuth should > do better. > > Client - RS: there is an obvious reason, which is the way access tokens > are conveyed. The less obvious reason is to take a look into how a client > could find out what it takes to perform a suitable authorization process to > be able to invoke a particular RS. > > > > To clarify, you would like discovery at the RS to be in scope? Rereading > the charter, I can see that is not specifically called out, and discovery > at the RS could be considered out of scope. > > > > I could also argue that it is in scope in order for the client to know how > to present tokens to the RS. > > > > > It totally strikes me that the latter two interfaces seem to be mostly out > of scope. To me the current charter will cause the TXAuth WG to look onto a > small portion of the overall process (client to AS) only. The result will > be incomplete and needs to be patched together with the rest in real > implementations. > > > > The former, how the client presents tokens, is in scope: > > > > - Mechanisms for presenting tokens to resource servers and binding > resource requests to tokens and associated cryptographic keys > > > > > I therefore suggest to add the following text after the first paragraph > > "The delegation protocol will enable interoperability between client and > authorization server, authorisation server and resource server and, as > needed to perform delegation, client and resource server. Conformance of an > implementation with the specifications can be tested automatically." > > > > > > I think your first sentence is already covered, although each point is > spread out through the charter. > > > > I think your second sentence is overly specific. > > > > > Which also brings me to Nat’s proposal to write an architecture document. > I’m not convinced we need an architecture document (in the sense of a RFC), > but I’m sure we need to discuss and document overall use cases and design > options. Understanding those is the prerequisite to design a suitable and > as easy as possible protocol. > > So please add the following bullet to the charter under Milestones: > > "- documentation of the use cases and design options the new protocol will > support" > > > > I think what we do to meet the "Core delegation protocol" milestone is up > to the group to decide. I don't think we have to have it in the charter. > > > > > best regards, > Torsten. > > > > > > > > > > > > -- > > Txauth mailing list > > Txauth@ietf.org > > https://www.ietf.org/mailman/listinfo/txauth > > -- Txauth mailing list Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth >
- [Txauth] Proposed TxAuth charter Text Justin Richer
- Re: [Txauth] Proposed TxAuth charter Text Dick Hardt
- Re: [Txauth] Proposed TxAuth charter Text David Skaife
- Re: [Txauth] Proposed TxAuth charter Text Torsten Lodderstedt
- Re: [Txauth] Proposed TxAuth charter Text Justin Richer
- Re: [Txauth] Proposed TxAuth charter Text Torsten Lodderstedt
- Re: [Txauth] Proposed TxAuth charter Text Dick Hardt
- Re: [Txauth] Proposed TxAuth charter Text Yaron Sheffer
- Re: [Txauth] Proposed TxAuth charter Text Torsten Lodderstedt
- Re: [Txauth] Proposed TxAuth charter Text Justin Richer
- Re: [Txauth] Proposed TxAuth charter Text Dick Hardt
- Re: [Txauth] Proposed TxAuth charter Text Dick Hardt
- Re: [Txauth] Proposed TxAuth charter Text Justin Richer
- Re: [Txauth] Proposed TxAuth charter Text Mike Jones
- Re: [Txauth] Proposed TxAuth charter Text Justin Richer
- Re: [Txauth] Proposed TxAuth charter Text Vijay IETF