Re: [GNAP] New I-D: draft-pinkas-gnap-core-protocol
Justin Richer <jricher@mit.edu> Thu, 19 August 2021 18:03 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F22E3A1261 for <txauth@ietfa.amsl.com>; Thu, 19 Aug 2021 11:03:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.497
X-Spam-Level:
X-Spam-Status: No, score=-1.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cW7NixvY5miO for <txauth@ietfa.amsl.com>; Thu, 19 Aug 2021 11:03:51 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63C093A125F for <txauth@ietf.org>; Thu, 19 Aug 2021 11:03:51 -0700 (PDT)
Received: from [192.168.1.49] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 17JI3ksj010413 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 19 Aug 2021 14:03:46 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <BF261D8F-D5DA-43BD-BB46-FC9614CC2AB7@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_01ECEFAF-4291-4BBB-8B5D-9841E5C72674"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
Date: Thu, 19 Aug 2021 14:03:45 -0400
In-Reply-To: <fc61cf1c-d661-6403-479b-615bf86193a4@free.fr>
Cc: "txauth@ietf.org" <txauth@ietf.org>
To: Denis <denis.ietf@free.fr>
References: <fc61cf1c-d661-6403-479b-615bf86193a4@free.fr>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/MkS7MlL3VWwvfcHyeoiQ6tTE4Pg>
Subject: Re: [GNAP] New I-D: draft-pinkas-gnap-core-protocol
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Aug 2021 18:03:57 -0000
I want to clarify one point of confusion here: > The charter of the GNAP WG states, close to its end : > > "The initial work will focus on using HTTPS for communication between the client and the authorization server, (...)" > > See: https://datatracker.ietf.org/doc/charter-ietf-gnap/ <https://datatracker.ietf.org/doc/charter-ietf-gnap/> > > Unfortunately, draft-ietf-gnap-core-protocol-06 does not mandate the use of HTTPS for communication between the client and the authorization server > and does not take advantage of the security properties obtained thanks to the use of HTTPS. This means that draft-ietf-gnap-core-protocol-06 > does not comply with the GNAP charter. > This was quoted out of context and misrepresents the goal. If you read the rest of that sentence, you’ll see that it’s talking about HTTP versions: The initial work will focus on using HTTPS for communication between the client and the authorization server, taking advantage of optimization features of HTTP/2 and HTTP/3 where possible, and will strive to enable simple mapping to other protocols such as CoAP when doing so does not conflict with the primary focus. What this is saying is that we shouldn’t make something that is only deployable on HTTP/1. Additionally, the GNAP core draft does already require HTTPS. While the security considerations section (section 12) is not yet filled out (though note — this one of the topics the editors are actively working on), the one item it does have in there mandates HTTPS: All requests have to be over TLS or equivalent as per [BCP195 <https://www.ietf.org/archive/id/draft-ietf-gnap-core-protocol-06.html#BCP195>]. Therefore, the statement as asserted in this email, and the conclusions that follow it, are not accurate. — Justin