Re: [GNAP] User code, was Re: Review of draft-ietf-gnap-core-protocol-00 (first half)
Fabien Imbault <fabien.imbault@gmail.com> Mon, 19 October 2020 14:58 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 954473A005E for <txauth@ietfa.amsl.com>; Mon, 19 Oct 2020 07:58:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.194
X-Spam-Level:
X-Spam-Status: No, score=-0.194 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w5lx3gb7J7L2 for <txauth@ietfa.amsl.com>; Mon, 19 Oct 2020 07:58:34 -0700 (PDT)
Received: from mail-il1-x134.google.com (mail-il1-x134.google.com [IPv6:2607:f8b0:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 478373A00D2 for <txauth@ietf.org>; Mon, 19 Oct 2020 07:58:34 -0700 (PDT)
Received: by mail-il1-x134.google.com with SMTP id l16so368073ilj.9 for <txauth@ietf.org>; Mon, 19 Oct 2020 07:58:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=j34Jx6E0qMJhdAPTEDBxt1Tsv506QX+SlSE+PzLXgXA=; b=OStwB5X/5U6Foq5/cbsm7q1zvw2pasT1p7+SlHylsVvg5EvPgI6hrRko3BGB43iH9w XlL1PcRXT0oK59oKannjGdpZVJDyviiJf5aR1/OT/ab35ds4MMHOhL6CzMVMMB4Ln+Dn IYUfEJkKsCfOwexFyydF1VRXNNzicgUIX9MP62QnNHhwVw1FOYSEki18JCoLfX24GK92 6T+JIfXKp5jfbChipT/A7CsND5YvDIZM9YB/pUbZxLY2Pb5do/XB5lQ0ZJ4nhqeRW74+ 2lscQT1vCP4f5aCkXh7JGU8o8nAWfXGamabxeVCEg426aA68Augwjipke+P6Zc9rdPMT JIAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=j34Jx6E0qMJhdAPTEDBxt1Tsv506QX+SlSE+PzLXgXA=; b=Rjs0kY4IP1aJbd9Eu1CSz1Hkp9RP1KysqZriHpbJlOPsQ2PX8pz3YVSTxuIvyedtFl oHCvpPyOnzVP66Rsn7606toGox4wgrwxZdo/Y+C07bzNmSRTE4yyxcNF3ADYUQxWPC7D Gxq4/qgj+MY5AwsszBsz0/xARYAs2NjDRqDvEKiBay07zwj2cE9+TVi6iaeMwhSZQ9e9 W8ZLpHFkuoQoWfz7YrLLF+6gmg8NyFMKqvGvFR+Z4qMMTnZvjonnyZR8xQt0Bp1flxIJ rGdzAikKn5l/WXYLP45qzyWJ5mCkD/zoO4unwWcmPpORjwXw4eIHxsFPCy00HtATxJau AlyA==
X-Gm-Message-State: AOAM5322FJ2EbtVr1V72goc7ivoVREndw9AyW0OT7DtwCdVKVpIKC22x eKFOlj4OSqmEODlje3RFZFtN+8+FPPep+VyuSUE=
X-Google-Smtp-Source: ABdhPJzWY1Ol3l6Y8ni70pbGosi8VC54NxcnZRJai9cwxr/ZoInvSNI1IBCtaOHVTdT3XNziIePwjGSEVhNxH5thnNc=
X-Received: by 2002:a92:ae0a:: with SMTP id s10mr245262ilh.289.1603119513361; Mon, 19 Oct 2020 07:58:33 -0700 (PDT)
MIME-Version: 1.0
References: <95C5E06D-C017-4BD1-8CA1-0AF07E3DB3AE@gmail.com>
In-Reply-To: <95C5E06D-C017-4BD1-8CA1-0AF07E3DB3AE@gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Mon, 19 Oct 2020 16:58:22 +0200
Message-ID: <CAM8feuQXVRibC6aGrDv27AvUUMXLaPDg=wBd_XrEec0QzwdO9Q@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Tom Jones <thomasclinganjones@gmail.com>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000020632505b20759be"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/PtFWvMvB6SGMYigwRTDiu_S1ehc>
Subject: Re: [GNAP] User code, was Re: Review of draft-ietf-gnap-core-protocol-00 (first half)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Oct 2020 14:58:36 -0000
User code is an interaction mode that you use when an interaction via a browser is not possible. For instance, a small device that can display a code, so that the end-user can easily enter that code through a predetermined endpoint (typically through a mobile phone). On Mon, Oct 19, 2020 at 11:52 AM Yaron Sheffer <yaronf.ietf@gmail.com> wrote: > Hi Tom, > > > > Thanks for your response. I would like to focus on one point. > > > > The document does not explain what the user code solution tries to > achieve, and I honestly don’t understand the exact use case(s) myself. If > you could write up a paragraph, we could include it in the document for my > own and others’ edification. > > > > Regards, > > Yaron > > > > *From: *Tom Jones <thomasclinganjones@gmail.com> > *Date: *Monday, October 19, 2020 at 00:38 > *To: *Yaron Sheffer <yaronf.ietf@gmail.com> > *Cc: *GNAP Mailing List <txauth@ietf.org> > *Subject: *Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00 (first > half) > > > > then i guess we must address the entire email, which is not helpful. Here > are at least a few of my thoughts. > > 1.2, "key" is a too generic term in the context of a security protocol. > Can we call it something more specific, maybe "holder identity key"? > > >> that is not more specific. if you want to understand the source of the > key then perhaps the entire jwk element needs to be augmented. > > 1.3.2: it is unclear to me what the goal of the user-code interaction is, > in other words what is the threat model. If it's just "second factor, > something you have", then an OTP MFA device would be simpler and offer the > same security. > > >> first of all, you are wrong in your assessment, second that is not all > that the user-code interaction supplies. > > 2.1.2: I don't see the value of the notion of "expansion". It is > sufficient that the string is understood by the AS. > > >> I am already running into this as a problem with strings in OIDC. I > believe we need a better way to expand strings into structures. I proposed > the use of 3part jose structures as a solution. > > * 2.3: what's the benefit of including a URI (URL really) in "display"? Do > we really want the user (RO) to click links provided by the RC? > > >> I hope you are not proposing that users actually see any of this? That > would be grotesque. > > * 2.4: IMO assertion validation is a MUST, and we should specify what we > require for every assertion type we allow. > > >> I plan on including assertions that do not need to be validated. I > believe it is not up to the sender whether the receiver validates the > assertion. > > > > In general I find that many of your comments are not trivial and need > deeper analysis. > > Peace ..tom > > > > > > On Sun, Oct 18, 2020 at 1:00 PM Yaron Sheffer <yaronf.ietf@gmail.com> > wrote: > > We haven’t discussed this process yet, and the default IETF process is, > everything goes through the mailing list. > > > > IMO small things can be quickly cleaned up (fixed or rejected), and we can > open GH issues for bigger things. > > > > Thanks, > > Yaron > > > > *From: *Tom Jones <thomasclinganjones@gmail.com> > *Date: *Sunday, October 18, 2020 at 22:47 > *To: *Yaron Sheffer <yaronf.ietf@gmail.com> > *Cc: *GNAP Mailing List <txauth@ietf.org> > *Subject: *Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00 (first > half) > > > > why are you doing this? Should these be issues now? > > Peace ..tom > > > > > > On Sun, Oct 18, 2020 at 12:44 PM Yaron Sheffer <yaronf.ietf@gmail.com> > wrote: > > Hi Justin, all, > > > > The draft has undergone major changes since we started the design team, so > I spent some time reviewing it. I only got as far as Sec. 3, and I fully > intend to review the remainder of the document. But I figured since I have > so many comments, I might as well send out what I have. > > > > * General comment: we have dozens, maybe hundreds of variants/options > here. I think we need to define a must-implement subset, or we will never > reach interoperability. > > * Abstract: the boilerplate text (MUST etc.) usually goes to the > Introduction, not the Abstract. > > * 1. "The requesting party operating the software" - I think these actions > are typically performed by the resource owner, who is not necessarily the > requesting party. > > * RS, aka API: we are using the word "API" several times in a more generic > sense (management API, identity API), so maybe replace with "RS, typically > a protected API". > > * 1.2, "key" is a too generic term in the context of a security protocol. > Can we call it something more specific, maybe "holder identity key"? > > * 1.3.1. "augmented with a hash of the security information" - this is too > implementation-specific, suggest "is cryptographically bound to the > security information". In general, step (7) is way too detailed, and verges > on the normative. > > * 1.3.2: it is unclear to me what the goal of the user-code interaction > is, in other words what is the threat model. If it's just "second factor, > something you have", then an OTP MFA device would be simpler and offer the > same security. > > * 1.3.5 (4): Typically the access token would not be sent once it is > expired, right? Let's make the example more realistic. > > * 2: "OpenID Connect claims request" - why not "identity claims request" > (which just happens to be similar to the OpenID request)? > > * Never liked the "dolphin" here... If this is listed under "actions", it > should be a verb, e.g. "swim". > > * 2.1: an array for a single AT vs. an object for multiple ATs? This is > extremely non-intuitive and probably ugly to code. Also, why should > (multiple) tokens be named if a single token doesn't have to, why not list > them in an array instead? > > * 2.1.1, "locations": are these really URIs or just URLs? On the other > hand, if these are URIs, why do we need a separate "identifier"? There's > too much semantic overlap between "type", "location" and "identifier" - > specifying just "type" may be sufficient. > > * 2.1.1: it's implied but should be spelled out that the semantics of this > example is the cross product of permissions: I am requesting to read and > write and "dolphin" both "metadata" and "images", and that applies to both > "locations" - 12 different possible actions. > > * 2.1.2: I don't see the value of the notion of "expansion". It is > sufficient that the string is understood by the AS. > > * 2.1.2, "in some situations the value is intended to be seen and > understood be the RC developer" - shouldn't we require this value to be > always fully documented by the AS owner, so that the RC knows what it is > requesting? > > * 2.1.4: why are flags represented as resources? The answer, "this is how > OAuth 2 does it" is not great. > > * "the each access tokens" -> each access token. > > * I suggest to extend the editor's note to clarify what is the use case, > so that the group can decide whether split tokens are indeed necessary. > > * Why is key binding of the access token even optional? > > * 2.2, "Subject identifiers requested by the RC serve only to identify the > RO in the context of the AS and can't be used as communication channels by > the RC" - this sounds a bit naive, people will do that anyway. So why is > this a useful statement? (And similarly in 3.4) > > * 2.3: what's the benefit of including a URI (URL really) in "display"? Do > we really want the user (RO) to click links provided by the RC? > > * 2.3: why are we sending a JWK *as well as* a cert? Are we checking that > the cert contains the same public key as the cert? > > * 2.3, " the AS MUST ensure that the key used to sign the request... is > associated with the instance identifier" - can we be much more specific > here, e.g. the instance_id MUST be byte-identical to the Common Name of the > cert? This "association" is never clarified, either here or in Sec. 8. > > * 2.3.2: allowing to send the key in multiple formats virtually invites > security vulnerabilities. Why is this a good thing? > > * 2.3.2: cert#256 is not a key, it's an identifier. Why do we include it > here? Note that in Sec. 8.3 you are using the full certificate rather than > the fingerprint. > > * 2.3.2: why are we using raw PEM certificates instead of the JOSE > representation? > > * 2.3.3: For obvious security reasons, I suggest adding: The AS MAY choose > to avoid displaying an arbitrary URI. RC developers must only assume that > the "name" field will be displayed. > > * 2.3.4, "created just for this request" -> created just for this series > of requests. > > * 2.3.4: I suggest referring to RCs that present unknown keys as > "anonymous RC", and then in 2.4, say that the AS MUST NOT accept any > assertions from an anonymous RC. > > * 2.4: IMO assertion validation is a MUST, and we should specify what we > require for every assertion type we allow. > > * 2.4: moreover, when possible, the AS MUST match the assertions to the > presented sub_id. It may be a hint, but you're not allowed to lie. > > * 2.4, "If the identified RQ does not match the RO present at the AS" - I > thought there are cases where the RQ is different from the RO. Also, I am > wondering why this is a SHOULD, not a MUST. > > * 2.4.1 (but probably applicable to any references): what is the lifetime > of the reference? As an RC, how long can I assume the user reference is > still valid? > > * 2.5: "preferred_locales" is obviously not a mode of interaction. Why is > it bundled here? > > * 2.5: the way "callback" is described here is as a capability, not an > interaction mode. The example only strengthens this view, "callback" is a > modifier of the "redirect" mode. > > * 2.5: "use code" -> user code. > > * 2.5.1: this unnecessary polymorphism IMO just complicates > implementations and prevents extensibility. Instead, I would suggest: > > redirect: {} > > redirect:{max_length: 255} > > redirect:{max_length: 255, callback: {...}} > > * 2.5.2: the "app" option is problematic, as you already note. The RC may > not even know if a given URL will result in an application launching. > > * 2.5.2: and shouldn't the RC include a list of supported applications? > (Which would have lovely privacy implications.) > > * 2.5.3: there's a parenthetical discussion on whether the URL is unique. > But the nonce parameter implies that the "hash" parameter is unique per > request, making this discussion moot. > > * 2.5.3: even if we need a different kind of post-interaction "redirect", > where the RC is not involved, there must be a way to ensure that the RC > receives positive (cryptographically protected) confirmation that the > authorization was successful. In other words, what we're discussing here is > not an RC interaction mode, it is something else, and should probably have > a separate protocol element to describe it. > > * 2.5.3: In the example for "interact" as an array (which I support), the > second "redirect" and "user_code" should be independent elements of the > array, not members of an object. This assumes they are truly independent > interaction modes. > > * 2.5.3.1: what does "RQ is present on the request" mean? > > * 2.5.3.2: typo: HTTP the request. > > * 2.7: this seems to assume a short access token (which implies a bearer > token). What if we want to use longer self-contained access tokens > containing full keys? Should we have a separate "grant_id" value instead? > > * 2.8: another problem with this stanza is that the RC needs to know a > priority that the AS supports it. What happens if the AS doesn't? > > * 2.8: I suggest to move this section into a separate I-D, or at least a > separate appendix. > > * 2.9: it makes sense to bundle extensions and the "capabilities" section > into one. > > * 2.9: The AS MUST ignore any unknown extension. > > * 3: it's confusing that we're using access_token for two different > things. Maybe we could change the RC/AS one to "as_access_token"? > > * 3.1: MAY vary *by* request. > > * 3.1: how is the client behavior "deterministic in all cases" - how does > the RC know whether the AS allows continuation or only allows one request > at a time? > > * 3.2.1: the "value" of the access token is opaque in some cases (bearer > token) but not in others. > > * 3.2.1: The ASCII restriction on "value" is insufficient. Needs to be > printable ASCII, 0x20<v<=0x7f. And I'm not sure if this doesn't leave some > characters that still need to be escaped. > > * 3.2.1: why is "expires_in" optional? Typically access tokens are not > revoked, and the RC needs a way to manage their lifetime. > > * 3.2.1: "resources" refers to this same section. Did you mean 2.1.2, or > are we missing a subsection describing resources/rights? > > * 3.2.1: "key": another polymorphism alert! > > * 3.2.1: the example at the bottom of the section talks about a way to > present the token, I believe this discussion is out of context here. > > * 3.3: the AS knows now which interaction modes are available. Why not > pick just one for its response, to simplify the protocol? As one example, > the AS can then more easily decide on timeout behavior. > > * 3.3.3: Suggest to add to the last paragraph: If the RC does not receive > a callback until an RC-determined timeout occurs, the RC MUST act as if the > entire request failed. > > * 3.4: "updated_at": Unix time is nice, but for absolute time it's common > to use ISO 8601 format. > > * 3.6: YES, the "error" element is exclusive! > > * 3.6: in SecEvent we tried to use RFC 7807 "problem details", I think it > could work nicely here. > > * 10.4: "indicating that GNAP" - sentence is broken. > > * This "speculative" access is not useful if the response is only a MAY. > Why would the RC try it if it is unlikely to provide useful information? > > * 15: the BCP195 ref is broken - the author names are missing (yes I am > one of them...). > > * Appendix D: can we name the first scenario, maybe "Simple API Access"? > > -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > > -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth >
- [GNAP] User code, was Re: Review of draft-ietf-gn… Yaron Sheffer
- Re: [GNAP] User code, was Re: Review of draft-iet… Fabien Imbault
- Re: [GNAP] User code, was Re: Review of draft-iet… Tom Jones