Re: [Txauth] Kathleen's review

Dick Hardt <> Thu, 30 July 2020 20:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 86FC53A0C86 for <>; Thu, 30 Jul 2020 13:36:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ETqtJJFILgMI for <>; Thu, 30 Jul 2020 13:35:59 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B39163A0C46 for <>; Thu, 30 Jul 2020 13:35:58 -0700 (PDT)
Received: by with SMTP id v15so11143450lfg.6 for <>; Thu, 30 Jul 2020 13:35:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lCek9M9K2FCyeVufJ8JZXesveybujmxO7gICdsF0bZw=; b=oR7fW89M0BQGi9EzBUYU+J8j2/9UE7PwLuMiIIqu9ptu/gHI7H7VHRGmP2OhA/3PWC tvWpcils535cTFfklHRIR9YK1XFdQN6koji75vKIBFrQMlYJGaSQfScJq0v0Oq66Lqj2 ybRVfK5PZRF2Ptm0Z9nA6jAu1Fu6J+rZX9JLv00vW/6WIHbFJzeLftbpkTe4b7xj0zYd e/CTmmxk5egtFnlDwrjtHmLrUrLvwE5hHFqJVA8x8pIeKiMEFcENdHL97OQ0knsy2ZJk qVYfoJswEcYyMIUuJF49N6d4Jh97hLVWXZzUxphTkhgroxLTYXgu4c6lBCBFenInNVr3 Hkxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lCek9M9K2FCyeVufJ8JZXesveybujmxO7gICdsF0bZw=; b=qttFSNw1K4v5Zb/pCqPnE3c0YeKpXnDn87yosIzA7VjSq7TXz48RIcBXMeY1H9uXR/ Wc+6QARLqH3BT8sZp6B/ERUWeS7s/n+7QR8M/div7GpdjzBB+ICr/yRk3/FU8hpQ4ZzG tHd3QZKiUxsJ8mYq7gAD1pDUQDUb7egyTPmJ1di51ox8oFYoo8bslubxI+sZuY2DxUEt oqDlyPmdztSPgWNWkKixPk3XhJwVOql4cfIeLE/u2YmPJl56cbY/CdNzKCEcMxdSuOsR mRmhRIJxBzkq3V3qxD6ke+Qz4PufpgPpcO9h6D1FOgPAz++CHkVQNvciUAT9Jg6xRpMr FuVA==
X-Gm-Message-State: AOAM533OLxMPALwn7FotXZSkOpE7wc7ZwiLf2uSjxBnKs8HQAW4FFpo8 TgUThr/YOQiFZOd3Fw1ZdC1n2Ky8uaXpxyhixQU=
X-Google-Smtp-Source: ABdhPJxBuufQ9BqWFXDY0Pirfq+Yt/k50qGEZ5zBnicGd4G9Z52JIhEoRLheOOdCkLFlmJ5sSqP6DGCUAu7sgAhepH8=
X-Received: by 2002:a19:8044:: with SMTP id b65mr194619lfd.91.1596141356502; Thu, 30 Jul 2020 13:35:56 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Dick Hardt <>
Date: Thu, 30 Jul 2020 13:35:20 -0700
Message-ID: <>
To: Kathleen Moriarty <>
Cc: GNAP Mailing List <>
Content-Type: multipart/alternative; boundary="00000000000090d4b705abae9e09"
Archived-At: <>
Subject: Re: [Txauth] Kathleen's review
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Jul 2020 20:36:02 -0000

(adding in a subject)

Thanks for the clarification Kathleen!

I fully agree with you that we want developers to think of security when
reviewing the document.

Ironically, I wanted to ensure a Client developer knew they needed to
authenticate in all calls to the AS, and I had JOSE in every section in the
first drafts I sent to Justin for feedback, and he suggested I factor it
out into its own section, so that it would be easier to specify
other client authentication mechanisms such as MTLS and http signing. I
factored it into its own section, and then got feedback that people
preferred the JOSE client authentication to be a separate document.

In the milestones for the WG[1], the core delegation protocol is a
milestone targeted for July 2021, and a key presentation mechanism is an
independent milestone targeted for Oct 2021.

In the charter we have anticipated having numerous key presentation
mechanisms, so separating the key presentation documents from the core
protocol seemed the right choice.

Q: Are you suggesting we combine the documents? Or is there a different
recommendation to overcome what you saw as a security deficiency in XAuth
vs XYZ?

As you know, there is much more to security than cryptography, and I
considered how to encourage best practices in the design. One of those is
the separation of concerns, which I wanted to encourage by using URIs and
HTTP methods so that GS decomposition was straight forward per slides 11-13
of my presentation [2].

In contrast to XYZ, XAuth requires the Grant URI and AZ URI to start with
the GS URI, so the Client has certainty on which GS a Grant or AZ is for on
receipt, and when working with the URIs later on. An opaque token or handle
stored in a database could be associated with any GS -- so a self
describing URI can assist in detecting an error in which GS it belongs to.
I think constraints like these improve security as more errors can be
detected, and attack vectors are reduced.

btw: A GS could have just one entry point if desired, the GS URI, and the
Grant URI and AZ URI could be represented by query parameters.




Would you confirm you were looking at -13 of XAuth? (The datatracker tools
are confused and depending on how you land on the page, the latest version
is not displayed)

In my first drafts that I shared offline with Justin, I had JOSE client
authentication throughout

Put JOSE Client authentication into a separate document in version -08.

WG deliverables -- authentication is a separate document.

>From a security perspective, I focussed on the protocol aspects rather than
the security aspects.

interaction modes

URIs - based off of GS URI, methods and - decomposition

client knows which GS a Grant or AZ came from

On Thu, Jul 30, 2020 at 8:11 AM Kathleen Moriarty <> wrote:

> Hey Dick,
> Thanks for your questions and all of your hard work.  I'll respond inline
> as not to miss anything.
> On Wed, Jul 29, 2020 at 1:07 PM Dick Hardt <> wrote:
>> Hey Kathleen
>> A couple questions on your presentation:
>> 1) Which versions of the documents did you review?
> Your last posted version to the datatracker.
> I had started with the latest in the datatracker for Justin, but switched
> when he announced the update.  Although my skim on the datatracker one had
> similar impressions in terms of structure, ease of use, etc.
>> 2) Would you elaborate on your security comparisons of XAuth and XYZ? I
>> want to make sure I understand the work you put into your review.  While
>> reviewing your slides, I was not following a number of your statements. For
>> example:
>> In your first slide:
>> A) you stated that "XAuth Relies heavily on OAuth2.0, using Bearer token
>> and adding cryptographic (e.g.JOSE) functions after-the-fact". Both XAuth
>> and XYZ support bearer tokens for calling an RS. I'm not clear how this
>> feature is different in XAuth.
> Sure, XAuth punts the use of security off in a section and is not more
> integrated in the approach.  That's how OAUth is now and it's something
> that really should be fixed.  Making it clear that security is an
> afterthought makes it an afterthought for developer and implementers.
> Industry is moving towards built-in intrinsic security.
> You can do this just as easily, but XYZ mentioned security in the
> flows/sequences as an inherent part of each.   While it may not be perfect
> yet, the theme was there.  The references to exchange of a key in section 2
> and 3 with an editor note that this needs work are the first places the
> idea of embedding begins.
> The value generated in the access token doesn't explicitly use crypto, but
> could.  This is something to consider.
> Section 4.4.2. - uses a HASH, but an HMAC or KMAC could be used.  This is
> in the feedback I will be posting.
> Section 7 calls explicitly for use of a JWS and authorization values.
> Section 8 provides more explicit guidance for add-on, but it's not in a
> registry or another draft - part of this work.
> Section 13 points to the need for more work, acknowledging multiple ways
> to explore supporting security directly in the protocol.
>> B) What parts of XYZ did you view as "Builds security into the protocol
>> as opposed to adding it in later (e.g. OAuth2.0 bearer token + JWT)"?
> See above.  It's a lot more clear than the single reference in XAuth.
>> C) "Interaction flows defined, focus more on security with cryptographic
>> requirements and examples included" -- there some cryptography in the
>> redirect flow, but not in the others. In my opinion, the cryptography in
>> the redirect flow does not add any value, and just complicates the
>> protocol.
>> Perhaps you can point to sections in each draft?
> See above.
> Best regards,
> Kathleen
>> Thanks!
>> /Dick
>> --
>> Txauth mailing list
> --
> Best regards,
> Kathleen