IETF Logo Mail Archive

Re: [Txauth] TxAuth Charter (Take 3.5)

Adrian Hope-Bailie <adrian@hopebailie.com> Wed, 29 January 2020 09:40 UTC

Return-Path: <adrian@hopebailie.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E6AF12026E for <txauth@ietfa.amsl.com>; Wed, 29 Jan 2020 01:40:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopebailie.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L5nnh5EF5c8F for <txauth@ietfa.amsl.com>; Wed, 29 Jan 2020 01:40:40 -0800 (PST)
Received: from mail-ot1-x334.google.com (mail-ot1-x334.google.com [IPv6:2607:f8b0:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F456120130 for <txauth@ietf.org>; Wed, 29 Jan 2020 01:40:40 -0800 (PST)
Received: by mail-ot1-x334.google.com with SMTP id 59so14918892otp.12 for <txauth@ietf.org>; Wed, 29 Jan 2020 01:40:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopebailie.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KXh/MLjS5vPmQ7Q6yIXcNpwuhSoUCGKVQNfticXtwS4=; b=Yo0tBCfIzbGQq8m12GSm2keR28WrFiJZZTYVlZttypgyNqNkLXgVgbdjdqTPPrKl4v OzbysLlo1vnJwjVxlXBFs7ziWODajReHkwg7xz8M6hXq1Y7RZSgumJMaFE6vBRkmvCg7 58b4Uz7GrCAA77hv52HNgxPzHtitAh08+XoVo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KXh/MLjS5vPmQ7Q6yIXcNpwuhSoUCGKVQNfticXtwS4=; b=FmsTFvsyry01zB/PEosmQ7hn1l3Kv1SapUNfyMJa8zwHFlrr+4pCSSctX15DsUUc31 a7HIuDc6N1n/Vt+cBoxubvWAGqYvQAw6Z/J1wPpYi3FU45pSA6a6y8FZ9vjtpAVPwmVV 8/YfLfkg+DXUdI/R5qlp5xR+6PvSfp7IhRQgT7HQvVCr4WNYC5pzwdCg0Y/QUzWz/EOq hBjjx5ioZsOG4DxItzO+N34U8cqxp0Hbrnqbm+vRkZBrHtjMotOsAznGmrb+pq8n6Ddy iD/0Pld5yI9m1p7ku87brCWYsIq82Y/gtthCP/KMSrJmfLQLrJjjdzTa252ZjzeRvNRX 4eIQ==
X-Gm-Message-State: APjAAAVF1//PlvS/2QIqlPXx5eiu0GeuUO05wCpI3wSzyITEJ6VJgSCc qSIB+FiDB+0VTtdwqv3n0DJMAiPT5wD2pWoPcwoL9yRJat/r/w==
X-Google-Smtp-Source: APXvYqyWmervTYCnL1NCRbhmxhBAz7fZgw05UniA8WPr6ch9gCqOBKSsi73FDFOxcDHEIqtIqW914YPLLd2s/bPmlzM=
X-Received: by 2002:a05:6830:15d7:: with SMTP id j23mr8398457otr.357.1580290839567; Wed, 29 Jan 2020 01:40:39 -0800 (PST)
MIME-Version: 1.0
References: <359EC4B99E040048A7131E0F4E113AFC0216F15F2E@marchand> <359EC4B99E040048A7131E0F4E113AFC0216F15F4E@marchand> <D9533FDA-1B20-4CC5-972D-B6C9F9219143@mit.edu>
In-Reply-To: <D9533FDA-1B20-4CC5-972D-B6C9F9219143@mit.edu>
From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Wed, 29 Jan 2020 11:40:28 +0200
Message-ID: <CA+eFz_+wag1DQYsBE7_VUDEcZz1zFmazSHDa4msfw5cDV85rfg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: "rdd@cert.org" <rdd@cert.org>, "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000227770059d4422f2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/ROYEfcwQlctAWSvPvaU5faQ-xeU>
Subject: Re: [Txauth] TxAuth Charter (Take 3.5)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2020 09:40:43 -0000

On Wed, 29 Jan 2020 at 11:04, Justin Richer <jricher@mit.edu> wrote:

> Hi Roman, thanks for the review. I’ll respond to the questions in line.
>
> > On Jan 29, 2020, at 1:13 AM, Roman Danyliw <rdd@cert.org> wrote:
> >
> > Hi!
> >
> >> -----Original Message-----
> >> From: TxAuth <txauth-bounces@ietf.org> On Behalf of Justin Richer
> >> Sent: Sat, 18 January 2020 14:15 UTCShow
> >> To: IETF TxAuth <txauth@ietf.org>
> >> Subject: [Txauth] TxAuth Charter (Take 3.5)
> >>
> >
> > [snip]
> >> I would really appreciate the security AD's weighing in at this stage.
> Thanks
> >> again everyone!
> >
> > The Sec ADs have reviewed the charter (as of v3.5) and at a high level
> believe the scope could use a bit more precision.  If there was no prior
> work, the situation would be different.  However, in this case,
> relationships with the existing OAuth WG needs to be navigated.
>
> That makes a lot of senes, and I appreciate the drive to clarity.
>
> > Topics that require discussion and clarity include:
> >
> > ** is TxAuth intended to solve all existing OAuth use cases (i.e., is
> TxAuth is a superset of OAuth) in a new, non-backward compatible way?  If
> not all, which would not be addressed?
>
> Yes, it is my perspective that we would be working on a superset of OAuth
> use cases. However, that does not mean that we would be replicated OAuth
> functionality exactly — there will be things that we solve in fairly
> different ways (like single-page apps, for example).
>
> If this were happening in the OAuth WG, this work would likely be called
> OAuth 3.0, and that might still be the final name at some point in the
> future.
>
> How would you recommend we communicate that in the charter? Should we
> explicitly call out coordination with OAuth WG?
>
> > ** what new use cases would TxAuth address (that aren't in scope for
> OAuth)?
>
> Identity is a big one, which is what OIDC currently layers on top of OAuth
> 2. We’d also be looking at user-to-user delegation (the UMA and CIBA use
> cases). We’re also looking at cases that involve non-web interaction with
> users (like the DID/VC work, or app-to-app communication on devices). All
> of these are listed in the proposed text, do they need to be called out as
> being beyond OAuth 2?
>

We are most interested in payments use cases. Specifically we find the use
of OAuth 2.0 for delegated access to financial accounts very limited,
forcing us into using things like the "Lodging Intents Pattern". I think
Torsten has made the point well in his blogs on the topic (
https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
).

I believe this can be broadened to include any use case where the
authorization flow involves the user/RO giving consent to a client to
perform a specific transaction (as opposed to simply get access to a
resource or API) and the need for the AS to have the details of this prior
to authorization so the details can be properly presented to the user.


>
> > ** given a new use case requirement for delegated
> authorization/identity, what would be the decision process to decide to
> which WG or WGs it would go?
>
> These are different protocols, so a large part of it would be what context
> is it being solved in? If “using OAuth 2” is a requirement, which is going
> to be the case for a lot of people for a while yet, then the OAuth WG would
> pick it up. That’s why we’re still doing PAR, JAR, RAR, and the like over
> there. If you don’t have to use OAuth 2 or OIDC as your base, or if you
> need behaviors that are outside the OAuth 2, then you direct the work here.
>
> Or you bring the use case to both spaces, and maybe there’s an OAuth 2 and
> a TxAuth version of what you’re after, and these solutions are coordinated
> as much as makes sense.
>
> What should the charter say to address this information routing question?
>
> > ** notional milestones (not the dates, but the deliverables)
>
> Is this a proposed document list? I had thought we’d already kinda covered
> this in the extant text, but I’m taking this comment that we need something
> that’s more specific.
>
> >
> > In the details of the text:
> >
> > (1) Distinguish what's new (instance #1):
> > OLD:
> > This group is chartered to develop a delegation protocol for
> authorization, identity, and API access.
> >
> > NEW:
> > This group is chartered to develop a fine-grained delegation protocol
> for authorization, identity, and API access.
> >
>
> That works for me.
>
> > (2) Distinguish what's new (instance #2):
> > OLD:
> > The use cases supported by this protocol will include widely deployed
> use cases currently supported by OAuth 2.0 and OpenID Connect (an extension
> of OAuth 2.0) as well as new use cases not enabled by OAuth 2.0.
> >
> > NEW:
> > It will expand upon the uses cases currently supported by OAuth 2.0 and
> OpenID Connect (itself an extension of OAuth 2.0) to support authorizations
> scoped as narrowly as a single transaction, provide a clear framework for
> interaction among all parties involved in the protocol flow, and remove
> unnecessary dependence on a browser or user-agent for coordinating
> interactions.
> >
>
> I like this, thanks.
>
> > (3) Style Nit:
> > OLD:
> > Web, mobile, single-page, interaction-constrained, and other types of
> client applications
> >
> > NEW:
> > A variety of client applications, including Web, mobile, single-page,
> and interaction-constrained applications
> >
>
> Works for me.
>
> > (4) Per "Token presentation mechanisms and key bindings", perhaps it
> might be clearer to say "Mechanisms for presenting tokens to resource
> servers and binding resource requests to cryptographic keys”
> >
>
> That works, though probably “binding resource requests to tokens and
> associated cryptographic keys"
>
> > (5) Per "Mechanisms for providing user, software ...", perhaps it might
> be clearer to say "Mechanism for conveying user, software …"
>
> Sounds good.
>
> >
> > (6) Per "Optimization of information and API access beyond identity
> through the delegation process", is this suggesting the need for optimizing
> access to TxAuth information for use cases beyond identity? Or the
> inclusion of information that isn't identity information into the
> delegation process?
>
> It’s the latter — there’s been stated interest in including information
> beyond just an access token in the response. Identity is the first clear
> use case of this, but I think we can treat identity information as a
> specific case of a more generic response.
>
> >
> > (7) Refine the protocol focus:
> > OLD:
> > While the initial work will focus on using HTTP for communication
> between the client and the authorization server, the working group will
> seek to take advantage of optimization features of HTTP2 and HTTP3 where
> possible, and will strive to enable simple mapping to other protocols such
> as COAP.
> >
> > NEW:
> > The initial work will focus on using HTTP for communication between the
> client and the authorization server, taking advantage of optimization
> features of HTTP2 and HTTP3 where possible, and will strive to enable
> simple mapping to other protocols such as COAP when doing so does not
> conflict with the primary focus.
>
> I like this wording, thanks.
>
> >
> > Regards,
> > Roman and Ben
> >
> > --
> > Txauth mailing list
> > Txauth@ietf.org
> > https://www.ietf.org/mailman/listinfo/txauth
>
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email