IETF Logo Mail Archive

Re: [GNAP] Summarizing status from SECDIR IETF LC review of draft-ietf-gnap-core-protocol-16

Justin Richer <jricher@mit.edu> Thu, 08 February 2024 19:02 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99F7AC15106B for <txauth@ietfa.amsl.com>; Thu, 8 Feb 2024 11:02:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gW4RPPnaTVIR for <txauth@ietfa.amsl.com>; Thu, 8 Feb 2024 11:02:10 -0800 (PST)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on2133.outbound.protection.outlook.com [40.107.96.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 915AEC151068 for <txauth@ietf.org>; Thu, 8 Feb 2024 11:02:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kzTWE0vCwU6RuTjkmjUFskOnGE9yOM8vwybMjOjwqpNXkQlIg753QZBDJfWQdSlE0PMq+pxikvycN+HTbPvpO80YeQ1XCdUpYFn9sGMDpQ+ZmX/G5x/2V2HsqAtupMZ/yyJWReRfRvkCBFn5tLlGrn0qheVahn1VSnpQ80DFP3lowRwlTDRB6ZoCTWdI5jsuUUQYKfDOmZImobnGyR5dGAGUer+CigRFZcbTjAz1dlQdQLpOqMQS7s3vFuL9nwFEr8zVxswgN3w8oEtmmo+B70ox5rF7LI9dj9PF8NBDVgS9lpMHGp0V8As/Ic1uyYB5sDhqWPDQ0wKf3jI6UsP1KQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=iISVCYtjdGWoDC5vEXClFFzPnUGjzdxCKpCJvYpl11Q=; b=j6macP3MmplDEK/+pB6HVl5JFjptSsD/fO0TXkggdsW/YNlw+79ZCHvnqNp5PyM0BcIUrhXaqLV2CWXwuo/TZN99GZ2mG1jE7WVyVz2V3rzyK1GYkykiHNUB7ZAY3Lefb98taOm9HC4xpcbFge/CjvMvdkSfNkuUsUKAx9BdzQsHpsQd0IKDeCmjI887waHhKoJ6ilu1eNYkwAfdE0PRbBgTPpF9rDbA5RPrMSVrNODMpdbQt59MJeGiAac6Yxsm1SxWFzwFkTf1DdIuJmmm8wE778OVHHNmkTvKFf3ojgnJXby2flM+YwRjw+XMiH8Je0CpcaLn1UeBlyJeT2cK5A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mit.edu; dmarc=pass action=none header.from=mit.edu; dkim=pass header.d=mit.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iISVCYtjdGWoDC5vEXClFFzPnUGjzdxCKpCJvYpl11Q=; b=td3/mn+uxu2HFByHRJD/wYgcZvU7ZJE74cUUJ7+dytmPO6WhaJOTzoJauTtVrEywaScajImpOkEtMC1sBFjdCRvqOMjaAb/e+19Qty0qdryvjhy1ilD4OmhrlCmx3q9S+fqRrw/WV6SesNeKpmeOnH1nIB5/Jd2Njaqhuey8HlI=
Received: from LV8PR01MB8677.prod.exchangelabs.com (2603:10b6:408:1e8::20) by CH3PR01MB8339.prod.exchangelabs.com (2603:10b6:610:174::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7249.38; Thu, 8 Feb 2024 19:02:07 +0000
Received: from LV8PR01MB8677.prod.exchangelabs.com ([fe80::c5bd:292f:c37:64dc]) by LV8PR01MB8677.prod.exchangelabs.com ([fe80::c5bd:292f:c37:64dc%3]) with mapi id 15.20.7249.038; Thu, 8 Feb 2024 19:02:07 +0000
From: Justin Richer <jricher@mit.edu>
To: Russ Housley <housley@vigilsec.com>
CC: "rdd@cert.org" <rdd@cert.org>, "txauth@ietf.org" <txauth@ietf.org>
Thread-Topic: Summarizing status from SECDIR IETF LC review of draft-ietf-gnap-core-protocol-16
Thread-Index: AdpZ9ROUOAGI7nyfTNWlob7LkU2+DQAFZLmAAALWIgAAKtKjgA==
Date: Thu, 08 Feb 2024 19:02:07 +0000
Message-ID: <228DFDD9-EF1D-4D7C-BDBF-3B1914E8BBCA@mit.edu>
References: <BN2P110MB11074A36A14E33B0F4A9ECEBDC45A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <05C47833-3C63-4588-B9BB-8FB1673F68FD@mit.edu> <348E9604-64C9-4281-8A32-23C9A08C5E22@vigilsec.com>
In-Reply-To: <348E9604-64C9-4281-8A32-23C9A08C5E22@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mit.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: LV8PR01MB8677:EE_|CH3PR01MB8339:EE_
x-ms-office365-filtering-correlation-id: fad2fde4-b388-4837-bf8c-08dc28d87264
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: uK7offapHRjTfSlj8L6lLb6rc+0YYwygNOr4dEhSKwMerpO7IyYZmBVkozbjw8larPixq1AeNnUrq3Xuj+8NxsdG1HQVxQdiY6JoB8NYyyxPB6tHxXCOEEn8k+0CtjXugqezB3Un4UtQXsWLUDWbd7o4MGAN5C8A7BuGwuOy+ztkopj/DRs53lcGszeZdCwI14pMOaShxMKMHtSU94Z/Dl11pZ0VkZzmMGW30TWuCmF53p9NFkRTOGFxDFiujkRsn8vQfdpcsyA8bb1G0nqDFAGFT6LMsSYLq3UCKc9HO2KCuCpFzJYCGa+DscC96X4omCCam+0o235XO48Mv/zUHRdaoYrs43Lm5+Ch7bwqsuGQbZezxm3B+g7l6DsJU3WVtS4/HMPwLy0+Bb4Lpvufg97LmyUdjywS3mpYkBB07cnJUF9uHWZ05yxJzV/90yQM8RNFQkuAr8VnEYVZ/1ZlAYzT74X7zc66svqPKZjqEEU/X1i/M/AqHUW2xyZKMJ+2AuDyslJRyMfvADVCS0gvB5tklT2wwS9im4MmeKvhz5AjA8ne/SfpSzESeVI0KW+bEioM0DAH88BetGNYmZuNKpc/AkWESF8jQB3rhkfeU24Haqj8KOJW3NCJaZ90GPfyc9dEHHMadAdqO1N3v8AKAA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:LV8PR01MB8677.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(13230031)(396003)(39860400002)(346002)(376002)(366004)(136003)(230922051799003)(64100799003)(1800799012)(186009)(451199024)(2906002)(4001150100001)(5660300002)(75432002)(41300700001)(66899024)(83380400001)(122000001)(38100700002)(2616005)(26005)(86362001)(33656002)(786003)(6916009)(54906003)(6512007)(66446008)(71200400001)(66476007)(6486002)(66946007)(6506007)(64756008)(66556008)(478600001)(36756003)(966005)(76116006)(8936002)(8676002)(53546011)(4326008)(166002)(316002)(38070700009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: eLFSoja/GhJ8htWMtGO2WkwNy4FTG/1V5vHIZW21vUSAVb8qB/v+Ix79yrRcygvexAOH8UTCxRhxlCPVmfPEzsa9stD6gaT0lFz7SmAhsmr7oA2uUTf9fqYjTuFliEbkDCCaQ97D/xLyrFDqdBdYb3e8c2I9mh6pltt6oquCqDWAGIYS1VIlA8X3L2rpLoRyyJgUqEYq0/eXF9hInaNNlxBsiNM0zyuZusOjifZ/bBQYwiO3c7UkupIWltVDTveoPWm4pwhvY3u+DhDC40lnsIaPHJdakzGny+r5koEAfzQx1ET5cCXzurKzSXG1MZzVHyoi5goSOmVkoOnKfQtsqB3N+PRZ2c/kGTILIDQ5VzOegnoIkpeBUwdGEC9N7L4j0lTNIssIm8XPassn2SKu117GW25DzVXopUeMKuOaYtGYdRIyuQwsLvpM5lsj+zUBdOr0yxlTYbvE743COmYYcbeDmv/lH0PqR0EEr17cAuLPV8W7/AhHq62/Kx+tgwEtsWSBMPQxyxkt1WeMZP7Mba8Z+mWM7U8N31+1Flvhas5XtqWZ8VbYq0YB/ABJdpMO/jeq9c8GsFAh2CaSsbqC8NaPJD6fgCalHEGgOrtGXhOwzThZ3ZpByaO63MvhCnjshh6S6phrG6meXhn/vP+4TisA0KvamO+LEtLz6o6seztivwYBC0P24WtDofP9BHG8oO6PMrMH3uOSblDoyR5fv2S8A+0zez9jCkNIXlJ61uI2KHrnsUFYAcmuy/6yWSrUUxKF7UWefxNxA9oKIuBgPU5hzLv5jMFcCoXO0gUgRm6W6J+4dr8WbkLFhtHeTNrPJy0X32mewJiFiw2ObTTT7uhVAju1tsEGlkD4LilYpyGUuP3OM5rCeAKQkJ3nfGjKwdrj6OP9pmp2nnjiTwniEZEAKUo04Xoueb+2FeGrsL7BiIqtf58Af9EiNbFPlParW/MyWqSvNvHU/rgyLcKdMnVPq5QTGXdCBy7uhlC0Swcn3IIe2rBQYhZKPKbwgJsBZhxy9E96j/8Th267Hpk2r8G2szfMU9pmb8Dj3L73de13XdF7ISO1qee9zr2L6vWsneXfI9a5ucVNh8F9D4qXCCb/Fxgunh+hTm+DPfHupQ95OdsEPCC5Dc6ndOYbzGKfGwlVBE04sgYR1kb8twOP4fMuSGGiwIJ0qvXEFiTTakJC+K7nodCIa9GFb1kyFcRlWWg7QKcpDXdYrkqKCy+BmhcWr3Dp1yA5+59sWls/pEoP9SRz6zrYx3iuam/x032vqDv8+Sv+Sg6mdgHz6JICwv3InPWav8pI2CPG5BCCx2FqqDJuJn8L9zojmuDconYLXu6wIvfYc0J2+LIzAqnnBxRQyGjgBtmsOy4hQkNQ349Ucm/WJZEgGBqm9BD1Ahw0IpU8GoD/+i0MkG6fYwoXLUDADfF3xES0FJZEcuEDt2fnXFzjkC6EMcj3HWYHYfrJIWbL5Vx8tSZ+MEabcf8/dzfbQtR6yrGbEH5TsLv9TKq/kGHoa5tUahzkIss8ai/ynMrlEyUSekOUJpk0r3wauDFeL6jjcsXnPHjt/SE+x9t/AmzibKh0KLSRSJ7jwZdS
Content-Type: multipart/alternative; boundary="_000_228DFDD9EF1D4D7CBDBF3B1914E8BBCAmitedu_"
MIME-Version: 1.0
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: LV8PR01MB8677.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fad2fde4-b388-4837-bf8c-08dc28d87264
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Feb 2024 19:02:07.6554 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: IHlDA7k4rSuV0ssSbIp6bWcEA0zu+aIpnADlLWRrH/zbeLAB75diFaj34Q+yaI8g
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH3PR01MB8339
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/UN025o--Owt4hdmYAIjQYOjypJg>
Subject: Re: [GNAP] Summarizing status from SECDIR IETF LC review of draft-ietf-gnap-core-protocol-16
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2024 19:02:14 -0000

Hi Russ, Responses inline with some items trimmed for clarity.

— Justin

On Feb 7, 2024, at 5:35 PM, Russ Housley <housley@vigilsec.com> wrote:

Justin:


During IETF LC, SECDIR (Russ Housley) performed a review on draft-ietf-gnap-core-protocol-16.  See https://mailarchive.ietf.org/arch/msg/txauth/i9NEvnr2l1p8hW7U_l382NZbLxg/.  Justin (Richer) responded and iterated on this review. Here are the relevant messages in the thread since it is not linked from the SECDIR review link in the Datatracker.

(Justin-2023-11-27) https://mailarchive.ietf.org/arch/msg/txauth/-Zl-mKGKC0WgujAlj8cd3sOgr2Q/
(Russ-2023-11-28) https://mailarchive.ietf.org/arch/msg/txauth/ZArrGJN06Tsyi1o9g48P2J4fzIo/
(Justin-2023-11-29) https://mailarchive.ietf.org/arch/msg/txauth/Ek0NCQeiUfuiJv7EdSFzPq2s-ao/

A -17 of the document has been released.  I very much appreciate the deep review and iteration.  I am trying to re-review the document and identify unresolved issues.  The following is my assessment.  The inline thread was broken at some point making it difficult to attribute text so I'm repeating the initial feedback from the SECDIR review here and annotating it with [Roman].  Please consult the above links for some of the details.  I'm looking for resolution of the issues below with further discussion or a document change; or a correction that that this issue been addressed in a way I didn't immediately recognize.

** (Russ on -16) Section 1.2: I am having trouble getting my head around the idea that
the AS role grants subject information to client instances.  This feels
like a purposeful confusion between authentication and authorization.

** (Russ on -16) Section 1.3: Elsewhere in the document, there is a careful distinction
between software that acts on behalf of a subject and the natural person
that uses the software.  This distinction is missing in the definition
of Subject.  It is made worse by including organizations.  Please say
how people and organizations "decide whether and under which conditions
its attributes can be disclosed to other parties."  I believe this is
done by interacting with the software or initial configuration of the
software.

[Roman] Is it possible to be specific on where there is a mismatch?

GNAP is fundamentally a delegation protocol, which can delegate both authorization to call APIs (a la OAuth) and the identity of the user (a la OpenID Connect) in the same flows. I do not see a confusion between the authorization and authentication aspects here, especially as they are deliberately requested and returned separately from each other.

I got this from the discussion that we had following the SECDIR review.  However, I think that saying something about authentication in the role definition in Section 1.2 would be very helpful.

I am still confused about how a device can be an RO.  See my message from earlier today.


As per discussion on the other thread, I’ve changed the introduction here that hopefully makes this intent more clear without changing the intent of the text:

https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/529


** (Russ on -16) Section 2.3.2: I am not worried about logo_uri if only data: URIs are
allowed, but that does not seem to be the case.  Since the logo might
be fetched, there need to be an integrity protection mechanism to
ensure that the web server does not provide a different image than
was intended.  RFC 3709 has this same concern and it uses a hash of
the image to ensure that the intended image was provided.

[Roman] Section 13.15 has several relevant considerations.  Building on Russ’s point of having confidence in fetched image and the intent to provide flexibility, isn’t there a residual security considerations to document where an AS provides a URI which

Both the value and security consideration come from the client being able to swap out the image without updating the AS.

I’ve proposed an additional security consideration just for this particular aspect in this PR:

https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/524

Great improvement!

I am not sure what you mean by a "sanitized and generic URI".  Do you have a reference or short description?

I really just meant a URI that doesn’t have security sensitive elements in it, I’ve changed the PR to say that instead.


** (Russ on -16)  Section 2.5.2.1: How does the use of an application-specific URI scheme
provide for the same security as HTTPS?  It seems like an way to avoid
them.  This text appears several places in the document.

[Roman] This doesn’t appear to have been resolved.  There was an indication that improved definitions would be added to Section 1.1

An application-specific URL is not loaded across an untrusted network connection and is therefore equivalent in protection to plain HTTP on localhost. I’ve added that text explicitly in all the places I could find:

https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/526

I don’t believe it needs an additional definition.

Nit:  Would it change your intent to say "that already exists on the end user's device."

The point is that it is already there, so no network access is needed at all.

Since the context of each of these statements is a URL that the client instance knows it can serve, I think it stands to reason that the application already exists on the device since it’s the same application that’s creating the initial request. Furthermore, there’s no way for an AS to enforce the installation state on the end-user’s device. With that, I don’t think it’s helpful to add the additional text here.


** (Russ on -16) Section 7: Please consider a reference to RFC 4107.  I'm not sure where
in this section is the best place to add a cite.

[Roman] -16 already contained a reference to RFC4107 in Section 13.7.  The discussion thread seems to indicate that additional pointers would be added in a version after -16.  I don't see it.

It seemed to make more sense to keep the reference in the security considerations section as opposed to making a reference to it (normative or otherwise) in the client-signing section (7). Yes, clients and AS’s need to manage and store their keys well. But the thrust of section 7 is how those are presented on the wire and used to bind request messages to keys, not how the keys themselves are managed. There’s already a forward reference to the security section that mentions RFC4107 in section 7, so we felt that was sufficient.

I really dislike the notion of a symmetric key being used for "signing".  In my view, digital signatures require asymmetric cryptography.  Is there a way to avoid this in the first paragraph of Section 13.7.

I think we can add same definitions paragraph that’s in the HTTP Message Signatures spec introduction, which I’ve added in this PR:

https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/528


** (Russ on -16) Section 9.1: I do not understand what an implementer is supposed to
do based on this MUST statement:

  "client instance MUST check its value to protect itself"

(Justin) The client instance checks whether the value of the `referrer` parameter is the URI of the resource server that it made the request to. The rationale for this is discussed a little more in §13.36 (https://www.ietf.org/archive/id/draft-ietf-gnap-core-protocol-16.html#security-compromised-rs).

(Russ) What checks MUST the client instance perform?  Section 13.36 does not address my concern.  Section 13.36 is about protections that are implemented at the resource server.

(Justin) The client instance compares the referrer parameter returned to the URL of the RS.

[Roman] Perhaps this clarifying guidance can be added directly into the text.

I’ve put together a PR to clarify this, as well as straighten out the language around the requirements of what’s returned from the RS and what the client is supposed to do with them.

https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/527

This is now answering my concern.  However, the sentence is incomplete: "... plain string comparison method in ."  I assume you meant to insert a reference at the end of that sentence.


Oh thanks, I’ve added the reference to the existing PR — it was meant to point to the simple string comparison of URI.

** (Russ on -16) Section 13.24: This section does not seem like a Security Consideration.
If the calculation of the interaction hash is not done the same, then
there will be interoperability issues.

[Roman] Doesn’t seem like we have resolution on the issue.

It’s a security consideration because the client can choose to not calculate and check the value, which would leave it open to the described attack. The mitigation of the attack is to perform the function as specified in the document. This section explains why it’s important, which I believe is a valid use of a security considerations section.

I think you do not understand my comment.  You specify the way that the interaction hash is calculated.  Everybody needs to do it as specified.  Failure to do so is an interoperability issue.  This section talks about the protections that are offered by checking the interaction hash.  Failure to perform the check is a security issue.


I’ve added some framing text to the PR here, hopefully this helps clarify the purpose of the section in question.

https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/530

Russ

v2.23.0 | Report a Bug | By Email