[GNAP] New I-D: draft-pinkas-gnap-core-protocol

Denis <denis.ietf@free.fr> Thu, 19 August 2021 17:24 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE4953A0890 for <txauth@ietfa.amsl.com>; Thu, 19 Aug 2021 10:24:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.719
X-Spam-Level:
X-Spam-Status: No, score=-0.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ITkejrRaZM69 for <txauth@ietfa.amsl.com>; Thu, 19 Aug 2021 10:24:24 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp03.smtpout.orange.fr [80.12.242.125]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45E3A3A088F for <txauth@ietf.org>; Thu, 19 Aug 2021 10:24:23 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.88.110]) by mwinf5d06 with ME id jVQK2500D2Nqh1E03VQLKz; Thu, 19 Aug 2021 19:24:20 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Thu, 19 Aug 2021 19:24:20 +0200
X-ME-IP: 90.26.88.110
From: Denis <denis.ietf@free.fr>
To: "txauth@ietf.org" <txauth@ietf.org>
Message-ID: <fc61cf1c-d661-6403-479b-615bf86193a4@free.fr>
Date: Thu, 19 Aug 2021 19:24:19 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------38542D0ECE02F0A84E7ACF46"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/XDym9T5yvlWmZx_eQB6DjCGVUmw>
Subject: [GNAP] New I-D: draft-pinkas-gnap-core-protocol
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Aug 2021 17:24:29 -0000

Yaron (the chair of the GNAP WG) and myself have had a video conference 
call last week. At the end of this call, Yaron asked me if I could write
an I-D that would summarize the main concepts on how to support an 
Attribute Based Access Control (ABAC) mechanism. I have accepted.

Since during that call, I mentioned that the current description of the 
protocol was both insecure and not interoperable, I indicated
that I will provide a draft describing the main concepts on how to 
support both an Attribute Based Access Control (ABAC) mechanism
as well as a Capability Based Access Control (CBAC) mechanism, both in a 
secure and in an interoperable way.

The draft re-uses many portions of text that I have provided in the 
issues that I have posted on Github.

In order to understand the motivations of the proposal, here after is a 
quick analysis of draft-ietf-gnap-core-protocol-06.

The charter of the GNAP WG states, close to its end :

            "The initial work will focus on using HTTPS for 
communication between the client and the authorization server, (...)"

            See: https://datatracker.ietf.org/doc/charter-ietf-gnap/

Unfortunately, draft-ietf-gnap-core-protocol-06 does not mandate the use 
of HTTPS for communication between the client and the authorization server
and does not take advantage of the security properties obtained thanks 
to the use of HTTPS. This means that draft-ietf-gnap-core-protocol-06
does not comply with the GNAP charter.

Instead, draft-ietf-gnap-core-protocol-06 makes use of "client instance 
keys" between the client and the AS and is mute about the relationships
between a "client instance key" and an end-user. From oral explanations 
recently obtained from one of the co-editors, a "client instance key" is 
a key attached
to a device owned by an end-user. How the identity or an identifier of 
the end-user relates to a device is left undefined. If an end-user has 
four devices
(e.g. a laptop, a desktop, a smart phone and a tablet), he will need to 
register with the AS each of these four devices. This is done using 
"out-of-bands" means.
If he looses one of these four devices, he will need to revoke the 
client instance key associated with that device and then, if he has not 
taken one of the three
of other devices with him, he will need to register a new device (i.e. a 
new client instance key). Here again, this is done using "out-of-bands" 
means.
All that information is not present in draft-ietf-gnap-core-protocol-06 
and has only be inferred from the oral explanations provided by one of 
the co-editors.

Furthermore, the client indicates (i.e. claims) to the AS the 
identity/identifier of the end-user. However, since the AS has no way to 
know whether the client
software can be trusted, the AS cannot rely on that claimed information. 
This means that the client/AS protocol, as currently described, is insecure.

In draft-ietf-gnap-core-protocol-06, the client instance secures its 
requests to the AS and RS by presenting an access token, presenting 
proof of a key that it possesses,
or both an access token and key proof together. Such a protection is 
illusory, since a collaborative client is able to perform all the 
cryptographic computations that
another collaborative client needs to claim to be the "owner" of the 
access token. With the use of an Hardware Security Module (HSM), the 
same situation remains.
This means that the client/RS protocol, as currently described, is insecure.

Does the description that is present in draft-ietf-gnap-core-protocol-06 
allows to demonstrate that the protocol is secure? Unfortunately, the 
response to this question
is negative, since the "Security Considerations section" is nearly empty.

Does the description that is present in draft-ietf-gnap-core-protocol-06 
allows to interoperate ? Unfortunately, the response to this questions 
is also negative,
since the structure of the access tokens is left undefined. In 
particular, the verifications that a RS *SHALL* perform on the content 
of an access token to make sure
that it is valid are left undefined. Currently, GNAP is a framework, 
like OAuth 2.0 (RFC 6749) and OAuth 2.1 (draft-ietf-oauth-v2-1-01), and 
is not an interoperable protocol.

At the moment, draft-ietf-gnap-core-protocol-06 only supports "rights". 
In the security literature, this is a Capability based access control 
(CBAC) scheme.
Since a privilege is currently described as being a right and/or an 
attribute, an Attribute based access control (ABAC) scheme should also 
be supported.
This is not the case at the moment.

I have successfully submitted and posted to the IETF repository an 
Individual Submission of an I-D.

    Name:        draft-pinkas-gnap-core-protocol
    Revision:    00
    Title:           Grant Negotiation and Authorization Protocol
    Document date:    2021-08-19
    Group:         Individual Submission
    Pages:         33
    URL: 
https://www.ietf.org/archive/id/draft-pinkas-gnap-core-protocol-00.txt
    Status: 
https://datatracker.ietf.org/doc/draft-pinkas-gnap-core-protocol/
    Htmlized: 
https://datatracker.ietf.org/doc/html/draft-pinkas-gnap-core-protocol

*Abstract:*

       This protocol enables an Authorization Server (AS) to issue 
access  tokens to permit an end-user using a client software to perform
       operations on a protected resource hosted by a Resource Server 
(RS).  These access tokens allow to support capabilities and/or user
       attributes.

       The protocol includes means of specifying how the end-user can  
potentially be involved in an interactive fashion during the
       process.  The client and/or the RS will use these interaction 
mechanisms to involve the end-user, as necessary, to take decisions.

       The protocol uses HTTPS for all communications between the client 
and the AS, as well as between the client and the RS.


Being a version -00, this 33 pages document explains the main concepts 
but does not provide the details of the protocols. The document includes
a Trust Relationships section (1.5) and both a Security Considerations 
section (4) and a Privacy Considerations section (5).

The flow of operations for an access to a protected resource is 
illustrated in Figure 2, on page 26. The creation of RS user accounts is 
not illustrated
on this figure but is explained in the text before.

Denis