Re: [GNAP] RS Draft Updates

Justin Richer <jricher@mit.edu> Wed, 18 October 2023 23:11 UTC

From: Justin Richer <jricher@mit.edu>
To: GNAP Mailing List <txauth@ietf.org>
Date: Wed, 18 Oct 2023 23:10:49 +0000
Message-ID: <94382C35-A8FB-4E2D-B19F-CFB9757C7097@mit.edu>
References: <C2664588-A1E8-409B-A3D8-129AF3965A1B@mit.edu>
In-Reply-To: <C2664588-A1E8-409B-A3D8-129AF3965A1B@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/XVP05T8hMDka3Tt76HiUFlUxr3U>

Hi WG,

A couple more updates:

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/76 - security and privacy considerations

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/77 - updated intro and abstract

These, along with a couple small changes to the PRs below, should cover just about all the open issues.

Additionally, there are some PRs on the core document:

https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/514 - add a security consideration as discussed at OSW

https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/515 - update the intro on the extensibility section to make it more clear

Please review and comment either on the list or in GitHub.

The goal is to publish updated drafts for both RS and core by Monday’s deadline, if possible.

 — Justin

On Oct 17, 2023, at 1:05 PM, Justin Richer <jricher@mit.edu> wrote:

Hi WG,

We’ve been working through the issues filed against the RS draft ahead of the Prague meeting. As you’ve probably seen on the summary, there are a number of PRs to update text. Most of these address existing issues:

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/65 - adds token format references

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/66 - updates IANA considerations sections based on other feedback

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/70 - during token derivation, require that the token being presented is applicable to the RS presenting it (built-in introspection, essentially)

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/71 - list token formats supported during resource set registration

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/72 - be more clear about token introspection responsibilities and expectations for the AS

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/73 - update the RS-facing discovery document to match the format of core

Additionally, there are a couple new features and clarifications that didn’t have issues filed but we fixed along the way:

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/69 - add the “token management token” to the token model under the classes of special tokens, like the continuation access token

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/74 - this small change allows an AS to use a key-bound GNAP access token to protect calls to the RS-facing API. This API already requires authentication by the RS, so this is just an additional option where it makes sense for an AS to use it. This feature is reminiscent of an UMA feature from the distributed authorization specification, which utilized a construct known as the protection API access token (PAT).

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/75 - adds the “end user” as an entity to the token model, particularly in cases where the end user and RO are different and it’s important for the system to know about that difference. This does not map directly to an existing JWT field at this time.

We’re still working on the expanded security considerations as discussed in the wake of discussions at OSW and during the reviews, as well as some editorial rewrites for the intro and abstract. Once this is done and the above PRs are incorporated, we believe the document will be ready for WGLC. Please review the above text changes, as the editors would like to publish a new document ahead of Prague — the cutoff date for new drafts is this coming Monday.

 — Justin
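An added example (not code from the GNAP drafts or the PRs above) of the check PR 70 describes: at the AS, a token-derivation request from an RS is honoured only if the presented token is active, unexpired and actually applicable to the requesting RS, and the derived rights are narrowed to that applicable subset. The token store, RS registry and record fields (access, exp, locations) are constructed stand-ins that loosely follow GNAP's access-rights vocabulary; they are assumptions, not the spec's data model.

```python
from dataclasses import dataclass
@dataclass
class TokenRecord:
    value: str
    active: bool
    access: list   # GNAP-style access rights: reference strings or objects with "locations"
    exp: int       # expiry, Unix seconds

@dataclass
class ResourceServer:
    key_id: str    # key the RS authenticated the derivation request with (assumed registry key)
    resources: set # resource reference strings this RS is registered for
    locations: set # URI prefixes this RS serves

NOW = 1_700_000_000  # fixed clock so the example is deterministic (constructed)

# Constructed sample data, not real tokens or servers.
PHOTO_RIGHT = {"type": "photo", "locations": ["https://photos.example/"], "actions": ["read"]}
MAIL_RIGHT = {"type": "mail", "locations": ["https://mail.example/"], "actions": ["read"]}
TOKENS = {
    "tok-photos": TokenRecord("tok-photos", True, ["photo-api", PHOTO_RIGHT, MAIL_RIGHT], NOW + 600),
    "tok-expired": TokenRecord("tok-expired", True, ["photo-api"], NOW - 1),
}
RS_REGISTRY = {
    "rs-photos-key": ResourceServer("rs-photos-key", {"photo-api"}, {"https://photos.example/"}),
    "rs-calendar-key": ResourceServer("rs-calendar-key", {"calendar-api"}, {"https://cal.example/"}),
}

def right_applies(right, rs):
    """True if one access right (reference string or rights object) covers this RS."""
    if isinstance(right, str):
        return right in rs.resources
    return any(loc.startswith(prefix) for loc in right.get("locations", []) for prefix in rs.locations)

def derive_token(token_value, rs_key_id, now=NOW):
    """AS-side derivation check: returns (derived_access, reason); derived_access is None on refusal."""
    rs = RS_REGISTRY.get(rs_key_id)
    if rs is None:
        return None, "unknown_rs"
    # The "built-in introspection": active, unexpired, and applicable to the presenting RS.
    tok = TOKENS.get(token_value)
    if tok is None or not tok.active:
        return None, "inactive_token"
    if tok.exp <= now:
        return None, "expired_token"
    # Least privilege: the derived token carries only the rights that apply to this RS.
    applicable = [r for r in tok.access if right_applies(r, rs)]
    if not applicable:
        return None, "token_not_applicable_to_rs"
    return applicable, "ok"
```

The mail right in tok-photos is dropped from the derived rights because the photos RS does not serve that location, which is the narrowing an RS-presented token should get.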