IETF Logo Mail Archive

Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedback

Fabien Imbault <fabien.imbault@gmail.com> Wed, 21 October 2020 18:28 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5796A3A1224 for <txauth@ietfa.amsl.com>; Wed, 21 Oct 2020 11:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3XMjrR0a8FYM for <txauth@ietfa.amsl.com>; Wed, 21 Oct 2020 11:28:05 -0700 (PDT)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37C233A120A for <txauth@ietf.org>; Wed, 21 Oct 2020 11:28:05 -0700 (PDT)
Received: by mail-io1-xd35.google.com with SMTP id n6so4169259ioc.12 for <txauth@ietf.org>; Wed, 21 Oct 2020 11:28:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ZKaEiBSisgWt5ZwEHTP0z10AbTKYwvO9RLlbo/RoHOs=; b=HNKYYAFe/YDHXx0KWkytkNa16teWNfjWKYOlRSb4ZNFp67co8twCCfO19Gbj80waWz qqZm7kchXaP9DBHIX5t62raXlYL0pq71PzFiuBCpvjeJKUf8veDFIKA7rVPiPRRvWAnC PcIAtaC0Fn9sOmNcool3g4R8p6mQfwVwM+GYkDyII7uwpRDr/xWCFWfTOc8MWEq4lIb3 dwb43xUCOtbfxf2GbnbhGun+3HfxnjClM27Cv/cY4yU+gljoVs9x9lHRKMfzPbE4UjZI tyEDIVRuK7YX/66OWCcPSALwK2klvZdBpvPJOUs3xCcFfKtCoeMPqcSD36yv7F1bSCG+ 3PiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ZKaEiBSisgWt5ZwEHTP0z10AbTKYwvO9RLlbo/RoHOs=; b=g1kqLRCSLFBCppe6FaK7g92bCE4tZKjnEQbS865nZYjh17WR44e3khmi9Hki5UtYQV tj+bgrnPYKcqVNfzuanyCBEl/Z7DtbkXGG5N3UKU89vdXgCD/LXh7a4OwbKZnMMt7K2L XwCtKEqRfoDVmthXy9ZirSqNtsr/xSXNUWiTV8IjlzdW8SkPhdHnUb8HCMWcmHiMtmqe B8pEEJ/CiYu8vn5rXIcnr5FdRnptCYxSP1CngpwZ7U8eLY6dT03iCglIBe1MC2EMEd68 OH4/JeZiBIkM0QR8vEfiSW840mGzlP6Dy36gqQ1t63kRw7vN46c5g300QzlHbWl6hDzJ j1KQ==
X-Gm-Message-State: AOAM5305J16B/wTk5xS5HNg6araMSJb2WPTNKSEamQfp0ukfosVYw1xF jSgMLqSztE/b5cZPojiC+xLtNgZxm6qfznOfn+E=
X-Google-Smtp-Source: ABdhPJw0DfU8ftHvNi4h7pe39RaOV44zm/h38xr+haVwrQKb+l54MxPfFEUe/gYGm7yBO7TVvldDZBU7eXdqUcqluOc=
X-Received: by 2002:a6b:3f88:: with SMTP id m130mr3793406ioa.78.1603304884063; Wed, 21 Oct 2020 11:28:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-v7uUxBzMz6K_n=xpVAvnJY=GHe1iB7hBOBj4xxdbp0wg@mail.gmail.com> <CAM8feuTP=9+dDv5m2fMKru=DuLLbjv3AStkEWgwjdWCmrdpDzg@mail.gmail.com> <CAD9ie-uCC7uDrVCCuzWYgOf9WM=PBRgCh2+EmKVPr6MrramNBw@mail.gmail.com> <CAM8feuS=ZxFqf9X8usGQah778gYkufWjqzKfNYhPSYFB8xSBFw@mail.gmail.com> <CAD9ie-tBF4Ydz0kxXWmzEb+hkt+28UPeUMdRCFSiQfYQn4ciLg@mail.gmail.com>
In-Reply-To: <CAD9ie-tBF4Ydz0kxXWmzEb+hkt+28UPeUMdRCFSiQfYQn4ciLg@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Wed, 21 Oct 2020 20:27:50 +0200
Message-ID: <CAM8feuTt6o_R5u0s_p_UaKDqc_Va36aKL4-YB0bR7NgK09QhKw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000014d25305b23282c9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/YTvPKvZ1LXVNbcUipX7ffoTbJmE>
Subject: Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedback
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2020 18:28:08 -0000

Hi Dick,

Regarding the identifier : I agree in principle, but "globally unique" is
anything but trivial.

Fabien

Le mer. 21 oct. 2020 à 19:36, Dick Hardt <dick.hardt@gmail.com> a écrit :

> Hi Fabien
>
> There *could* be value in GNAP creating yet-another-user-identifier if the
> identifier was guaranteed to be globally unique -- a property not held by
> "sub" in an ID Token.
>
> Using the SecEvent subject identifier draft for a client to share which
> user the client *thinks* it has is useful -- that is what the draft was
> intended for. In my opinion, querying for identifiers independent of what
> is already defined in OpenID and other standards is a path for developer
> misery.
>
> I don't think the hash provides any extra value if the redirect URL
> provided by the client to the AS is unique to the transaction. It has no
> value in a push back to the client, or a decoupled interaction -- both of
> which are susceptible to session fixation / phishing attacks.
>
> ᐧ
>
> On Wed, Oct 21, 2020 at 1:16 AM Fabien Imbault <fabien.imbault@gmail.com>
> wrote:
>
>> Thanks Dick, it clarifies a few points. In the core of your email, I
>> focus on 2 items : sub_ids and hash.
>>
>> Beyond that we will also need a further description of the
>> possibilities/tradeoffs in section 8, to clarify for everyone (not included
>> here, but will be useful).
>>
>> There are quite a few places where practical implementations could help
>> us decide, beyond theorical arguments.
>>
>> Fabien
>>
>> Le mar. 20 oct. 2020 à 19:45, Dick Hardt <dick.hardt@gmail.com> a écrit :
>>
>>> Responses inline with sections without comments deleted ...
>>>
>>> On Tue, Oct 20, 2020 at 2:40 AM Fabien Imbault <fabien.imbault@gmail.com>
>>> wrote:
>>>
>>>> Hi
>>>>
>>>> Some comments marked with FI.
>>>>
>>>> Fabien
>>>>
>>>> Le mar. 20 oct. 2020 à 05:27, Dick Hardt <dick.hardt@gmail.com> a
>>>> écrit :
>>>>
>>>>> *Previous Feedback*
>>>>> The following items were discussed in the design team, but did not
>>>>> make it into the draft for WG discussion. A concern I have with many of the
>>>>> editor notes (which I point out) is that they are heavily biased by
>>>>> Justin's vision and misrepresent the options.
>>>>>
>>>>
>>>> FI : I'm sure we can get past hard feelings and focus on the core of
>>>> the concerns. The editor's notes do their best to point where discussion
>>>> should happen. If some of them need further clarification, we can certainly
>>>> do that.
>>>>
>>>
>>> While I am disappointed that the design team did not decide on the best
>>> features or XYZ and XAuth, and instead started with the XYZ doc, I was not
>>> trying to express any hard feelings!
>>>
>>> Reading the draft, Justin clearly has a bias to using HTTP Signing
>>> rather than a self contained JOSE token.
>>> His comments (as noted below) on 8.2 misrepresent, and do not call out
>>> the advantage over all the other mechanisms of being self contained.
>>>
>>> Except for at the bottom, these are points for discussion that I brought
>>> up in the design team that did not make it into the draft for discussion.
>>>
>>>
>>>>> *2.3.1 *Do we need to support symmetric keys? Most OAuth clients
>>>>> support a secret, not a key.
>>>>>
>>>>
>>>> FI : it's difficult to assume people with use public key cryptography
>>>> for everything. Seems to me the text is clear enough on what this implies.
>>>>
>>>
>>> We are requiring HTTPS -- so the client has support for asymmetric
>>> crypto. My point is that the editor notes should bring up this question,
>>> which I asked in the design team.
>>>
>>
>>>
>>>>
>>>>> *2.4.1* identifying the user
>>>>> this identifier would be useful if it had properties that other opaque
>>>>> identifiers did not have: being globally unique. A reason developers have
>>>>> used the email in ID Tokens was that it was a globally unique string in
>>>>> contrast to the tuple of "iss" and "sub" in the ID Token which was much
>>>>> more complicated to add and work with in a DB. Otherwise, we are creating
>>>>> yet another user identifier.
>>>>>
>>>>
>>>> FI : OK but how would you make this a global identifier? Seems close to
>>>> what DIF Keri is looking for (although I find the way they're doing it is
>>>> overly/unnecessarily complex).
>>>>
>>>
>>> Lots of options. No requirement to specify how the identifier is ensured
>>> to be unique as it should be opaque to the client. It could be a URI that
>>> starts with the AS URI, or a UUID.
>>>
>>> My point is that a note on this option should be in the draft.
>>>
>>
>> FI : so the minimal requirement on which we agree is to have an opaque
>> identifier. So typically this would be unique for the AS and transmitted
>> through a user_handle (already in the spec). The client could make its own
>> local mapping if it already knows something about the user.
>>
>> To know more about the user, it is possible to :
>> - use a verifiable identity layer such as OIDC or equivalent
>> - (TBD) use sub_ids, based on the information already locally available
>> at the AS (with the limitations mentioned previously) ; or maybe we could
>> use an alternative/complementary design. For instance a more explicit json
>> on what is transmitted, or carry a correlation ID given by the client, or
>> etc.
>>
>>
>>
>>>
>>>
>>>> Would that replace sub_ids?
>>>>
>>>
>>> yes
>>>
>>>
>>>>
>>>>> *3.* The URI can be stable, and the access token is potentially
>>>>> superfluous. As the client is authenticating with the same key in all
>>>>> subsequent requests, rotation of the URI or access token may be
>>>>> superfluous. Having an access token for the AS seems that is used while
>>>>> authenticating vs the typical access token for an RS seems very confusing
>>>>> to a developer.
>>>>>
>>>>
>>>> FI : why would that be confusing?
>>>>
>>>
>>> Because developers don't use access tokens when accessing an OAuth AS or
>>> an OIDC OP?
>>>
>>
>>>
>>>>
>>>>> Additionally, putting the access token for calls to the AS in the HTTP
>>>>> Authorization header precludes using the HTTP Authorization header for
>>>>> client authentication in 8.
>>>>>
>>>>
>>>> FI : that's one of the choices we need to make. But that doesn't mean
>>>> what is proposed is worse, it's just a different design with different
>>>> tradeoffs. This requires a complete discussion on section 8 (which already
>>>> occurred in the small group, but Justin will be able to comment).
>>>>
>>>
>>> Agreed. I had asked for this to be called out as a discussion point in
>>> the editor notes. It was not.
>>>
>>>
>>>>
>>>>> *4.4.2 *This functionality looks like a WebHook, and perhaps belongs
>>>>> in the API between the client and the AS rather than an interaction that
>>>>> involves the user. Also, this functionality provides no protection to
>>>>> session fixation. The interaction reference has no value.
>>>>>
>>>>> *4.4.3 *While it is good to see an editor's note that a unique
>>>>> callback URL could be used, the statement "but it would not prevent an
>>>>> attacker from injecting an unrelated interaction reference into this
>>>>> channel." is misleading. This would only happen if the client did not
>>>>> ensure it is the same user, as that would be linked to the correct URL.
>>>>> Similarly, the interaction reference does not provide protection if the
>>>>> client does not ensure it is the same user.
>>>>> Using a unique callback URL would be much simpler, and appears to
>>>>> provide the same protection as the interaction reference and the hashing.
>>>>>
>>>>
>>>> FI : having to rely on the client only to ensure it is the same user is
>>>> precisely what you want to avoid. Hence the hashing.
>>>>
>>>
>>> The hashing does not protect against session fixation if the client does
>>> not ensure it has the same user before and after the redirect.
>>>
>>> For example, if the user has a decoupled interaction such as scanning a
>>> QR code on their PC with their phone, the client cannot ensure it is the
>>> same user coming back. An attacker can trick a user into clicking on the
>>> decoupled URL that the attacker obtained from the AS. The hashing does not
>>> protect against this.
>>>
>>
>> FI : good point. We certainly need to handle that case correctly. We
>> should note that to make sure we don't forget.
>> That said, this comes as an additional requirement for some decoupled
>> interaction modes, not as a replacement of the entire scheme.
>>
>>>
>>> /Dick
>>> ᐧ
>>>
>>

v2.23.0 | Report a Bug | By Email