Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedback
Fabien Imbault <fabien.imbault@gmail.com> Wed, 21 October 2020 18:28 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5796A3A1224 for <txauth@ietfa.amsl.com>; Wed, 21 Oct 2020 11:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3XMjrR0a8FYM for <txauth@ietfa.amsl.com>; Wed, 21 Oct 2020 11:28:05 -0700 (PDT)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37C233A120A for <txauth@ietf.org>; Wed, 21 Oct 2020 11:28:05 -0700 (PDT)
Received: by mail-io1-xd35.google.com with SMTP id n6so4169259ioc.12 for <txauth@ietf.org>; Wed, 21 Oct 2020 11:28:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ZKaEiBSisgWt5ZwEHTP0z10AbTKYwvO9RLlbo/RoHOs=; b=HNKYYAFe/YDHXx0KWkytkNa16teWNfjWKYOlRSb4ZNFp67co8twCCfO19Gbj80waWz qqZm7kchXaP9DBHIX5t62raXlYL0pq71PzFiuBCpvjeJKUf8veDFIKA7rVPiPRRvWAnC PcIAtaC0Fn9sOmNcool3g4R8p6mQfwVwM+GYkDyII7uwpRDr/xWCFWfTOc8MWEq4lIb3 dwb43xUCOtbfxf2GbnbhGun+3HfxnjClM27Cv/cY4yU+gljoVs9x9lHRKMfzPbE4UjZI tyEDIVRuK7YX/66OWCcPSALwK2klvZdBpvPJOUs3xCcFfKtCoeMPqcSD36yv7F1bSCG+ 3PiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ZKaEiBSisgWt5ZwEHTP0z10AbTKYwvO9RLlbo/RoHOs=; b=g1kqLRCSLFBCppe6FaK7g92bCE4tZKjnEQbS865nZYjh17WR44e3khmi9Hki5UtYQV tj+bgrnPYKcqVNfzuanyCBEl/Z7DtbkXGG5N3UKU89vdXgCD/LXh7a4OwbKZnMMt7K2L XwCtKEqRfoDVmthXy9ZirSqNtsr/xSXNUWiTV8IjlzdW8SkPhdHnUb8HCMWcmHiMtmqe B8pEEJ/CiYu8vn5rXIcnr5FdRnptCYxSP1CngpwZ7U8eLY6dT03iCglIBe1MC2EMEd68 OH4/JeZiBIkM0QR8vEfiSW840mGzlP6Dy36gqQ1t63kRw7vN46c5g300QzlHbWl6hDzJ j1KQ==
X-Gm-Message-State: AOAM5305J16B/wTk5xS5HNg6araMSJb2WPTNKSEamQfp0ukfosVYw1xF jSgMLqSztE/b5cZPojiC+xLtNgZxm6qfznOfn+E=
X-Google-Smtp-Source: ABdhPJw0DfU8ftHvNi4h7pe39RaOV44zm/h38xr+haVwrQKb+l54MxPfFEUe/gYGm7yBO7TVvldDZBU7eXdqUcqluOc=
X-Received: by 2002:a6b:3f88:: with SMTP id m130mr3793406ioa.78.1603304884063; Wed, 21 Oct 2020 11:28:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-v7uUxBzMz6K_n=xpVAvnJY=GHe1iB7hBOBj4xxdbp0wg@mail.gmail.com> <CAM8feuTP=9+dDv5m2fMKru=DuLLbjv3AStkEWgwjdWCmrdpDzg@mail.gmail.com> <CAD9ie-uCC7uDrVCCuzWYgOf9WM=PBRgCh2+EmKVPr6MrramNBw@mail.gmail.com> <CAM8feuS=ZxFqf9X8usGQah778gYkufWjqzKfNYhPSYFB8xSBFw@mail.gmail.com> <CAD9ie-tBF4Ydz0kxXWmzEb+hkt+28UPeUMdRCFSiQfYQn4ciLg@mail.gmail.com>
In-Reply-To: <CAD9ie-tBF4Ydz0kxXWmzEb+hkt+28UPeUMdRCFSiQfYQn4ciLg@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Wed, 21 Oct 2020 20:27:50 +0200
Message-ID: <CAM8feuTt6o_R5u0s_p_UaKDqc_Va36aKL4-YB0bR7NgK09QhKw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000014d25305b23282c9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/YTvPKvZ1LXVNbcUipX7ffoTbJmE>
Subject: Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedback
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2020 18:28:08 -0000
Hi Dick, Regarding the identifier : I agree in principle, but "globally unique" is anything but trivial. Fabien Le mer. 21 oct. 2020 à 19:36, Dick Hardt <dick.hardt@gmail.com> a écrit : > Hi Fabien > > There *could* be value in GNAP creating yet-another-user-identifier if the > identifier was guaranteed to be globally unique -- a property not held by > "sub" in an ID Token. > > Using the SecEvent subject identifier draft for a client to share which > user the client *thinks* it has is useful -- that is what the draft was > intended for. In my opinion, querying for identifiers independent of what > is already defined in OpenID and other standards is a path for developer > misery. > > I don't think the hash provides any extra value if the redirect URL > provided by the client to the AS is unique to the transaction. It has no > value in a push back to the client, or a decoupled interaction -- both of > which are susceptible to session fixation / phishing attacks. > > ᐧ > > On Wed, Oct 21, 2020 at 1:16 AM Fabien Imbault <fabien.imbault@gmail.com> > wrote: > >> Thanks Dick, it clarifies a few points. In the core of your email, I >> focus on 2 items : sub_ids and hash. >> >> Beyond that we will also need a further description of the >> possibilities/tradeoffs in section 8, to clarify for everyone (not included >> here, but will be useful). >> >> There are quite a few places where practical implementations could help >> us decide, beyond theorical arguments. >> >> Fabien >> >> Le mar. 20 oct. 2020 à 19:45, Dick Hardt <dick.hardt@gmail.com> a écrit : >> >>> Responses inline with sections without comments deleted ... >>> >>> On Tue, Oct 20, 2020 at 2:40 AM Fabien Imbault <fabien.imbault@gmail.com> >>> wrote: >>> >>>> Hi >>>> >>>> Some comments marked with FI. >>>> >>>> Fabien >>>> >>>> Le mar. 20 oct. 2020 à 05:27, Dick Hardt <dick.hardt@gmail.com> a >>>> écrit : >>>> >>>>> *Previous Feedback* >>>>> The following items were discussed in the design team, but did not >>>>> make it into the draft for WG discussion. A concern I have with many of the >>>>> editor notes (which I point out) is that they are heavily biased by >>>>> Justin's vision and misrepresent the options. >>>>> >>>> >>>> FI : I'm sure we can get past hard feelings and focus on the core of >>>> the concerns. The editor's notes do their best to point where discussion >>>> should happen. If some of them need further clarification, we can certainly >>>> do that. >>>> >>> >>> While I am disappointed that the design team did not decide on the best >>> features or XYZ and XAuth, and instead started with the XYZ doc, I was not >>> trying to express any hard feelings! >>> >>> Reading the draft, Justin clearly has a bias to using HTTP Signing >>> rather than a self contained JOSE token. >>> His comments (as noted below) on 8.2 misrepresent, and do not call out >>> the advantage over all the other mechanisms of being self contained. >>> >>> Except for at the bottom, these are points for discussion that I brought >>> up in the design team that did not make it into the draft for discussion. >>> >>> >>>>> *2.3.1 *Do we need to support symmetric keys? Most OAuth clients >>>>> support a secret, not a key. >>>>> >>>> >>>> FI : it's difficult to assume people with use public key cryptography >>>> for everything. Seems to me the text is clear enough on what this implies. >>>> >>> >>> We are requiring HTTPS -- so the client has support for asymmetric >>> crypto. My point is that the editor notes should bring up this question, >>> which I asked in the design team. >>> >> >>> >>>> >>>>> *2.4.1* identifying the user >>>>> this identifier would be useful if it had properties that other opaque >>>>> identifiers did not have: being globally unique. A reason developers have >>>>> used the email in ID Tokens was that it was a globally unique string in >>>>> contrast to the tuple of "iss" and "sub" in the ID Token which was much >>>>> more complicated to add and work with in a DB. Otherwise, we are creating >>>>> yet another user identifier. >>>>> >>>> >>>> FI : OK but how would you make this a global identifier? Seems close to >>>> what DIF Keri is looking for (although I find the way they're doing it is >>>> overly/unnecessarily complex). >>>> >>> >>> Lots of options. No requirement to specify how the identifier is ensured >>> to be unique as it should be opaque to the client. It could be a URI that >>> starts with the AS URI, or a UUID. >>> >>> My point is that a note on this option should be in the draft. >>> >> >> FI : so the minimal requirement on which we agree is to have an opaque >> identifier. So typically this would be unique for the AS and transmitted >> through a user_handle (already in the spec). The client could make its own >> local mapping if it already knows something about the user. >> >> To know more about the user, it is possible to : >> - use a verifiable identity layer such as OIDC or equivalent >> - (TBD) use sub_ids, based on the information already locally available >> at the AS (with the limitations mentioned previously) ; or maybe we could >> use an alternative/complementary design. For instance a more explicit json >> on what is transmitted, or carry a correlation ID given by the client, or >> etc. >> >> >> >>> >>> >>>> Would that replace sub_ids? >>>> >>> >>> yes >>> >>> >>>> >>>>> *3.* The URI can be stable, and the access token is potentially >>>>> superfluous. As the client is authenticating with the same key in all >>>>> subsequent requests, rotation of the URI or access token may be >>>>> superfluous. Having an access token for the AS seems that is used while >>>>> authenticating vs the typical access token for an RS seems very confusing >>>>> to a developer. >>>>> >>>> >>>> FI : why would that be confusing? >>>> >>> >>> Because developers don't use access tokens when accessing an OAuth AS or >>> an OIDC OP? >>> >> >>> >>>> >>>>> Additionally, putting the access token for calls to the AS in the HTTP >>>>> Authorization header precludes using the HTTP Authorization header for >>>>> client authentication in 8. >>>>> >>>> >>>> FI : that's one of the choices we need to make. But that doesn't mean >>>> what is proposed is worse, it's just a different design with different >>>> tradeoffs. This requires a complete discussion on section 8 (which already >>>> occurred in the small group, but Justin will be able to comment). >>>> >>> >>> Agreed. I had asked for this to be called out as a discussion point in >>> the editor notes. It was not. >>> >>> >>>> >>>>> *4.4.2 *This functionality looks like a WebHook, and perhaps belongs >>>>> in the API between the client and the AS rather than an interaction that >>>>> involves the user. Also, this functionality provides no protection to >>>>> session fixation. The interaction reference has no value. >>>>> >>>>> *4.4.3 *While it is good to see an editor's note that a unique >>>>> callback URL could be used, the statement "but it would not prevent an >>>>> attacker from injecting an unrelated interaction reference into this >>>>> channel." is misleading. This would only happen if the client did not >>>>> ensure it is the same user, as that would be linked to the correct URL. >>>>> Similarly, the interaction reference does not provide protection if the >>>>> client does not ensure it is the same user. >>>>> Using a unique callback URL would be much simpler, and appears to >>>>> provide the same protection as the interaction reference and the hashing. >>>>> >>>> >>>> FI : having to rely on the client only to ensure it is the same user is >>>> precisely what you want to avoid. Hence the hashing. >>>> >>> >>> The hashing does not protect against session fixation if the client does >>> not ensure it has the same user before and after the redirect. >>> >>> For example, if the user has a decoupled interaction such as scanning a >>> QR code on their PC with their phone, the client cannot ensure it is the >>> same user coming back. An attacker can trick a user into clicking on the >>> decoupled URL that the attacker obtained from the AS. The hashing does not >>> protect against this. >>> >> >> FI : good point. We certainly need to handle that case correctly. We >> should note that to make sure we don't forget. >> That said, this comes as an additional requirement for some decoupled >> interaction modes, not as a replacement of the entire scheme. >> >>> >>> /Dick >>> ᐧ >>> >>
- [GNAP] draft-ietf-gnap-core-protocol-00 feedback Dick Hardt
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Fabien Imbault
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Dick Hardt
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Fabien Imbault
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Dick Hardt
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Fabien Imbault
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Justin Richer
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Dick Hardt