Re: [Txauth] Call for charter consensus - TxAuth WG
Vittorio Bertocci <vittorio.bertocci@auth0.com> Fri, 20 March 2020 07:48 UTC
Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 950163A167A for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 00:48:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AAiB7_zrCVu8 for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 00:48:05 -0700 (PDT)
Received: from mail-vs1-xe2c.google.com (mail-vs1-xe2c.google.com [IPv6:2607:f8b0:4864:20::e2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A5523A1101 for <txauth@ietf.org>; Fri, 20 Mar 2020 00:47:54 -0700 (PDT)
Received: by mail-vs1-xe2c.google.com with SMTP id m25so3423240vsa.7 for <txauth@ietf.org>; Fri, 20 Mar 2020 00:47:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=09kqINZbNgaJ08f1ylme8IxsTsiLQ9eM83h3/Iwxtpg=; b=WtQB3c7DQouaUdwt0GkTwj343TWfXe925afx93VCB6iPV9dwfqTw9CjVMGuJNiTXo7 OwjlLxKznyDy8fITBol6D/KAwnrR54Mk8IG73CAlN6Svk++PD2J8nf4FMcVtlXM9nRNG 6BvqNJEoUbubpV7wdVGqo6twspylAM2rBirgQkBjaB0JE/drvJa6VY0T0Yz/kJk8ntPF WKW9MSNd7l5e/r9USSdYZJZTmCexJuItZ0U+898VqNqY9LxMCLoBCZtEFaScS5vVOCP6 tc2rCa0juRp+EAMfcjQ6aNE1q2U5v0kB+r2wiQKI8XDiMZMDXP2p0ZOI/x6IGkQx78nq 3C3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=09kqINZbNgaJ08f1ylme8IxsTsiLQ9eM83h3/Iwxtpg=; b=Jx0bn/HIuu7xuTvdKfdNqKvT+zqXoHhhl+ckHZ5YIRc8EJEeVQc04cnNn15aWIZ+cD mgP+wkDIjhxfRprzOBNZQTymqHBnOLuYXWZXwP8FuUCwLDj1qB0d0zx/wlOV2leboO3a Td8M5s4H9WhjvJEDWT61iGOGGzbYOCazItotRP34hCBRa3H2iodEEodnM87v5JfNNRjn erX3rykYupd1ySVOwrp1Jbb6L5gvDuSA98frCn9wRZtBN7ftIZT6Nqd6zIZ/UZnfSviR +t4oyhiHcIkRGQ27irGx4nJYYCTiYzabqMbehqr7uUBAja412BhRWzqv28yyAuD5y6uJ Vq5g==
X-Gm-Message-State: ANhLgQ3H8mtpNLq6j5V0w7dOMivxak0OOy33g4yuprCv/gmVU0VQ1UwG +3XM3s2yCaycTnGZHIt9jyN6ksr9cbz2ge9/PP23yA==
X-Google-Smtp-Source: ADFU+vtkriXjLLYs6t96RlsgpdxUeWhwG7rnnWCA+LM7wFsKw9rc+hxjg1mXEgzup1Kgt7z7P5E3lL5IvUnMcZ+BRRs=
X-Received: by 2002:a05:6102:2086:: with SMTP id h6mr4226794vsr.134.1584690472702; Fri, 20 Mar 2020 00:47:52 -0700 (PDT)
MIME-Version: 1.0
References: <MN2PR00MB0686B5459E642FE6E65686F7F5F60@MN2PR00MB0686.namprd00.prod.outlook.com> <CABzCy2DGw5tcFgiwqzZgZKvXEaBbg0_sGD6xtdVdopfkyDhaxw@mail.gmail.com>
In-Reply-To: <CABzCy2DGw5tcFgiwqzZgZKvXEaBbg0_sGD6xtdVdopfkyDhaxw@mail.gmail.com>
Reply-To: Vittorio@auth0.com
From: Vittorio Bertocci <vittorio.bertocci@auth0.com>
Date: Fri, 20 Mar 2020 00:47:41 -0700
Message-ID: <CAO_FVe5_4HiPzzTPtf+=yf17d9cVkyY5qC=+2d35i0zbUob-4w@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, Yaron Sheffer <yaronf.ietf@gmail.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, "txauth@ietf.org" <txauth@ietf.org>, Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="000000000000b4700a05a14480a9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/ZzvnjTwU2tnYhDbcooLl3_D6qv8>
Subject: Re: [Txauth] Call for charter consensus - TxAuth WG
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 07:48:15 -0000
I like the direction this is going. Besides agreeing with the proposed layering and with the importance of fleshing out the RS-AS discourse and access control, which probably doesn't come as a surprise given my interest in the JWT AT profile; I feel that focusing on this aspect, rather that areas like identity which already have a known, viable solution, will make it easier to "market" TxAuth to the non initiated. A lot of the improvements being proposed these days are better ways of implementing what to the untrained eye might look like the same scenarios being tackled by existing protocols- and given that most of the non identity experts use SDKs, they might just not see much difference. Given better guidance on the access control aspect would provide a valueprop that would be easy to see to the non expert, too. On Thu, Mar 19, 2020 at 11:21 PM Nat Sakimura <sakimura@gmail.com> wrote: > I thought I should keep my mouth shut as anything I say may be deemed > biased as my other hat is the chairman of OIDF, but here is my 2c. > > As Torsten indicated, there is much to be desired to standardize the AS - > RS communication patterns. You may say that the charter includes it, but I > cannot read it out of the charter just like Torsten could not. As a new > protocol, it would be good to include it. > > In this respect, I am not sure if we should start off from OAuth 2.0 and > OIDC model. If we are creating a new protocol, I feel that we should > architect is more fully. Not mentioning AS - RS relationship to me feels > like an indication of this failure. For that matter, I feel that the first > output of the group should be an architecture document that takes the > concerns from all the relevant stakeholders/actors in. > > We should also be cognizant of the access control models like ABAC. For > that, decoupling of identity (= set of claims) assertion and authorization > is a necessity. We could optimize it but the base case should take care of > it. (In this respect, I am feeling that OIDC has perhaps over-optimized.) > So, I feel that at least as the first step, TxAuth should concentre on the > Access Control. If I were to go one step further, it should be modelled so > that it can consume various identity assertions (authenticated identity in > ISO/IEC 24760 speak) including ID Token, SAML Assertion, DID Verifiable > Credentials, X.509 certificates (such as in eIDAS and Japanese National ID > scheme) etc. We are not going to get to a unified identity world anytime > soon. > > Cheers, > > Nat Sakimura > > > On Wed, Mar 18, 2020 at 7:06 AM Mike Jones <Michael.Jones= > 40microsoft.com@dmarc.ietf.org> wrote: > >> I believe it's significant that four people have expressed concerns with >> including digital identity in the charter (the only concerns voiced as far >> as I can tell). At a minimum, I believe that that warrants making the >> inclusion or exclusion of digital identity a discussion topic during the >> upcoming virtual BoF, before adopting any charter. >> >> It would be my proposal to initially charter without digital identity and >> see how far we get with our energies intentionally focused in that way. If >> the working group decides to recharter to include digital identity, that >> can always happen later, after the authorization-focused work has matured, >> and once there's a clear case to actually do so. >> >> -- Mike >> >> -----Original Message----- >> From: Justin Richer <jricher@mit.edu> >> Sent: Tuesday, March 17, 2020 2:20 PM >> To: Mike Jones <Michael.Jones@microsoft.com> >> Cc: Yaron Sheffer <yaronf.ietf@gmail.com>; Torsten Lodderstedt < >> torsten@lodderstedt.net>; txauth@ietf.org >> Subject: Re: [Txauth] Call for charter consensus - TxAuth WG >> >> While I understand the concerns around identity in the charter, and I had >> initially not included it, I was convinced that the kind of identity >> protocol that we’re looking at here is a minor addition to the >> authorization and delegation end of things. >> >> As you know, much of what’s in OIDC is there to fix problems with OAuth 2 >> when it’s used for identity. If OAuth 2 had solved those problems >> internally, then OIDC would be much, much simpler and smaller. We’re now >> starting at a base where those problems don’t exist, but we don’t yet know >> what other problems there might be. >> >> The market has shown us that the most common application of OAuth 2 is >> far and away access to identity information along side access to an API. I >> think we need to pay attention to that and not make this separate just >> because we did it that way before. And some of the proposed innovations, >> including getting and sending VC’s, are all about identity. >> >> Furthermore, this charter does not specify the document and specification >> structure of the components, nor does it specify the publication order or >> timing of any documents. I personally think that the identity layer should >> be separable to an extent, to the point of publishing that layer in its own >> spec alongside the core authorization delegation system. However, that does >> not mean that it should be developed elsewhere. >> >> If there is better language to tighten the aspects of an identity >> protocol that we will explicitly cover, then I would welcome you to suggest >> an amended text to the charter. However, I believe there is enough interest >> within the community to work on identity in the context of this protocol, >> including a large number of people being OK with it in the charter, that it >> would not be a reasonable thing to remove it. >> >> — Justin >> >> > On Mar 17, 2020, at 1:12 PM, Mike Jones <Michael.Jones= >> 40microsoft.com@dmarc.ietf.org> wrote: >> > >> > 1. Do you support the charter text provided at the end of this email? >> Or do you have major objections, blocking concerns or feedback (if so >> please elaborate)? >> > >> > I share the concerns about including identity in the charter that were >> expressed by Torsten and agreed with by David Skaife. I'll note that Kim >> Cameron previously expressed concerns about including identity in his >> earlier charter critique at >> https://mailarchive.ietf.org/arch/msg/txauth/uL92O_Vk5m38DcacXSnshX2CahE/ >> . >> > >> > I'm fine with refactoring the authorization protocol. But identity >> should be decoupled from the TxAuth work to focus its scope on areas where >> innovation is being proposed. Digital identity can always be added as a >> layer if needed, just as OpenID Connect layered identity onto OAuth 2.0. >> > >> > Please revise the charter to remove digital identity from the scope of >> the work. >> > >> > 2. Are you willing to author or participate in the development of the >> drafts of this WG? >> > >> > Yes >> > >> > 3. Are you willing to help review the drafts of this WG? >> > >> > Yes >> > >> > 4. Are you interested in implementing drafts of this WG? >> > >> > Not at this time. >> > >> > -- Mike >> > >> > -----Original Message----- >> > From: Txauth <txauth-bounces@ietf.org> On Behalf Of Torsten Lodderstedt >> > Sent: Saturday, March 7, 2020 7:18 AM >> > To: Yaron Sheffer <yaronf.ietf@gmail.com> >> > Cc: txauth@ietf.org >> > Subject: [EXTERNAL] Re: [Txauth] Call for charter consensus - TxAuth WG >> > >> > Hi, >> > >> >> Am 06.03.2020 um 17:45 schrieb Yaron Sheffer <yaronf.ietf@gmail.com>: >> >> >> >> Hi Everyone, >> >> >> >> It appears that momentum is forming around the proposed formation of a >> TxAuth working group. We’d like to more formally gauge interest in >> proceeding with this work. Please do so by responding to the following >> questions: >> >> >> >> 1. Do you support the charter text provided at the end of this >> email? Or do you have major objections, blocking concerns or feedback (if >> so please elaborate)? >> > >> > I‘m in although I have to admit I‘m slightly concerned the scope of the >> charter is too broad, e.g. identify alone is a huge topic.. >> > >> > We need to keep an eye on this aspect in order to make sure, the group >> is able to work effectively and the specs we will be producing are as >> simple as possible and foster interoperability. >> > >> >> >> >> 2. Are you willing to author or participate in the development of the >> drafts of this WG? >> > >> > yes >> > >> >> >> >> 3. Are you willing to help review the drafts of this WG? >> > >> > yes >> > >> >> >> >> 4. Are you interested in implementing drafts of this WG? >> > >> > yes >> > >> > best regards, >> > Torsten. >> > >> >> >> >> The call will run for two weeks, until March 21. If you think that the >> charter should be amended In a significant way, please reply on a separate >> thread. >> >> >> >> The feedback provided here will help the IESG come to a decision on >> the formation of a new WG. Given the constraints of the chartering process, >> regardless of the outcome of this consensus call, we will be meeting in >> Vancouver as a BoF. >> >> >> >> Thanks, >> >> Yaron and Dick >> >> >> >> --- Charter Text Follows --- >> >> >> >> This group is chartered to develop a fine-grained delegation protocol >> for authorization, identity, and API access. This protocol will allow an >> authorizing party to delegate access to client software through an >> authorization server. It will expand upon the uses cases currently >> supported by OAuth 2.0 and OpenID Connect (itself an extension of OAuth >> 2.0) to support authorizations scoped as narrowly as a single transaction, >> provide a clear framework for interaction among all parties involved in the >> protocol flow, and remove unnecessary dependence on a browser or user-agent >> for coordinating interactions. >> >> >> >> The delegation process will be acted upon by multiple parties in the >> protocol, each performing a specific role. The protocol will decouple the >> interaction channels, such as the end user’s browser, from the delegation >> channel, which happens directly between the client and the authorization >> server (in contrast with OAuth 2.0 which is initiated by the client >> redirecting the user’s browser). The client and AS will involve a user to >> make an authorization decision as necessary through interaction mechanisms >> indicated by the protocol. This decoupling avoids many of the security >> concerns and technical challenges of OAuth 2.0 and provides a non-invasive >> path for supporting future types of clients and interaction channels. >> >> >> >> Additionally, the delegation process will allow for: >> >> >> >> - Fine-grained specification of access >> >> - Approval of AS attestation to identity claims >> >> - Approval of access to multiple resources and APIs in a single >> interaction >> >> - Separation between the party authorizing access and the party >> operating the client requesting access >> >> - A variety of client applications, including Web, mobile, >> single-page, and interaction-constrained applications >> >> >> >> The group will define extension points for this protocol to allow for >> flexibility in areas including: >> >> >> >> - Cryptographic agility for keys, message signatures, and proof of >> possession >> >> - User interaction mechanisms including web and non-web methods >> >> - Mechanisms for conveying user, software, organization, and other >> pieces of information used in authorization decisions >> >> - Mechanisms for presenting tokens to resource servers and binding >> resource requests to tokens and associated cryptographic keys >> >> - Optimized inclusion of additional information through the delegation >> process (including identity) >> >> >> >> Additionally, the group will provide mechanisms for management of the >> protocol lifecycle including: >> >> >> >> - Discovery of the authorization server >> >> - Revocation of active tokens >> >> - Query of token rights by resource servers >> >> >> >> Although the artifacts for this work are not intended or expected to >> be backwards-compatible with OAuth 2.0 or OpenID Connect, the group will >> attempt to simplify migrating from OAuth 2.0 and OpenID Connect to the new >> protocol where possible. >> >> >> >> This group is not chartered to develop extensions to OAuth 2.0, and as >> such will focus on new technological solutions not necessarily compatible >> with OAuth 2.0. Functionality that builds directly on OAuth 2.0 will be >> developed in the OAuth Working Group, including functionality back-ported >> from the protocol developed here to OAuth 2.0. >> >> >> >> The group is chartered to develop mechanisms for applying >> cryptographic methods, such as JOSE and COSE, to the delegation process. >> This group is not chartered to develop new cryptographic methods. >> >> >> >> The initial work will focus on using HTTP for communication between >> the client and the authorization server, taking advantage of optimization >> features of HTTP2 and HTTP3 where possible, and will strive to enable >> simple mapping to other protocols such as COAP when doing so does not >> conflict with the primary focus. >> >> >> >> Milestones to include: >> >> - Core delegation protocol >> >> - Key presentation mechanism bindings to the core protocol for TLS, >> detached HTTP signature, and embedded HTTP signatures >> >> - Identity and authentication conveyance mechanisms >> >> - Guidelines for use of protocol extension points >> >> >> >> >> >> -- >> >> Txauth mailing list >> >> Txauth@ietf.org >> >> https://www.ietf.org/mailman/listinfo/txauth >> > -- >> > Txauth mailing list >> > Txauth@ietf.org >> > https://www.ietf.org/mailman/listinfo/txauth >> >> -- >> Txauth mailing list >> Txauth@ietf.org >> https://www.ietf.org/mailman/listinfo/txauth >> > > > -- > Nat Sakimura (=nat) > Chairman, OpenID Foundation > http://nat.sakimura.org/ > @_nat_en > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth >
- [Txauth] Call for charter consensus - TxAuth WG Yaron Sheffer
- Re: [Txauth] Call for charter consensus - TxAuth … Aaron Parecki
- Re: [Txauth] Call for charter consensus - TxAuth … Aleksei Petrov
- Re: [Txauth] Call for charter consensus - TxAuth … Amanjeev Sethi
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … David Skaife
- Re: [Txauth] Call for charter consensus - TxAuth … Leif Johansson
- Re: [Txauth] Call for charter consensus - TxAuth … Florian Biesinger
- Re: [Txauth] Call for charter consensus - TxAuth … Lee McGovern
- Re: [Txauth] Call for charter consensus - TxAuth … Daniel DeGroff
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Sudipta Pal
- Re: [Txauth] Call for charter consensus - TxAuth … Dmitri Zagidulin
- Re: [Txauth] Call for charter consensus - TxAuth … Fabien Imbault
- Re: [Txauth] Call for charter consensus - TxAuth … Matthew De Haast
- Re: [Txauth] Call for charter consensus - TxAuth … Fabien Imbault
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Stephen Moore
- Re: [Txauth] Call for charter consensus - TxAuth … Tobias Looker
- Re: [Txauth] Call for charter consensus - TxAuth … Richard Backman, Annabelle
- Re: [Txauth] [EXTERNAL] Re: Call for charter cons… Mike Jones
- Re: [Txauth] [EXTERNAL] Re: Call for charter cons… Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Mike Jones
- Re: [Txauth] Call for charter consensus - TxAuth … Aaron Parecki
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Mike Jones
- Re: [Txauth] Call for charter consensus - TxAuth … David Skaife
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Vladimir Dzhuvinov
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Mike Jones
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … David Skaife
- Re: [Txauth] Call for charter consensus - TxAuth … Dick Hardt
- Re: [Txauth] Call for charter consensus - TxAuth … Nat Sakimura
- Re: [Txauth] Call for charter consensus - TxAuth … Vittorio Bertocci
- Re: [Txauth] Call for charter consensus - TxAuth … Vijay IETF
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Dick Hardt
- Re: [Txauth] Call for charter consensus - TxAuth … Mike Jones
- Re: [Txauth] Call for charter consensus - TxAuth … Dick Hardt
- Re: [Txauth] Call for charter consensus - TxAuth … Kim
- Re: [Txauth] Call for charter consensus - TxAuth … Brian Campbell
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Dick Hardt
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer
- Re: [Txauth] Call for charter consensus - TxAuth … Torsten Lodderstedt
- Re: [Txauth] Call for charter consensus - TxAuth … Nat Sakimura
- Re: [Txauth] Call for charter consensus - TxAuth … Dick Hardt
- Re: [Txauth] Call for charter consensus - TxAuth … Justin Richer