IETF Logo Mail Archive

Re: [GNAP] DID as sub_id or assertion?

Adrian Gropper <agropper@healthurl.com> Thu, 18 March 2021 14:04 UTC

Return-Path: <agropper@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B2A73A2C45 for <txauth@ietfa.amsl.com>; Thu, 18 Mar 2021 07:04:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dQAblJF_FBye for <txauth@ietfa.amsl.com>; Thu, 18 Mar 2021 07:04:34 -0700 (PDT)
Received: from mail-vs1-f49.google.com (mail-vs1-f49.google.com [209.85.217.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15C7C3A2C46 for <txauth@ietf.org>; Thu, 18 Mar 2021 07:04:34 -0700 (PDT)
Received: by mail-vs1-f49.google.com with SMTP id 124so1600151vsg.12 for <txauth@ietf.org>; Thu, 18 Mar 2021 07:04:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iFkPShtfQOOaH7xyhk0YzvUVBXBy6XQra8UDLShyUkU=; b=VmKL8DUBNnF8JX63aWL2SALePljIiFxgXGSlpcYnPVFBCX4s7GEgvhZ4h/X9K2wCNr fr9Q2Ndiu9/GXOp/j1kNngqWu/ic0+i7zsavdC2jyG3wbtui1MWayhdtINfONG0FRmDq thKmeEuurEyEFpTK0Z1MW+H5jh0R3KicppOjjGJ7P+Ry7pAwDSIkDibT3EqTpyLUBBLe sLTO7/SFAFHcb4KAb4RuTbMVjJSR5dV9a9BA0Nvl9dcxxhF5C/yrCF1uxCyQQw6acQp/ LRf4wTjuOg+I9icwZImh5UrvRU2itySEO5knrZA5ATe0SKZ5qAp7JZAzg1lqlAGq19zz OpWg==
X-Gm-Message-State: AOAM533YFw7gYxkW7QWKPk1EGrIBrogwglDEpgHV2boXwBopRmNUZ4/j WKVe1NS1ycw5bdoxEO3SKvYk+EWjvFRE0Asqph0mKIjzuSE=
X-Google-Smtp-Source: ABdhPJzSoIi0IySpnJmYdC/1MxoRiuyiz938Pj9DbofnLQhM4zvE11ZqCJlKqnqS2TF0nZHlBAb4FqYaKWROmsjvjsY=
X-Received: by 2002:a67:db84:: with SMTP id f4mr6788933vsk.20.1616076272877; Thu, 18 Mar 2021 07:04:32 -0700 (PDT)
MIME-Version: 1.0
References: <CAM8feuQ5Q1LrGtniCH3WN5gyf6QhBa-9e+2kzaV0fxzA5D5m7w@mail.gmail.com> <CAM8feuSixNA2oFTtYR0Y3vngc+3UbsOSqSBCA6RUEEByB25eNA@mail.gmail.com> <CANYRo8hts6P_4QNjjcUr-H9B9wGJeVckWw+3V3N9hdPHf_idLQ@mail.gmail.com> <CAM8feuQEQyCEOErds8rpcipaqyPm3L3XMdrbQ6X2t3y9xcO4dQ@mail.gmail.com> <CAJmmfSQKZWm=YsjBVV8O+vU9zzC+eka0CCaQO-xFP-GcWzEigw@mail.gmail.com> <CANYRo8jw9gHQESDk__aKM3jK-C9FvYTFYOzb-8iYzbc_hVjMPA@mail.gmail.com> <EDB79C39-D706-43B2-B7D6-234CB32F7411@mit.edu> <CANYRo8inRJa0bAe6gqOkLKqHnt-qxPrzhDufBLwXd-S4wfjdxg@mail.gmail.com> <CAM8feuS98hqZ36hjCHg_=wpueDyXHb7t156OXnL_8MXtzpiyjA@mail.gmail.com> <CANYRo8i4gVpV5Fv7Yr9AFLNSq658EayHK5yJ+vp2ecUaRJ6fYw@mail.gmail.com> <CAM8feuSC2EDHbVHXjHAkgV8jfYP9+gQ_ZV-+y=aoEjf97Rbyqg@mail.gmail.com> <CANYRo8hdA0vLRXwOMDDg99qQHWC=DAzk+ht=ykjZ42bPmUxdPA@mail.gmail.com> <CANpA1Z2jv1ye234SKXa3n=z1yoVY5nW72Xqzj2bk_+_KjnK-+g@mail.gmail.com> <C4DC413B-32C7-432C-AE14-FC743D45319A@mit.edu> <08a4567d-404f-effd-67b3-57f4cdeeab90@free.fr> <CAM8feuQUrZqCO+ZjdGu-L9Ha=iYAXZTzd-tcGjnCeH1wm64DuQ@mail.gmail.com>
In-Reply-To: <CAM8feuQUrZqCO+ZjdGu-L9Ha=iYAXZTzd-tcGjnCeH1wm64DuQ@mail.gmail.com>
From: Adrian Gropper <agropper@healthurl.com>
Date: Thu, 18 Mar 2021 10:04:20 -0400
Message-ID: <CANYRo8gEyAX+Pgr9HNUFoGqS_uoTSQ2F=nhFXuwdwJEvdhQQNw@mail.gmail.com>
To: Fabien Imbault <fabien.imbault@gmail.com>
Cc: Denis <denis.ietf@free.fr>, Justin Richer <jricher@mit.edu>, Alan Karp <alanhkarp@gmail.com>, GNAP Mailing List <txauth@ietf.org>, Mark Miller <erights@gmail.com>, Tobias Looker <tobias.looker@mattr.global>
Content-Type: multipart/alternative; boundary="0000000000002cc5d805bdd0149f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/_S0RyDGmjPn9ESPSRAMSP7Rt3ys>
Subject: Re: [GNAP] DID as sub_id or assertion?
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Mar 2021 14:04:37 -0000

Yes, I think we can close the current thread. Justin's explanation above of
how we're using client is clear to me.

Adrian

On Thu, Mar 18, 2021 at 9:42 AM Fabien Imbault <fabien.imbault@gmail.com>
wrote:

> Yes I think we can close the current thread.
> Compared to the original objective of the thread, I just want to summarize
> what I understood as a rough consensus for the WG : go along with sub_ids,
> and consider DIDs as identifiers (knowing that the demand has been pushed
> to the related WG).
>
> Best
> Fabien
>
> On Thu, Mar 18, 2021 at 2:39 PM Denis <denis.ietf@free.fr> wrote:
>
>> Hi Justin,
>>
>> You wrote:
>>
>> Tokens are opaque to the client instance.
>>
>> This is certainly your point of view, but not mine. This topic is still
>> under discussion under the issue #145 (Opaque / Non opaque access token)
>> that you would like to close next week. But it closely relates to the
>> issue #214 (Trust relationships) to which you have not yet participated.
>>
>> I took a look at the subject of this thread which is [GNAP] DID as sub_id
>> or assertion?  We are far beyond the original topic of this thread.
>>
>> Denis
>>
>> On Mar 18, 2021, at 12:08 AM, Alan Karp <alanhkarp@gmail.com> wrote:
>>
>>
>> Adrian Gropper <agropper@healthurl.com> wrote:
>>
>>>
>>> Is there an AS involved in the delegation? How and where in the
>>> lifecycle of the protected resource?
>>>
>>
>> If tokens are certificates, the AS need not be involved in subsequent
>> delegations.  The AS must be involved if the tokens are opaque.
>>
>>
>> Tokens are opaque to the client instance. They are not opaque to the AS.
>> They might be opaque to the RS, but that depends on the kind of
>> relationship the RS and AS have. GNAP should allow different options here
>> as there are different use cases for that.
>>
>> It would probably be worthwhile to separate the portions of the spec that
>> talk about the RS-AS relationship into its own standalone document. A
>> similar approach was taken in UMA2 and it was helpful. (Though admittedly,
>> as with anything, there are missteps there that we can hopefully learn
>> from.)
>>
>>  — Justin
>>
>>
>> --------------
>> Alan Karp
>>
>>
>> On Wed, Mar 17, 2021 at 8:54 PM Adrian Gropper <agropper@healthurl.com>
>> wrote:
>>
>>> Sure!
>>>
>>> Is there an AS involved in the delegation? How and where in the
>>> lifecycle of the protected resource?
>>>
>>> Also your use of "the client" seems to imply that either there is only
>>> one client or the client doesn't matter. Which is it?
>>>
>>> Adrian
>>>
>>> On Wed, Mar 17, 2021 at 11:43 PM Fabien Imbault <
>>> fabien.imbault@gmail.com> wrote:
>>>
>>>> Thanks for that.
>>>>
>>>> Trying to reframe it:
>>>> GNAP is defined as a delegation protocol so the main intent is related
>>>> to a delegate of the RO (i.e. the end user) that wishes to access the RO's
>>>> protected resources, through the client.
>>>>
>>>> Fabien
>>>>
>>>> Le jeu. 18 mars 2021 à 04:29, Adrian Gropper <agropper@healthurl.com>
>>>> a écrit :
>>>>
>>>>> At various points in the lifecycle of the protected resource the
>>>>> client at the resource server (RS) might be:
>>>>>
>>>>>    - The RO (subject) user agent trading payment for a service promise
>>>>>    - The RO user agent using the promise to access the protected
>>>>>    resource
>>>>>    - A delegate of the RO user agent using a different client
>>>>>
>>>>> What's vague is where the GNAP AS enters the picture as described
>>>>> above. How would you describe it?
>>>>>
>>>>> Adrian
>>>>>
>>>>>
>>>>> On Wed, Mar 17, 2021 at 10:20 PM Fabien Imbault <
>>>>> fabien.imbault@gmail.com> wrote:
>>>>>
>>>>>> Hi Adrian
>>>>>>
>>>>>> I'm still confused why you're saying the terminology is vague.
>>>>>> I get the "power" neutrality is not to your liking, but RQ / user
>>>>>> agent is no better in my view.
>>>>>>
>>>>>> Can you elaborate?
>>>>>>
>>>>>> Fabien
>>>>>>
>>>>>> Le jeu. 18 mars 2021 à 00:18, Adrian Gropper <agropper@healthurl.com>
>>>>>> a écrit :
>>>>>>
>>>>>>> I'm sure you're right. Our vague terminology around
>>>>>>> client and end-user leads to my confusion. If GNAP is primarily about
>>>>>>> delegation then, of course, we should avoid any incentives to impersonate
>>>>>>> or we're wasting our time. This is partly why I'm trying to study up on
>>>>>>> capabilities and asking for expert advice from folks like Alan Karp and
>>>>>>> Mark Miller (cc'd)
>>>>>>>
>>>>>>> As best I can understand it, the RS has only two choices, it can:
>>>>>>>
>>>>>>>    - store an attribute of the RO a [DID, email address, GNAP AS
>>>>>>>    URL], or
>>>>>>>    - hand the RO a capability as a sort-of promise and avoid making
>>>>>>>    any entries in an ACL or equivalent.
>>>>>>>
>>>>>>> When a token comes back to the RS, it will either be:
>>>>>>>
>>>>>>>    - validated according to something associated with the stored RO
>>>>>>>    attribute, or
>>>>>>>    - signed by the RS itself.
>>>>>>>
>>>>>>> Either way, trust in the client seems moot.
>>>>>>>
>>>>>>> Adrian
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Mar 17, 2021 at 5:29 PM Justin Richer <jricher@mit.edu>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> On Mar 17, 2021, at 4:55 PM, Adrian Gropper <agropper@healthurl.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Mar 17, 2021 at 4:23 PM Tobias Looker <
>>>>>>>> tobias.looker@mattr.global> wrote:
>>>>>>>>
>>>>>>>>> <snip>
>>>>>>>>> > A client might not have a DID but it could have a VC as a
>>>>>>>>> certificate of authenticity linked to some audit mechanism.
>>>>>>>>>
>>>>>>>>> To me a VC would come under the assertions umbrella (that is to
>>>>>>>>> say a VC could be one type of valid assertion). The client may possess or
>>>>>>>>> been presented with a VC that it could include in its request to the AS as
>>>>>>>>> a way to identify the subject and perhaps prove authentication and
>>>>>>>>> authorization.
>>>>>>>>>
>>>>>>>>
>>>>>>>> I do not assume that the client that interacts with the AS to make
>>>>>>>> a request and receive a token is the same as the client that will present
>>>>>>>> the token to the RS. In the US HIPAA use-case, for example, the root of
>>>>>>>> trust is a contract between the patient-subject and the doctor-requesting
>>>>>>>> party but the doctor workflow is expected to delegate the token to some
>>>>>>>> other end-user that may be using a totally different client such as an EHR.
>>>>>>>>
>>>>>>>>
>>>>>>>> If the client that gets the token is not same as the client that
>>>>>>>> uses the token, that is a violation of core security principles as it
>>>>>>>> allows for (and really designs for) impersonation by client software. I
>>>>>>>> would have no reason to trust client software that would hand its
>>>>>>>> credentials over to another piece of software, and in fact I shouldn’t
>>>>>>>> trust it.
>>>>>>>>
>>>>>>>> I think you may be conflating several different kinds of parties
>>>>>>>> under the “client” umbrella here, though. It’s entirely possible that one
>>>>>>>> client might call an RS that in turn acts as a client for something else
>>>>>>>> down stream. But each of those hops is different from the last.
>>>>>>>>
>>>>>>>>  — Justin
>>>>>>>>
>>>>>>>>
>>
>>
>>

v2.39.1 | Report a Bug | By Email | System Status