IETF Logo Mail Archive

Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00

Denis <denis.ietf@free.fr> Tue, 17 November 2020 16:45 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F0463A14C4 for <txauth@ietfa.amsl.com>; Tue, 17 Nov 2020 08:45:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.621
X-Spam-Level:
X-Spam-Status: No, score=-1.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.276, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Olc0EySV6zuU for <txauth@ietfa.amsl.com>; Tue, 17 Nov 2020 08:45:06 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp09.smtpout.orange.fr [80.12.242.131]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19DB83A14BD for <txauth@ietf.org>; Tue, 17 Nov 2020 08:45:04 -0800 (PST)
Received: from [192.168.1.11] ([90.79.50.181]) by mwinf5d17 with ME id tUl02300D3uZx0A03Ul0FV; Tue, 17 Nov 2020 17:45:03 +0100
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Tue, 17 Nov 2020 17:45:03 +0100
X-ME-IP: 90.79.50.181
To: txauth@ietf.org
References: <160433257633.23038.15047041472414640530@ietfa.amsl.com> <AB11DC08-C6ED-4045-A8F5-872AD263035D@mit.edu> <FR2P281MB01063C2EA739E892B549611D8D110@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM> <CAM8feuQcCdQFGUKy-ou7H3Ta38yyN1LR+0XJd9WophRMRdPDEA@mail.gmail.com> <FR2P281MB0106C83420ED3F8DF2723BFD8DE30@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM>
From: Denis <denis.ietf@free.fr>
Message-ID: <5b8ac79b-0c0e-18e9-9f80-b5d79e9ae59b@free.fr>
Date: Tue, 17 Nov 2020 17:45:00 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <FR2P281MB0106C83420ED3F8DF2723BFD8DE30@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM>
Content-Type: multipart/alternative; boundary="------------F4AF729AAB34394E7A38DC5D"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/_roX1aq1AfMxOw3nTexVcCmyWes>
Subject: Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2020 16:45:08 -0000

Hello  Francis,

See two comments in line.

>
>     B) Current Document
>
>     Roles description shall not hold any assumption on the physical
>     structure of the party fulfilling the roles.
>     [FI] not sure what you mean
>
>  [FP] for example, we assume the AS is a server! In most SSI based use 
> cases, the AS will be running on the user device. See SIOP 
> (https://identity.foundation/did-siop/).

I browsed through the two drafts, i.e. :

  * Decentralized Identifiers (DIDs) v1.0 Core architecture, data model,
    and representations W3C Working Draft 08 November 2020
  * Self-Issued OpenID Connect Provider DID Profile v0.1. DIF Working
    Group Draft

At no place within these two documents, it is possible to imagine that 
"the AS will be running on the user device".

 From section 3 of the DIF Working Group Draft:

       "Unlike the OIDC Authorization Code Flow as per [OIDC.Core], the 
SIOP will not return an access token to the RP".

An Identity Wallet is not an AS.

>
>     Roles:
>     -> grant endpoint of the AS: Why is this a post request? This
>     eliminates the chance of having user device hosted AS (no server).
>     [FI] what would you propose instead?
>     Would also be interested to understand better the deployment model
>     when there is no server. That's something that was discussed
>     several times but I'm still missing the underlying architecture
>     and use case.
>
>  [FP] See above (SIOP). There will be a lot of identity wallets 
> operated on end user device.

See the above comment. Please, do not confuse an Identity Wallet with an 
Authentication Server (AS).

Denis

>
>     -> Resource Owner (RO) : Authorizes the request? Does it authorize
>     the request or the access to a resource?
>     [FI] yes, we should make the wording clearer
>
>     Missing Section Interactions:
>     --> This section shall introduce the notion of interaction before
>     we start listing interaction types.
>     [FI] yes
>
>     Interaction Types:
>     --> I prefer a classification with Redirect, Decoupled and
>     Embedded is. In the draft, we have one redirect and 2 decouple
>     interactions and nothing else.
>     [FI] this should be handled as a specific discussion item. As a
>     reminder, how would you define embedded?
>
>     In practice there's at least these modes:
>     - redirect and redirect back
>     - redirect to different browser or device
>     - user code
>     - CIBA
>
> [FP] This classification is limited.
>
>   * Redirect: same device, same or different user agents (browser,
>     mobile app, desktop app, ...)
>   * Decoupled: different devices
>   * Embedded : RC carries RO authorization to AS
>
>
>
>     Resource Access Request vs. Resource Request
>     --> Both are mixed up. No clarification of the context of each
>     section.
>     [FI] could you clarify what you'd expect.  Btw on this topic,
>     there's a more general discussion on whether we should make a
>     distinction or not.
>
> ​[FP]: Here:
>
>   * Resource Access Request: Requesting Access to a resource. Response
>     is an access token (or any type of grant)
>   * Resource Request: Request the resource. Response is the resource
>     (or a corresponding execution)
>
>
>     Token Content Negotiation
>     --> Not expressed as such. This is central to GNAP and not
>     represented enough  in the document.
>     [FI] right. This should be a specific discussion item.
>
>     Requesting "User" Information
>     we identify two types of users: RQ and RO. It will be better not
>     to refer to a user in this draft, but either to a RQ or an RO.
>     [FI] yes that would avoid potential misunderstandings. Although in
>     the end, people will translate RQ into user or end-user most of
>     the time. Cf in definition, currently we have Requesting Party
>     (RQ, aka "user")
>
>
>     Interaction Again
>     -> For each interaction type, we will have to describe the
>     protocol flow and the nature and behavior of involved Roles
>     (Parties), Elements, Requests.
>     [FI] yes
>
>
> [FP] Will these and into tickets?
>
> Best regards.
> /Francis
>
>

v2.23.0 | Report a Bug | By Email