IETF Logo Mail Archive

Re: [GNAP] Consensus Call on Continuation Request

Fabien Imbault <fabien.imbault@gmail.com> Fri, 11 December 2020 14:18 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 979633A0C27 for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 06:18:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NzMkpzxdyeQt for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 06:18:05 -0800 (PST)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AABA3A0C1B for <txauth@ietf.org>; Fri, 11 Dec 2020 06:18:05 -0800 (PST)
Received: by mail-io1-xd2f.google.com with SMTP id o8so9640885ioh.0 for <txauth@ietf.org>; Fri, 11 Dec 2020 06:18:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SEHOQc4JfnXGi2wAt8zBgnhz+6EelVOSKEf84G2Q08M=; b=Gd4D1s1T7+nU2Qi4FKETTa9nbeNvKJphCYREY+f2suQSz7DyIu48eZiSw7suieowLf TOyb/eWH3P4ZOEEo8R4PW6ojxVdw4P2haYPW+fqstpf1LXiP2aLjg2L+VkEKgYRrviYW vs+WXsmRgRXJxv+0+Xa+YXVP8YoADNjKQTwtR3Q1gYL+7ijPR/ccD6igSLbrCIsy94o2 oH//MIcHeP+0Yfr387HsyTmLxBRwWB7YGWjEYfpqUhw7JFXyPyxKC0XQTE5NneCdi5xF Cf6+c+5OPDImbteQZKr7WIi4vCOmNyOwLvnle61E0auBlhloYeA00t3SpKPRbyoqOqUv 3CkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SEHOQc4JfnXGi2wAt8zBgnhz+6EelVOSKEf84G2Q08M=; b=Vgaxw2NjJBsQqsMN1zexbi/8KrH9RQG5SAlWLeC/Lo6uPq4gbva51Ox+rqnDKgTOui sn+km2l/BMBRLkOsHchyR/PszI4uYdcaDzBuje72dWOv2YhlLAgyN7rJwZRXVlg+9emi cqT+p9DVLM7U4xyG0ULZstEdekavjT/8o4sAZi1nrZwzZsn4GRZnylJgMY9Cazv45O2Z 0ZToeBd2RALHLd5rmoChTFtJrdvI5ajPIVv+hpz8pWLoV1N0oBbXjVLVLSUqD2BWggr5 t0bPTgikiv/ZzkEtytErK7sv45Ia/qrQ0yZFFOEKAAvJ7Do563dgsXqpYp3bRg/N+ROK C7AA==
X-Gm-Message-State: AOAM530dHsq8HL3Q3xONkQH2dikHvCzXjeWNiSkmOpX06oOs4g1dnVV9 q0KqfTtAhdN91VjkgV8wWXBTdAuHlKBXry/0aUg=
X-Google-Smtp-Source: ABdhPJxhb/Xv4pLpXllSQ9g2Ta8tgZ+68xl5fgYru1POyiXo6Tt8ALEmkYb5SQIXII8Bvm1o9Gof7IER/Flnmv6iNNE=
X-Received: by 2002:a5e:a916:: with SMTP id c22mr15328431iod.144.1607696284645; Fri, 11 Dec 2020 06:18:04 -0800 (PST)
MIME-Version: 1.0
References: <94973397-0354-4B02-9EC8-EF972A7F1867@mit.edu> <CAD9ie-v-j=PBGjLmiWT+z1Whimfmqo=+Pqw1DVFmXZO-bm7=4w@mail.gmail.com> <CAJot-L1XuL0csXJi2MX81Ado_BmQdys1CQDFZ1rRp7LfEsmeZg@mail.gmail.com>
In-Reply-To: <CAJot-L1XuL0csXJi2MX81Ado_BmQdys1CQDFZ1rRp7LfEsmeZg@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 11 Dec 2020 15:17:53 +0100
Message-ID: <CAM8feuQMK5tZQmUDBYtOBAm0PrSiRzFPz=8=kqZPwDzM-MGfLw@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: Dick Hardt <dick.hardt@gmail.com>, txauth gnap <txauth@ietf.org>, Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="000000000000f3fc3305b630f53d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/a_bpYC-w8lXOOdmjfYuoPMwtd_M>
Subject: Re: [GNAP] Consensus Call on Continuation Request
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 14:18:08 -0000

Hi,

I commented previously on Dick's input (in short, I disagree - at least
with the cookie comparison).

I'm not sure I follow your point here. "access_token" already has its
field, the proposal is just reusing it throughout the protocol (see for
instance section 3.2.1) as a fairly consistent api. The only difference is
the meaning of the "key" boolean parameter (which I would be in favor of
renaming to clarify).

The proposed alternative comes with issues with seem very hard to get
around, at least in a systematic way. Like potential logs of capability
URLs that include the token, which opens the doors to vulnerable
implementations.

Fabien

On Fri, Dec 11, 2020 at 11:24 AM Warren Parad <wparad@rhosys.ch> wrote:

> For the part I agree with Dick, but I also dislike the separation of the
> "access token" into its own field. If I understand *continue* correctly,
> the *access_token *would only ever be used with the *continue *uri, in
> which case, having the token in the url is much better than having a
> separate parameter which has to be merged with the continue request to auth
> it. In my opinion there is no reason to break HATEOAS here, this is one of
> the few places where the capability URL makes sense, and given its limited
> use and accessibility the concerns are alleviated. Additionally moving the
> token back into the uri, avoids the whole problem of naming and how to
> treat this token.
>
> Warren Parad
>
> Founder, CTO
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
>
>
> On Thu, Dec 10, 2020 at 9:06 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> -1 per all the reasons I laid out in
>> https://mailarchive.ietf.org/arch/msg/txauth/hBMexdKrh7RuR--Dq6UEVJN8hkY/
>> ᐧ
>>
>> On Thu, Dec 10, 2020 at 7:52 AM Justin Richer <jricher@mit.edu> wrote:
>>
>>> The editors and chairs would like to confirm consensus on a current pull
>>> request:
>>>
>>> https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/129
>>>
>>> This pull request simplifies the continuation response and request by
>>> making the access token mandatory, and it clarifies the responsibilities of
>>> the AS in enforcing the security of the continuation request. Several WG
>>> members expressed specific support for keeping the access token to enable
>>> specific use cases, and there was general support for simplifying the
>>> process from what it currently is in the draft. The editors believe the
>>> pull request represents a solution that meets these goals.
>>>
>>> This call is open until Monday December 14. At that point, the PR will
>>> be merged unless the chairs determine there is not rough consensus for its
>>> inclusion.
>>>
>>> Thank you,
>>>
>>>  - Justin, Aaron, and Fabien
>>> --
>>> TXAuth mailing list
>>> TXAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/txauth
>>>
>> --
>> TXAuth mailing list
>> TXAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email