Re: [Txauth] New version of XYZ Draft

Dick Hardt <> Sun, 19 July 2020 00:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 70F433A0F41 for <>; Sat, 18 Jul 2020 17:59:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.097
X-Spam-Status: No, score=-0.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.999, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 33b5o5txTeOP for <>; Sat, 18 Jul 2020 17:59:18 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C90D33A0F0F for <>; Sat, 18 Jul 2020 17:59:15 -0700 (PDT)
Received: by with SMTP id j11so16598893ljo.7 for <>; Sat, 18 Jul 2020 17:59:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=G/h2MHkgq1sPb2jicuXpnYLhu4QVIVwOwcHMjjmDJU0=; b=eIRuniEB+gf14DSiprRalZag3pihxJiTCH2sDyMwX9I2EV5nlr5WK9p9oR/ZHrtuHh KZXyOsSR6NfWPmgdRsrAe8hn3VhTN7LMW01PO9jYCfDPfxQOlVHipzMOpQ5InMwxITFG p+8xtw6KcAJ6+AeuitOjZzPSkg+735App4Q/1ldjHeCteG5YZjyloflVoqHquNP8zVSY J8WgHWV6aPZBY6ZQlaC0lhMaYC+hFAmgXrHbCnhOuvPGzxtV5+GvDSS8zpSnrfPHGS/R i0CFyzunDqLFgi/eUjzA+aMpstFazx9YeECYYouZcFZ+f90jtYMiBCXSmXgsJ4d9gcVf 6p1g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=G/h2MHkgq1sPb2jicuXpnYLhu4QVIVwOwcHMjjmDJU0=; b=tbV2Hhmu08Sb6IYFigagEUjurpbS90tgddd3Af5Cc2LIe+jVjYaXH2qNk/tURXPjun qetRfd4kBr4L43CQab2LN72mVdV+ZIK6qbRQ7xaTBk4JSyXaDJyrZQbk20930ifG/dxA 7xPtHNftJARwr1XgNoem9ZQdsKz52LzS1xU98QDz46eW/AJySWxZ8c0AJOXy1ThV716H FFBiPQG2o/FWj1ziuLDAT5nVlQZEHIBYyW/H8nDx0Aq0S+5c3X0tcKI6z6nEdPO5IjBx OtYBjXsuGAjsZkjJAjGIsCWAjW2SFkDKtAHQLjdfLciolSKENA5iB8RonHQN0ymeE8f5 iX/g==
X-Gm-Message-State: AOAM530429EwW/BF6qdQyEykxng+yj/M7kIv900lTIQAQ9ch411PMyZP 29kVRojLFixmrbLNIZPBZsQ8JAuVuqvsrShxhhxURVKw
X-Google-Smtp-Source: ABdhPJyk5myKe16P+0ePMlQNofpS3aTNTP5MPf/F29A+0rd5PilnmjfHcS20sb83LgqKRGMj6qhGxUcKGhJWYxlGOjg=
X-Received: by 2002:a2e:9611:: with SMTP id v17mr7688262ljh.110.1595120353939; Sat, 18 Jul 2020 17:59:13 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
From: Dick Hardt <>
Date: Sat, 18 Jul 2020 17:58:38 -0700
Message-ID: <>
To: Justin Richer <>
Content-Type: multipart/alternative; boundary="0000000000001216fa05aac0e6b7"
Archived-At: <>
Subject: Re: [Txauth] New version of XYZ Draft
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 19 Jul 2020 00:59:28 -0000

Justin: how about we let the chairs drive WG conversations on the
goals, and we focus on the technical discussion?

In addition to my questions and observations earlier, here is my feedback
on the new capabilities in XYZ:

2.5.2. Redirect to an Arbitrary Short URL

This looks the same as 2.5.1 except it is short. My concern with both of
these is the AS has no signal on the mode chosen by the client/user. It
could be a redirect on the same device, or decoupled, where the user is now
on a different device. In 2.5.3 you justify a new URL because the AS may
want a different URL for an app. I think that is even more significant
between an on device redirect, and a decoupled experience. By having
different URLs for the different modes in XAuth, the AS can ensure the one
in a decoupled mode is short enough to be scanned if decoupled is
supported. In other words, the mode dictates if it should be short enough
to be scanned.

2.5.3 Open an Application-specific URL

What are you intending "app" to mean? I can think of a device where the
client can open a URL, and a URL could not be associated with an
application on the device. Are you thinking the client will do some
detection if a specific app is available on the device? What if the app is
not on the device? Most platforms don't provide any probing on what other
apps are on a device, so there is no mechanism to detect if the app is
present prior to launching. Is that what you are expecting?

2.5.5. Receive an HTTP Direct Callback

What use cases require this functionality? Contrary to SecEvent, where both
push and poll are specified because a receiver may not be able to have a
public endpoint, the AS has a public endpoint for the client to call. In
GNAP, the client can poll the AS. Why have both?


On Sat, Jul 18, 2020 at 7:55 AM Justin Richer <> wrote:

> I really don’t see them as shifting towards each other so much as it is
> them adapting and changing based on ongoing efforts. As such I’ve modified
> XYZ not to make it “look more like XAuth”, but rather to hopefully improve
> it in some measurable dimensions. So if you wonder why it doesn’t “look
> even more like XAuth” it’s because I don’t think that such changes would be
> improvements — in fact, even with recent improvements, I think there are a
> still a lot of issues with XAuth’s design and assumptions. XYZ can, I’m
> sure, also be improved.
> The goal here isn’t to take two projects and make them look the same. The
> goal here is to make one protocol, GNAP, with the best ideas and elements
> engineered into it that we, as a working group, can. It’s not about one
> input proposal winning over another, it’s about improving our understanding
> of all the use cases and possible solutions and coming up with the best
> specification possible. Making things better should always be the goal.
> Progress should always be the goal.
> But we aren’t here to build XYZ or XAuth. We’re here to build GNAP and
> decide what GNAP looks like. XYZ’s structure and design is the best I’ve
> been able to make it so far, and it should be our goal as a WG to move past
> either XYZ or XAuth and build GNAP even better than any of that.
>  — Justin
> On Jul 17, 2020, at 6:46 PM, Dick Hardt <> wrote:
> XYZ is looking a lot more like XAuth, similar to how XAuth has shifted
> towards XYZ.
> I have implemented separate URIs for grants and authorizations, and it
> worked really well.
> All 3 of the new capabilities are problematic. Perhaps you did not notice
> that there no longer is a short_uri in XAuth? As I recall, you were opposed
> to the short URI that was in the earlier drafts of XAuth. In my XAuth
> implementation, I show QR codes in the CLI app. Have you checked out my
> implementation? Have you implemented a QR code? I found that the string did
> not need to be nearly as short as it has in the past.
> I still don't understand the requirement to rotate the reference handle. I
> read over the pointer you provided last time we discussed it, and
> responded, but I have not heard back from you on that.
> ᐧ
> On Fri, Jul 17, 2020 at 2:36 PM Justin Richer <> wrote:
>> Most of these are changes I’ve wanted to do for quite some time and
>> finally had opportunity to make the edits. As I said below, the core
>> protocol really hasn’t changed in nature, but hopefully it’s easier to
>> understand with it laid out in this way.
>> All of these are points that I’ve made previously on the list in
>> discussions, but to answer your questions directly:
>> - Mapping items to separate URLs has been on XYZ’s radar since well
>> before it was proposed in Xauth, so this is bringing some of that into the
>> concrete system. I still need to implement it to see how well it works in
>> practice.
>> - The need to rotate the reference handle as well as use it externally
>> (the “extend a request” method) both call for having an identifier separate
>> from the access URL. It also allows an AS more freedom in how it manages
>> its endpoints, and aligns with the desire to push more information into the
>> ongoing request after the initial phase. I’d actually rather the access
>> token management move in that direction, using the token itself as the
>> artifact, but I couldn’t do that and still use the DELETE method for
>> revocation. So that’s an engineering challenge that I think the group
>> should discuss, and decide whether it’s worth having the “DELETE” verb
>> semantics and having that restriction placed on the AS as a consequence.
>> - The DID work is likely better suited for an extension, and always has
>> been. But it was worth having in previous revisions for discussion
>> purposes, especially as a point around how a non-HTTP interaction method
>> would work. I expect to see DIDCOMM, CHAPI, WebAuthN, and other interaction
>> methods in the extensions landscape of GNAP, usable alongside the others.
>> And a final point, the interaction setup hasn’t really changed, so I’m
>> curious to hear what you think *has* changed there. Even with a couple
>> new capabilities on the way there (short_uri and app) and back (pushback),
>> It’s structurally and conceptually identical to previous revisions.
>>  — Justin
>> On Jul 17, 2020, at 1:10 PM, Dick Hardt <> wrote:
>> Hey Justin,
>> Glad to see that you are aligning on having URIs for the access tokens
>> and the "grant".
>> While the token URI is unique to the token, you have not done the same
>> for a "grant", but have a handle and a non-unique URI.
>> Why not have a unique grant URI similar to the token URI? (a combination
>> of the handle and a non-unique URI) -- this is then both the identifier,
>> and the URL for "management"?
>> Glad to see you have excised the DID references. I don't think the common
>> use cases are well established there currently.
>> I have LOTS of feedback on your interaction changes, that I'll post later
>> on, and hope that others have feedback on those as well.
>> /Dick
>> On Thu, Jul 16, 2020 at 2:52 PM Justin Richer <> wrote:
>>> Hi all,
>>> I’ve updated the XYZ draft specification. Since the publication tools
>>> are currently locked prior to the upcoming virtual meeting, I have
>>> published it online here:
>>> This represents a pretty significant refactoring of the specification,
>>> hopefully to make the concepts and capabilities easier to understand. The
>>> core protocol is largely the same as before, but there are a number of
>>> serious updates:
>>>  - Continuation requests happen at a URL returned in the TX response.
>>> The “handle” is still sent as one of the input values here, since the
>>> handle can also be used it other contexts.
>>>  - Tokens now can include the resources they are issued for
>>>  - Tokens can have an optional management URI for rotation and
>>> revocation.
>>>  - “claims” has been removed in favor of “subject” dealing directly with
>>> identifiers and assertions
>>>  - the “user” request and response now align with identifiers and
>>> assertions
>>>  - Extensions and registries are more clearly enumerated throughout the
>>> document
>>>  - DID-related items have been excised in deference to a future possible
>>> extension
>>>  - Added a “pushback” mechanism to complement the “callback” mechanism
>>>  - Simplified dynamic handle returns and access tokens based on
>>> developer feedback (basically we dropped a bunch of “what if” stuff that
>>> nobody used or liked, like SHA3 hashes for bearer tokens)
>>> I’ve also updated the interactive examples on to
>>> match this new draft. Hopefully it’s consistent with the draft text.
>>> I have not yet, however, updated any of the implementations of XYZ to
>>> take the elements of new syntax into account, so there might be some more
>>> changes prior to the IETF meeting as I realize what terrible mistakes I’ve
>>> made when doing that. :)
>>> Feedback, as always, is welcomed, and thanks to everyone who’s provided
>>> input to the project to date.
>>>  — Justin
>>> --
>>> Txauth mailing list