[GNAP] Re: [Technical Errata Reported] RFC9635 (8198)

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 06 December 2024 14:56 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E115BC14F696 for <txauth@ietfa.amsl.com>; Fri, 6 Dec 2024 06:56:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OGZMuzvx_DvA for <txauth@ietfa.amsl.com>; Fri, 6 Dec 2024 06:55:59 -0800 (PST)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D69BC14F69A for <txauth@ietf.org>; Fri, 6 Dec 2024 06:55:59 -0800 (PST)
Received: by mail-wm1-x329.google.com with SMTP id 5b1f17b1804b1-4349e1467fbso14687245e9.1 for <txauth@ietf.org>; Fri, 06 Dec 2024 06:55:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1733496957; x=1734101757; darn=ietf.org; h=content-transfer-encoding:cc:to:references:message-id:in-reply-to :thread-topic:subject:from:date:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=RBN+Bq020mXHjHCZ3BKQ3eDv0fgd0znSgPS7OW7jQ4w=; b=UZtQimdBEORg0sH0zuJwzppaFWWgTNcDKwjnc5Si3O2gx4541DMbNFOxKbEy7Fxq5z Kp8HGkZm2HvHrwCxgZ9HwAuApcBkKF/1edDgT3BnlP51EAFPuHfTIieGRvRuBC0Af50b 7hX5gB8IkiKMr3lWcNHivoipdJdem59GOO/eQ08oUVpBdh/XwukCKCamazI9kgtL26ph T9JZuKfF2pf9+LCalb9sP6b6TS9CvlUSV/1hns+DDT8aB4RjD5rhKM3T6ISkZgxHjd/s JRoVot7zTqM5QBMGix6CiFMB48i8brnAvvr5aefGJm4XhH/Kppo8eZai5FjFVQ9bne7D JuGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1733496957; x=1734101757; h=content-transfer-encoding:cc:to:references:message-id:in-reply-to :thread-topic:subject:from:date:mime-version:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=RBN+Bq020mXHjHCZ3BKQ3eDv0fgd0znSgPS7OW7jQ4w=; b=oy56EDM5UkUpB7Twz84UQMuOmT+3OYlLFepb0cfgluWiugj94f/RKLtZbUkGrrMSVb 3intwnr4rvuKg0abLDvJFNPRJPsYplUvj2fcOeW23DtmQO6WkrrklC84mf0ZNgtU5CQy GpAOqEEKb5D0zy73dOvhYa20bavqGmYfbPpbwD5PUFGoRZhZ4AGjxBcrZzTynJsNTyrf 4g1PMyps2I3/6IZgC1384va9U1ek3YbgX5naVVfiP/iWSogLzfZhQiVhePKJqySqmuGj 9FfVIZ1dEi4UaE7CEczAdA6QuZ0ai/AnyoY+nSSX/s/dpsm7QdtshD1auKApihF1fGLH g+iw==
X-Forwarded-Encrypted: i=1; AJvYcCUHakcu6RHcIB/V4v4CkIH2jEQFcsXhBdJbgU2B1qsguaSHtkdBKMv+jm1r+nwutV2esn4ZOKg=@ietf.org
X-Gm-Message-State: AOJu0YyOAB8XNK/TuxIfHcto2KtTrQsxtOuqW+Bvy4Fpi8rp2M4VR13F wdcLXxNThrQK08mIyTIzulf1J8uvZoW2nJcgSUkQcXBwduzmeolc
X-Gm-Gg: ASbGncsibPVkBv71A9BOCmotfaWkE4HANNn7a0+npZqT3z2O/tn13zvQ9UjIfsfKJoz C9HO3Xieeba0md+qYJIGw26aMFq/4o9PV17Mpqc6/pE2pHCQV+4KdmldRG5Jbi0oN5CXAeDpDd7 Viq3zpoG2uzArtxJTlSCBwc4SbQWEDKyIinfnJ/mp3GpKcatVQa3CwZpVlZszaX1mgCfVYKmJZP 5p9I+wdpsDVI8OzcmSjLnhc8HWTiguVtPkDMxGZPTMjx4UfLj9pPb3cAR8CgPlSUbE36iOkFDRS CAxBV3nToQGKnJs7XNpEWFy65Q==
X-Google-Smtp-Source: AGHT+IGPGphfRwJIfyxdTXClUfyVqxqGZrJxCAoZie1JQDdUfIaoKRuIMkJsZXDljifV+5L86/ueCA==
X-Received: by 2002:a05:600c:3544:b0:430:563a:b20a with SMTP id 5b1f17b1804b1-434ddeac94bmr28382085e9.11.1733496956870; Fri, 06 Dec 2024 06:55:56 -0800 (PST)
Received: from macos-F7LQR2FV6V (IGLD-84-229-146-74.inter.net.il. [84.229.146.74]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-434da0d6b44sm59276755e9.18.2024.12.06.06.55.55 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 06 Dec 2024 06:55:56 -0800 (PST)
MIME-Version: 1.0
Date: Fri, 06 Dec 2024 16:55:52 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Thread-Topic: Re: [Technical Errata Reported] RFC9635 (8198)
In-Reply-To: <20241204173035.8748E1BE96E@rfcpa.rfc-editor.org>
Message-ID: <649964B1-A6B2-7B41-9AF7-BA59F069E04E@hxcore.ol>
References: <20241204173035.8748E1BE96E@rfcpa.rfc-editor.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>, "ietf@justin.richer.org" <ietf@justin.richer.org>, "fabien.imbault@acert.io" <fabien.imbault@acert.io>, "debcooley1@gmail.com" <debcooley1@gmail.com>, "paul.wouters@aiven.io" <paul.wouters@aiven.io>, "leifj@sunet.se" <leifj@sunet.se>
Content-Transfer-Encoding: base64
Content-Type: text/html; charset="utf-8"
Message-ID-Hash: I6BRYVRJL2YVHDEOFE3E3YO72N36TGTS
X-Message-ID-Hash: I6BRYVRJL2YVHDEOFE3E3YO72N36TGTS
X-MailFrom: yaronf.ietf@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "iana@erinshepherd.net" <iana@erinshepherd.net>, "txauth@ietf.org" <txauth@ietf.org>, "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [GNAP] Re: [Technical Errata Reported] RFC9635 (8198)
List-Id: GNAP <txauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/bLyWFBP_TOgTOT104-Cu2W9jJJQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Owner: <mailto:txauth-owner@ietf.org>
List-Post: <mailto:txauth@ietf.org>
List-Subscribe: <mailto:txauth-join@ietf.org>
List-Unsubscribe: <mailto:txauth-leave@ietf.org>

I believe this errata should be marked Verified.

 

But we also have to deal with the unregistered header field. Normally I would say, let’s submit an IANA registration request [1] and be done with it. But registering a new header field is somewhat painful, see [2], and seems to require a stable reference. So, do we need a -bis document? Or maybe a short AD-sponsored draft for this one purpose?

 

Thanks,

                Yaron

 

[1] https://www.iana.org/form/protocol-assignment" rel="nofollow">https://www.iana.org/form/protocol-assignment

[2] https://httpwg.org/specs/rfc7231.html#considerations.for.new.header.fields" rel="nofollow">https://httpwg.org/specs/rfc7231.html#considerations.for.new.header.fields

 

On 04/12/2024, 19:30, "RFC Errata System" <rfc-editor@rfc-editor.org> wrote:

The following errata report has been submitted for RFC9635,

"Grant Negotiation and Authorization Protocol (GNAP)".

 

--------------------------------------

You may review the report below and at:

 

--------------------------------------

Type: Technical

Reported by: Erin Shepherd <iana@erinshepherd.net>

 

Section: 7.3.3.

 

Original Text

-------------

   The signer presents the signed object in compact form [RFC7515] in

   the Detached-JWS header field.

 

   In the following non-normative example, the JOSE header contains the

   following parameters:

 

   {

       "alg": "RS256",

       "kid": "gnap-rsa",

       "htm": "POST",

       "typ": "gnap-binding-jwsd",

       "created": 1618884475

   }

 

   The request content is the following JSON object:

 

   NOTE: '\' line wrapping per RFC 8792

 

   {

       "access_token": {

           "access": [

               "dolphin-metadata"

           ]

       },

       "interact": {

           "start": ["redirect"],

           "finish": {

               "method": "redirect",

               "uri": "https://client.foo/callback%22" rel="nofollow">https://client.foo/callback",

               "nonce": "VJLO6A4CAYLBXHTR0KRO"

           }

       },

       "client": {

         "key": {

           "proof": "jwsd",

           "jwk": {

               "kid": "gnap-rsa",

               "kty": "RSA",

               "e": "AQAB",

               "alg": "RS256",

               "n": "hYOJ-XOKISdMMShn_G4W9m20mT0VWtQBsmBBkI2cmRt4Ai8Bf\

     YdHsFzAtYKOjpBR1RpKpJmVKxIGNy0g6Z3ad2XYsh8KowlyVy8IkZ8NMwSrcUIBZG\

     YXjHpwjzvfGvXH_5KJlnR3_uRUp4Z4Ujk2bCaKegDn11V2vxE41hqaPUnhRZxe0jR\

     ETddzsE3mu1SK8dTCROjwUl14mUNo8iTrTm4n0qDadz8BkPo-uv4BC0bunS0K3bA_\

     3UgVp7zBlQFoFnLTO2uWp_muLEWGl67gBq9MO3brKXfGhi3kOzywzwPTuq-cVQDyE\

     N7aL0SxCb3Hc4IdqDaMg8qHUyObpPitDQ"

           }

         }

         "display": {

           "name": "My Client Display Name",

           "uri": "https://client.foo/%22" rel="nofollow">https://client.foo/"

         },

       }

   }

 

   This is hashed to the following base64-encoded value:

 

   PGiVuOZUcN1tRtUS6tx2b4cBgw9mPgXG3IPB3wY7ctc

 

   This leads to the following full HTTP request message:

 

   NOTE: '\' line wrapping per RFC 8792

 

   POST /gnap HTTP/1.1

   Content-Type: application/json

   Content-Length: 983

   Detached-JWS: eyJhbGciOiJSUzI1NiIsImNyZWF0ZWQiOjE2MTg4ODQ0NzUsImh0b\

     SI6IlBPU1QiLCJraWQiOiJnbmFwLXJzYSIsInR5cCI6ImduYXAtYmluZGluZytqd3\

     NkIiwidXJpIjoiaHR0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20vZ25hcCJ9.PGiVuO\

     ZUcN1tRtUS6tx2b4cBgw9mPgXG3IPB3wY7ctc.fUq-SV-A1iFN2MwCRW_yolVtT2_\

     TZA2h5YeXUoi5F2Q2iToC0Tc4drYFOSHIX68knd68RUA7yHqCVP-ZQEd6aL32H69e\

     9zuMiw6O_s4TBKB3vDOvwrhYtDH6fX2hP70cQoO-47OwbqP-ifkrvI3hVgMX9TfjV\

     eKNwnhoNnw3vbu7SNKeqJEbbwZfpESaGepS52xNBlDNMYBQQXxM9OqKJaXffzLFEl\

     -Xe0UnfolVtBraz3aPrPy1C6a4uT7wLda3PaTOVtgysxzii3oJWpuz0WP5kRujzDF\

     wX_EOzW0jsjCSkL-PXaKSpZgEjNjKDMg9irSxUISt1C1T6q3SzRgfuQ

 

 

   {

       "access_token": {

           "access": [

               "dolphin-metadata"

           ]

       },

       "interact": {

           "start": ["redirect"],

           "finish": {

               "method": "redirect",

               "uri": "https://client.foo/callback%22" rel="nofollow">https://client.foo/callback",

               "nonce": "VJLO6A4CAYLBXHTR0KRO"

           }

       },

       "client": {

         "key": {

           "proof": "jwsd",

           "jwk": {

               "kid": "gnap-rsa",

               "kty": "RSA",

               "e": "AQAB",

               "alg": "RS256",

               "n": "hYOJ-XOKISdMMShn_G4W9m20mT0VWtQBsmBBkI2cmRt4Ai8Bf\

     YdHsFzAtYKOjpBR1RpKpJmVKxIGNy0g6Z3ad2XYsh8KowlyVy8IkZ8NMwSrcUIBZG\

     YXjHpwjzvfGvXH_5KJlnR3_uRUp4Z4Ujk2bCaKegDn11V2vxE41hqaPUnhRZxe0jR\

     ETddzsE3mu1SK8dTCROjwUl14mUNo8iTrTm4n0qDadz8BkPo-uv4BC0bunS0K3bA_\

     3UgVp7zBlQFoFnLTO2uWp_muLEWGl67gBq9MO3brKXfGhi3kOzywzwPTuq-cVQDyE\

     N7aL0SxCb3Hc4IdqDaMg8qHUyObpPitDQ"

           }

         }

         "display": {

           "name": "My Client Display Name",

           "uri": "https://client.foo/%22" rel="nofollow">https://client.foo/"

         },

       }

   }

 

   When the verifier receives the Detached-JWS header, it MUST parse and

   validate the JWS object.  The signature MUST be validated against the

   expected key of the signer.  If the HTTP message request contains

   content, the verifier MUST calculate the hash of the content just as

   the signer does, with no normalization or transformation of the

   request.  All required fields MUST be present, and their values MUST

   be valid.  All fields MUST match the corresponding portions of the

   HTTP message.  For example, the htm field of the JWS header has to be

   the same as the HTTP verb used in the request.

 

   Note that this proofing method depends on a specific cryptographic

   algorithm, SHA-256, in two ways: 1) the ath hash algorithm is

   hardcoded and 2) the payload of the detached/attached signature is

   computed using a hardcoded hash.  A future version of this document

   may address crypto-agility for both these uses by replacing ath with

   a new header that upgrades the algorithm and possibly defining a new

   JWS header that indicates the HTTP content's hash method.

 

7.3.3.1.  Key Rotation Using Detached JWS

 

   When rotating a key using detached JWS, the message, which includes

   the new public key value or reference, is first signed with the old

   key as described above using a JWS object with typ header value

   "gnap-binding-rotation-jwsd".  The value of the JWS object is then

   taken as the payload of a new JWS object, to be signed by the new key

   using the parameters above.

 

   The value of the new JWS object is sent in the Detached-JWS header.

 

 

Corrected Text

--------------

N/A

 

Notes

-----

This section standardises the use of the Detached-JWS HTTP header. This header was not registered in  the IANA Considerations section and is not a registered HTTP header.

 

I am unsure what the best way to correct this ommission is.

 

Instructions:

-------------

This erratum is currently posted as "Reported". (If it is spam, it

will be removed shortly by the RFC Production Center.) Please

use "Reply All" to discuss whether it should be verified or

rejected. When a decision is reached, the verifying party  

will log in to change the status and edit the report, if necessary.

 

--------------------------------------

RFC9635 (draft-ietf-gnap-core-protocol-19)

--------------------------------------

Title               : Grant Negotiation and Authorization Protocol (GNAP)

Publication Date    : October 2024

Author(s)           : J. Richer, Ed., F. Imbault

Category            : PROPOSED STANDARD

Source              : Grant Negotiation and Authorization Protocol

Stream              : IETF

Verifying Party     : IESG