Re: [Txauth] Support of FIDO and data minimization by RSs

Dick Hardt <dick.hardt@gmail.com> Mon, 06 July 2020 20:27 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB40B3A0A65; Mon, 6 Jul 2020 13:27:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k1reti0EQU-0; Mon, 6 Jul 2020 13:27:26 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E60853A0A64; Mon, 6 Jul 2020 13:27:25 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id e8so12847917ljb.0; Mon, 06 Jul 2020 13:27:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/s9tYz/6jdm8sRDTjLuaD0OZis7KJFCWp5PDxcWefGo=; b=irYIZkd9Y/P/XQWQyHuIpqil1wJj2MmSZ/Ol1YtfQtzlRZkON3RsbafLDqM6ZDyMgU 9jvaRlbcLjRGnk9fYDsT4DGaLfyKVOCTFpgVEstOYEUiF/au4LUinLdT9SENnj0EKQ82 +KeEGS0BzVd4PwDaUsaFjBA9cqSPj1UkEcPrrKLwuI2u1oe/HfRwE1uneTPI6a+9VCrv P09IFYKsqVxXl5tKjVFRf4YjWubmqU9Zk3eep6VxY3EUzOJ5AGkCAuPNKS74pAPIa3IJ 1bcxWQUj9Ua2npM/m2vgMHMjQ5YMefYcqpykFJ3iqbGQF/s1pe1WaVEeZaXFdD+V+bel PjAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/s9tYz/6jdm8sRDTjLuaD0OZis7KJFCWp5PDxcWefGo=; b=f9I4qsjGzRpHp9PKhv7U6/0gMlTYW5K5M2st4sfsN5gVHSx/R4WxghqWsgZNkyV0n2 +XHa7bTtwuVkKCzIra2HZZDc7Xsg0pWIZ68vDWXYsQjidL/aDs1NUI3oYTlf71w+oiuX mD9wWQOBH36ybg9IV/c7rVd5epoSXtzu0lrGpIPLI6I9ohlcmKIiBdcxkUbRC11elXEG K9l8sfoiU11OFZcQRSdEGgzCAJpiaQF0dJ06DcSHhH6XLL3yFvVkRv93o5wCz9Ttp0hR yny1f9B4dSHDB41S5tCxeXwFVzPp8AkN+NVo4EKJUzUxckpcx/44P5SEvRFR09TGJkmG qgKQ==
X-Gm-Message-State: AOAM532pEpS87agp4hAOKeJxt2nmRldNYPLLLcSMp032CIXKzOrpP4ZS f5Ynt95y0KgSCA2ZUHDyMhtP9DGg8rML0WDoq5o=
X-Google-Smtp-Source: ABdhPJz6vXuJf1WHnakfMTgPoHDwhivjACFpOFoVAxc+4+RLQzHZJYlRIqCqxWKI4JXQhjABGp4gIsM+7M1NvfX3Rtw=
X-Received: by 2002:a2e:7f10:: with SMTP id a16mr29503280ljd.69.1594067243664; Mon, 06 Jul 2020 13:27:23 -0700 (PDT)
MIME-Version: 1.0
References: <02ea0d99-a8b8-7957-8d16-de0a105f9362@free.fr> <CAD9ie-uHo1hNs6Y767NHyNj1TxmfzcbDk-6iZxBT0QWtqpe+Fg@mail.gmail.com> <c91a9ecf-0f8c-a62d-aa4f-66e15cc6fba2@free.fr>
In-Reply-To: <c91a9ecf-0f8c-a62d-aa4f-66e15cc6fba2@free.fr>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 6 Jul 2020 13:26:47 -0700
Message-ID: <CAD9ie-sJLYx1Nu9trNUbTKc6U94d5-m1UiKnfW225n6ZuS5Vqw@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: Roman Danyliw <rdd@cert.org>, "txauth@ietf.org" <txauth@ietf.org>, The IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ce8ae305a9cbb3c8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/bmgyu5B56y39Iv7WW8rYXXWXJVU>
Subject: Re: [Txauth] Support of FIDO and data minimization by RSs
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 20:27:29 -0000

Hi Denis

Thanks for writing up the scenarios, that helps me ensure we are talking
about the same thing. They are similar to scenarios that have been
discussed by the digeriti for what seems forever!

To elaborate on my other email, I do think GNAP should support
implementations that need "privacy by design". I don't think that is
applicable to all the use cases, and would overly restrict the use cases
that many participants want to solve with GNAP.

I think the resulting GNAP document should have a Privacy Considerations
section and/or a separate Privacy document, to assist implementers in
dealing with potential privacy issues.

Perhaps if we had a privacy related milestone you would feel your concerns
will be addressed by the WG?


On Mon, Jul 6, 2020 at 12:17 PM Denis <denis.ietf@free.fr> wrote:

> Hi Dick,
>
> Congratulations ! You made a good guess (but the guess was easy): my
> approach is indeed privacy related.
>
> *Note*: Since it is close to the end of the day in my time zone (and
> since it is the last day for comments to the charter),
> I copy both the IESG and Roman so that they can know that GNAP should also
> consider a* bridge with FIDO*.
>
> I have several goals:
>
> 1 - make a bridge with FIDO U2F (I will illustrate this with a specific
> scenario).
>
> 2 - prevent every AS to know which RSs are going to be accessed or which
> kind of operation the client will be doing.
>     This is to prevent an AS to act as "Big Brother".
>
> 3 - apply both "privacy by default" and "data minimization" (when the user
> authenticates it may authenticate using FIDO or
>      by presenting one or more access tokens. Then after, the necessary
> attributes that are necessary to perform a given operation
>     are only requested and released at the time they are indeed needed to
> perform the given operation (i.e. they are not released
>     when the user logs on).
>
> 4 - the proposed RS Authorization algorithm allows a great flexibility, in
> particular it supports FIDO and different attributes
>      from different ASs may be requested by the RS.
>
> 5 - the rules associated with the RS Authorization algorithm are making
> these rules only available at the time the client indicates
>      which operation it is willing to perform (i.e. by default, they are
> not public).
>
> 6 - access tokens are NOT OPAQUE to the clients so that every client can
> make sure that their content reflects what has been requested.
>
> *A simple scenario to illustrate*
>
> A student wants to apply for a new university. He connects to the RS of
> the University. He first creates an account using FIDO.
> He then selects the button "Preliminary information for applying to the
> university". He is asked to enter two categories of information:
>
>
>    - citizenship information and
>    - prior graduations.
>
> The student can interrupt the preliminary registration procedure at any
> time and continue it at any time later on.
>
> When the student is finished, it selects the button "Application to the
> university".
>
> The university RS "reads" the citizen ship of the student and let know to
> the student whether a paper form
> and/or an electronic form of the identity of the student may be provided.
> Let us assume the later case and that
> the student is a citizen from France. Then the university RS indicates
> which French banks or other French organisations
> are trusted to provide an access token. The client checks whether this
> list fits one of the AS with which it has a relationship.
>
> The university RS "reads" the prior graduations of the student and then
> let know to the student whether a paper form
> and/or an electronic form of the last graduation of the student may be
> provided. Let us assume the later case and
> that the student is from Yale University. Then the university indicates
> the address of the AS from Yale University.
> If the student is indeed from Yale University, he should be able to
> provide the requested access token.
>
> Such scenario which follows some privacy principles cannot be constructed "*after
> the design"* (it will not happen by magic or by accident)
> This is why the approach is called "privacy by design".
>
> Denis
>
> Hi Denis
>
> Would you provide some background on what you are trying to solve with
> this? I'm guessing it is privacy related.
>
> Perhaps a use case would help make it more concrete?
>
> /Dick
>
>
> On Mon, Jul 6, 2020 at 5:39 AM Denis <denis.ietf@free.fr> wrote:
>
>> eThis is a new thread: a proposal for a RS authorization algorithm and a
>> way to support FIDO by RSs
>>
>> In order to support the privacy principle of "data minimization" by RSs,
>> only the attributes that are strictly necessary to perform
>> an operation requested by a client should be requested by the RS.
>>
>> When a client wants to authenticate, it will usually be informed by the
>> RS on how to do it (see more details about two exceptions at the end of
>> this email).
>> Which conditions are needed to perform other operations will only be
>> disclosed to authenticated users at the time they are willing to perform an
>> operation.
>>
>> Two categories of operations will be considered: authentication
>> operations and other operations.
>>
>> For the "authentication" operation, two cases will be supported:
>>
>> -          FIDO U2F or
>>
>> -          one or more attributes from one or more ASs.
>>
>> In the second case, an access will be granted by a RS based on an
>> mathematical expression which is formed using some combination of AND and
>> OR conditions.
>>
>> Examples of combinations:
>>
>> *Condition 1* AND
>> *Condition 2 Condition 1* OR *Condition 2*
>> (*Condition 1* AND *Condition 2)* OR
>> *Condition 3 (Condition 1* OR *Condition 2)* AND *Condition 3*
>>
>> The following notation is being used for *a Condition *:
>>
>> *Condition x* = { AS identifier + set of attributes types + optional
>> scope identifier }
>>
>> The presence of the *optional* scope identifier allows to provide a
>> backward compatibility with ASs from the OAuth 2.0. world:
>> the optional scope identifier is only present when a bilateral
>> relationship has been established between a RS and an AS prior
>> to any access (*and will continue to be maintained*) using
>> "out-of-bands" means.
>>
>> Each RS internally constructs an *authorization table* with the
>> following content:
>>
>> 1°  For the "authentication" operation : either FIDO U2F or a
>> mathematical expression using conditions;
>>
>> 2°  For any other operation : a mathematical expression using conditions.
>>
>> An example is used to explain the concepts.
>>
>> "Operation(s)/ Mathematical expression" pairs managed by the RO of a RS.
>>
>> *Operation*
>>
>> *Mathematical expression*
>>
>> Authentication
>>
>> *Condition 1* OR *Condition 2*
>>
>> Operation A OR Operation Z
>>
>> *Condition 3* AND *Condition 4*
>>
>> Conditions table:
>>
>> Condition 1
>>
>> FIDO U2F 1.2
>>
>> -
>>
>> -
>>
>> Condition 2
>>
>> AS 1
>>
>> set 1 of attributes types
>>
>>
>>
>> Condition 3
>>
>> AS 4
>>
>> set 2 of attributes types
>>
>> scope identifier : 21
>>
>> Condition 4
>>
>> AS 9
>>
>> set 3 of attributes types
>>
>> -
>>
>> Given the operation selected by the client, the RS returns the
>> appropriate mathematical expression and only the associated conditions
>> used in that mathematical expression. The user may then decide whether
>> the set of attributes types which are indicated for a given AS
>> are appropriate to him or not and then select that AS if it has a
>> relationship with it.
>>
>> In this example, one mathematical expression for the combination of
>> conditions using AND and OR operators is "*Condition 3* OR *Condition
>> 4",*
>> * which means that* some types of attributes from AS 4 AND some other
>> types of attributes from AS 9 are both needed by RSx to perform on RSx
>> either the Operation A or the Operation Z.
>>
>> In this example, RS 1 and AS 4 have established a bilateral relationship
>> (and have agreed to define and use scope identifiers)
>> whereas RS 1 and AS 9 have not established any bilateral relationship
>> prior to the exchange.
>>
>> The user makes up his mind whether the attributes requested by AS 1 and
>> AS 9 are reasonable and if so, requests two access tokens:
>> one to AS 4 and another one to AS 9.
>>
>> For AS 4, the client shall use the scope identifier with the value 21.
>> For AS 9, the client shall use the set 3 of attributes types indicated in
>> the Condition 4.
>>
>> In order to save one exchange, a RS could publicly publish how its
>> clients can authenticate.
>> However,  it is also possible to consider no guidance at all: in such a
>> case, using "out-of-bands" means, the clients should know how to
>> authenticate.
>>
>> Denis
>> --
>> Txauth mailing list
>> Txauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
>
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>