IETF Logo Mail Archive

Re: [GNAP] [Txauth] Three Client-Server use cases with several ASs built along "Privacy by Design" (PbD)

Fabien Imbault <fabien.imbault@gmail.com> Wed, 12 August 2020 08:02 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21A843A1124 for <txauth@ietfa.amsl.com>; Wed, 12 Aug 2020 01:02:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vPpBRYi8JO2p for <txauth@ietfa.amsl.com>; Wed, 12 Aug 2020 01:02:13 -0700 (PDT)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C896A3A1123 for <txauth@ietf.org>; Wed, 12 Aug 2020 01:02:13 -0700 (PDT)
Received: by mail-io1-xd30.google.com with SMTP id j8so1588374ioe.9 for <txauth@ietf.org>; Wed, 12 Aug 2020 01:02:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xX3ePYkvh6DHZ+F8aZvYk1xzWSByZxGLy1oJpGWA0Gs=; b=V/MaGHQL2CVBoGXSlwKFgtulmT+Jzc2q7cx4o8NNygHJRsvVr6m++0B/23tZdM3vV8 +rUi8rkExi+3bI8xUSBGy1Z0rNf/UDOg7bUIPfl0aU6DAKz6XdZ7blhXokD/KvSWOKZq NoJFpH34a/h8rD7w4dRcQ+koYB0kXwcSr0Hix5FcXJo6NcwZjyj3zehluyu/JzK8ICpt og3B9qSYnEfSjDS4+JusVhrQb1+wTR7O2OzMtGBq5vajJTEPQiay+6VvsCNI5d1JEby3 6EMdZyseK3F6gUM0/eYifyZF4eeYnTlyVrxKjsimJc6aOUeNHsRNX4wFu76//eg6pT04 eZQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xX3ePYkvh6DHZ+F8aZvYk1xzWSByZxGLy1oJpGWA0Gs=; b=JdYUF7AKGcL1VgKyYgSI0gIFokVUxXfxBLixg3V0hTF/7PC7AV6CIwG9oXlkJRHqL4 gKts73TsQApzPQnTIslxx4WrSwmCXYTCnDiMcYdYaN5HRCPVimFvuOnaq8gC32QVQyXb anm5A180laZlQEAFCgApNQ6bc74zlTL0msc4EsGW1NJWeOOo7UWpyZQN9ferccnDzCu0 hg3nYXqRo5EI7fu+yDuSJcVa4vxtluA11ozTySPlDi174xOFXgrdC8yTXqB+bfnMWQ7n y3VVreDdACZxNON4e6x+Bm21FugPBBueKuJjYoR/FKYToH/Z7apU9+8RkhjWUUiqm3NG EfpQ==
X-Gm-Message-State: AOAM530U2tliKaHgdq5Mb/f+012fDdiNKeGRJeaHw34EPRgrfSV/0Uxy xmBj3LuMFphShSsBMEyTLWeG3n+GLwepdquAmlkJLOD8EY4=
X-Google-Smtp-Source: ABdhPJwpYon3K+l8AlkrA9lPOLHg1XZhdV5ecZRgLzXxCWZGMLHHEYOKmD7WH929pCr8Di4TnwrDvj4/0uBy1HF5cLM=
X-Received: by 2002:a5d:841a:: with SMTP id i26mr26277137ion.144.1597219332891; Wed, 12 Aug 2020 01:02:12 -0700 (PDT)
MIME-Version: 1.0
References: <d2ee5da2-8e88-15c8-8646-087860463d2c@free.fr> <CAOW4vyOwQTMoo2Nmb8KNcVM5hdOW69FzZTK5XQ2fRL9CC8+SUA@mail.gmail.com> <CAM8feuT2K2xpF=VES11kihsqfGK4RCzdSCU=HCLijxLvnc=8LA@mail.gmail.com> <CAOW4vyM0jkw9qTzohzGaNwvvT6JGqcUbdqXnJFq9ahqnRPnuGQ@mail.gmail.com>
In-Reply-To: <CAOW4vyM0jkw9qTzohzGaNwvvT6JGqcUbdqXnJFq9ahqnRPnuGQ@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Wed, 12 Aug 2020 10:02:01 +0200
Message-ID: <CAM8feuQfknpOFHTdV_XAc-49Vw-2jER65x4XxmARN6-Dwhyn+A@mail.gmail.com>
To: Francis Pouatcha <fpo@adorsys.de>
Cc: Denis <denis.ietf@free.fr>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f7342b05aca99a50"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/c5TWR-xG6JIHofpTj6Xc3UO6_DY>
Subject: Re: [GNAP] [Txauth] Three Client-Server use cases with several ASs built along "Privacy by Design" (PbD)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2020 08:02:16 -0000

Hi Francis,

My comments are embedded into your email with FI.

You're saying in a follow-up message:
"- If you want privacy, *don't* expose RS identity to AS.
- If you want transparency, expose RS identity to AS.
You can't have both...."
While that may seem a reasonable dichotomy at first sight, I believe the
reality is actually more nuanced and depends on how we end up designing the
system.

Cheers,
Fabien

On Tue, Aug 11, 2020 at 11:27 PM Francis Pouatcha <fpo@adorsys.de> wrote:

> Hello Fabian,
>
> On Tue, Aug 11, 2020 at 2:17 AM Fabien Imbault <fabien.imbault@gmail.com>
> wrote:
>
>> Hi Francis,
>>
>> I think Denis points to the fact that, in the current situation, the AS
>> receives the resource request from the Client and therefore knows what
>> tokens are asked.
>>
> The token request must not mention any reference of the RS.
>

FI : yes we can do that, but as Tom commented, it's not a general rule. And
for instance in XYZ you do describe the URL of the resource. See also the
use case on directed tokens, which is an interesting topic which makes
sense in many scenarios.
But as soon as you include that possibility, it's fair to think that this
capability could be used for surveillance purposes in some cases, unless
you found a privacy by design scheme that applies by default.
Again this doesn't mean that transparency requirements aren't important
too, but I think there are other ways it can be achieved (for instance, an
inspiration is the certificate transparency project). Could be an extension
to the protocol I believe.


>
>> Then it also implements the consent interface (and possibly the login
>> too) and so it also knows who validates and what is accepted or not.
>>
> Decoupling this does not change the privacy context, as the AS issues the
> Token. AS needs to add a reference to the RC in the token. SO AS can
> correlate on StudentId anyway.
>

FI : I disagree. It does change the privacy context, if as Denis suggested,
the consent is made outside of the AS and if you don't send to the AS the
information on the RS when it needs to issue the token.
Correlation on StudentId is limited as long as it's a local identifier,
i.e. not a public DID.

As a concrete example: a user may want to use an application to access
rs_domain/directory1 and rs_domain/directory2 in read and write, which are
managed by a RO.
What I suggested is that the Client may (optionally) carry out its consent
through a decoupled IS server (separated from the AS), that displays the UI
based on the RS requirements => the IS knows what information is used, but
the IS may be chosen by the IS independently from the AS or even run by the
Client itself.
In this case, suppose the RO only provided consent for rs_domain/directory1
for read.
We now need to get back to the AS to mint the access token.

If we want the AS to not know about the RS, we either :
- don't supply the rs_domain at all -> the JWT says that directory1 in read
access is authorized. The downside is that we actually cannot control to
which URL the authorization applies. In that case I agree with your either
or statement.
- or find a way to hide it (not sure if that's practical, hence my
questions on RS hiding). This would have the benefit of still allowing
directed tokens -> the JWT says that rs_petname/directory1 in read access
is authorized.

Either way, the AS has not been provided any information as to where this
token will effectively be used.

>
>
>> I don't think the abstract flow deals with those privacy concerns.
>>
> To solve the privacy problem addressed in this thread, we need to go the
> (SSI/DiD/VC) way. Then UNIV-0 (in his role of RS) will have to issue a VC
> (Verifiable Credential) to the Student (in his role of RC). The Student
> will then present this claim to UNIV-1 during his registration. In this
> case we need no Grant negotiation and no AS.
>

FI : That may be useful but it's not enough. What you describe only works
because you take a very specific use case, aka registration. This fits well
into DID/VC without requiring authorization per say. However grant
negotiation is still required for more general settings of authorization.
I've added a DID example to my implementation, will publish it soon.


> Best regards.
> /Francis
>
>>
>
>>
>> Then I agree with you on the audience field of the token, if left empty
>> it simplifies part of the problem, although it removes a big part of the
>> control you may want from directed tokens. That's why I'm willing to better
>> develop the RS hiding idea.
>>
>> Fabien
>>
>> Le mar. 11 août 2020 à 05:58, Francis Pouatcha <fpo=
>> 40adorsys.de@dmarc.ietf.org> a écrit :
>>
>>> Hello Denis,
>>>
>>> what you describe in the use case seems to be the default behavior of
>>> the protocol. Let me map it with this abstract protocol flow:
>>>
>>> +-----------+      +--------------+  +-----------+  +----+
>>>  +---------------------+
>>> | Requestor |      | Orchestrator |  | RS        |  | GS |  | Resource
>>> Controller |
>>> | is UNIV-1 |      |  is UNIV-1   |  | is UNIV-0 |  | or |  |
>>>  is          |
>>> |   Staff   |      | Registr. App |  | Server    |  | AS |  |
>>>  Student       |
>>> +-----------+      +--------------+  +-----------+  +----+
>>>  +---------------------+
>>>   |(1) RegisterStudent    |                |           |                |
>>>   |---------------------->|                |           |                |
>>>   |                       |(2) RequestRecordIntent(RecordType,StudentId,
>>>   |                       |
>>>  OrchestratorId):AuthRequest[RecordType,StudentId]
>>>   |                       |<-------------->|           |                |
>>>   |                       |                |           |                |
>>>   |                       |(3)
>>> AuthZRequest(RecordType,StudentId,OrchestratorId)
>>>   |                       |--------------------------->|                |
>>>   |                       |                |           |(4)
>>> ConsentRequest(RecordType,
>>>   |                       |                |           |
>>>  OrchestratorId):Consent
>>>   |                       |                |           |<-------------->|
>>>   |                       |(5) AuthZ[RecordType,StudentId,OrchestratorId]
>>>   |                       |<---------------------------|                |
>>>   |                       |                |           |                |
>>>   |                       |(2)
>>> RequestRecord(RecordType,StudentId,OrchestratorId)
>>>   |                       |     :RecordOf[StudentId]   |                |
>>>   |                       |<-------------->|           |                |
>>>   |(7) Registered         |                |           |                |
>>>   |<----------------------|                |           |                |
>>>   +                       +                +           +                +
>>>
>>> we assume the authz request sent by "Client" to "AS" describes the
>>> protected resource without referring to the authz server. An AS can issue
>>> the authz to release the graduation record  of a student
>>> ((5) AuthZ[RecordType,StudentId,OrchestratorId]), without any reference to
>>> the target university.
>>>
>>> What matters for this authz object is:
>>> - StudentId: a reference to the student as known to the resource server.
>>> - RecordType: a reference to a resource of type graduation record as
>>> understandable  by the resource server.
>>> - OrchestratorId: reference to the Orchestrator. Can be used to bind
>>> authz to Orchestrator.
>>>
>>> But:
>>> - RS must trust AS issued token.
>>> - StudentId must be known to RS, AS and Orchestrator.
>>>
>>> Therefore, the AS does not need to know the RS. Keep the audience field
>>> empty.
>>>
>>> Same principle applies for the second use case.
>>>
>>> What privacy problem do you see here?
>>>
>>> Best regards.
>>> /Francis
>>>
>>> On Tue, Aug 4, 2020 at 5:08 AM Denis <denis.ietf@free.fr> wrote:
>>>
>>>> I tried my best twice to download three use cases in the Use cases
>>>> directory, but I failed.
>>>>
>>>> Rather than failing a third time, here is the direct link of the second
>>>> try:
>>>>
>>>>
>>>> https://github.com/ietf-wg-gnap/general/wiki/Three-Client-Server-use-cases-with-several-ASs-built-along-%22Privacy-by-Design%22-(PbD)
>>>>
>>>> Denis
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Txauth mailing list
>>>> Txauth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>
>>>
>>>
>>> --
>>> Francis Pouatcha
>>> Co-Founder and Technical Lead
>>> adorsys GmbH & Co. KG
>>> https://adorsys-platform.de/solutions/
>>> --
>>> TXAuth mailing list
>>> TXAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/txauth
>>>
>>
>
> --
> Francis Pouatcha
> Co-Founder and Technical Lead
> adorsys GmbH & Co. KG
> https://adorsys-platform.de/solutions/
>

v2.23.0 | Report a Bug | By Email