[GNAP] Core protocol comments - Sec. 1-6
Yaron Sheffer <yaronf.ietf@gmail.com> Tue, 24 January 2023 22:45 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B197C16952E for <txauth@ietfa.amsl.com>; Tue, 24 Jan 2023 14:45:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KBCWXKOQ6rv7 for <txauth@ietfa.amsl.com>; Tue, 24 Jan 2023 14:45:12 -0800 (PST)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34D92C14CE38 for <txauth@ietf.org>; Tue, 24 Jan 2023 14:45:12 -0800 (PST)
Received: by mail-wr1-x42d.google.com with SMTP id t18so2533390wro.1 for <txauth@ietf.org>; Tue, 24 Jan 2023 14:45:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:thread-topic:message-id:to:from:subject:date :user-agent:from:to:cc:subject:date:message-id:reply-to; bh=LjWQQEHyfOzt4MOTcbVHfjaXh8/z3QyyzogHqxzzRqE=; b=cfmr3oGGc7l31CeE2IFd+fEIZfKauQDZTzr98Rt9yqreoCsf07a5BD7Se/Jcyn9uxE dKasrfXCaYeg0CDcJ/SQaQzZG/LexRA1fR7ZCXI0jsKNsiR0oUTCllhoB2FAE+XjbsZR g7JJGtLBEx+pkDORtlVYRjElnzVxY4tiM7QTOVlvFaEp3vrUh/666mynGOemiZWEQx4m fK+Lxmx8JV1eK54mRZzvOvDfh8rMyGKtYvVbWYbIHDfEBEDZMP09klJDnGeXLOEILhfm 9t92mz2+aWa6aoUdyVTDySUl1pvXS4TMiUIsEFWssakHd5beZW7aZjvDhkRJEmkRAwDj hIwg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=mime-version:thread-topic:message-id:to:from:subject:date :user-agent:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=LjWQQEHyfOzt4MOTcbVHfjaXh8/z3QyyzogHqxzzRqE=; b=4hYned9rULLZTFvUOYUUR2pxEG51HVV94ynqQ7Sy9eezsMQdXot1hb98AvbAm7gFDS EU8avtnxSMIGhGmJDFuX1Viut1TXthXHZ9jIhVzyxvA3B/LLOTzEWkry9mFeIqxhydi/ fZWQGrg81un1Q4r0vAJZ+WQebp6n12JFiSiQfRVAdz+IH0HY2GjmZl7av3mj3jPEl2FB YGLHbgqDbkfV+wp0mOKD+AZhUL7D4LpV53/w4R/SX8gQpzhO6pcrds0ggv+1tqWKeW/M sanfjK7tQADBJhKo37f9eSzsUbN0qoHvtU7rLK596WzLvZ224HktHVQhuXPqmtXNj8dQ xUCA==
X-Gm-Message-State: AO0yUKVJDjpE5wQVnK3Hn20n27e/iyPP5X6UmoXirE1xA00v/Cau0ARG iyQ25W0/mbFF9FpIItwl1BV6cCgKypw=
X-Google-Smtp-Source: AK7set89Qnlauib1aR+Nh7v/oh6s56UXfFLQ7eTsOeR4QGOhx3fUEKMS6rsi8vFDOQJR+dyHRJn6iw==
X-Received: by 2002:adf:f045:0:b0:2bf:b872:cf21 with SMTP id t5-20020adff045000000b002bfb872cf21mr232346wro.0.1674600309549; Tue, 24 Jan 2023 14:45:09 -0800 (PST)
Received: from [192.168.68.106] ([77.125.223.181]) by smtp.gmail.com with ESMTPSA id l10-20020a05600012ca00b002bfb02153d1sm2815568wrx.45.2023.01.24.14.45.08 for <txauth@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 24 Jan 2023 14:45:09 -0800 (PST)
User-Agent: Microsoft-MacOutlook/16.69.23011802
Date: Wed, 25 Jan 2023 00:45:07 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: GNAP Mailing List <txauth@ietf.org>
Message-ID: <417A84D1-27D7-4B78-BA0C-FE45A45E56C1@gmail.com>
Thread-Topic: Core protocol comments - Sec. 1-6
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3757452308_3263824242"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/d5HqTai4aBDDMcgEyrpJf_BPhno>
Subject: [GNAP] Core protocol comments - Sec. 1-6
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jan 2023 22:45:13 -0000
Dear editors, Below is a bunch of comments about the bulk of the document, some editorial and some not. In general, despite the number of comments, I think the document is in good shape. Thanks, Yaron 1.5: While it is possible to deploy an AS in a stateless environment, such deployments will need a way to manage the current state of the grant request in a secure and deterministic fashion. - I'm not sure such a deployment is possible, e.g. if the state is managed by the client, it would be able to roll back to a previous state and cancel any pending revocations. 1.6.1: the generic sequence diagram seems to have a bug, especially when compared to the one in 1.6.4: after message (3), there is interaction with the RO, marked with (B). What then initiates the client's next step, the one marked (4)? Is there polling going on? 2.1.1: access token flags - the "bearer" flag is mentioned for requests and responses, but the "durable" flag only for responses. I suggest to add "allowed use" as a new column to the relevant IANA registration registry (Sec. 11.2). 2.1.1: "since no flag is provided in this example, is bound to the client instance's key", better be more precise about the flag: since the "bearer" flag is not provided in this example, is bound to the client instance's key. 2.2: SAML - please add a reference. Also, is "SAML 2 assertion" well defined? Are there any constraints? If we don't want to give a detailed definition, maybe leave it out. 2.3: the example includes both a "jwk" and a "cert" for the public key. I think this contradicts the text in Sec. 7.1: "A key [...] MUST be presented in one and only one supported format". 13.12: when we say "natural extension point" I suggest we add a reference to the relevant IANA registry (Sec. 11.5 IMO). In general it's worth looking at where the word "extension" is mentioned throughout the document. For example, in Sec. 4, "or through some other method defined by an extension of this specification", I don't think we have defined such an extension point, so I would remove that text or add the extension point. 2.3: the "display" URI is limited to web addresses, and can simply be a URL. 2.3: "SHOULD use a different key for each AS" - I would change it to MUST. We know of one attack, there may be more. If we leave it a “should”, deployers will not have enough information to make an informed decision here. 2.3.1: "If the client instance is identified in this manner, the registered key for the client instance MAY be a symmetric key known to the AS." I think this gets it wrong: for symmetric keys, it is the "key" value that's given by reference. The "client" value is unrelated. 2.4: "Assertions SHOULD be validated by the AS." In addition to ensuring the JWS is signed correctly, are there other checks the AS must do? E.g., ensuring the assertion refers to the same identity as the sub_ids? 2.4.1: what is the lifetime of the user reference? Can the client assume it will remain valid forever (as long as the user itself is valid)? 2.5: "array of strings/objects" - this is somewhat ambiguous, is it allowed to mix strings and objects in the same array? 2.5.1: "by a JSON object with one required field" -> "by a JSON object with the `mode` required field" 2.5.2: I think the nonce MUST be valid ASCII, to avoid complexity when computing the hash. The same goes for the Finish nonce in Sec. 3.3.5. 3.2.1: the text in 2.1 implies that for a single access token, if a table is included in the request, it should be included in the response. So I suggest: "REQUIRED for multiple access tokens or if a table was included in the request, OPTIONAL otherwise." 3.2.1: when the AS returns a `key` by value, there's a lot of complexity and possible security issues as the Client tries to correlate it to known keys. We should RECOMMEND to use the key reference (Sec. 7.1.1) mechanism instead. 3.2.2: this sentence got mangled: "other issued access tokens are included in the response the requested names appropriate names". 3.4: ISO8610 -> ISO 8601 (but why not RFC 3339?) 3.6: "provide a error as a string" -> "provide the `error` key as a string" 3.6: what is the error that corresponds to "not yet granted" - async authorization as per Sec. 1.6.4 (step #2)? 4.1.2: "the URI is usually be opened" -> "the URI is usually opened" 4.2: "follow the appropriate method at upon completion" -> "follow the appropriate method upon completion" 4.2.2: "the AS MUST protect itself" - I think this should refer to the client. 4.2.3: there's something missing here: the section discusses hash functions applied to strings, but does not mention the string's encoding to bytes. Maybe we should say, instead of "The party then hashes this string", "The party then hashes the ASCII bytes that encode to this string". 5: "Access tokens other than the continuation access tokens MUST NOT be usable for continuation requests." I would also add: "Conversely, continuation access tokens MUST NOT be usable to authorize requests into Resource Servers, even if collocated with the AS." 5: "The AS MUST be able to tell from the client instance's request which specific ongoing request is being accessed, using a combination of the continuation URI, the provided continuation access token, and the client instance identified by the key signature." The first two (and preferably only one) must be sufficient to identify the request. I suggest to change to: "The AS MUST be able to tell from the client instance's request which specific ongoing request is being accessed, using a combination of the continuation URI and the provided continuation access token. The AS MUST verify the signature and MUST ensure that it is bound to the client that originated the request." 5.1: "If the AS detects a client instance submitting the same interaction reference multiple times" - can we rephrase this rule so that it depends on the grant's state, in order for the AS not to have to cache references? 5.2: the text says the POST does not include a message body, but the example still includes a Content-Type header. "If the grant request was previously in the approved state, the AS could decide to remember the larger scale of access rights associated with the grant request..." If the client first asks for A+B permissions than asks for only A, I would say "remembering" A+B and granting it again is a mistake. The client may have good reasons to ask for restricted permissions, e.g. if the client's security posture has changed and it is at higher risk now. Granting it A+B again would be a mistake. If this text is not about the access rights being granted but rather about some internal optimization at the AS, please clarify it in the text. 5.3: "Modification requests MUST NOT alter previously-issued access tokens. Instead, any access tokens issued from a continuation are considered new, separate access tokens. The AS MAY revoke previously-issued access tokens after a modification has occurred." IMO the AS SHOULD revoke in this case, which would be more in line with the intuitive semantics of a PATCH. If the client wanted more access tokens for the permissions it is already holding, it could have made a whole new grant request. "In the future" -> "Some time later". "The AS would likely revoke previously-issued access tokens that had the greater access rights associated with them, unless they had been issued with the durable flag." I think a more consistent interpretation of "durable" is that it is used ONLY to make access token rotation easier, by allowing overlap between the old and the new token. If a new token with reduced right is expressly requested, it would make more sense to always revoke old tokens, regardless of the "durable" flag. In general the logic of Sec. 5.3 implies that the AS needs to keep track of all tokens (a potentially unlimited number of them) associated with the grant request, along with each one's associated rights, and compare each new token's rights to all previous ones. A simpler way to manage the grant request would be to just keep the last one, and always revoke it whenever the grant request is modified. 6.1: Requiring an access token to be unexpired when it is rotated would simplify the text as well as the implementation logic (e.g. around expiration vs. revocation). Why not have the client responsible to rotate the token in a timely manner? If it doesn't, it can always request a new one.
- [GNAP] Core protocol comments - Sec. 1-6 Yaron Sheffer
- Re: [GNAP] Core protocol comments - Sec. 1-6 Justin Richer
- Re: [GNAP] Core protocol comments - Sec. 1-6 Justin Richer
- Re: [GNAP] Core protocol comments - Sec. 1-6 Justin Richer