Re: [GNAP] New I-D: draft-pinkas-gnap-core-protocol
Denis <denis.ietf@free.fr> Fri, 20 August 2021 08:09 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7864B3A12BC for <txauth@ietfa.amsl.com>; Fri, 20 Aug 2021 01:09:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.72
X-Spam-Level:
X-Spam-Status: No, score=-0.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2RgOCgeH6pUQ for <txauth@ietfa.amsl.com>; Fri, 20 Aug 2021 01:09:22 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp07.smtpout.orange.fr [80.12.242.129]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BBDE3A12BA for <txauth@ietf.org>; Fri, 20 Aug 2021 01:09:22 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.88.110]) by mwinf5d87 with ME id jk9K250072Nqh1E03k9KlP; Fri, 20 Aug 2021 10:09:20 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Fri, 20 Aug 2021 10:09:20 +0200
X-ME-IP: 90.26.88.110
To: Justin Richer <jricher@mit.edu>
Cc: "txauth@ietf.org" <txauth@ietf.org>
References: <fc61cf1c-d661-6403-479b-615bf86193a4@free.fr> <BF261D8F-D5DA-43BD-BB46-FC9614CC2AB7@mit.edu>
From: Denis <denis.ietf@free.fr>
Message-ID: <a8af45cd-a7d1-03a9-3e1d-43b2b6833a56@free.fr>
Date: Fri, 20 Aug 2021 10:09:19 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <BF261D8F-D5DA-43BD-BB46-FC9614CC2AB7@mit.edu>
Content-Type: multipart/alternative; boundary="------------FF66F3282214D15841042375"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/dm46KJS6V2h0l_xVAx7y4l7yKho>
Subject: Re: [GNAP] New I-D: draft-pinkas-gnap-core-protocol
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Aug 2021 08:09:28 -0000
Hi Justin, There is a difference between the following two sentences : All *requests *have to be over TLS or equivalent as per [BCP195 <https://www.ietf.org/archive/id/draft-ietf-gnap-core-protocol-06.html#BCP195>]. (from : draft-ietf-gnap-core-protocol-06 on *page 105*) Which "requests" ? Access token requests ? Requests from which entity to which other entity ? and The protocol uses HTTPS for all *communications *between the client and the AS, as well as between the client and the RS. (from: draft-pinkas-gnap-core-protocol-00 on *page 1*). IMO, the first one is ambiguous while the second one is crystal clear. As I wrote, nowhere in draft-ietf-gnap-core-protocol-06, the text is taking advantage of the security properties obtained thanks to the use of HTTPS. Nevertheless, there are many other major issues raised about draft-ietf-gnap-core-protocol-06, that draft-pinkas-gnap-core-protocol-00 attempts to address and to solve. The very first version of draft-pinkas-gnap-core-protocol has been written from scratch with a Trust Relationships section (1.5) and both a Security Considerations section (4) and a Privacy Considerations section (5). Writing these three sections in a very first version is a good way to have a document understandable and coherent. Denis > I want to clarify one point of confusion here: > >> The charter of the GNAP WG states, close to its end : >> >> >> "The initial work will focus on using HTTPS for >> communication between the client and the authorization server, (...)" >> >> See: https://datatracker.ietf.org/doc/charter-ietf-gnap/ >> >> Unfortunately, draft-ietf-gnap-core-protocol-06 does not mandate the >> use of HTTPS for communication between the client and the >> authorization server >> and does not take advantage of the security properties obtained >> thanks to the use of HTTPS. This means that >> draft-ietf-gnap-core-protocol-06 >> does not comply with the GNAP charter. >> > This was quoted out of context and misrepresents the goal. If you read > the rest of that sentence, you’ll see that it’s talking about HTTP > versions: > > The initial work will focus on using HTTPS for communication between the client > and the authorization server, taking advantage of optimization features of > HTTP/2 and HTTP/3 where possible, and will strive to enable simple mapping to > other protocols such as CoAP when doing so does not conflict with the primary > focus. > > What this is saying is that we shouldn’t make something that is only > deployable on HTTP/1. > > Additionally, the GNAP core draft does already require HTTPS. While > the security considerations section (section 12) is not yet filled out > (though note — this one of the topics the editors are actively working > on), the one item it does have in there mandates HTTPS: > > All requests have to be over TLS or equivalent as per [BCP195 > <https://www.ietf.org/archive/id/draft-ietf-gnap-core-protocol-06.html#BCP195>]. > > > Therefore, the statement as asserted in this email, and the > conclusions that follow it, are not accurate. > > — Justin