Re: [GNAP] DID as sub_id or assertion?
Alan Karp <alanhkarp@gmail.com> Thu, 18 March 2021 15:27 UTC
Return-Path: <alanhkarp@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54BE33A2DD5 for <txauth@ietfa.amsl.com>; Thu, 18 Mar 2021 08:27:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2a2WrSPiRwPP for <txauth@ietfa.amsl.com>; Thu, 18 Mar 2021 08:27:21 -0700 (PDT)
Received: from mail-qv1-xf2b.google.com (mail-qv1-xf2b.google.com [IPv6:2607:f8b0:4864:20::f2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09D623A2DD6 for <txauth@ietf.org>; Thu, 18 Mar 2021 08:27:21 -0700 (PDT)
Received: by mail-qv1-xf2b.google.com with SMTP id d10so3358796qve.7 for <txauth@ietf.org>; Thu, 18 Mar 2021 08:27:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BXHNSkKk1+oS8qkexvMDuh9xmeDWSxNLejM7YZqml7c=; b=nz8uLAEHrPpJTf5G+u9UK0sktM6ZSpMARJPjIIAfAxeAmP3oKDOtHFJ3gsmYBBmisT youtff9CNk29CLyXCGtnX0nuP3DjtQ3XkoO+ZIevQg8RKfOC7EU+XFD+iCxeKThlq6Zm bftGfMcysB/4HEj3fgIKmAMjdglDc5MtRH+cligTyuwclSHmzEMG9SyUBw8wDe6mp2c8 NLmWsmjbW85qxMH2Nf89xApG+AHAy1iaQstV3dHgHarZEGQ33+GM5d4Ar42jYv5zhATl 2oJUONjxfD9OOvTu9h2KAEoSh13W4Px5K3byMXLaa8BooBcguU7Ri5/L/rcF9AyQODyr EAWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BXHNSkKk1+oS8qkexvMDuh9xmeDWSxNLejM7YZqml7c=; b=V+jfdiUITR/JjrPpmlPRpHjywIhetf/joqK0z17uODS7pXO51NfRK7lK70otenrXM4 6c8tuooK6Y0+p+UA77beLY76qwwZ2u8TO5VrHb7a4RCrLRGJNqhcugRxG/CCR3c/OKKL qBWwDhHIRL2tf2xzNIMYDw9pGRw8j7y6wFSUD4gyGppzTnEcfRK5xrfUVOFgh5TAhlkE 1jilP2zPMlxGbRouy/+Yw1TTiNPr3LHsanXzW0xKLHku0tdFiNo601KpJgnvgblA4oTn 5LS+LAYlJoB/8eG0LOviIZbUz4ebqkV8DXrV15dKprrJyVWlqLwTZTNBdVkfskG+IRy+ B+RA==
X-Gm-Message-State: AOAM533EcXt1QEKwIAtVdn9xZEO6yqf3NWnccmgawSnP6nxWwseUyHrE SyWSP5cS8Hj53iwARszFv6B1d6BKM7AxEYpeko4=
X-Google-Smtp-Source: ABdhPJxBJva+AzcookQB2xpbFR4ALQgGwDT4wYr10eziOxMjPVf94lnrR2ABlw/QqpWafXeLqAmlnnlxz/YXxl2kGGw=
X-Received: by 2002:a0c:eac9:: with SMTP id y9mr4810278qvp.58.1616081238894; Thu, 18 Mar 2021 08:27:18 -0700 (PDT)
MIME-Version: 1.0
References: <CAM8feuQ5Q1LrGtniCH3WN5gyf6QhBa-9e+2kzaV0fxzA5D5m7w@mail.gmail.com> <B3A02C1B-5DF6-46AE-B806-8DBBF5F6B701@mit.edu> <CAM8feuRuCyKGCDNYXP_gwc=wk986q6m_-DDOcXR8T9k+LdoX9g@mail.gmail.com> <CAM8feuRHQJF6sWGBcvt41kH6V6fwXK0-O15aUgvRRiK9q8vefA@mail.gmail.com> <CAJmmfSSY03c1nn3qtQDhY+Zk490d++zftyftSWPOGPdgPOnkag@mail.gmail.com> <CAM8feuTSWko8q+Agn+0+tLmSAOG6NYH_dMCV697NLna1U-Sxew@mail.gmail.com> <CANYRo8immAFJ08pvd00U6zT6-zRsrHkJ28NuKyC28Fdx=F=USQ@mail.gmail.com> <CAM8feuQbDJfPqym-2VAb4VyDuL8rm_Yk-sGyrb8_qAapUBtEuw@mail.gmail.com> <CAM8feuS332Ng_Bi=doXzq0WEgLc7_+tOmB4uE71+bpJ_g4P-aw@mail.gmail.com> <CANYRo8jG+ZutU6Bhy7zSrKcgnVxjMze7i-y_UpU3+PWvsWfLvA@mail.gmail.com> <CAM8feuSixNA2oFTtYR0Y3vngc+3UbsOSqSBCA6RUEEByB25eNA@mail.gmail.com> <CANYRo8hts6P_4QNjjcUr-H9B9wGJeVckWw+3V3N9hdPHf_idLQ@mail.gmail.com> <CAM8feuQEQyCEOErds8rpcipaqyPm3L3XMdrbQ6X2t3y9xcO4dQ@mail.gmail.com> <CAJmmfSQKZWm=YsjBVV8O+vU9zzC+eka0CCaQO-xFP-GcWzEigw@mail.gmail.com> <CANYRo8jw9gHQESDk__aKM3jK-C9FvYTFYOzb-8iYzbc_hVjMPA@mail.gmail.com> <EDB79C39-D706-43B2-B7D6-234CB32F7411@mit.edu> <CANYRo8inRJa0bAe6gqOkLKqHnt-qxPrzhDufBLwXd-S4wfjdxg@mail.gmail.com> <CANpA1Z1kpgeuLhYsDxD5+ghCbMShJuaQLNeR=YGYvsariAjrHg@mail.gmail.com> <16A7F150-6AD9-410F-BC14-7CCC1D580BB3@mit.edu>
In-Reply-To: <16A7F150-6AD9-410F-BC14-7CCC1D580BB3@mit.edu>
From: Alan Karp <alanhkarp@gmail.com>
Date: Thu, 18 Mar 2021 08:27:07 -0700
Message-ID: <CANpA1Z0xQBsXhHyE1cUDVJoMSNt6KeM5SCqYUzKFxwD4B2rpJg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Adrian Gropper <agropper@healthurl.com>, Tobias Looker <tobias.looker@mattr.global>, Fabien Imbault <fabien.imbault@gmail.com>, GNAP Mailing List <txauth@ietf.org>, Mark Miller <erights@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000002c2bad05bdd13c97"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/eOHRaGM37iZ2g2e6fdFlSyYfYfI>
Subject: Re: [GNAP] DID as sub_id or assertion?
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Mar 2021 15:27:23 -0000
Justin Richer <jricher@mit.edu> wrote: > > From the protocol's perspective, these are functionally the same client. > Remember, “client instance” is a role in the system and it could be made up > of many pieces of software deployed with their own internal sharing system. > If two pieces of software have the same key material and token material, > then they are, as far as GNAP is concerned, the same client instance. It’s > important not to confuse the deployment pattern with the protocol roles. > That's exactly the right perspective. I've been surprised by how many people don't see it that way. > > GNAP has mechanisms to enable the kind of explicitly derived delegation > that you’re describing here by allowing a client instance to ask for a new > token in the context of an existing grant request or an existing access > token. Those mechanisms have not been fully explored by the WG yet but they > are based on the OAuth 2 token exchange concept. > You don't need token exchange if your tokens are certificates. -------------- Alan Karp On Thu, Mar 18, 2021 at 4:53 AM Justin Richer <jricher@mit.edu> wrote: > > > On Mar 18, 2021, at 12:03 AM, Alan Karp <alanhkarp@gmail.com> wrote: > > If the client that gets the token is not same as the client that uses the > token, that is a violation of core security principles as it allows for > (and really designs for) impersonation by client software. I would have no > reason to trust client software that would hand its credentials over to > another piece of software, and in fact I shouldn’t trust it. > > > How would you know if the client using the token is not the client it was > given to if the two clients are in cahoots? Sharing tokens is actually a > useful pattern. Client A running on your behalf could delegate to Client B > also running on your behalf, but it's sometimes easier to share the > credential. For example, you might not mind if the client you use to > retrieve the prices of stocks in your portfolio shares permission to know > what stocks you own with the client you use to plot that data. You would > only need to delegate if you wanted to sub-scope, separately revoke, or > have an audit trail. > > > From the protocol's perspective, these are functionally the same client. > Remember, “client instance” is a role in the system and it could be made up > of many pieces of software deployed with their own internal sharing system. > If two pieces of software have the same key material and token material, > then they are, as far as GNAP is concerned, the same client instance. It’s > important not to confuse the deployment pattern with the protocol roles. > > GNAP has mechanisms to enable the kind of explicitly derived delegation > that you’re describing here by allowing a client instance to ask for a new > token in the context of an existing grant request or an existing access > token. Those mechanisms have not been fully explored by the WG yet but they > are based on the OAuth 2 token exchange concept. > > — Justin > > > -------------- > Alan Karp > > > On Wed, Mar 17, 2021 at 4:18 PM Adrian Gropper <agropper@healthurl.com> > wrote: > >> I'm sure you're right. Our vague terminology around client and end-user >> leads to my confusion. If GNAP is primarily about delegation then, of >> course, we should avoid any incentives to impersonate or we're wasting our >> time. This is partly why I'm trying to study up on capabilities and asking >> for expert advice from folks like Alan Karp and Mark Miller (cc'd) >> >> As best I can understand it, the RS has only two choices, it can: >> >> - store an attribute of the RO a [DID, email address, GNAP AS URL], or >> - hand the RO a capability as a sort-of promise and avoid making any >> entries in an ACL or equivalent. >> >> When a token comes back to the RS, it will either be: >> >> - validated according to something associated with the stored RO >> attribute, or >> - signed by the RS itself. >> >> Either way, trust in the client seems moot. >> >> Adrian >> >> >> >> On Wed, Mar 17, 2021 at 5:29 PM Justin Richer <jricher@mit.edu> wrote: >> >>> On Mar 17, 2021, at 4:55 PM, Adrian Gropper <agropper@healthurl.com> >>> wrote: >>> >>> >>> On Wed, Mar 17, 2021 at 4:23 PM Tobias Looker < >>> tobias.looker@mattr.global> wrote: >>> >>>> <snip> >>>> > A client might not have a DID but it could have a VC as a certificate >>>> of authenticity linked to some audit mechanism. >>>> >>>> To me a VC would come under the assertions umbrella (that is to say a >>>> VC could be one type of valid assertion). The client may possess or been >>>> presented with a VC that it could include in its request to the AS as a way >>>> to identify the subject and perhaps prove authentication and authorization. >>>> >>> >>> I do not assume that the client that interacts with the AS to make a >>> request and receive a token is the same as the client that will present the >>> token to the RS. In the US HIPAA use-case, for example, the root of trust >>> is a contract between the patient-subject and the doctor-requesting party >>> but the doctor workflow is expected to delegate the token to some other >>> end-user that may be using a totally different client such as an EHR. >>> >>> >>> If the client that gets the token is not same as the client that uses >>> the token, that is a violation of core security principles as it allows for >>> (and really designs for) impersonation by client software. I would have no >>> reason to trust client software that would hand its credentials over to >>> another piece of software, and in fact I shouldn’t trust it. >>> >>> I think you may be conflating several different kinds of parties under >>> the “client” umbrella here, though. It’s entirely possible that one client >>> might call an RS that in turn acts as a client for something else down >>> stream. But each of those hops is different from the last. >>> >>> — Justin >>> >>> >
- [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Tobias Looker
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Tobias Looker
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Denis
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Tobias Looker
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Tobias Looker
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Alan Karp
- Re: [GNAP] DID as sub_id or assertion? Alan Karp
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Denis
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Alan Karp
- Re: [GNAP] DID as sub_id or assertion? Alan Karp
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- [GNAP] Should access tokens be opaque or not for … Denis
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] Should access tokens be opaque or not … Stephen Moore
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Stephen Moore
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper
- Re: [GNAP] Should access tokens be opaque or not … Fabien Imbault
- Re: [GNAP] Should access tokens be opaque or not … Alejandro Iacobelli
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Alejandro Iacobelli
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Fabien Imbault
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper