Re: [GNAP] Murray Kucherawy's No Objection on draft-ietf-gnap-core-protocol-18: (with COMMENT)
Justin Richer <jricher@mit.edu> Fri, 08 March 2024 17:43 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3C3DC14F617; Fri, 8 Mar 2024 09:43:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OzsRX7FSHIuM; Fri, 8 Mar 2024 09:43:23 -0800 (PST)
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2109.outbound.protection.outlook.com [40.107.92.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62681C14F684; Fri, 8 Mar 2024 09:43:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IwvBEn4MTBP/xAoQMNYpUJa8hyt6nYomhqqS4ZLfYdNjrFVkK63ILtYF48QxwAcQc9cxHayWe6l6mzUPCnwybNJO5BDdUTOH7Y7Wh6OpbN1bJ0InFpCHhkHIamelzTaoDK0rgEdJ5n6s4QhkpzdUHIuDRSWzJBzSycR3xHwi/C2hWdbMl2pMIS7hEUQFgMpHBtFg0SjlJOarKjrn/URYFEF7P8msoFLXWOW00WdTVZlMZNIDUf26yuaBtVhhwNkVdPl4WpAHrOcF1YfUfjjbM0kEdFzNkEcRevpcE7YYysZ+2PpenPISJGUT6OfLQJ+XdM/iLuw9bdISPBcFxc/xew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qBmAnXs8zktiW7Nu7ySq4TQd8UG0hgfPPzio9di9Ics=; b=S/KvwkrIUlkymUl4gKQh4GkiyckGWuRvwm4TZ4bij753Iw8YPd2zRgK8Y7WNCL/eu1bMKTTcRaeFcBGF2nHuaXVvp46L+R6h1g0y5H+Gyfln0nm+I566Xof+Ua2Mv6QP3lhI3F2u9/Ah/mfeuhcXKxXjaCGpQZ1GoWLSJo9kn3VoJ2I7OJNg81eM2oEoLNCEaXH4LfvpX0s6y5FqL9bj4ddwzEDXy9AYVOSDVGemayAhSqbp1C6rfUzUWAYlO0NEaoL+QbLKixKYff9nKink/N7oYnTl5YwnoQvVT/5csFVjOSLPohFNpmjfI+Advj33A49JJRXg/wRA7tikdhnC1w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mit.edu; dmarc=pass action=none header.from=mit.edu; dkim=pass header.d=mit.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qBmAnXs8zktiW7Nu7ySq4TQd8UG0hgfPPzio9di9Ics=; b=a/CTYutlOYcvElXYlGJ7Ausd4vwLIRJXWUE+M8sBHUnP9RcRZKRO0mj1VTGt8JBNFbZT27FyN66fcQfCn3DFzG9i9ErZbprh8i25GDReL53jsk+GovHHU+qOGogxGR6Z8wHuUGX5W1ebsr1hFzPAWiTeyM6Oh00q+cKCS/mt7WM=
Received: from LV8PR01MB8677.prod.exchangelabs.com (2603:10b6:408:1e8::20) by BL3PR01MB6817.prod.exchangelabs.com (2603:10b6:208:33c::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7362.29; Fri, 8 Mar 2024 17:43:21 +0000
Received: from LV8PR01MB8677.prod.exchangelabs.com ([fe80::167:b38f:bb84:ecef]) by LV8PR01MB8677.prod.exchangelabs.com ([fe80::167:b38f:bb84:ecef%3]) with mapi id 15.20.7362.024; Fri, 8 Mar 2024 17:43:21 +0000
From: Justin Richer <jricher@mit.edu>
To: Murray Kucherawy <superuser@gmail.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-gnap-core-protocol@ietf.org" <draft-ietf-gnap-core-protocol@ietf.org>, "gnap-chairs@ietf.org" <gnap-chairs@ietf.org>, "txauth@ietf.org" <txauth@ietf.org>, "yaronf.ietf@gmail.com" <yaronf.ietf@gmail.com>
Thread-Topic: Murray Kucherawy's No Objection on draft-ietf-gnap-core-protocol-18: (with COMMENT)
Thread-Index: AQHacXoNQ4ys2svQwU6n1swUTLAdGbEuHTcA
Date: Fri, 08 Mar 2024 17:43:21 +0000
Message-ID: <20CE1384-27D0-4AB1-AC04-6434B15075BF@mit.edu>
References: <170982516917.60817.16221027054744866316@ietfa.amsl.com> <DFBACC0A-6335-424E-BC78-9B6A002F6A60@mit.edu>
In-Reply-To: <DFBACC0A-6335-424E-BC78-9B6A002F6A60@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mit.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: LV8PR01MB8677:EE_|BL3PR01MB6817:EE_
x-ms-office365-filtering-correlation-id: 912ad2ba-540e-4491-078b-08dc3f973f2e
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: HNFBlt5NlvZrA9PoAU6fYNoBh9VjBS52zt5GsZYD5Uxrskqc2gOrrLu3oftLUNwIfpuA8g8dIHnF8XSd2wzzo8iBwtZwiYuqAofis12jaLMdrGDN012v9cgJN1PS/8XZLC0K3RIi3d4DqwAKVq4skec/VXcVHEqW1JVN09pOdKZn3D8S2BSTUkFkjpm6dRvlACmS1VIXWG1CrefWHn9DiH9xVUP5kmYDzNuP+babE6jbyrElaea8LKBRMUtxbsl9H7qLxLKpdxGSA/8uZgSnHEaOI7jBsOfkTKa0AfZxY+0wYRvuyp/Sd/Lxt6NU3kgxI4XMjNGuL1a9fl446Llsh1/fa1cLh6xXRTX08gWXYjkZyIM8gKYSyq5I+6eI2IK890Sv9tCvmgtI0MA+FpNIlYPCg9RtoKrznfmFt/cxwjhNUR59msa0Fn6CvxgQxFWHjlVH1j5nmUPTM1323E2elPo1JhkR3QuNrC4qGyZStEEGhmTDnQC4d8xaRh1zr9LDjHGAhXZZTTgtwfGs0iiSgw8TOtqt1tzxTMX2L7fsvl7XD+O/9hKFqHej9EhiBzTJp+EyhKqGs9rv0k5cYXu3J7hGw80wnhWFzhvwc7VfzaJjqIT5Uph7MynV5lsNq7iZEx8M7wFtH46gsmHzVKfESLNSG6RIl/0ImW5LgjvKdswATa4Wm9l029JETd+Q9SDg
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:LV8PR01MB8677.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(13230031)(376005)(1800799015)(38070700009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: eXVnzDfkgAlgZCoQqPpqjDk01/PftZJ1sZ71GGsWE24iIzf3QsKaNZK4wxge+4SgUdPiNmBqIeiuCC1S6gbS29BgxqN1sENTKzr1u6ujIAvDK2ws9Rs2PYopmwG+N+/AVc2oSgdddqSswsNe6QcKNdaTtBf8D1s5aMJp0pQZLXD8FSTILnbHIKvlqLWjHX7yPF4PIqOaTp8xVEzvwfard7QG4Pw/+dujqOEj6THTsIsIZhZwC4UpMLnbw0sM13oKC4AbV/KzY3gU9aOyODykPwRP3+1DvI8L2Mp1bYlRm127EoiJKVM1qQSWERK14zEAPLqhcGQnlbq0eXZltXRdn0oAhJrk4sn6q01VRf1FodOV/iL5UhR64hHwMbkTNPJBe4QdPoW4yGfG3nA+ktfFeYINy9yLvY5HFs0JprcgqNDmdEdL99qHemy9dr0n0pSaXvHn7twgtp/Sk6WubcH15XVbWK4EWRw3OZ7SHW9rXBJ8b1epCW7IYozKSSnqBBGHJR437uz7NX8o5MP+YsZDxd02vzru4HOVDhNcGCgsrEO3HByZSG2HZfYM5OQ7S0lj11WXBlP0Vlu060v+lliahQzYQgRKxu+69wgNqNeuKBEb9p98CVmkBsookXFsM6yhyivdhrSD6aHEo+P470rSgC282j1U2+RTDJ7w31jEp157B0JOUeHgNz+m99EBOuubQjNKXV9aPAlqscVp2mTe0JPZWakw5E4nIhmflWNB/iZDcgisJ0tiQKyAILls1H8Dsg7L37I57Q38TmeN3ttHqkPiz0y9xxIFjkxDOFxP48jowVYW5P9h8ZPgUNO2ZhIWV688VO88JL33It4HU5B1Oz73F+HGA27Dxoyo6K4l+kZ26e9mvtnIxbvrL+N/Uvx562kuxZKW5DhTpWlEHwXv61b/by1H2Cpp62oALyvu8AKBPcRY5tV0A8+V95sg7ZuiZJdrEB0BDZ2D1rqQqfvZT9hnxqSHsdo6aivvTwbn6OLTEuooEHqIys8OBsbJ9h/bvzzJl5eJxTy2lyc9yTQQM+AS7P8ShBVZHbfFfEPlbHdd/r2PdzmiwIY5bUZludA55IlT+iG1XQp8Mr0CSDIujoj+QEShq+rOv8iGveAxlLeYQukIZhz6GeRMZVmASycjTzaFh2dUnlwXFSSGH2Pa01pU/5H20sGmP+TGZypG8phUvCqTU0FPiLnQw4bHcUdF7+y4pBAZSvQM3xuqbuC03GV5zHDUO/C6qymUKFd3DpVD1ofD/6moFruil7Aa02hwKFaX5GfvlAEn8KOJ4jwj38OYtchXBnpzZ9srjm1K3xm1FtQs8NnUPrrA5vKyIVZmOk7vHVKEmrSNq1rwAxSw0FoQAxzLxQBqvAEiZGjs5yx1Teuz6E7XfJf4I+0x7QXwvbsxOon9simcj0cKKs4+cni9EmF94Us8IFSSTpvxEW3Mp3RCg8EIa4ZJ4+Exi0imKDRRVaM+QGTr79HAvD0XdH/f7XCUARTs99FQAq+S5/1soVcS6Qa5HcA2p9GIzeOCzB8wEyvQvKleO/CNwDZLXdvypYfO8O20h9UTnp+L1XzAF7Fw2mT6/y/U6Uk85BmO
Content-Type: multipart/alternative; boundary="_000_20CE138427D04AB1AC046434B15075BFmitedu_"
MIME-Version: 1.0
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: LV8PR01MB8677.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 912ad2ba-540e-4491-078b-08dc3f973f2e
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Mar 2024 17:43:21.1873 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: WzSjNbthVK/MN2LxABw0iLgZEoujGjmIrcdAbEiBnvRvR/C1QpwdjyBcTpP19Enb
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL3PR01MB6817
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/eYUahQtcS8Yi6GIFgwbxfaQQMDc>
Subject: Re: [GNAP] Murray Kucherawy's No Objection on draft-ietf-gnap-core-protocol-18: (with COMMENT)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2024 17:43:28 -0000
And now this time — with actual comments! (Accidentally bumped the "send" button, sorry!) Fixed items are in this PR unless otherwise indicated: https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/534 — Justin On Mar 8, 2024, at 11:59 AM, Justin Richer <jricher@mit.edu> wrote: Thank you for the review. Comments inline below. — Justin On Mar 7, 2024, at 10:26 AM, Murray Kucherawy via Datatracker <noreply@ietf.org> wrote: Murray Kucherawy has entered the following ballot position for draft-ietf-gnap-core-protocol-18: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-gnap-core-protocol/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- === My own review isn't done yet, but forwarding some comments from Orie Steele, incoming ART Area Director: """ The AS is uniquely defined by the grant endpoint URI, which the absolute URI where grant requests are started by clients. """ Suggested change "which is the absolute URI" (missing is?). Yes, that’s correct, fixed. """ Grant: (verb): to permit an instance of client software to receive some attributes at a specific time and valid for a specific duration and/or to exercise some set of delegated rights to access a protected resource; (noun): the act of granting permission to a client instance. """ I wonder if these definitions can be shortened to the following without loss of generality? """ Grant: (verb): to permit an instance of client software to receive attributes or to access protected resources. (noun): an expression of attributes or permissions given to an instance of client software. """ I don’t believe we can really tighten them any more than they are — there was considerable debate about the content of most of the definitions, and I believe that removing any specific content would lose the intent of the definition itself at this point. The text about the specificity of the grant is intentionally included to limit the usage. ... """ Some promises can be conditional of some previous interactions (e.g. repeated requests). """ Suggested change: Some promises can be conditioned on previous interactions (e.g. repeated requests). Changed to "Some promises can be affected by previous interactions (e.g., repeated requests). """ In may cases, this happens through a front-channel interaction through the end user's browser. """ Suggested change: In many cases,... Thanks, fixed! In section-2.1.1 """ A unique name chosen by the client instance to refer to the resulting access token. """ Is this meant to be a machine facing string, or a human facing one? Are there unicode consideration that apply to this field, similar to https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-sfbis-05#section-3.3.8 ? Put another way, is deceptive text a security consideration for this field? This is a machine facing string, human should not normally see this. We’ve added text to make that more specific. """ Each object is a subject identifier as defined by [[I-D.ietf-secevent-subject-identifiers](https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-18)]. """ Suggest to update reference to: https://datatracker.ietf.org/doc/html/rfc9493 Updated, thank you. """ If the identified end user does not match the RO present at the AS during an interaction step, and the AS is not explicitly allowing a cross-user authorization, the AS SHOULD reject the request with an unknown_user error. """ Why not MUST? It’s ultimately up to AS policy whether it wants to reject or escalate the request, especially during the interactive section. The AS could decide, for example, to allow the "correct" user to authenticate instead of rejecting outright. Section 2.5.3.1 Indicate Desired Interaction Locales It would have been good to have gotten an i18n review based on this section. I recommend a reference to https://datatracker.ietf.org/doc/html/rfc5895 regarding international domain names, to ensure that language considerations in URLs are also addressed. I don’t see where that would apply in this section. The locales are the client telling the AS "this is what locale I think the user is using because they configured something with me, just fyi". It’s up to the AS to decide what to do with that information, and it’s even likely that an AS would defer to whatever configuration settings it has for the RO once they’ve authenticated during the interaction phases. Can you please expand where you think this would apply? Thank you. In section 3, an informative or normative reference for DID should be provided. Instead of that, we’ve added an explicit reference to RFC9493 which defines the "did" format. We have a normative dependency on RFC9493, not DID, which is only used in this one example. In section 3.4 """ value (string): The assertion value as the JSON string serialization of the assertion. REQUIRED. """ The example starts with "eyj...", is this value meant to also be base64url encoded? It seems like this might also be a JWT, in which case, its not a JSON string, its a string of base64url encoded JSON strings separated by periods. A less elided example might be helpful here. That is an incorrect reading. The value is a JSON string. The content of that string is based on the assertion type. For an ID token, that’s going to be a compact JOSE (so base64url plus JOSE stuff). To make this clearer, we’ve added a new subsection calling out the assertion formats directly. Section 4.1.2 rightly warns of deceptive / indistinguishable unicode, you might consider a citation to https://datatracker.ietf.org/doc/rfc8264/ Thanks for the reference, this has been added. Section 5.3 """ The AS SHOULD check that this presented user information is consistent with any user information previously presented by the client instance or otherwise associated with this grant request. """ What happens if this check is not performed or the information does not match? As with many things in a modification, it’s up to the AS how to handle it. The AS can ignore the presented user information in favor of the RO, it could reject the request because the user isn’t the same and the AS doesn’t want that, it could modify the request to update the RO because it trusts the client instance to know the user (maybe through an assertion the client instance presents). References to ietf-httpbis-message-signatures should be updated to https://datatracker.ietf.org/doc/html/rfc9421 Thank you, done. In section 7.3.3 +jwsd is introduced, but there is no corrosponding registered Structured Syntax Suffixes in https://www.iana.org/assignments/media-type-structured-suffix/media-type-structured-suffix.xhtml or in the document. Similarly `typ: gnap-binding+...` implies a registered media type of `application/gnap-binding+...` `gnap-binding-rotation` is also present but not requested to be registered via IANA media types registry. This has been done in a separate PR: https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/533 In section 11, you may wish to comment on if expired drafts are acceptable references for specification required, so that experts have guidance on this topic. In 11, I wonder if it is truly necessary to request 16 registries from IANA, given the initial entries for some of the registries contain only a single reference. The intent was to create a single page within IANA to house all the registries, such as is done with other protocols, such as OAuth 2: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml and HTTP Signatures: https://www.iana.org/assignments/http-message-signature/http-message-signature.xhtml Each section is a separate registry, but all are collected together under a single heading. If there is a better way to format this request, I would be happy to reformat this. — Justin
- [GNAP] Murray Kucherawy's No Objection on draft-i… Murray Kucherawy via Datatracker
- Re: [GNAP] Murray Kucherawy's No Objection on dra… Justin Richer
- Re: [GNAP] Murray Kucherawy's No Objection on dra… Justin Richer