Re: [Txauth] RS/AS communication for multiparty cases
Denis <denis.ietf@free.fr> Mon, 06 July 2020 20:39 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 772313A0A83 for <txauth@ietfa.amsl.com>; Mon, 6 Jul 2020 13:39:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.62
X-Spam-Level:
X-Spam-Status: No, score=-0.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.276, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G5ChleD-tkzq for <txauth@ietfa.amsl.com>; Mon, 6 Jul 2020 13:39:19 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp10.smtpout.orange.fr [80.12.242.132]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12CEC3A0A80 for <txauth@ietf.org>; Mon, 6 Jul 2020 13:39:18 -0700 (PDT)
Received: from [192.168.1.11] ([86.238.65.197]) by mwinf5d88 with ME id zwfF2200Y4FMSmm03wfGhJ; Mon, 06 Jul 2020 22:39:17 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Mon, 06 Jul 2020 22:39:17 +0200
X-ME-IP: 86.238.65.197
To: Justin Richer <jricher@mit.edu>, Fabien Imbault <fabien.imbault@gmail.com>
Cc: txauth@ietf.org
References: <CAM8feuT20tPAAkCUE2rKyQ1MTc--14bNNRu1cPTs2xvbJAfMcA@mail.gmail.com> <ecb0bdf2-5ec6-db9b-39f7-054a6b7f7603@free.fr> <CAM8feuT6u1oGpaj=Eoeh8ye36ZWNTYn-Xt-GH5KF5bnx1_cMmA@mail.gmail.com> <8a723292-4d04-63c7-e57c-7e7307e145c8@free.fr> <CAM8feuQ-QpPzkT61PYTYh_wb65Xmj4E4pxP529OQkbDKJu3rmQ@mail.gmail.com> <2F429EC5-85FD-4991-AED8-8478BD371A00@mit.edu>
From: Denis <denis.ietf@free.fr>
Message-ID: <9f2f39f0-9f72-c76e-e3b1-c35a75bd69d8@free.fr>
Date: Mon, 06 Jul 2020 22:39:13 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <2F429EC5-85FD-4991-AED8-8478BD371A00@mit.edu>
Content-Type: multipart/alternative; boundary="------------D654A8511FA717314FC89EAE"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/f0XtlMAA7P9qPKfCJbBZdnX6qyI>
Subject: Re: [Txauth] RS/AS communication for multiparty cases
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 20:39:23 -0000
Hi Justin, > Fabien and Denis, > > I think here we can see that there are multiple different directions > that people’s use cases and concerns will pull GNAP’s design. Some > want to have the AS have no knowledge of the RS, and only the client > to know that; others want the AS to have knowledge of all of its RS’s > and be able to dispatch an naive client to one. The thing is, I think > both of these have merit and both of them can be accommodated in the > protocol. Allowing one does not disallow the other. It’s not up to > GNAP to decide which of these approaches is morally correct. As soon as we allow a RS to get access tokens from multiples ASs, the driving of a client by a *single AS* does not make sense any more. If we allow the RSs to drive the clients, it will also apply to "naive clients" and then they do not need to be driven by a *single AS*. The model should be the same whether a RS requests to get an access token from a single AS or from multiple ASs. The delegation model would also be quite different whether the client will be driven by a single AS or be driven by each RS that is attempting to respond to an original operation. Has the delegation model been discussed on the mailing list ? Accommodating both approaches in the same protocol appears to me rather difficult: I do not see how "privacy by design" could be melt into "spy by design" nor how "spy by design" could be melt into "privacy by design". Denis > In particular, addressing both of these dimensions is one of the > things that having a multi-dimensional language for requesting > resources in a standard way is going to help beyond what OAuth 2 can > do. These queries can be designed in such a way to minimize disclosure > to the AS or to minimize the amount of knowledge in the client, or > anywhere in between. Ultimately it’s up to the RS to decide whether > the rights associated with the token are good enough for the request, > and GNAP’s proposed charter says we’ll be defining both a means for > fine-grained requests as well as a consistent data model for the > token’s rights. Neither of these assumes that the RS will be > identified, nor that it can’t be. > > — Justin > >> On Jul 6, 2020, at 7:06 AM, Fabien Imbault <fabien.imbault@gmail.com >> <mailto:fabien.imbault@gmail.com>> wrote: >> >> Hi Denis, >> >> Thanks for your feedback. Your scheme is interesting and covers well >> the personal access. >> >> The variant I'm referring to is multiparty access, which is a fairly >> common pattern also. Handled as an extension in Oauth2, but to my >> knowledge it requires an additional relationship between RS and AS. >> Maybe we can come up with an alternative design, I don't know yet. >> >> Cheers. >> >> Fabien >> >> >> Le lun. 6 juil. 2020 à 12:23, Denis <denis.ietf@free.fr >> <mailto:denis.ietf@free.fr>> a écrit : >> >> Hello Fabien, >>> Thanks Denis. It clarifies what you have in mind. >>> >>> While I agree with the general idea that we need to take privacy >>> more seriously, there are a few hypotheses that we need to put >>> in perspective : >>> >>> 1) AS-RS relationship <=> big brother. It may happen as we all >>> know, but you always have the choice as a user to not deal with >>> orgs you don't like >>> or maybe even take action if they don't respect the law. >> >> Unfortunately, the choice you mention is not always possible. >> There is a fundamental point here: since it is not always >> possible to trust an AS to respect the law, >> it is possible to build an architecture where the AS will be >> unable to by-pass the law. It is the difference between : >> >> * "the AS *should not* do this or that" (but it could if it >> would) and >> * "the AS *cannot do* this or that" (it cannot even if it would). >> >>> 2) the collusion possibility (Alice's uncle) : there are of >>> course situations where that may be an issue. This is I guess >>> the reason for the sovrin foundation >>> to require that only approved issuers can participate. But even >>> if you open up the system, it always ends up as whether you can >>> trust the uncle to be honest >>> in the first place (knowing that trust is a social construct). >> >> When using computers, trust is not a "social construct". It is a >> construction where an entity A trusts an entity B for some >> behaviour C. >> In the ABC attack, the RS will never know whether someone >> forwarded or not an access token to Alice. >> >>> So I may require the issuer to be a well known participant instead. >>> >>> 3) The use of hardware FIDO inspired components does relax some >>> of the previous concern, but comes with its own sets of challenges. >>> Biometrics come with their own sets of potential issues. >> >> The use of FIDO does not imply that you must use its biometrics >> features. >> >>> More trivially, if you loose your hardware, you loose your ID. >> >> If you loose your ID, you should report of its loss. It also >> means that by design, a mechanism has been constructed to recover >> from the situation >> within a short period of time. Unfortunately, such a property is >> currently missing in FIDO, but it does not mean that it cannot be >> added. >> >>> And there can also be hacks in hardware. If I find a way to >>> import or export the private key from the enclave, the system fails. >> >> The whole system does not fail. When someone attempts to export a >> private key from an hardware device in an unlawful way, it takes >> some time and some expertise. >> As soon as the legitimate holder realizes the lost of his >> hardware, he should report the loss. Then after, the discovery of >> private keys stored into the device is no more an issue. >> >>> So in the end, I agree it's best to enable as much privacy by >>> design as we possibly can, but we need to put that in >>> perspective with use cases too and make some tradeoffs. >>> Healthcare in particular is a domain that is concerned with a >>> constant balance between privacy and security, and sometimes >>> there is no possibility to tick all boxes. >>> I think an UMA2/OpenId Heart scenario is a very important case >>> to consider in that respect. >> >> The goal of this BoF/WG is not to rubber-stamp the "Health >> Relationship Trust Profile for User-Managed Access 2.0" >> specification. >> >> Since the "Health Relationship Trust Profile for User-Managed >> Access 2.0" specification has nothing really specific to >> healthcare, what is the "very important case" you have in mind ? >> Would it be possible to model a specific characteristic you have >> in mind in terms of model components, operations flows, trust >> relationships, privacy requirements and security requirements ? >> >> Denis >> >>> >>> Fabien >>> >>> >>> >>> >>> On Fri, Jul 3, 2020 at 12:01 PM Denis <denis.ietf@free.fr >>> <mailto:denis.ietf@free.fr>> wrote: >>> >>> Hello Fabien, >>> >>> In 2017, I made a presentation at the OAuth workshop in Zurich. >>> >>> The paper is available from: >>> https://zisc.ethz.ch/wp-content/uploads/2017/02/pinkas_privacy-by-design-eID-scheme-supporting-Attribute-based-Access-Control.pdf >>> >>> The slides are available from: >>> https://zisc.ethz.ch/wp-content/uploads/2017/02/pinkas_privacybydesign.ppt >>> _Note_: The slides should be viewed "full screen" to get the >>> animations. >>> >>> The general approach is how to construct from scratch a >>> "privacy by design" architecture taking also into >>> consideration "security by design". >>> >>> Coming back to your requirement, I would not cover it if it >>> infringes the sentence "the RS and the AS never communicate >>> directly". >>> >>> You should start your design by defining the trust >>> relationships, then apply the privacy requirements while not >>> forgetting the security requirements. >>> >>> Denis >>> >>>> Hello Denis, >>>> >>>> I have been following your comments. I still fail to see >>>> the global privacy preserving architecture you're >>>> proposing. It would help to get a more thorough proposal if >>>> you can. >>>> >>>> But more specifically, I have a comment on : >>>> >>>> "I would have preferred that you meant: the RS and the AS never >>>> communicate directly, which is indeed a nice property to follow >>>> to ensure the user's privacy." >>>> I think that may come as an issue in some cases, especially for multiparty patterns (like in UMA). Typically we may wish the RS to start a grant request and use the handle to continue until a token is generated. >>>> I think those cases, which weren't initially covered by OAuth2, are very important to cover as well. How would you cover such requirements? >>>> Fabien >>>> >>> >> >> -- >> Txauth mailing list >> Txauth@ietf.org <mailto:Txauth@ietf.org> >> https://www.ietf.org/mailman/listinfo/txauth >
- [Txauth] RS/AS communication for multiparty cases Fabien Imbault
- Re: [Txauth] RS/AS communication for multiparty c… Denis
- Re: [Txauth] RS/AS communication for multiparty c… Fabien Imbault
- Re: [Txauth] RS/AS communication for multiparty c… Denis
- Re: [Txauth] RS/AS communication for multiparty c… Fabien Imbault
- Re: [Txauth] RS/AS communication for multiparty c… Justin Richer
- Re: [Txauth] RS/AS communication for multiparty c… Denis