Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
Tom Jones <thomasclinganjones@gmail.com> Fri, 26 June 2020 22:09 UTC
Return-Path: <thomasclinganjones@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1619C3A0CE5; Fri, 26 Jun 2020 15:09:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TT933suRZsb3; Fri, 26 Jun 2020 15:09:54 -0700 (PDT)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 436AD3A0CE0; Fri, 26 Jun 2020 15:09:47 -0700 (PDT)
Received: by mail-ot1-x333.google.com with SMTP id q21so2483916otc.7; Fri, 26 Jun 2020 15:09:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gXarehUMIi/W4CfH4Yu4hMrDdsxcxvEtbHZ6yp4vgMI=; b=XTLc9zQ6RY9yuELbn2hWYJOHXH2myLp3ceRcFazxAm+R0k7xPiaClEw+6hIbGB0EEE XLHGreCfYLfo9MJlwxtg6tVPsxaWoOW7f2FzV9vsisA5uoJsYT2Z2DlY0Ay9+xNmRNzA e3pSZEvC3UYBZfKwAKVkdCO6g+MCt5IO8DEdmnR2LRbCh5+vkthsRi1oaDXcdpJ+iaVY rwRBCg3uVCjcWwQdM8RF3/1Mwmp2ANgNeD3ewGnLJFES76kxRljOG6oTY03/n+39B5RC UA6MBddavXL8vOi3fSdrqJCDNUltmcO1xmqyL8mlYRecSTpG2C3gxXWy6u5vWdVI56Nh kkKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gXarehUMIi/W4CfH4Yu4hMrDdsxcxvEtbHZ6yp4vgMI=; b=DDtDW8NMVzsC+O5HLxyVpLdIVOkhp0d7813Kzm8fGxpxN8+2ifRdcA5jB4QSvZd9/S uCq+7qJuYv3LI7+oRXkNEJD0ULBTH29lvfgdYN4SYwbxfIw63IymX1K/A1NU0SEbsn9o GwjFGlzvz6WfXnXEH2k62dc6gHwdLs2xIahCBrM2Oi6Vu68ybZlHHMp86r6RxnYp2601 p7Cwqu1CvMudiDxCDYKpEhQKhOdxpb8d/QLgrgiNozVoJK423jc2yDK/PRXq8IMoU8mK loGBrdkC+jp2jZ8zG0Du81c+/fhlT8sgSh/p+yIzlg5lIUg57pJk5mFKG7wExIrF6Dq6 epjw==
X-Gm-Message-State: AOAM533dE5Woj1uTK7f0YV4q9HOf8VQqaAHp1ue2Yg1OJULSLFxyji4d lUMOr0r+LJIygk1CvNPRjO36GHbrIpWgkQjsd8o=
X-Google-Smtp-Source: ABdhPJzD6m3qR2jAg4MLESa5LjvXGI61vBZ4JxEfhMa4EVXJZJslipM9AYvkOQbnB63dI48ZNR7kjCKngYJvCfv59ds=
X-Received: by 2002:a05:6830:837:: with SMTP id t23mr4065501ots.87.1593209386356; Fri, 26 Jun 2020 15:09:46 -0700 (PDT)
MIME-Version: 1.0
References: <159318778098.29096.6482921706088845432@ietfa.amsl.com> <CAD9ie-voeZUSaYVwWHHTN8ocsHq6OCReiOLOixxqOZ2qO3aOSw@mail.gmail.com> <830A4653-5912-46DE-8173-BA149899FDD3@mit.edu>
In-Reply-To: <830A4653-5912-46DE-8173-BA149899FDD3@mit.edu>
From: Tom Jones <thomasclinganjones@gmail.com>
Date: Fri, 26 Jun 2020 15:09:34 -0700
Message-ID: <CAK2Cwb7KNHr1pEaeK=5iGZW6ij8YAtFt2khFiFOf1FfUaG9QtQ@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: The IESG <iesg@ietf.org>, txauth@ietf.org, Dick Hardt <dick.hardt@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000086d8b505a903f719"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/f6dd6WeH889Te4dVY983cOrgoF4>
Subject: Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2020 22:09:57 -0000
Right - I have already proposed binding to application level keys in other venues and strongly oppose continued use of channel binding. Peace ..tom On Fri, Jun 26, 2020 at 2:03 PM Justin Richer <jricher@mit.edu> wrote: > I agree with this proposed change in wording for the milestones. We don’t > want to artificially limit the key binding presentation mechanisms. While I > think the three listed are likely to be among the first ones we see (based > on prior art and current community interest), I don’t think we can predict > entirely what will be developed by the group and when. > > — Justin > > On Jun 26, 2020, at 1:21 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > > > > I am concerned with the following milestones: > > > Oct 2021 - Key presentation mechanism binding to the core protocol, > TLS, to > WGLC > > Oct 2021 - Key presentation mechanism binding to the core protocol, > detached HTTP signatures, to WGLC > > Oct 2021 - Key presentation mechanism binding to the core protocol, > embedded HTTP signature, to WGLC > > I think it is overly prescriptive to specify which key presentation > mechanisms will be created, and it implies that other key presentation > mechanisms will not be worked on. While it is possible that channel binding > mechanisms such as TLS, detached HTTP signatures, and embedded HTTP > signatures will be appropriate key presentation mechanisms for GNAP, it is > also quite possible that the WG will determine one or more are not > appropriate, or the underlying mechanism may not gain acceptance, or > channel binding is not always needed. For example, the effort to bind OAuth > access tokens using RFC8471 was disbanded. > > Additionally, there are two primary communication channels in the protocol > that have different security requirements. The client to authorization > server, and the client to resource server. The term "core protocol" is > vague and could be construed that the same mechanism MUST be used in both > channels. > > I propose the following new wording: > > Oct 2021 - Key presentation mechanism binding for each communication > channel to WGLC. > > > ---------- Forwarded message --------- > From: The IESG <iesg-secretary@ietf.org> > Date: Fri, Jun 26, 2020 at 9:10 AM > Subject: WG Review: Grant Negotiation and Authorization Protocol (gnap) > To: IETF-Announce <ietf-announce@ietf.org> > Cc: <txauth@ietf.org> > > > A new IETF WG has been proposed in the Security Area. The IESG has not made > any determination yet. The following draft charter was submitted, and is > provided for informational purposes only. Please send your comments to the > IESG mailing list (iesg@ietf.org) by 2020-07-06. > > Grant Negotiation and Authorization Protocol (gnap) > ----------------------------------------------------------------------- > Current status: Proposed WG > > Chairs: > Yaron Sheffer <yaronf.ietf@gmail.com> > Leif Johansson <leifj@sunet.se> > > Assigned Area Director: > Roman Danyliw <rdd@cert.org> > > Security Area Directors: > Benjamin Kaduk <kaduk@mit.edu> > Roman Danyliw <rdd@cert.org> > > Mailing list: > Address: txauth@ietf.org > To subscribe: https://www.ietf.org/mailman/listinfo/txauth > Archive: https://mailarchive.ietf.org/arch/browse/txauth/ > > Group page: https://datatracker.ietf.org/group/gnap/ > > Charter: https://datatracker.ietf.org/doc/charter-ietf-gnap/ > > This group is chartered to develop a fine-grained delegation protocol for > authorization and API access, as well as requesting and providing user > identifiers and claims. This protocol will allow an authorizing party to > delegate access to client software through an authorization server. It will > expand upon the uses cases currently supported by OAuth 2.0 and OpenID > Connect > (itself an extension of OAuth 2.0) to support authorizations scoped as > narrowly as a single transaction, provide a clear framework for interaction > among all parties involved in the protocol flow, and remove unnecessary > dependence on a browser or user-agent for coordinating interactions. > > The delegation process will be acted upon by multiple parties in the > protocol, > each performing a specific role. The protocol will decouple the interaction > channels, such as the end user’s browser, from the delegation channel, > which > happens directly between the client and the authorization server (in > contrast > with OAuth 2.0, which is initiated by the client redirecting the user’s > browser). The protocol will include a means of specifying how the user can > potentially be involved in an interactive fashion during the delegation > process. The client and Authorization Server (AS) will use these > interaction > mechanisms to involve the user, as necessary, to make authorization > decisions. > This decoupling avoids many of the security concerns and technical > challenges > of OAuth 2.0 and provides a non-invasive path for supporting future types > of > clients and interaction channels. > > The group will define interoperability for this protocol between different > parties, including > - client and authorization server; > - client and resource server; and > - authorization server and resource server. > > The group will seek to minimize assumptions about the form of client > applications, allowing for: > - Fine-grained specification of access > - Approval of AS attestation to identifiers and other identity claims > - Approval of access to multiple resources and APIs in a single interaction > - Support for multiple access tokens in a single request and response > - Support for directed, audience-restricted access tokens > - Separation between the party authorizing access and the party operating > the > client requesting access > > The group will define extension points for this protocol to allow for > flexibility in areas including: > > - Cryptographic agility for keys, message signatures, and proof of > possession > - User interaction mechanisms including web and non-web methods > - Mechanisms for conveying user, software, organization, and other > information used in authorization decisions > - Mechanisms for presenting tokens to resource servers and binding resource > requests to tokens and associated cryptographic keys > - Optimized inclusion of additional information (including identifiers and > identity assertions) through the delegation process > > Additionally, the group will provide mechanisms for management of the > protocol > lifecycle including: > > - Discovery of the authorization server > - Revocation of active tokens > - Mechanisms for the AS and RS to communicate the access granted by an > access > token > > Although the artifacts for this work are not intended or expected to be > backwards-compatible with OAuth 2.0 or OpenID Connect, the group will > attempt > to simplify migrating from OAuth 2.0 and OpenID Connect to the new protocol > where possible. > > This group is not chartered to develop extensions to OAuth 2.0, and as such > will focus on new technological solutions not necessarily compatible with > OAuth 2.0. Functionality that builds directly on OAuth 2.0 will be directed > to the OAuth Working Group, including functionality back-ported from the > protocol developed here to OAuth 2.0. > > The group is chartered to develop mechanisms for applying cryptographic > methods, such as JOSE and COSE, to the delegation process. This group is > not > chartered to develop new cryptographic methods. > > The group is chartered to develop mechanisms for conveying identity > information within the protocol including existing identifiers (such as > email > addresses, phone numbers, usernames, and subject identifiers) and > assertions > (such as OpenID Connect ID Tokens, SAML Assertions, and Verifiable > Credentials). The group is not chartered to develop new formats for > identifiers or assertions, nor is the group chartered to develop schemas > for > user information, profiles, or other identity attributes, unless a viable > existing format is not available. > > The initial work will focus on using HTTPS for communication between the > client and the authorization server, taking advantage of optimization > features of HTTP/2 and HTTP/3 where possible, and will strive to enable > simple mapping to other protocols such as COAP when doing so does not > conflict with the primary focus. > > Milestones to include: > - Core delegation protocol > - Key presentation mechanism bindings to the core protocol including TLS, > detached HTTP signature, and embedded HTTP signatures > - Conveyance mechanisms for identifiers and assertions > - Guidelines for use of protocol extension points > - (if needed) Guidelines on migration paths, implementation, and operations > > Where possible, the group will seek to make use of tools to guide and > inform > the standardization process including formal analysis, architecture > documents, > and use case documents. These artifacts will not be considered as working > group milestones or deliverables. > > The working group will cooperate and coordinate with other IETF WGs such as > OAUTH, and work with external organizations, such as the OpenID Foundation, > as appropriate. > > Milestones: > > Jul 2021 - Core delegation protocol in WGLC > > Oct 2021 - Key presentation mechanism binding to the core protocol, TLS, > to > WGLC > > Oct 2021 - Key presentation mechanism binding to the core protocol, > detached HTTP signatures, to WGLC > > Oct 2021 - Key presentation mechanism binding to the core protocol, > embedded HTTP signature, to WGLC > > Dec 2021 - Guidelines for use of protocol extension points to WGLC > > Feb 2022 - Guidelines on migration paths, implementation, and operations > to > WGLC > > > > _______________________________________________ > IETF-Announce mailing list > IETF-Announce@ietf.org > https://www.ietf.org/mailman/listinfo/ietf-announce > ᐧ > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > > > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth >
- [Txauth] WG Review: Grant Negotiation and Authori… The IESG
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Mike Varley
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Roman Danyliw
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Roman Danyliw
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Roman Danyliw
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer