Re: [Txauth] RS/AS communication for multiparty cases
Fabien Imbault <fabien.imbault@gmail.com> Fri, 03 July 2020 14:46 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E69BA3A0860 for <txauth@ietfa.amsl.com>; Fri, 3 Jul 2020 07:46:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0B-y0brAGftP for <txauth@ietfa.amsl.com>; Fri, 3 Jul 2020 07:46:25 -0700 (PDT)
Received: from mail-il1-x12a.google.com (mail-il1-x12a.google.com [IPv6:2607:f8b0:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 382703A0835 for <txauth@ietf.org>; Fri, 3 Jul 2020 07:46:25 -0700 (PDT)
Received: by mail-il1-x12a.google.com with SMTP id r12so20278573ilh.4 for <txauth@ietf.org>; Fri, 03 Jul 2020 07:46:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ijeGpa0ty3w+ZEVPKrKX7rS9ku+srtTgYxM7Gt5F+sI=; b=GsP7RHqKOSRWgCK5Wg/ojW2Om1hW1WI6Hq/CEV4t5q8YbTnUtIycHyJQcwEvX5w9vv uogAcVQ46vnu1ZnH4itj/Q6tP6WMrKXp7RQe6JgRmAs5oww3f8evbLV6GapNz2fu5yEF f7bFajlZCBycPELRIn9CwotZAoVI+t8vf4f/NwDBtvsi92Y4OR9E18nn2/cllQwUr3Zc 00b7zXzzPezPStGdxdC/9Db04YPPFp2MpGFrRxnQm0smM/G0eR6f81W/5yYjbdSW0JNn Z154igwycYxwqWKcs/axjjzCXvtT2EVizq4nHdmh6dNyb5PlPVSoxEe6acS9qlfmzYJe uVHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ijeGpa0ty3w+ZEVPKrKX7rS9ku+srtTgYxM7Gt5F+sI=; b=OnKxFwhAnIhKXb7o7ippDqYzEcXKreqXmDtf21AzkvhH9IkoWRXK3NEPXiI8OhY6N0 5nPEILpO5RUR5XcgdxAfZyyzp2zAuZL+sLV8m5eUgSO7PXgBv5Cwjl4ltqt90R8+3A7y rEvQyTA3znIL8El0ValCF0x/Al9YLUdhoTL1tH22ed7BmX8G4nWIvfh778+22+LJmD3T qp/xRzI8jeMujKwHkUJQIeTWOyrLHkhsa7yKZqOgcB2cVjCdwItiK9MQVGIFeHYIeoUC NHi1mS3fHUWTEiZMD1eRQN+mBCCeHf/PtHoF/3EeXK7ZJWXO0uvGnkjNfjBRZ2JN/UNq VUqg==
X-Gm-Message-State: AOAM533dFge0qgAgzrk0GCMaZAoOV468ZSbSBur4QRPXVqg7QUZCkfoy naWbTjMYPJIuxxvXn+KE/y1SHlqJ9gnp6zSyOOZ0T80W
X-Google-Smtp-Source: ABdhPJyk4NeT5ViDtqckfzyM7GUBYIsauqcb2xijctdwCq1g4lT76Pi5hD6BfNyywcoK6Q2HGD76/+sKyEigvX1H/Lk=
X-Received: by 2002:a92:b749:: with SMTP id c9mr18798390ilm.289.1593787584383; Fri, 03 Jul 2020 07:46:24 -0700 (PDT)
MIME-Version: 1.0
References: <CAM8feuT20tPAAkCUE2rKyQ1MTc--14bNNRu1cPTs2xvbJAfMcA@mail.gmail.com> <ecb0bdf2-5ec6-db9b-39f7-054a6b7f7603@free.fr>
In-Reply-To: <ecb0bdf2-5ec6-db9b-39f7-054a6b7f7603@free.fr>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 03 Jul 2020 16:46:13 +0200
Message-ID: <CAM8feuT6u1oGpaj=Eoeh8ye36ZWNTYn-Xt-GH5KF5bnx1_cMmA@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: txauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d090e305a98a96f4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/h8NonNGVELjEaah7DLh3WZs6l10>
Subject: Re: [Txauth] RS/AS communication for multiparty cases
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2020 14:46:27 -0000
Thanks Denis. It clarifies what you have in mind. While I agree with the general idea that we need to take privacy more seriously, there are a few hypotheses that we need to put in perspective : 1) AS-RS relationship <=> big brother. It may happen as we all know, but you always have the choice as a user to not deal with orgs you don't like or maybe even take action if they don't respect the law. 2) the collusion possibility (Alice's uncle) : there are of course situations where that may be an issue. This is I guess the reason for the sovrin foundation to require that only approved issuers can participate. But even if you open up the system, it always ends up as whether you can trust the uncle to be honest in the first place (knowing that trust is a social construct). So I may require the issuer to be a well known participant instead. 3) The use of hardware FIDO inspired components does relax some of the previous concern, but comes with its own sets of challenges. Biometrics come with their own sets of potential issues. More trivially, if you loose your hardware, you loose your ID. And there can also be hacks in hardware. If I find a way to import or export the private key from the enclave, the system fails. So in the end, I agree it's best to enable as much privacy by design as we possibly can, but we need to put that in perspective with use cases too and make some tradeoffs. Healthcare in particular is a domain that is concerned with a constant balance between privacy and security, and sometimes there is no possibility to tick all boxes. I think an UMA2/OpenId Heart scenario is a very important case to consider in that respect. Fabien On Fri, Jul 3, 2020 at 12:01 PM Denis <denis.ietf@free.fr> wrote: > Hello Fabien, > > In 2017, I made a presentation at the OAuth workshop in Zurich. > > The paper is available from: > https://zisc.ethz.ch/wp-content/uploads/2017/02/pinkas_privacy-by-design-eID-scheme-supporting-Attribute-based-Access-Control.pdf > > The slides are available from: > https://zisc.ethz.ch/wp-content/uploads/2017/02/pinkas_privacybydesign.ppt > *Note*: The slides should be viewed "full screen" to get the animations. > > The general approach is how to construct from scratch a "privacy by > design" architecture taking also into consideration "security by design". > > Coming back to your requirement, I would not cover it if it infringes the > sentence "the RS and the AS never communicate directly". > > You should start your design by defining the trust relationships, then > apply the privacy requirements while not forgetting the security > requirements. > > Denis > > Hello Denis, > > I have been following your comments. I still fail to see the global > privacy preserving architecture you're proposing. It would help to get a > more thorough proposal if you can. > > But more specifically, I have a comment on : > > "I would have preferred that you meant: the RS and the AS never > communicate directly, which is indeed a nice property to follow > to ensure the user's privacy." > > I think that may come as an issue in some cases, especially for multiparty patterns (like in UMA). Typically we may wish the RS to start a grant request and use the handle to continue until a token is generated. > > I think those cases, which weren't initially covered by OAuth2, are very important to cover as well. How would you cover such requirements? > > Fabien > > > >
- [Txauth] RS/AS communication for multiparty cases Fabien Imbault
- Re: [Txauth] RS/AS communication for multiparty c… Denis
- Re: [Txauth] RS/AS communication for multiparty c… Fabien Imbault
- Re: [Txauth] RS/AS communication for multiparty c… Denis
- Re: [Txauth] RS/AS communication for multiparty c… Fabien Imbault
- Re: [Txauth] RS/AS communication for multiparty c… Justin Richer
- Re: [Txauth] RS/AS communication for multiparty c… Denis