IETF Logo Mail Archive

Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)

Dick Hardt <dick.hardt@gmail.com> Fri, 26 June 2020 17:22 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 580BB3A09EA; Fri, 26 Jun 2020 10:22:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H_7ZS8B8wUEA; Fri, 26 Jun 2020 10:22:05 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58CD13A09B3; Fri, 26 Jun 2020 10:22:05 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id 9so11132597ljc.8; Fri, 26 Jun 2020 10:22:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Abs5g8gR78BFz5HJQtQxLXVKQy2U3QlIAu1WemC+KAs=; b=hr7JJxcOpCoCY6VoItY0JMo/xdM1k0UnpSylE1qvp4BQuRK+U/te1ydRJQL7Zqr3vL V8TsfgLbsFKVL9Jo4lF11SLW9CF5VMnwigI/YEkfjBKf1VrGdS4brisd6TVWktO7M7mb vUIfluY70nA2scBGQ6dap7npEHF47fIcxHPOTqH+ZpLF1HCFlkmsdp9Rpux7wpHj9yOd 5J7eoBuwsue76C0VQjLMf4Fr/DC5DoV4NvaSTS6BHTUMdzqC1QqWqHAbk21/I2oWvXp8 2iDUCdATk+MlDzs+RPyF7JXTYEfnNBD+Gp9GtgzF29SrLFhxgpfx5Lp7+YviemIVniw2 WUBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Abs5g8gR78BFz5HJQtQxLXVKQy2U3QlIAu1WemC+KAs=; b=pvYTRYVnLB3Q3Jr3ZXfg2R0v6iqHbzRbIOSA+ra5C53opoe5hDcnmkSBYrscZumgz7 GMfCrmxZN90/Mw3rzpRQVT4QJmVFLOboppa0pkIcjmnuwDSJ8GKxYGJ3ytbpRYrtJ2h3 ZisfSDpYNU5GFc1lrMj44kKUPiNF5gUxxJbzV1XEq8+1sUW0SgiaGT44NKB183SsQhF/ YfODQMO5iv4JYPqzKvncPBWzJ7D8jfYo09HQf6xgeX4uZttgqK4FXKB6Dmy25I0OeFNp yzUIM/Bp9pe4if9wAIeRK7wxgxfMQ8EK0soqDRErIXJewr12xBlazxxzLs0eyS1aNt0q HQFQ==
X-Gm-Message-State: AOAM532pDhMe0AuBodpaGFT0nhnbbZrlTdIhhRjclM8xx+Mf+lLW6FB6 mQBhpP6yKhpuHVEWSyWJiWsA+mXaYKHPbFxZ8k1HsuzpzwA=
X-Google-Smtp-Source: ABdhPJxrMKXYn57sK7SFQ9FM7aZMP+gt6bJSoXLUbcQ1N8cqiiMmEk3d8VhGFrztzJLV+zkILm+2wB/Z0eHMWv65HXE=
X-Received: by 2002:a05:651c:547:: with SMTP id q7mr1791605ljp.437.1593192123131; Fri, 26 Jun 2020 10:22:03 -0700 (PDT)
MIME-Version: 1.0
References: <159318778098.29096.6482921706088845432@ietfa.amsl.com>
In-Reply-To: <159318778098.29096.6482921706088845432@ietfa.amsl.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 26 Jun 2020 10:21:27 -0700
Message-ID: <CAD9ie-voeZUSaYVwWHHTN8ocsHq6OCReiOLOixxqOZ2qO3aOSw@mail.gmail.com>
To: iesg@ietf.org
Cc: txauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008eed2405a8fff285"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/hEmrAS0E9u2DQobBqiIzXlxC8FY>
Subject: Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2020 17:22:08 -0000

I am concerned with the following milestones:


  Oct 2021 - Key presentation mechanism binding to the core protocol, TLS,
to
  WGLC

  Oct 2021 - Key presentation mechanism binding to the core protocol,
  detached HTTP signatures, to WGLC

  Oct 2021 - Key presentation mechanism binding to the core protocol,
  embedded HTTP signature, to WGLC

I think it is overly prescriptive to specify which key presentation
mechanisms will be created, and it implies that other key presentation
mechanisms will not be worked on. While it is possible that channel binding
mechanisms such as TLS, detached HTTP signatures, and embedded HTTP
signatures will be appropriate key presentation mechanisms for GNAP, it is
also quite possible that the WG will determine one or more are not
appropriate, or the underlying mechanism may not gain acceptance, or
channel binding is not always needed. For example, the effort to bind OAuth
access tokens using RFC8471 was disbanded.

Additionally, there are two primary communication channels in the protocol
that have different security requirements. The client to authorization
server, and the client to resource server. The term "core protocol" is
vague and could be construed that the same mechanism MUST be used in both
channels.

I propose the following new wording:

Oct 2021 - Key presentation mechanism binding for each communication
channel to WGLC.


---------- Forwarded message ---------
From: The IESG <iesg-secretary@ietf.org>
Date: Fri, Jun 26, 2020 at 9:10 AM
Subject: WG Review: Grant Negotiation and Authorization Protocol (gnap)
To: IETF-Announce <ietf-announce@ietf.org>
Cc: <txauth@ietf.org>


A new IETF WG has been proposed in the Security Area. The IESG has not made
any determination yet. The following draft charter was submitted, and is
provided for informational purposes only. Please send your comments to the
IESG mailing list (iesg@ietf.org) by 2020-07-06.

Grant Negotiation and Authorization Protocol (gnap)
-----------------------------------------------------------------------
Current status: Proposed WG

Chairs:
  Yaron Sheffer <yaronf.ietf@gmail.com>
  Leif Johansson <leifj@sunet.se>

Assigned Area Director:
  Roman Danyliw <rdd@cert.org>

Security Area Directors:
  Benjamin Kaduk <kaduk@mit.edu>
  Roman Danyliw <rdd@cert.org>

Mailing list:
  Address: txauth@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/txauth
  Archive: https://mailarchive.ietf.org/arch/browse/txauth/

Group page: https://datatracker.ietf.org/group/gnap/

Charter: https://datatracker.ietf.org/doc/charter-ietf-gnap/

This group is chartered to develop a fine-grained delegation protocol for
authorization and API access, as well as requesting and providing user
identifiers and claims. This protocol will allow an authorizing party to
delegate access to client software through an authorization server. It will
expand upon the uses cases currently supported by OAuth 2.0 and OpenID
Connect
(itself an extension of OAuth 2.0) to support authorizations scoped as
narrowly as a single transaction, provide a clear framework for interaction
among all parties involved in the protocol flow, and remove unnecessary
dependence on a browser or user-agent for coordinating interactions.

The delegation process will be acted upon by multiple parties in the
protocol,
each performing a specific role. The protocol will decouple the interaction
channels, such as the end user’s browser, from the delegation channel, which
happens directly between the client and the authorization server (in
contrast
with OAuth 2.0, which is initiated by the client redirecting the user’s
browser). The protocol will include a means of specifying how the user can
potentially be involved in an interactive fashion during the delegation
process. The client and Authorization Server (AS) will use these interaction
mechanisms to involve the user, as necessary, to make authorization
decisions.
This decoupling avoids many of the security concerns and technical
challenges
of OAuth 2.0 and provides a non-invasive path for supporting future types of
clients and interaction channels.

The group will define interoperability for this protocol between different
parties, including
 - client and authorization server;
 - client and resource server; and
 - authorization server and resource server.

The group will seek to minimize assumptions about the form of client
applications, allowing for:
- Fine-grained specification of access
- Approval of AS attestation to identifiers and other identity claims
- Approval of access to multiple resources and APIs in a single interaction
- Support for multiple access tokens in a single request and response
- Support for directed, audience-restricted access tokens
- Separation between the party authorizing access and the party operating
the
client requesting access

The group will define extension points for this protocol to allow for
flexibility in areas including:

- Cryptographic agility for keys, message signatures, and proof of
possession
- User interaction mechanisms including web and non-web methods
- Mechanisms for conveying user, software, organization, and other
information used in authorization decisions
- Mechanisms for presenting tokens to resource servers and binding resource
requests to tokens and associated cryptographic keys
- Optimized inclusion of additional information (including identifiers and
identity assertions) through the delegation process

Additionally, the group will provide mechanisms for management of the
protocol
lifecycle including:

- Discovery of the authorization server
- Revocation of active tokens
- Mechanisms for the AS and RS to communicate the access granted by an
access
token

Although the artifacts for this work are not intended or expected to be
backwards-compatible with OAuth 2.0 or OpenID Connect, the group will
attempt
to simplify migrating from OAuth 2.0 and OpenID Connect to the new protocol
where possible.

This group is not chartered to develop extensions to OAuth 2.0, and as such
will focus on new technological solutions not necessarily compatible with
OAuth 2.0. Functionality that builds directly on OAuth 2.0 will be directed
to the OAuth Working Group, including functionality back-ported from the
protocol developed here to OAuth 2.0.

The group is chartered to develop mechanisms for applying cryptographic
methods, such as JOSE and COSE, to the delegation process. This group is not
chartered to develop new cryptographic methods.

The group is chartered to develop mechanisms for conveying identity
information within the protocol including existing identifiers (such as
email
addresses, phone numbers, usernames, and subject identifiers) and assertions
(such as OpenID Connect ID Tokens, SAML Assertions, and Verifiable
Credentials). The group is not chartered to develop new formats for
identifiers or assertions, nor is the group chartered to develop schemas for
user information, profiles, or other identity attributes, unless a viable
existing format is not available.

The initial work will focus on using HTTPS for communication between the
client and the authorization server, taking advantage of optimization
features of HTTP/2 and HTTP/3 where possible, and will strive to enable
simple mapping to other protocols such as COAP when doing so does not
conflict with the primary focus.

Milestones to include:
- Core delegation protocol
- Key presentation mechanism bindings to the core protocol including TLS,
detached HTTP signature, and embedded HTTP signatures
- Conveyance mechanisms for identifiers and assertions
- Guidelines for use of protocol extension points
- (if needed) Guidelines on migration paths, implementation, and operations

Where possible, the group will seek to make use of tools to guide and inform
the standardization process including formal analysis, architecture
documents,
and use case documents. These artifacts will not be considered as working
group milestones or deliverables.

The working group will cooperate and coordinate with other IETF WGs such as
OAUTH, and work with external organizations, such as the OpenID Foundation,
as appropriate.

Milestones:

  Jul 2021 - Core delegation protocol in WGLC

  Oct 2021 - Key presentation mechanism binding to the core protocol, TLS,
to
  WGLC

  Oct 2021 - Key presentation mechanism binding to the core protocol,
  detached HTTP signatures, to WGLC

  Oct 2021 - Key presentation mechanism binding to the core protocol,
  embedded HTTP signature, to WGLC

  Dec 2021 - Guidelines for use of protocol extension points to WGLC

  Feb 2022 - Guidelines on migration paths, implementation, and operations
to
   WGLC



_______________________________________________
IETF-Announce mailing list
IETF-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-announce

v2.23.0 | Report a Bug | By Email