IETF Logo Mail Archive

Re: [Txauth] alternative charter writeup

Thomas Hardjono <ietf-txauth@hardjono.net> Thu, 16 January 2020 23:17 UTC

Return-Path: <ietf-txauth@hardjono.net>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A819C1200DF for <txauth@ietfa.amsl.com>; Thu, 16 Jan 2020 15:17:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level:
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=hardjono.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lDhjBYTR-CMU for <txauth@ietfa.amsl.com>; Thu, 16 Jan 2020 15:17:37 -0800 (PST)
Received: from gateway36.websitewelcome.com (gateway36.websitewelcome.com [192.185.199.121]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 609FC1200D7 for <txauth@ietf.org>; Thu, 16 Jan 2020 15:17:37 -0800 (PST)
Received: from cm10.websitewelcome.com (cm10.websitewelcome.com [100.42.49.4]) by gateway36.websitewelcome.com (Postfix) with ESMTP id 3209740CBCD1F for <txauth@ietf.org>; Thu, 16 Jan 2020 16:29:08 -0600 (CST)
Received: from box5207.bluehost.com ([162.241.224.194]) by cmsmtp with SMTP id sENPiX1w6HunhsENPieeAH; Thu, 16 Jan 2020 17:16:35 -0600
X-Authority-Reason: nr=8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=hardjono.net; s=default; h=Content-transfer-encoding:Content-type: Mime-version:In-Reply-To:References:Message-ID:CC:To:From:Subject:Date:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=qBejVhA95zmjd++v1C6s2I1nV9A67uKtgYzKrj/Ac4g=; b=JoMWcr2ZsS+6RC2PKm9UnGmTqq iFnTOtBoxD2juyLtnE9LJYd2OGLndan+olPdOXQ9bsnZ09BgUWAIL74jcp0MlUxJFZg+dL7FrmWS8 QcAJTRPbrd70XaaH+ETrJD9yZ;
Received: from c-73-167-220-69.hsd1.ma.comcast.net ([73.167.220.69]:60873 helo=[10.0.0.194]) by box5207.bluehost.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92) (envelope-from <ietf-txauth@hardjono.net>) id 1isENP-003lbr-0a; Thu, 16 Jan 2020 16:16:35 -0700
User-Agent: Microsoft-MacOutlook/10.10.12.200112
Date: Thu, 16 Jan 2020 18:16:32 -0500
From: Thomas Hardjono <ietf-txauth@hardjono.net>
To: Justin Richer <jricher@mit.edu>
CC: Thomas Hardjono <hardjono@mit.edu>, "txauth@ietf.org" <txauth@ietf.org>
Message-ID: <3119F975-5ED2-4E5E-B6D4-997871FF6EF6@hardjono.net>
Thread-Topic: [Txauth] alternative charter writeup
References: <CAD9ie-sGfRGPFa4jBUeoVcG+CO=PvG-Ys-HrUMs7kVdt1zT3vA@mail.gmail.com> <FE8064D0-02CF-4BF1-AF25-0E52D9362D27@mit.edu> <CAD9ie-tAquhg=o1_cmKg_rO3mn9FeqCTDtY07XMqMOdhRWrD5Q@mail.gmail.com> <B758A8F2-211F-4637-84AE-3FD6974C546F@amazon.com> <CAD9ie-u5aV+FShiseuNRu_Ayp3EJjrN=zM1XBJW+vc9wDdL3NQ@mail.gmail.com> <A6D90193-D3FC-4BDB-8F4C-55A30ED252EE@amazon.com> <B88684FE-9ECE-4326-8DA2-F6A14E0D6ED0@mit.edu> <CAD9ie-tgXONsgr1cW=5X12Wdi+=iGZrnDtCfMzy-Vf-maezFHg@mail.gmail.com> <857A822F-E819-443E-8D92-5A5BD682D3AF@mit.edu> <40DEDA03-58E1-46EE-A46E-15D448283762@hardjono.net> <5F952C70-8EE2-440A-9334-5FBC19CE2A5E@mit.edu> <D3801C15-1089-4383-AAD9-10C867170181@hardjono.net> <301ADD9B-CCC9-447D-B652-EB377961FBD6@mit.edu>
In-Reply-To: <301ADD9B-CCC9-447D-B652-EB377961FBD6@mit.edu>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box5207.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - hardjono.net
X-BWhitelist: no
X-Source-IP: 73.167.220.69
X-Source-L: No
X-Exim-ID: 1isENP-003lbr-0a
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: c-73-167-220-69.hsd1.ma.comcast.net ([10.0.0.194]) [73.167.220.69]:60873
X-Source-Auth: ietf-txauth@hardjono.net
X-Email-Count: 1
X-Source-Cap: aGFyZGpvbm87aGFyZGpvbm87Ym94NTIwNy5ibHVlaG9zdC5jb20=
X-Local-Domain: yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/iQEw2eWf1pfoIfNnP48mEWZeOF4>
Subject: Re: [Txauth] alternative charter writeup
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jan 2020 23:17:40 -0000

Yes, I see that sentence ("This protocol will allow an authorizing party to delegate access to client software through an authorization server"). That's very specific, which is good.

Just wanted to be sure that the bullet further below ("Delegation between multiple users") also makes sense given that the first sentence is talking about delegation to a piece of software.

It’s a big jump between (i) a person delegating to a piece of software, to (ii) a person delegating to another person.

Sorry for being pedantic.



-- thomas --



-----Original Message-----
From: Justin Richer <jricher@mit.edu>
Date: Thursday, January 16, 2020 at 5:50 PM
To: Thomas Hardjono <ietf-txauth@hardjono.net>
Cc: "hardjono@mit.edu" <hardjono@mit.edu>, "txauth@ietf.org" <txauth@ietf.org>
Subject: Re: [Txauth] alternative charter writeup

I get that, but that’s why the proposed charter text tries to be very explicit about who is delegating to whom (or what) and for what purpose. That’s why delegation to software and delegation between users are both listed separately. 

 — Justin

> On Jan 16, 2020, at 4:07 PM, Thomas Hardjono <ietf-txauth@hardjono.net> wrote:
> 
> The problem is that the word "delegation" is generally a very loaded term.
> 
> I understand that WGs need wiggle room, but I'm concerned that this kind of loose wording may cause confusion down the road.
> 
> 
> 
>>> What I think is very much out of scope is cross-domain policy processing.
> 
> Agree.
> 
> 
> 
> -----Original Message-----
> From: Txauth <txauth-bounces@ietf.org> on behalf of Justin Richer <jricher@mit.edu>
> Date: Thursday, January 16, 2020 at 11:54 AM
> To: Thomas Hardjono <ietf-txauth@hardjono.net>
> Cc: "hardjono@mit.edu" <hardjono@mit.edu>, "txauth@ietf.org" <txauth@ietf.org>
> Subject: Re: [Txauth] alternative charter writeup
> 
> On Jan 16, 2020, at 11:43 AM, Thomas Hardjono <ietf-txauth@hardjono.net> wrote:
>> 
>> 
>> Looks good, but I have a clarification question:
>> 
>>>>> - Delegation between multiple users
>> 
>> What does this mean exactly?
>> 
>> Is it the "multi-hop" delegation (Alice to Bob to Charlize to ...)
>> 
>> Or does it only the "1-hop" delegation concurrently (Alice to Bob; Alice to Charlize; Alice to…)
> 
> My thinking was that at the very least we want to allow the person running the client software and the person doing the authorization to be different people. This is the UMA use case (Alice to bob) and the CIBA use case (agent getting someone to log in). I think chaining can follow that, where Bob can then let Charlie do something. This is also along the lines of the token exchange model of OAuth 2, with continuously down-scoped access.
> 
> What I think is very much out of scope is cross-domain policy processing. 
> 
> — Justin
> 
>> 
>> -- thomas --
>> 
>> 
>> 
>> -----Original Message-----
>> From: Txauth <txauth-bounces@ietf.org> on behalf of Justin Richer <jricher@mit.edu>
>> Date: Thursday, January 16, 2020 at 10:46 AM
>> To: "txauth@ietf.org" <txauth@ietf.org>
>> Cc: "rdd@cert.org" <rdd@cert.org>, "Richard Backman, Annabelle" <richanna@amazon.com>, Benjamin Kaduk <kaduk@mit.edu>, Dick Hardt <dick.hardt@gmail.com>
>> Subject: Re: [Txauth] alternative charter writeup
>> 
>> Here’s my updated text incorporating the feedback so far:
>> 
>> 
>> This group is chartered to develop a delegation protocol for identity, authorization, and API access. This protocol will allow an authorizing party to delegate access to client software through an authorization server. The use cases supported by this protocol will include widely deployed use cases currently supported by OAuth 2.0 and OpenID Connect (an extension of OAuth 2.0) as well as new use cases not enabled by OAuth 2.0.
>> 
>> 
>> The delegation process will be acted upon by multiple parties in the protocol, each performing a specific role. The protocol will decouple the interaction channels, such as the end user’s browser, from the delegation channel, which happens directly between the client and the authorization server (in contrast with OAuth 2 which is initiated by the client redirecting the user’s browser). The client will involve the authorizing party as necessary through interaction mechanisms indicated by the protocol. This decoupling avoids many of the security concerns and technical challenges of OAuth 2.0 as well as providing a non-invasive path for supporting future types of clients and interaction channels.
>> 
>> 
>> Additionally, the delegation process will allow for:
>> 
>> 
>> - Fine-grained specification of resource access
>> 
>> - Approval of identity claims and multiple resources in a single interaction
>> 
>> - Delegation between multiple users
>> 
>> - Web, mobile, single-page, interaction-constrained, and other types of client applications
>> 
>> 
>> The group will define extension points for this protocol to allow for flexibility in areas including:
>> 
>> 
>> - Cryptographic agility for keys, message signatures, and proof of possession 
>> 
>> - User interaction mechanisms including web and non-web methods
>> 
>> - Mechanisms for providing user, software, organization, and other pieces of information used in authorization decisions
>> 
>> - Token presentation mechanisms and key bindings
>> 
>> 
>> Additionally, the group will provide mechanisms for management of the protocol lifecycle including:
>> 
>> 
>> - Discovery of the authorization server
>> 
>> - Revocation of active tokens
>> 
>> - Query of token rights by resource servers
>> 
>> 
>> Although the artifacts for this work are not intended or expected to be backwards-compatible with OAuth 2.0 or OpenID Connect, the group will attempt to simplify porting from OAuth 2.0 and OpenID Connect to the new protocol where possible.
>> 
>> 
>> While the initial work will focus on using HTTP for communication between the client and the authorization server, the working group will seek to take advantage of optimization features of HTTP2 and HTTP3 where possible, and will strive to enable simple mapping to other protocols such as COAP.
>> 
>> 
>> 
>> 
>> 
>> It’s definitely a lot, but I think we’ve got a good handle on what we’re working on, and what the boundaries are. I think this is both too much of an effort and too much of a break to do this in the OAuth WG, where there’s already still plenty of work to be done. We’re leaning a lot on lessons learned from the OAuth 2 world and its extensions, including OIDC and UMA2. We’ve got the attention of a lot of the right people to start this as well.
>> 
>> So to the AD’s: Ben and Roman — what’s the next step? This should be a new working group and like to get it started so that we can have our first meeting in Vancouver.
>> 
>> — Justin
>> 
>> 
>> On Jan 14, 2020, at 12:12 AM, Dick Hardt <dick.hardt@gmail.com> wrote:
>> 
>> Sounds good to me.
>> 
>> On Mon, Jan 13, 2020 at 6:24 PM Justin Richer <jricher@mit.edu> wrote:
>> 
>> 
>> I can get behind this kind of addition. I like Annabelle’s framing of it in terms of decoupling, and some explanation of why we’re doing it in relation to OAuth 2’s approach. One of the key things, to me, is that we’re making a break from OAuth 2’s core architecture but doing so for very specific reasons. 
>> 
>> — Justin
>> 
>> 
>> On Jan 13, 2020, at 8:54 PM, Richard Backman, Annabelle <richanna@amazon.com> wrote:
>> 
>> It’s not just about the initial communication, though. I the key thing to emphasize is the decoupling the protocol from delegation channels, which addresses the aforementioned security/complexity issues and also provides a path to support future delegation channel types without significant changes to the protocol (unlike OAuth 2.0, where extensions like Device Flow and PAR introduce substantial changes to the core protocol flow on both client and AS). Since the protocol isn’t assuming a particular front channel, it’s easier to add support for a new one.
>> 
>> Proposal, altered from Dick’s suggestion:
>> This group is chartered to develop a delegated identity and authorization protocol. The use cases supported by this protocol will include widely deployed use cases currently supported by OAuth 2.0, and OpenID Connect, an extension of OAuth 2.0. This protocol will be decoupled from delegation channels such as an end user’s web browser and operate primarily through a channel between the client and the authorization server, avoiding many of the security concerns and technical challenges of OAuth 2.0 and providing a non-invasive path for adding support for future types of clients and delegation channels.
>> 
>> – 
>> Annabelle Richard Backman
>> AWS Identity
>> 
>> 
>> 
>> From: Dick Hardt <dick.hardt@gmail.com>
>> Date: Monday, January 13, 2020 at 4:35 PM
>> To: "Richard Backman, Annabelle" <richanna@amazon.com>
>> Cc: Justin Richer <jricher@mit.edu>, "txauth@ietf.org" <txauth@ietf.org>
>> Subject: Re: [Txauth] alternative charter writeup
>> 
>> 
>> 
>> I agree, some more "why" would help a broader audience understand the motivations. How about this change to the first paragraph?
>> 
>> 
>> 
>> This group is chartered to develop a delegated identity and authorization protocol. The use cases supported by this protocol will include widely deployed use cases currently supported by OAuth 2.0, and OpenID Connect, an extension of OAuth 2.0. In contrast to OAuth 2.0, where the protocol is initiated by redirecting the user's browser to an authorization server, this protocol will be initiated by the client directly interacting with the authorization server, which will mitigate many of the security concerns and technical challenges of OAuth 2.0.
>> 
>> 
>> 
>> 
>> 
>> On Mon, Jan 13, 2020 at 3:38 PM Richard Backman, Annabelle <richanna@amazon.com> wrote:
>> 
>> 
>> While I agree with the goals stated in this charter, if I read this from the perspective of someone who hasn’t been our meetings or listened to Justin’s presentations, I’m hard pressed to see what the point of this group is, relative to the OAuth WG. I’d expect this charter to provide at least a cursory explanation of what problem it is trying to solve. In this case, the problem should be partially defined in relation to OAuth. What will this WG do that the OAuth WG hasn’t already done or isn’t already doing?
>> 
>> How about adding something like the following to paragraph 2:
>> 
>> The protocol will mitigate many of the security concerns and technical challenges of OAuth 2.0 by communicating over secure channels between the client and the authorization server, and minimizing the amount of information transmitted over untrusted channels.
>> 
>> – 
>> Annabelle Richard Backman
>> AWS Identity
>> 
>> 
>> 
>> From: Txauth <txauth-bounces@ietf.org> on behalf of Dick Hardt <dick.hardt@gmail.com>
>> Date: Friday, January 10, 2020 at 6:57 PM
>> To: Justin Richer <jricher@mit.edu>
>> Cc: "txauth@ietf.org" <txauth@ietf.org>
>> Subject: Re: [Txauth] alternative charter writeup
>> 
>> 
>> 
>> This looks even better! Thanks Justin.
>> 
>> 
>> What do others think of the proposed charter now? 
>> 
>> 
>> ᐧ
>> 
>> 
>> On Fri, Jan 10, 2020 at 12:43 PM Justin Richer <jricher@mit.edu> wrote:
>> 
>> 
>> Thanks, Dick. I’ve been working on an updated charter based on everyone’s feedback, and I was aiming to have out today anyway, so this timing is helpful. So here’s my take on a new charter, incorporating some of your points below: 
>> 
>> 
>> 
>> This group is chartered to develop a delegation protocol for identity, authorization, and API access. This protocol will allow an authorizing party to delegate access to client software through an authorization server. The use cases supported by this protocol will include widely deployed use cases currently supported by OAuth 2.0 and OpenID Connect. 
>> 
>> 
>> 
>> The delegation process will be acted upon by multiple parties in the protocol, each performing a specific role. The protocol will be initiated by the client interacting directly with the authorization server (in contrast with OAuth 2 which is initiated by the client redirecting the user’s browser). The client will involve the authorizing party as necessary through interaction mechanisms indicated by the protocol. 
>> 
>> 
>> 
>> Additionally, the delegation process will allow for:
>> 
>> 
>> 
>> - Fine-grained specification of resource access
>> 
>> - Approval of identity claims and multiple resources in a single interaction
>> 
>> - Delegation between multiple users
>> 
>> - Web, mobile, single-page, and other types of client applications
>> 
>> 
>> 
>> The group will define extension points for this protocol to allow for flexibility in areas including:
>> 
>> 
>> 
>> - Cryptographic agility for keys, message signatures, and proof of possession 
>> 
>> - User interaction mechanisms including web and non-web methods
>> 
>> - Mechanisms for providing user, software, organization, and other pieces of information used in authorization decisions
>> 
>> - Token presentation mechanisms and key bindings
>> 
>> 
>> 
>> Additionally, the group will provide mechanisms for management of the protocol lifecycle including:
>> 
>> 
>> 
>> - Discovery of the authorization server
>> 
>> - Revocation of active tokens
>> 
>> - Query of token rights by resource servers
>> 
>> 
>> 
>> Although the artifacts for this work are not intended or expected to be backwards-compatible with OAuth 2.0 or OpenID Connect, the group will attempt to simplify porting from OAuth 2.0 and OpenID Connect to the new protocol where possible.
>> 
>> While the initial work will focus on using HTTP for communication between the client and the authorization server, the working group will seek to take advantage of optimization features of HTTP2 and HTTP3, and will strive to enable simple mapping to other protocols such as COAP.
>> 
>> 
>> 
>> 
>> 
>> On Jan 10, 2020, at 12:04 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>> 
>> 
>> Hey
>> 
>> 
>> I've written an alternative charter that I hope captures some of the feedback on Justin's charter.
>> 
>> 
>> 
>> I found it easier to rewrite the charter to broaden the marketplace of ideas. 
>> 
>> 
>> 
>> Key ideas:
>> 
>> 
>> 
>> - This work supports existing OAuth 2.0, and OpenID Connect use cases.
>> 
>> 
>> 
>> - The client interacts directly with the authorization server. 
>> 
>> 
>> 
>> /Dick
>> 
>> 
>> 
>> ----
>> 
>> 
>> This group is chartered to develop a delegated identity and authorization protocol.. The use cases supported by this protocol will include widely deployed use cases currently supported by OAuth 2.0, and OpenID Connect. In contrast to OAuth 2.0 and OpenID Connect, where the protocol is initiated by redirecting the user's browser to an authorization server, this protocol will be initiated by the client directly interacting with the authorization server..
>> 
>> 
>> Additionally, the protocol will allow:
>> 
>> - fine-grained specification of resource access
>> 
>> - the user to approve requests for identity claims and access to multiple resources in one interaction
>> 
>> - web, mobile, single-page, and other client applications
>> 
>> - taking advantage of optimization features in HTTP2 and HTTP3
>> 
>> 
>> The group will define extension points for this protocol to allow for flexibility in areas including:
>> 
>> 
>> - discovery of the authorization server
>> 
>> - cryptographic agility for keys, message signatures, and proof of possession 
>> 
>> - user interaction mechanisms including web and non-web methods- token presentation mechanisms and key bindings
>> 
>> 
>> Although the artifacts for this work are not intended or expected to be backwards-compatible with OAuth 2.0 or OpenID Connect, they will attempt to simplify porting from OAuth 2.0 and OpenID Connect, and strive to reuse existing semantics such as client identifiers, OAuth 2.0 scopes and access tokens, and OpenID Connect ID Tokens and claims.
>> 
>> 
>> While the initial work will focus on using HTTP for communication between the client and the authorization server, the working group will strive to enable simple mapping to other protocols such as COAP.
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> ᐧ
>> 
>> -- 
>> Txauth mailing list
>> Txauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> -- 
>> Txauth mailing list
>> Txauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>> 
>> 
>> -- 
>> Txauth mailing list
>> Txauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
> 
> -- 
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
> 
>

v2.23.0 | Report a Bug | By Email