Re: [GNAP] Consensus Call on Continuation Request
Dave Tonge <dave.tonge@moneyhub.com> Mon, 14 December 2020 21:25 UTC
Return-Path: <dave.tonge@moneyhub.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 849203A1330 for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 13:25:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.187
X-Spam-Level:
X-Spam-Status: No, score=-0.187 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=moneyhub.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Jkd2etfSqPr for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 13:25:50 -0800 (PST)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D65033A132D for <txauth@ietf.org>; Mon, 14 Dec 2020 13:25:49 -0800 (PST)
Received: by mail-ej1-x62e.google.com with SMTP id b9so24670147ejy.0 for <txauth@ietf.org>; Mon, 14 Dec 2020 13:25:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=moneyhub.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=94RLtruN3Sn3WxXCedSZH9yKLJoU1DAXcrqp67TmSAY=; b=ABmUn60mUWA4AgFciyxmWpn2fHk9884FXaE+9k5FYMSh6Hz48zW2ALznYrHZcFZcGy WMKG2Bo1X5eg2eS/d5ASfoAlUVLhA6iD81y4HiJQZ6wj6rKJejl8dL/wbnWpaTW1V+W4 F+ldDqC+6gdzdRnJm6UR6tgCxq9OgcJfKTnq4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=94RLtruN3Sn3WxXCedSZH9yKLJoU1DAXcrqp67TmSAY=; b=F4RfJWvlAUCDKGKG3aUrsTeeQe8n+uIa+V8riYzhUAk3L7dAlU+bIaz3Py3R/diV5A D3GNYnoOEDQ0KohlxMI+9vx5wrgQW8c35OvgRyJiGsl3V0z5BlXBPI0CLvL6KFwkwoPU zSFCQ+6CqrOqMAZ8zOs5Ao5fqu0hCT5gipuvvTBDEGa+gUI5IyZEGj23ZyG8c0MDG8Jo 7v6w3ncbBEWia5dY8mO2XFGPhZ2zVQhY4rY+EsnSG9DOFxoNHPV2s/Y0PdKxWmYHBwWy 6JqVuYUcaIBsMGZGHq6hzH1LmNwyjPe45H4YYgu9vdeVbN8nJJsPmKJwwlKHVx8bOqbz agwg==
X-Gm-Message-State: AOAM533ES/6aUQ707R2NKaeBo1Ecmw0maSBXn+54YieVDL8ynF6lWCDx 6liTn1JNsfFRpiM9Drh4/tueWjtdzaC9bWuDhF1/POIAbpwM7Mp4x8fSWIfvqNsg5G+lTsOfdhC yQRDAm2NoLslEne0=
X-Google-Smtp-Source: ABdhPJzxc90KunX0SlspTgecO1I7edel09cSYGihnP2WVx4zyV7Mp47sPDJUtyMTtTknrGSe09318P2lvCQ5r/MdMz0=
X-Received: by 2002:a17:906:cec3:: with SMTP id si3mr3179106ejb.277.1607981147972; Mon, 14 Dec 2020 13:25:47 -0800 (PST)
MIME-Version: 1.0
References: <94973397-0354-4B02-9EC8-EF972A7F1867@mit.edu> <CAD9ie-v-j=PBGjLmiWT+z1Whimfmqo=+Pqw1DVFmXZO-bm7=4w@mail.gmail.com> <8E2FF25A-4BE1-4EA1-A0FE-CB5194DEAC52@mit.edu> <CAD9ie-spy7fX-9+5cXzyrau62sX=wViqdpMYzmFBfz-Qbi63ZQ@mail.gmail.com> <CAK5Vu_DW=8V8qNH-MnjjrUsnganpdwKxCCE1ZTJmENGYEvFoew@mail.gmail.com> <CAD9ie-vWgOVqcXiTTLfBBLx2AKDw_ry0A06CuL2DpKFmjYQ8YQ@mail.gmail.com> <CAK5Vu_DqO+iZHWaov94PXTfD5tKdN9R4w08o8Dd4RxFD3UGxOA@mail.gmail.com> <CAD9ie-ud4i51dF-PEY4r+QpAu2fYNob==R7Ek69rwU6cjy-zBQ@mail.gmail.com> <CAM8feuRBvjx_2nBNy95dDtc6v8A1ebKGKfNE4SwkcFA0-7SYCw@mail.gmail.com> <CAD9ie-tEpVFfgB8KT3XK=G98wOTcVZxpXXRezCKbVuAP4hZoXQ@mail.gmail.com> <CAM8feuR9x7eMzWtTLeWHNEtjkFUk39kMw3ArFXp5rcFmXCw6BQ@mail.gmail.com> <CAD9ie-tMjNvewwof7W8Nof7D9FXuTEdwV3wTywyhB6gTurktmQ@mail.gmail.com> <CAGBSGjqer-kEz0=vbqu-=qsNg8gGRaWaxPjYd1q2eMeboF+yYg@mail.gmail.com> <CAD9ie-sMSN9Jm+W7ZgsjL_7JiHAMpe1Y-Q+avrE3Xi8G0ETPJg@mail.gmail.com>
In-Reply-To: <CAD9ie-sMSN9Jm+W7ZgsjL_7JiHAMpe1Y-Q+avrE3Xi8G0ETPJg@mail.gmail.com>
From: Dave Tonge <dave.tonge@moneyhub.com>
Date: Mon, 14 Dec 2020 22:25:36 +0100
Message-ID: <CAP-T6TQ-YiTqG8vpV6dVb2jSJRRoVCVeghD+qYt3ENHoxyGbjQ@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Aaron Parecki <aaron@parecki.com>, Fabien Imbault <fabien.imbault@gmail.com>, txauth gnap <txauth@ietf.org>, Justin Richer <jricher@mit.edu>, Stephen Moore <srmoore@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000002184dc05b6734973"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/jeIYQMVbgM7kk0cYJZ2_M-oF22Q>
Subject: Re: [GNAP] Consensus Call on Continuation Request
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 21:25:55 -0000
On the call I voiced my opinion that opionality should be reduced in the spec where possible. At the time I was in favour of access tokens being required. However, after reading the thread and looking again at the spec I'm no longer convinced. The only advantage I can see of the access token, is that it provides a way for the AS to be stateless, but I'm not sure how common or desirable that use-case is? As soon as the AS has to look some information up about a grant in order to continue, then there is no benefit in the access token. The identity of the grant can be in the url, and the authenticity of the client is provided by the signature. I know this is beyond the scope of this pull request, but for the majority of use-cases, my personal opinion is that a consistent identifier for each grant and a mandated REST like URL structure would be far more useful. The GNAP spec is being designed in an extensible manner that will allow a huge amount of use cases. Maybe in the future there will be new endpoints dreamed up at the AS that require tokens. But the current ones described in the spec don't (create grant, continue grant, modify grant, get grant, cancel grant, rotate token & revoke token). I also think there is some confusion that "binding" is being used for: - client authentication - sender constraining access tokens - http request signing If the signing mechanism is ok to authenticate the client in the first request, why is it not sufficient to authenticate the client on the continuation request? I think we need a stronger use-case for access tokens at the AS to warrant even its optional inclusion in the spec. On Mon, 14 Dec 2020 at 21:25, Dick Hardt <dick.hardt@gmail.com> wrote: > I don't understand what security risks are unique with the GNAP URI > relative to other API URIs that have a unique identifier in them. > > Developers can get "creative" and put "inappropriate" values in any API > URI they design. > > What are the security implications of using a large random value as the > <unique grant id>? > > > ᐧ > > On Mon, Dec 14, 2020 at 11:46 AM Aaron Parecki <aaron@parecki.com> wrote: > >> Thanks for the clear description. However saying "has no security >> concerns" is a bold claim. Can you clarify how you will ensure that there >> are no security concerns with this method? >> >> My main worry with this is people will start to get "creative" with the >> values of the things in this URL. We've seen this over and over, everything >> from using plaintext data in JWT access tokens in OAuth (now the access >> token contents are visible to clients), to putting data in the OAuth >> "state" parameter (easy to exploit unless it's signed/encrypted), and I'm >> sure someone somewhere is putting things in the authorization code that >> they shouldn't. >> >> Aaron >> >> >> On Mon, Dec 14, 2020 at 11:39 AM Dick Hardt <dick.hardt@gmail.com> wrote: >> >>> >>> I am proposing a URI that is straight forward, and has no >>> security concerns. >>> >>> For example, the URI could be: >>> >>> <as uri>/grant/<unique grant id> >>> >>> eg: https://example.com/as/grant/a3ce6053-ca48-4c04-af46-c2384ec8b89f >>> >>> The routing code in the AS then is: >>> >>> router.post( '/', grant.create); >>> router.get( '/grant/:grant', grant.read); >>> router.post( '/grant/:grant', grant.update); >>> router.delete( '/grant/:grant', grant.delete); >>> router.options( '/grant/:grant', grant.options); >>> >>> >>> Where there is a "grant" module to manage for working with grant >>> requests. >>> >>> /Dick >>> >>> ps: your previous email, and this one, are making the discussion >>> personal. Happy to discuss privately. >>> >>> ᐧ >>> -- >>> TXAuth mailing list >>> TXAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/txauth >>> >> -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > -- Dave Tonge CTO [image: Moneyhub Enterprise] <http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A> Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL t: +44 (0)117 280 5120 Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register (FRN 809360) at *https://register.fca.org.uk/ <https://register.fca.org.uk/>*. Moneyhub Financial Technology is registered in England & Wales, company registration number 06909772 . Moneyhub Financial Technology Limited 2019 © DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company. -- Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register (FRN 809360) at https://register.fca.org.uk/ <https://register.fca.org.uk/>. Moneyhub Financial Technology is registered in England & Wales, company registration number 06909772. Moneyhub Financial Technology Limited 2020 © Moneyhub Enterprise, Regus Building, Temple Quay, 1 Friary, Bristol, BS1 6EA. DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.
- [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Warren Parad
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Denis
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Stephen Moore
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Stephen Moore
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Stephen Moore
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Torsten Lodderstedt
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Aaron Parecki
- Re: [GNAP] Consensus Call on Continuation Request Warren Parad
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Warren Parad
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Warren Parad
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Torsten Lodderstedt
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Warren Parad
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Warren Parad
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Aaron Parecki
- Re: [GNAP] Consensus Call on Continuation Request Mike Varley