IETF Logo Mail Archive

Re: [GNAP] Consensus Call on Continuation Request

Dave Tonge <dave.tonge@moneyhub.com> Mon, 14 December 2020 21:25 UTC

Return-Path: <dave.tonge@moneyhub.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 849203A1330 for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 13:25:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.187
X-Spam-Level:
X-Spam-Status: No, score=-0.187 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=moneyhub.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Jkd2etfSqPr for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 13:25:50 -0800 (PST)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D65033A132D for <txauth@ietf.org>; Mon, 14 Dec 2020 13:25:49 -0800 (PST)
Received: by mail-ej1-x62e.google.com with SMTP id b9so24670147ejy.0 for <txauth@ietf.org>; Mon, 14 Dec 2020 13:25:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=moneyhub.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=94RLtruN3Sn3WxXCedSZH9yKLJoU1DAXcrqp67TmSAY=; b=ABmUn60mUWA4AgFciyxmWpn2fHk9884FXaE+9k5FYMSh6Hz48zW2ALznYrHZcFZcGy WMKG2Bo1X5eg2eS/d5ASfoAlUVLhA6iD81y4HiJQZ6wj6rKJejl8dL/wbnWpaTW1V+W4 F+ldDqC+6gdzdRnJm6UR6tgCxq9OgcJfKTnq4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=94RLtruN3Sn3WxXCedSZH9yKLJoU1DAXcrqp67TmSAY=; b=F4RfJWvlAUCDKGKG3aUrsTeeQe8n+uIa+V8riYzhUAk3L7dAlU+bIaz3Py3R/diV5A D3GNYnoOEDQ0KohlxMI+9vx5wrgQW8c35OvgRyJiGsl3V0z5BlXBPI0CLvL6KFwkwoPU zSFCQ+6CqrOqMAZ8zOs5Ao5fqu0hCT5gipuvvTBDEGa+gUI5IyZEGj23ZyG8c0MDG8Jo 7v6w3ncbBEWia5dY8mO2XFGPhZ2zVQhY4rY+EsnSG9DOFxoNHPV2s/Y0PdKxWmYHBwWy 6JqVuYUcaIBsMGZGHq6hzH1LmNwyjPe45H4YYgu9vdeVbN8nJJsPmKJwwlKHVx8bOqbz agwg==
X-Gm-Message-State: AOAM533ES/6aUQ707R2NKaeBo1Ecmw0maSBXn+54YieVDL8ynF6lWCDx 6liTn1JNsfFRpiM9Drh4/tueWjtdzaC9bWuDhF1/POIAbpwM7Mp4x8fSWIfvqNsg5G+lTsOfdhC yQRDAm2NoLslEne0=
X-Google-Smtp-Source: ABdhPJzxc90KunX0SlspTgecO1I7edel09cSYGihnP2WVx4zyV7Mp47sPDJUtyMTtTknrGSe09318P2lvCQ5r/MdMz0=
X-Received: by 2002:a17:906:cec3:: with SMTP id si3mr3179106ejb.277.1607981147972; Mon, 14 Dec 2020 13:25:47 -0800 (PST)
MIME-Version: 1.0
References: <94973397-0354-4B02-9EC8-EF972A7F1867@mit.edu> <CAD9ie-v-j=PBGjLmiWT+z1Whimfmqo=+Pqw1DVFmXZO-bm7=4w@mail.gmail.com> <8E2FF25A-4BE1-4EA1-A0FE-CB5194DEAC52@mit.edu> <CAD9ie-spy7fX-9+5cXzyrau62sX=wViqdpMYzmFBfz-Qbi63ZQ@mail.gmail.com> <CAK5Vu_DW=8V8qNH-MnjjrUsnganpdwKxCCE1ZTJmENGYEvFoew@mail.gmail.com> <CAD9ie-vWgOVqcXiTTLfBBLx2AKDw_ry0A06CuL2DpKFmjYQ8YQ@mail.gmail.com> <CAK5Vu_DqO+iZHWaov94PXTfD5tKdN9R4w08o8Dd4RxFD3UGxOA@mail.gmail.com> <CAD9ie-ud4i51dF-PEY4r+QpAu2fYNob==R7Ek69rwU6cjy-zBQ@mail.gmail.com> <CAM8feuRBvjx_2nBNy95dDtc6v8A1ebKGKfNE4SwkcFA0-7SYCw@mail.gmail.com> <CAD9ie-tEpVFfgB8KT3XK=G98wOTcVZxpXXRezCKbVuAP4hZoXQ@mail.gmail.com> <CAM8feuR9x7eMzWtTLeWHNEtjkFUk39kMw3ArFXp5rcFmXCw6BQ@mail.gmail.com> <CAD9ie-tMjNvewwof7W8Nof7D9FXuTEdwV3wTywyhB6gTurktmQ@mail.gmail.com> <CAGBSGjqer-kEz0=vbqu-=qsNg8gGRaWaxPjYd1q2eMeboF+yYg@mail.gmail.com> <CAD9ie-sMSN9Jm+W7ZgsjL_7JiHAMpe1Y-Q+avrE3Xi8G0ETPJg@mail.gmail.com>
In-Reply-To: <CAD9ie-sMSN9Jm+W7ZgsjL_7JiHAMpe1Y-Q+avrE3Xi8G0ETPJg@mail.gmail.com>
From: Dave Tonge <dave.tonge@moneyhub.com>
Date: Mon, 14 Dec 2020 22:25:36 +0100
Message-ID: <CAP-T6TQ-YiTqG8vpV6dVb2jSJRRoVCVeghD+qYt3ENHoxyGbjQ@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Aaron Parecki <aaron@parecki.com>, Fabien Imbault <fabien.imbault@gmail.com>, txauth gnap <txauth@ietf.org>, Justin Richer <jricher@mit.edu>, Stephen Moore <srmoore@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000002184dc05b6734973"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/jeIYQMVbgM7kk0cYJZ2_M-oF22Q>
Subject: Re: [GNAP] Consensus Call on Continuation Request
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 21:25:55 -0000

On the call I voiced my opinion that opionality should be reduced in the
spec where possible. At the time I was in favour of access tokens being
required. However, after reading the thread and looking again at the spec
I'm no longer convinced.

The only advantage I can see of the access token, is that it provides a way
for the AS to be stateless, but I'm not sure how common or desirable that
use-case is? As soon as the AS has to look some information up about a
grant in order to continue, then there is no benefit in the access token.
The identity of the grant can be in the url, and the authenticity of the
client is provided by the signature.

I know this is beyond the scope of this pull request, but for the majority
of use-cases, my personal opinion is that a consistent identifier for each
grant and a mandated REST like URL structure would be far more useful.

The GNAP spec is being designed in an extensible manner that will allow a
huge amount of use cases. Maybe in the future there will be new endpoints
dreamed up at the AS that require tokens. But the current ones described
in  the spec don't (create grant, continue grant, modify grant, get grant,
cancel grant, rotate token & revoke token).

I also think there is some confusion that "binding" is being used for:
 - client authentication
 - sender constraining access tokens
 - http request signing

If the signing mechanism is ok to authenticate the client in the first
request, why is it not sufficient to authenticate the client on the
continuation request?

I think we need a stronger use-case for access tokens at the AS to
warrant even its optional inclusion in the spec.

On Mon, 14 Dec 2020 at 21:25, Dick Hardt <dick.hardt@gmail.com> wrote:

> I don't understand what security risks are unique with the GNAP URI
> relative to other API URIs that have a unique identifier in them.
>
> Developers can get "creative" and put "inappropriate" values in any API
> URI they design.
>
> What are the security implications of using a large random value as the
> <unique grant id>?
>
>
> ᐧ
>
> On Mon, Dec 14, 2020 at 11:46 AM Aaron Parecki <aaron@parecki.com> wrote:
>
>> Thanks for the clear description. However saying "has no security
>> concerns" is a bold claim. Can you clarify how you will ensure that there
>> are no security concerns with this method?
>>
>> My main worry with this is people will start to get "creative" with the
>> values of the things in this URL. We've seen this over and over, everything
>> from using plaintext data in JWT access tokens in OAuth (now the access
>> token contents are visible to clients), to putting data in the OAuth
>> "state" parameter (easy to exploit unless it's signed/encrypted), and I'm
>> sure someone somewhere is putting things in the authorization code that
>> they shouldn't.
>>
>> Aaron
>>
>>
>> On Mon, Dec 14, 2020 at 11:39 AM Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>>>
>>> I am proposing a URI that is straight forward, and has no
>>> security concerns.
>>>
>>> For example, the URI could be:
>>>
>>> <as uri>/grant/<unique grant id>
>>>
>>> eg: https://example.com/as/grant/a3ce6053-ca48-4c04-af46-c2384ec8b89f
>>>
>>> The routing code in the AS then is:
>>>
>>> router.post(      '/', grant.create);
>>> router.get(        '/grant/:grant', grant.read);
>>> router.post(      '/grant/:grant', grant.update);
>>> router.delete(   '/grant/:grant', grant.delete);
>>> router.options( '/grant/:grant', grant.options);
>>>
>>>
>>> Where there is a "grant" module to manage for working with grant
>>> requests.
>>>
>>> /Dick
>>>
>>> ps: your previous email, and this one, are making the discussion
>>> personal. Happy to discuss privately.
>>>
>>> ᐧ
>>> --
>>> TXAuth mailing list
>>> TXAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/txauth
>>>
>> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>


-- 
Dave Tonge
CTO
[image: Moneyhub Enterprise]
<http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Moneyhub Financial Technology is entered on the
Financial Services Register (FRN 809360) at *https://register.fca.org.uk/
<https://register.fca.org.uk/>*. Moneyhub Financial Technology is
registered in England & Wales, company registration number  06909772 .
Moneyhub Financial Technology Limited 2019 ©

DISCLAIMER: This email (including any attachments) is subject to copyright,
and the information in it is confidential. Use of this email or of any
information in it other than by the addressee is unauthorised and unlawful.
Whilst reasonable efforts are made to ensure that any attachments are
virus-free, it is the recipient's sole responsibility to scan all
attachments for viruses. All calls and emails to and from this company may
be monitored and recorded for legitimate purposes relating to this
company's business. Any opinions expressed in this email (or in any
attachments) are those of the author and do not necessarily represent the
opinions of Moneyhub Financial Technology Limited or of any other group
company.

-- 


Moneyhub Enterprise is a trading style of Moneyhub Financial Technology 
Limited which is authorised and regulated by the Financial Conduct 
Authority ("FCA"). Moneyhub Financial Technology is entered on the 
Financial Services Register (FRN 809360) at https://register.fca.org.uk/ 
<https://register.fca.org.uk/>. Moneyhub Financial Technology is registered 
in England & Wales, company registration number 06909772. Moneyhub 
Financial Technology Limited 2020 © Moneyhub Enterprise, Regus Building, 
Temple Quay, 1 Friary, Bristol, BS1 6EA. 

DISCLAIMER: This email 
(including any attachments) is subject to copyright, and the information in 
it is confidential. Use of this email or of any information in it other 
than by the addressee is unauthorised and unlawful. Whilst reasonable 
efforts are made to ensure that any attachments are virus-free, it is the 
recipient's sole responsibility to scan all attachments for viruses. All 
calls and emails to and from this company may be monitored and recorded for 
legitimate purposes relating to this company's business. Any opinions 
expressed in this email (or in any attachments) are those of the author and 
do not necessarily represent the opinions of Moneyhub Financial Technology 
Limited or of any other group company.

v2.23.0 | Report a Bug | By Email