[GNAP] Eight issues for discussion before and at the next WG virtual meeting

Denis <denis.ietf@free.fr> Thu, 13 January 2022 14:32 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id E4D803A124F for <txauth@ietfa.amsl.com>; Thu, 13 Jan 2022 06:32:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.893
X-Spam-Status: No, score=0.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FILL_THIS_FORM=0.001, FILL_THIS_FORM_LONG=2, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_FILL_THIS_FORM_FRAUD_PHISH=0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id QIZYvSHFe-6w for <txauth@ietfa.amsl.com>; Thu, 13 Jan 2022 06:32:30 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp07.smtpout.orange.fr []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0F973A1209 for <txauth@ietf.org>; Thu, 13 Jan 2022 06:32:29 -0800 (PST)
Received: from [] ([]) by smtp.orange.fr with ESMTPA id 819OnddvXSDrI819OnngbC; Thu, 13 Jan 2022 15:32:27 +0100
X-ME-Helo: []
X-ME-Date: Thu, 13 Jan 2022 15:32:27 +0100
Content-Type: multipart/alternative; boundary="------------RAMoPFLYfgYSZ0FWsJFiGn6o"
Message-ID: <4429563c-0967-ceb7-a9fa-0c3e74c755e3@free.fr>
Date: Thu, 13 Jan 2022 15:32:31 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.4.1
Content-Language: en-GB
From: Denis <denis.ietf@free.fr>
To: "txauth@ietf.org" <txauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/jwwBQEWAsYQfxujRJmE_QU48BrA>
Subject: [GNAP] Eight issues for discussion before and at the next WG virtual meeting
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jan 2022 14:32:34 -0000

Hello every one,

Most of the following observations have already been advertised in 
previous virtual GNAP meetings as well at the last OAuth workshop 
virtual meeting.
However, time has been lacking to discuss them. Since a GNAP virtual 
meeting is scheduled next week, I have transformed these observations 
into issues,
so that that can be individually discussed in GitHub before the meeting 
and then at the meeting.

I publish the content of eight new posted issues below, so that every 
one can get an overview of all of them and, if interested, can directly 
point to each
of them with a single click.

I have a specific request to the editors: please, do not close any of 
these issues before the next virtual GNAP meeting.

*1.****Trust relationships are still left undefined in GNAP draft-08


**Section 1.4 of draft-08 is supposed to be about “/trust 
relationships/”, but it is not. It is based on “Promise Theory” document 
(302 pages)
where “ /A //promise is a stated intention /”. “ /Each agent defines its 
own valuation function of promises given or received /”.

On page 108 (!), there is a first attempt to define what Trust means:

/Proposal /1 (Trust). An agent’s expectation that a promise will be kept.
It may be assigned a value lying between0 and1, in the manner of a 
_Bayesian probability_/./

Such an approach is confusing : it is mixing trust relationships with 
security threats.

In the IT community, trust is a binary condition (0 or1): either you 
trust something or you don’t. *It is not a Bayesian probability*.

A trust relationship is rather simple and is composed of three parts :

An entity A … is trusting an entity B … for some kind of behavior C.
/…being aware that some conditions “out of control” might happen/

Section 1.4 of draft-08 is failing to indicate the trust relationships 
that may exist between:

- Client instances and end-users,
- End-users and ASs,
- Client instances and ASs,

Trust relationships need to be clear and understandable. Without them, 
it will not be possible to demonstrate the security of the architecture.

In draft-08, the following questions have no answer:

How may a client instance be associated with an end-user ? This is left 

How may an AS be confident that a legitimate user is using a given 
client instance ? This is left undefined.

*2. The Authentication of end-users by an AS is currently not required*


Extract from the Introduction on page 5 of draft-08:

This protocol allows a piece of software, the client instance, to 
request delegated authorization to resource servers and to request 
direct information.(…)
The end-useroperating the software mayinteract with the authorization 
server to authenticate, provide consent, and authorize the request.

Hence, the authentication of end-users by an AS is not required. Does it 
mean that the authentication of the "piece of software" used by an 
end-user SHALL be mandatory ?
If so, how this "piece of software" should associated with end-user is 
left undefined.

Considerations about an end-user for changing that "piece of software" 
or using several pieces of software at the same instant of time are not 

How an AS may associate some rights or attributes with an end-user is 
left undefined.

Note that the EU Payments Services Directive (PSD2) /mandates the use of 
MFA (Multi Factor Authentication) with the AS/.

Why a strong authentication of end-users by an AS would not be 
sufficient, hence avoiding the authentication of "pieces of software" ?

*3.* *R**ights and attributes **SHOULD be equally supported**


The core draft defines:

_Privilege_:right *or attribute *associated with a subject
_Access Token_:a data artifact representing a set of rights *and/or 

However, the core draft does not allow a RS to distinguish between 
rights and attributes.

The core protocol should define two fields in an access token request to 
distinguish between rights (i.e. capabilities) and attributes.

A set of standard _attribute types_ should be defined to support ABAC 
(Attribute Based Access Control) :
e.g. first name, family name, birth date, birth location, home address, 
email address, social security number, citizenship(s), etc …

*4.* *Both attributes (ABAC) and capabilities (CBAC) SHOULD be supported

At the moment, a client is able to request with a fine degree a 
precision a specific set of rights that should be included into an 
access token.
However, a client is unable to request a specific set of attributes that 
should be included into an access token.

As a consequence, the /support of rights/ versus the /support of 
attributes/ is unbalanced.

Implicitly, the core draft mandates a /bilateral/pre-relationship 
between every pair of AS / RS. This is not advertised in the draft.

Such bilateral pre-relationship limits the scalability of the architecture.

When attributes only are supported, no /bilateral/ pre-relationship 
between an AS and a RS is necessary.

The core document only implicitly allows an AS to add attributes into an 
access token /at its own discretion/,
without any specific request for them to be included from the client 
(and hence the end-user).

This means that the core document does not allow an AS to add specific 
attributes into an access token upon the request from the client
(and hence from the end-user).

This has *severe consequences in term of the end-user privacy* which are 
not mentioned in the draft.

First of all, since rights are always included, this means that the AS 
MUST be aware of the identity of the RS.
In addition, the AS cannot be kept ignorant of which actions will be 
performed by a client and on which resources.
*This allows the AS to act as "Big Brother"*. However, this can be 
prevented in the case where attributes only are supported.

Secondly, in order to support "good practices" (User Notice, User 
Choice, User Consent and Transparency)or legislation like the EU GDPR,
the end-user should be informed about the set of attributes that are 
requested _by a RS_and should also be able to know the treatment(s)
that will be done with such attributes. At the moment, a dialogue 
between the client and the RS is missing. A specific RS end-point
should be defined and dedicated for such dialogue.

If the end-user agrees to provide that set of attributes to the RS, he 
should be able to indicate to the AS which attributes types(/and 
optionally values/)
should be included into the access token. At the moment, the client is 
unable to specify to the AS a set of attributes to be included into the 
access token.
In addition, an end-user is even unable to know which set of attributes 
are known by the AS.

If this situation is going to last, the privacy consideration section 
should clearly indicate these limitations.

*5. A RS is currently only able to trust a single AS

This limitation should be removed and can be removed. For details, see: 

The /Proposal/for a Regulation amending Regulation (EU) No 910/2414 as 
regards establishing a framework for a European Digital Identity
of 3 June 2021 should not be ignored. /It paves the way for the use of 
//multiple////attribute servers//./

If such limitation is not removed, it should be clearly advertised in 
the core draft.

*6.* *Bearer access tokens and key-bound access tokens are not the 
single types of access tokens


**OAuth (and GNAP draft-08) postulate that only two classes of access 
tokens may exist:
- key-bound access tokens where the access token is bound to a key used 
by the client instance in its request, and
       - bearer access tokens that do not include a key used by the 
client instance in its request.

If a hardware security module (HSM) is being used, it prevents a 
legitimate client or a user to know the /value //of a client private key/,
but it does not prevent the /use//of that private key/by a legitimate 
client willing to collaborate with another client.

If a client accepts to collaboratewith another client, the use of 
key-bound access tokens does not offer a protection
against the use of an access token by another client.

GNAP (and OAuth) are not resistant to client collaborative attacks.

As long as this situation will last, this should be clearly advertised 
in the draft.

However, there exits a solution to address this issue which has already 
been advertised to the WG: the addition into the access token of a 
"buid" field : Binding User IDentifier.
As a side consequence, a distinction should be done between 
long_term_user_accounts and short_term_user_accountssupported by a RS.

For details, see: draft-pinkas-gnap-core-protocol-00.txt

*7. **Draft-08 makes a general assumption that an end-user and a RO are 
the same entity*


**Extract from page 13 of draft-08:

      Note that the RO and end-user are often the same entity in 
practice, but GNAP makes no general assumption that they are.

Unfortunately, this Note is wrong. Section 1.5 is failing to provide a 
single example where the end-user is not also the RO and where the RO is 
an automated process.

This comment has already made several times, but no action has been made 
to take care of it up to now: section 1.5 has still not been modified.

*8.* *GNAP versus GNAF*: *do the current drafts describe a protocol or a 
framework ?
*_Response_: They describe a framework since two independent 
implementations of the drafts will be unable to interoperate.

In particular, the issue about "Format of defining REQUIRED vs OPTIONAL 
request/response elements 
(https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/257) is still 

The protocols are not defined end-to-end. In particular, which 
treatments and verifications should be done by a RS are still left 

As long as this situation will last, the document cannot be considered 
as a "Grant Negotiation and Authorization *Protocol*" (GNAP)
but rather as a "Grant Negotiation and Authorization *Framework*" (GNAF).