Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11

Francis Pouatcha <> Mon, 20 July 2020 15:27 UTC


Hello Denis,

On Mon, Jul 20, 2020 at 5:04 AM Denis <> wrote:

> Hi Dick,
> On Fri, Jul 17, 2020 at 9:21 AM Denis <> wrote:
>> Hello Francis and Dick,
>> The good news first: we are making some progress. We are now close to an
>> agreement with steps (1) up to (3),
>> ... except that the place where the user consent is captured is not
>> mentioned/indicated.
> This major question which is currently left unanswered is where, when and
> how the user consent is captured.
> Another important point to consider and to explain is related to the
> assurances that the user can obtain about
> the respect of his choices. This point is currently left unanswered in
> draft-hardt-xauth-protocol-13.
>> If a RO needs to be involved and since a RO is directly associated with a
>> RS, why can't it be directly queried
>> by the appropriate RS after step (2) or later on ?
> Good question. Perhaps you can expand on a use case where that would be
> useful?
> Before I expand, would you be able to explain first under which
> circumstances a RO needs to be queried by a GS?
In all circumstances. Can you name a situation where this is not the case?

> How can the GS identify which RO to query?
There is supposed to be a preexisting relationship between GS and RO. If
not, RO will have to register with GS in the first interaction (onboarding).

How can the GS identify how to connect with RO?
GS must evaluate the RS provided info in step (3)
AuthZRequest(AuthZChallenge) to decide how to contact the RO. This is where
selection of interaction mode takes place.

>> Which information is supposed to be presented to the RO?
>> Which information is supposed to be returned by the RO?
> Just like how the user authenticates to an AS, how the AS and RO
> communicate is out of scope.
> At the moment, the usefulness of a dialogue between a GS and a RO has not
> been explained, nor demonstrated.
> The question is about the functionality of that dialogue in terms of input
> and output information (and not about
> the design of a protocol or of a user interface). Anyway, AFAIU a dialogue
> between a GS and a RO is optional.
> For many use cases, the User is the RO, and the interaction is through a
> user interface, not a machine protocol.
> Wait a second. You wrote "the User is the RO". The User is attempting to
> make an access to a RS by using a Client.
> *That* User is not the RO of the RS.
> The User interacts with the Client.
The RO interacts with the GS.

In some use cases (where we use redirect interaction) we assume the person
controlling the "User-Agent" is also the person controlling the "RO-Agent"
and they reside on the same device. These are cases where we say User
equals RO.

Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG