Re: [Txauth] (no subject)

Kathleen Moriarty <> Thu, 30 July 2020 15:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1D6493A07D1 for <>; Thu, 30 Jul 2020 08:11:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id eVHxJlUSu5-t for <>; Thu, 30 Jul 2020 08:11:53 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 12F013A07EE for <>; Thu, 30 Jul 2020 08:11:07 -0700 (PDT)
Received: by with SMTP id k23so28512704iom.10 for <>; Thu, 30 Jul 2020 08:11:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CmWyTwu01qOFcU8TwF5NC7uA8LIKoCXfqgpqV+/RD7A=; b=uxzQiRy35Xs54obZSL5bInTJKXPGvYHEqTIUbXXIj33ub4a1A9ZMhiKk+x2Pbr3jJG qBm89Zd1rcYm6YSzc4FJhhhfO8k/JW+CDkyGm/kB7FkJhJ6G9H5/QVfJWvvVxB0RhpoG eG+uvYOCP2HC+luO2UAj1oZLhfgV1ZFmPiOAJZ3ivwwMJcR2Ru7pIgg0F4ZUjDOO+A/D uPNZ4YGz1CpA9H1IYU5k0X9eWJX/RAKc0bkDjqfg11iGX2n7kK3drolKr58tCyflgzp3 Wzlu2J3dRqiVNJJV3lVJoUJG6ziC4839KIERJGULsWIBRtoBGP9hH/rwKiRfxk5J0CBo 7fYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CmWyTwu01qOFcU8TwF5NC7uA8LIKoCXfqgpqV+/RD7A=; b=kuYZd0x5kyotLcbQo6CUxjJ5Ofu0Kr+gtFLVI5lIxysuLr9liItIcfJcnag0OwJ4QB i5b4N/Ymd0TzI4r5ZjpOTaWs5mDBzafhe/U84xzJwqSapV05V41OWv9oXNZmO49VxnqF iQ4UB3Yf6Xbr9v6lVhjRAyDIb7xLDlwYbJJF4MOqhnNUo17Xpb0nk8ph2WJNOZisbcty uDmiNadi5JciIEsPc/58OXLrWJsxCiiUO/44AsXsp3Xx8MgHvybIHki+WiQuY1g2zRhZ WLA+tNZHk8q8mz+ilxbnQGqzC+1+NGdCoeg0cCf3PQ/J7bPr2F88+q5fIzHoOI4u/oS9 w9SQ==
X-Gm-Message-State: AOAM530qNmrGt3HWuB7AxA+uTfHzCFbld5hT8aNdZdpY/OnI/LFTOWpy yb++AT6FMVJnaMnPA6YqE/SsN4WQxps2V7fTslM=
X-Google-Smtp-Source: ABdhPJwrtDtTbH/C18X3OsYa3FiTLX+UDZV3reN5ls4uDg2lmBcntmSdlFcq0GBp+ZDc1mSLr28ck7L1v+9YnuIvz6Y=
X-Received: by 2002:a02:5b83:: with SMTP id g125mr3856260jab.91.1596121866359; Thu, 30 Jul 2020 08:11:06 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Kathleen Moriarty <>
Date: Thu, 30 Jul 2020 11:10:30 -0400
Message-ID: <>
To: Dick Hardt <>
Cc: GNAP Mailing List <>
Content-Type: multipart/alternative; boundary="000000000000dcd4f005abaa1476"
Archived-At: <>
Subject: Re: [Txauth] (no subject)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Jul 2020 15:11:56 -0000

Hey Dick,

Thanks for your questions and all of your hard work.  I'll respond inline
as not to miss anything.

On Wed, Jul 29, 2020 at 1:07 PM Dick Hardt <> wrote:

> Hey Kathleen
> A couple questions on your presentation:
> 1) Which versions of the documents did you review?
Your last posted version to the datatracker.
I had started with the latest in the datatracker for Justin, but switched
when he announced the update.  Although my skim on the datatracker one had
similar impressions in terms of structure, ease of use, etc.

> 2) Would you elaborate on your security comparisons of XAuth and XYZ? I
> want to make sure I understand the work you put into your review.  While
> reviewing your slides, I was not following a number of your statements. For
> example:
> In your first slide:
> A) you stated that "XAuth Relies heavily on OAuth2.0, using Bearer token
> and adding cryptographic (e.g.JOSE) functions after-the-fact". Both XAuth
> and XYZ support bearer tokens for calling an RS. I'm not clear how this
> feature is different in XAuth.

Sure, XAuth punts the use of security off in a section and is not more
integrated in the approach.  That's how OAUth is now and it's something
that really should be fixed.  Making it clear that security is an
afterthought makes it an afterthought for developer and implementers.
Industry is moving towards built-in intrinsic security.

You can do this just as easily, but XYZ mentioned security in the
flows/sequences as an inherent part of each.   While it may not be perfect
yet, the theme was there.  The references to exchange of a key in section 2
and 3 with an editor note that this needs work are the first places the
idea of embedding begins.

The value generated in the access token doesn't explicitly use crypto, but
could.  This is something to consider.
Section 4.4.2. - uses a HASH, but an HMAC or KMAC could be used.  This is
in the feedback I will be posting.

Section 7 calls explicitly for use of a JWS and authorization values.

Section 8 provides more explicit guidance for add-on, but it's not in a
registry or another draft - part of this work.

Section 13 points to the need for more work, acknowledging multiple ways to
explore supporting security directly in the protocol.

> B) What parts of XYZ did you view as "Builds security into the protocol as
> opposed to adding it in later (e.g. OAuth2.0 bearer token + JWT)"?
See above.  It's a lot more clear than the single reference in XAuth.

> C) "Interaction flows defined, focus more on security with cryptographic
> requirements and examples included" -- there some cryptography in the
> redirect flow, but not in the others. In my opinion, the cryptography in
> the redirect flow does not add any value, and just complicates the
> protocol.
> Perhaps you can point to sections in each draft?
See above.

Best regards,

> Thanks!
> /Dick
> --
> Txauth mailing list


Best regards,