Re: [GNAP] New I-D: draft-pinkas-gnap-core-protocol
Fabien Imbault <fabien.imbault@gmail.com> Fri, 20 August 2021 10:48 UTC
References: <fc61cf1c-d661-6403-479b-615bf86193a4@free.fr> <BF261D8F-D5DA-43BD-BB46-FC9614CC2AB7@mit.edu> <a8af45cd-a7d1-03a9-3e1d-43b2b6833a56@free.fr>
In-Reply-To: <a8af45cd-a7d1-03a9-3e1d-43b2b6833a56@free.fr>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 20 Aug 2021 12:48:25 +0200
Message-ID: <CAM8feuQ=7rh4o8u9QSqPhT2ebaucgGkEFzPSB__C5AoOCV0BFg@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: Justin Richer <jricher@mit.edu>, GNAP Mailing List <txauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/mqoqP2eDnXxVjnBTuT7LnF1NlYg>
Hi Denis,

I don't understand why you believe the wording in the draft is unclear, but if so a PR is always welcome. There's no ambiguity as to whether HTTPS is what we ask for.

The editors always said there would be sections dedicated to trust / privacy / security. It should land in the github repository soon, but the underlying assumptions are different.

As for the rest of your draft, there are interesting ideas, but it seems to me that some are either case specific or out of scope of our charter.

Cheers
Fabien

On Fri, 20 Aug 2021 at 10:09, Denis <denis.ietf@free.fr> wrote:

> Hi Justin,
>
> There is a difference between the following two sentences:
>
> All *requests* have to be over TLS or equivalent as per [BCP195
> <https://www.ietf.org/archive/id/draft-ietf-gnap-core-protocol-06.html#BCP195>].
>
> (from: draft-ietf-gnap-core-protocol-06 on *page 105*)
>
> Which "requests"? Access token requests? Requests from which entity to
> which other entity?
>
> and
>
> The protocol uses HTTPS for all *communications* between the client
> and the AS, as well as between the client and the RS.
> (from: draft-pinkas-gnap-core-protocol-00 on *page 1*).
>
> IMO, the first one is ambiguous while the second one is crystal clear.
>
> As I wrote, nowhere in draft-ietf-gnap-core-protocol-06 is the text
> taking advantage of the security properties obtained thanks to the use of
> HTTPS.
>
> Nevertheless, there are many other major issues raised about
> draft-ietf-gnap-core-protocol-06 that draft-pinkas-gnap-core-protocol-00
> attempts to address and to solve.
>
> The very first version of draft-pinkas-gnap-core-protocol has been written
> from scratch with a Trust Relationships section (1.5) and both
> a Security Considerations section (4) and a Privacy Considerations section
> (5). Writing these three sections in a very first version is a
> good way to have a document understandable and coherent.
>
> Denis
>
> I want to clarify one point of confusion here:
>
> The charter of the GNAP WG states, close to its end:
>
> "The initial work will focus on using HTTPS for communication
> between the client and the authorization server, (...)"
>
> See: https://datatracker.ietf.org/doc/charter-ietf-gnap/
>
> Unfortunately, draft-ietf-gnap-core-protocol-06 does not mandate the use
> of HTTPS for communication between the client and the authorization server
> and does not take advantage of the security properties obtained thanks to
> the use of HTTPS. This means that draft-ietf-gnap-core-protocol-06
> does not comply with the GNAP charter.
>
> This was quoted out of context and misrepresents the goal. If you read the
> rest of that sentence, you'll see that it's talking about HTTP versions:
>
> The initial work will focus on using HTTPS for communication between the client
> and the authorization server, taking advantage of optimization features of
> HTTP/2 and HTTP/3 where possible, and will strive to enable simple mapping to
> other protocols such as CoAP when doing so does not conflict with the primary
> focus.
>
> What this is saying is that we shouldn't make something that is only
> deployable on HTTP/1.
>
> Additionally, the GNAP core draft does already require HTTPS. While the
> security considerations section (section 12) is not yet filled out (though
> note — this is one of the topics the editors are actively working on), the one
> item it does have in there mandates HTTPS:
>
> All requests have to be over TLS or equivalent as per [BCP195
> <https://www.ietf.org/archive/id/draft-ietf-gnap-core-protocol-06.html#BCP195>].
>
> Therefore, the statement as asserted in this email, and the conclusions
> that follow it, are not accurate.
>
> — Justin
>
> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
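The thread above turns on the rule "all requests have to be over TLS or equivalent as per BCP195" and on whether it covers both the client-to-AS and client-to-RS legs. The following is an added example, not code from either draft or from any list participant: a small client-side guard that refuses to be configured with a non-HTTPS AS or RS endpoint and builds a TLS client context that follows BCP195's main client-side recommendations (TLS 1.2 or later, chain and hostname verification, no TLS compression). The configuration shape (`{"as": url, "rs": [urls]}`), the role labels and the sample endpoints are assumptions made for the example, not GNAP field names.

```python
"""Endpoint guard for a GNAP-style client: every AS and RS endpoint must be
https://, and outgoing TLS must satisfy BCP195's client-side minimums.

Added example; the config shape and hostnames below are constructed."""
import ssl
from urllib.parse import urlparse


class InsecureEndpoint(ValueError):
    """Raised when a configured endpoint would not be reached over HTTPS."""


def require_https(endpoint: str, role: str) -> str:
    """Return ``endpoint`` unchanged if it is an https:// URL with a host.

    ``role`` ("AS" or "RS") is only used to make the error message specific.
    A plain http:// URL, a missing scheme, or a scheme-only URL is rejected,
    so a misconfiguration cannot silently downgrade a leg of the protocol.
    """
    parts = urlparse(endpoint)
    if parts.scheme != "https":
        raise InsecureEndpoint(f"{role} endpoint {endpoint!r} is not https://")
    if not parts.netloc:
        raise InsecureEndpoint(f"{role} endpoint {endpoint!r} has no host")
    return endpoint


def bcp195_context() -> ssl.SSLContext:
    """Build a TLS client context aligned with BCP195's client recommendations.

    create_default_context() already enables certificate-chain verification
    and hostname checking; on top of that we pin the floor to TLS 1.2 and
    disable TLS-level compression.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def audit_endpoints(config: dict) -> list:
    """Return a list of problems found in a client configuration.

    ``config`` is the constructed shape {"as": "<url>", "rs": ["<url>", ...]};
    an empty list means every configured leg will use HTTPS.
    """
    problems = []
    try:
        require_https(config.get("as", ""), "AS")
    except InsecureEndpoint as exc:
        problems.append(str(exc))
    for rs in config.get("rs", []):
        try:
            require_https(rs, "RS")
        except InsecureEndpoint as exc:
            problems.append(str(exc))
    return problems


# Constructed sample configuration: one RS leg is misconfigured as plain HTTP.
SAMPLE_CONFIG = {
    "as": "https://as.example.test/gnap",
    "rs": ["https://api.example.test/resource", "http://legacy.example.test/rs"],
}


if __name__ == "__main__":
    for problem in audit_endpoints(SAMPLE_CONFIG):
        print("refusing configuration:", problem)
    ctx = bcp195_context()
    print("TLS floor:", ctx.minimum_version.name, "verify:", ctx.verify_mode.name)
```

The guard runs at configuration time rather than at request time so that a downgraded endpoint is rejected before any token request or resource request is ever attempted; the `ssl` context would then be handed to whatever HTTP client library the implementation uses.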