Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedback
Fabien Imbault <fabien.imbault@gmail.com> Wed, 21 October 2020 08:16 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E3A93A1323 for <txauth@ietfa.amsl.com>; Wed, 21 Oct 2020 01:16:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jXZPnzQaV-RT for <txauth@ietfa.amsl.com>; Wed, 21 Oct 2020 01:16:01 -0700 (PDT)
Received: from mail-il1-x131.google.com (mail-il1-x131.google.com [IPv6:2607:f8b0:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B96833A1321 for <txauth@ietf.org>; Wed, 21 Oct 2020 01:16:01 -0700 (PDT)
Received: by mail-il1-x131.google.com with SMTP id a20so804121ilk.13 for <txauth@ietf.org>; Wed, 21 Oct 2020 01:16:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IWtz1NbUczj0mLWIihiqy7KLS5/Hl6U61hLYxZlxc4g=; b=LaCU4hC9J18uy8LAeolpPDGJ82UFMjywd9nCOX+cstQQDCZRzpqyzyn/fkHlZqZPg9 r36S8GwICWftEXcThSjzkVWSeh8n1KV+RzJjI7Rl+d4fV1jb8WsHl+SdIfBt6g/dKnYu bHqWpSdlr/M3V+qggyrRTP8HaM8vLKb/JeOq4xnvGtIhaklSqL/fi4ZMTwmOD8Jcy6bY rk/VJBagyvI3a9VSI0Eoeru3hroKLYlUkefv0oDXxczNO/w0axqt5yi3MLwzHevuy6O0 +u7RakuaDY0ValuNoVr6q1BFoFaD+ARrsJwiVav2+RAXYQvUHYPcrfhSKG7ejYc5TRNu N6gQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IWtz1NbUczj0mLWIihiqy7KLS5/Hl6U61hLYxZlxc4g=; b=Y8rXh6ALXJBfPzbYqidwzy7gFMsZzv9MRVz26QALjGeeeDabUCDG3xZ1Z2WH1hdRHe NDdm6NGKYmXYulKFOHqAzhnRs49qD6LA+TzTL8yf8TFCrWAMDGSBL3wkYswNAaT/5Zqw 80Gx0+pYDi4ga3oIPvfPvMWSMgTjcYtyqUJlnzK60ZMtKYCYotCf9BN3snZPmmWPhYaP tJ2G6yV5dhiingKOUe2e7PjT6xe38WINNDrLmscnQ2JNgGxalr/71iQzQWR+Bec0mbfY t9EZkpSpagTK8MyJCMAwINdjXPsc073+K7OJt3moTXqkHyw5sRYnIZYniErLPQKCbtT0 v6ig==
X-Gm-Message-State: AOAM532JEOkYMdwNjrdoLfCpfzuRWosPNp54reSw4f/Cf3dtQxTzeC1r k5KD83s/51WFMOOapHRVwfDJHKmO0y+ShobfNm0=
X-Google-Smtp-Source: ABdhPJxRNe3iJcnu8CFydY66+6apoWZguKiPnxGwcs3Ymh/ZR4zu6VP3I/VdOnh+u1NfSahXK5hg4r1izduEzsDUcXw=
X-Received: by 2002:a05:6e02:501:: with SMTP id d1mr1403705ils.68.1603268160892; Wed, 21 Oct 2020 01:16:00 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-v7uUxBzMz6K_n=xpVAvnJY=GHe1iB7hBOBj4xxdbp0wg@mail.gmail.com> <CAM8feuTP=9+dDv5m2fMKru=DuLLbjv3AStkEWgwjdWCmrdpDzg@mail.gmail.com> <CAD9ie-uCC7uDrVCCuzWYgOf9WM=PBRgCh2+EmKVPr6MrramNBw@mail.gmail.com>
In-Reply-To: <CAD9ie-uCC7uDrVCCuzWYgOf9WM=PBRgCh2+EmKVPr6MrramNBw@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Wed, 21 Oct 2020 10:14:55 +0200
Message-ID: <CAM8feuS=ZxFqf9X8usGQah778gYkufWjqzKfNYhPSYFB8xSBFw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000035b30d05b229f52f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/nqiBUPYbrW5-LpiU_PUgZ92HXOs>
Subject: Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedback
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2020 08:16:04 -0000
Thanks Dick, it clarifies a few points. In the core of your email, I focus on 2 items : sub_ids and hash. Beyond that we will also need a further description of the possibilities/tradeoffs in section 8, to clarify for everyone (not included here, but will be useful). There are quite a few places where practical implementations could help us decide, beyond theorical arguments. Fabien Le mar. 20 oct. 2020 à 19:45, Dick Hardt <dick.hardt@gmail.com> a écrit : > Responses inline with sections without comments deleted ... > > On Tue, Oct 20, 2020 at 2:40 AM Fabien Imbault <fabien.imbault@gmail.com> > wrote: > >> Hi >> >> Some comments marked with FI. >> >> Fabien >> >> Le mar. 20 oct. 2020 à 05:27, Dick Hardt <dick.hardt@gmail.com> a écrit : >> >>> *Previous Feedback* >>> The following items were discussed in the design team, but did not make >>> it into the draft for WG discussion. A concern I have with many of the >>> editor notes (which I point out) is that they are heavily biased by >>> Justin's vision and misrepresent the options. >>> >> >> FI : I'm sure we can get past hard feelings and focus on the core of the >> concerns. The editor's notes do their best to point where discussion should >> happen. If some of them need further clarification, we can certainly do >> that. >> > > While I am disappointed that the design team did not decide on the best > features or XYZ and XAuth, and instead started with the XYZ doc, I was not > trying to express any hard feelings! > > Reading the draft, Justin clearly has a bias to using HTTP Signing rather > than a self contained JOSE token. > His comments (as noted below) on 8.2 misrepresent, and do not call out the > advantage over all the other mechanisms of being self contained. > > Except for at the bottom, these are points for discussion that I brought > up in the design team that did not make it into the draft for discussion. > > >>> *2.3.1 *Do we need to support symmetric keys? Most OAuth clients >>> support a secret, not a key. >>> >> >> FI : it's difficult to assume people with use public key cryptography for >> everything. Seems to me the text is clear enough on what this implies. >> > > We are requiring HTTPS -- so the client has support for asymmetric crypto. > My point is that the editor notes should bring up this question, which I > asked in the design team. > > >> >>> *2.4.1* identifying the user >>> this identifier would be useful if it had properties that other opaque >>> identifiers did not have: being globally unique. A reason developers have >>> used the email in ID Tokens was that it was a globally unique string in >>> contrast to the tuple of "iss" and "sub" in the ID Token which was much >>> more complicated to add and work with in a DB. Otherwise, we are creating >>> yet another user identifier. >>> >> >> FI : OK but how would you make this a global identifier? Seems close to >> what DIF Keri is looking for (although I find the way they're doing it is >> overly/unnecessarily complex). >> > > Lots of options. No requirement to specify how the identifier is ensured > to be unique as it should be opaque to the client. It could be a URI that > starts with the AS URI, or a UUID. > > My point is that a note on this option should be in the draft. > FI : so the minimal requirement on which we agree is to have an opaque identifier. So typically this would be unique for the AS and transmitted through a user_handle (already in the spec). The client could make its own local mapping if it already knows something about the user. To know more about the user, it is possible to : - use a verifiable identity layer such as OIDC or equivalent - (TBD) use sub_ids, based on the information already locally available at the AS (with the limitations mentioned previously) ; or maybe we could use an alternative/complementary design. For instance a more explicit json on what is transmitted, or carry a correlation ID given by the client, or etc. > > >> Would that replace sub_ids? >> > > yes > > >> >>> *3.* The URI can be stable, and the access token is potentially >>> superfluous. As the client is authenticating with the same key in all >>> subsequent requests, rotation of the URI or access token may be >>> superfluous. Having an access token for the AS seems that is used while >>> authenticating vs the typical access token for an RS seems very confusing >>> to a developer. >>> >> >> FI : why would that be confusing? >> > > Because developers don't use access tokens when accessing an OAuth AS or > an OIDC OP? > > >> >>> Additionally, putting the access token for calls to the AS in the HTTP >>> Authorization header precludes using the HTTP Authorization header for >>> client authentication in 8. >>> >> >> FI : that's one of the choices we need to make. But that doesn't mean >> what is proposed is worse, it's just a different design with different >> tradeoffs. This requires a complete discussion on section 8 (which already >> occurred in the small group, but Justin will be able to comment). >> > > Agreed. I had asked for this to be called out as a discussion point in the > editor notes. It was not. > > >> >>> *4.4.2 *This functionality looks like a WebHook, and perhaps belongs in >>> the API between the client and the AS rather than an interaction that >>> involves the user. Also, this functionality provides no protection to >>> session fixation. The interaction reference has no value. >>> >>> *4.4.3 *While it is good to see an editor's note that a unique >>> callback URL could be used, the statement "but it would not prevent an >>> attacker from injecting an unrelated interaction reference into this >>> channel." is misleading. This would only happen if the client did not >>> ensure it is the same user, as that would be linked to the correct URL. >>> Similarly, the interaction reference does not provide protection if the >>> client does not ensure it is the same user. >>> Using a unique callback URL would be much simpler, and appears to >>> provide the same protection as the interaction reference and the hashing. >>> >> >> FI : having to rely on the client only to ensure it is the same user is >> precisely what you want to avoid. Hence the hashing. >> > > The hashing does not protect against session fixation if the client does > not ensure it has the same user before and after the redirect. > > For example, if the user has a decoupled interaction such as scanning a QR > code on their PC with their phone, the client cannot ensure it is the same > user coming back. An attacker can trick a user into clicking on the > decoupled URL that the attacker obtained from the AS. The hashing does not > protect against this. > FI : good point. We certainly need to handle that case correctly. We should note that to make sure we don't forget. That said, this comes as an additional requirement for some decoupled interaction modes, not as a replacement of the entire scheme. > > /Dick > ᐧ >
- [GNAP] draft-ietf-gnap-core-protocol-00 feedback Dick Hardt
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Fabien Imbault
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Dick Hardt
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Fabien Imbault
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Dick Hardt
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Fabien Imbault
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Justin Richer
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Dick Hardt