Re: [GNAP] Should access tokens be opaque or not for the clients ?
Fabien Imbault <fabien.imbault@gmail.com> Fri, 19 March 2021 17:38 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AC583A1B0C for <txauth@ietfa.amsl.com>; Fri, 19 Mar 2021 10:38:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 79e_z2MfY8yf for <txauth@ietfa.amsl.com>; Fri, 19 Mar 2021 10:38:35 -0700 (PDT)
Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93F1E3A1B0A for <txauth@ietf.org>; Fri, 19 Mar 2021 10:38:35 -0700 (PDT)
Received: by mail-il1-x130.google.com with SMTP id j11so8754087ilu.13 for <txauth@ietf.org>; Fri, 19 Mar 2021 10:38:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2nUSkr+RU6KZ2LoxJn9Q8DWkNGY5BJyHqv7tOChpE08=; b=IInBF6zMk0Z+bjaBqteAv25Lf6u0QAqW7Yf0/hoJ2KB4o7EiL8lSxomOG5BVZQWfJg 2iXb6PxIH6aMV0dJx2oBWKn8hMEV+eSg+bjQj1Tax+TGzL0y1Uc+TJC75Vk0V2rf76hq bgISJbssnyy5hLgTZabvdwfDar9Q6w+B8tJQXXRsf7EKlg8xfnbENQxtUU8J9FZR2nyd 5hQtIIyJdbVs6oahRwCjZeYCoODPaSBlj5OxqEbA2U1M2ksxQFfflYqWWsjfPcd1mMQc 2Bwxxc9VR9gJd0pAxhKMQWk0dXrwujYIKa2mOcOTNJciLwaawKuQ5ozF/tNWl1UvxHYW FpPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2nUSkr+RU6KZ2LoxJn9Q8DWkNGY5BJyHqv7tOChpE08=; b=Ef00hJ4q7gnIXBpnG5LzRje6+7ICupu+c7N6c7piZPNe0ZmSbkgTm/UiDVBicqHJ4o JqmhJDfMJIp5z2JLbnGH/KJic8GyOZqX5cqwfdXYZoIh/4mQ80dd7znzx+m7StybMGnE FEYDm05pv9cuddczr1I8U+ECKle/jA2C4tUCkI9+SFNq3L+fHWtzpdBBTDR1A+lqqBlr GcyT/zjCIscTvUcbdlrKZjmeMOuh9iiCMcrNguxNu2wl9aOtT6SeNiuzIYS2qpwkC0ke b58K2KVk3oYa5Jgx4WI2WaTxctUULkumnj6hM/KctgRBp1RdmR/pfGuMLrmugracXiMx bSYw==
X-Gm-Message-State: AOAM533c2PMmxGmdi+HF+TRR5jLNZYyB6FriacBiVPNacwc4mnfr1qzw JDGe1G1kZ5yqH+R8ejELOSjX4hh3w16IFtpRGCM=
X-Google-Smtp-Source: ABdhPJxSk8yEqWM3ANehdh5ZP+ot26TcaPo86oukS9f7As92/VFV8quN7TYNizmi/dClFr2M2vu+IjkxIejyppngu9s=
X-Received: by 2002:a92:1a11:: with SMTP id a17mr3771354ila.188.1616175513904; Fri, 19 Mar 2021 10:38:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAM8feuQ5Q1LrGtniCH3WN5gyf6QhBa-9e+2kzaV0fxzA5D5m7w@mail.gmail.com> <CAM8feuQEQyCEOErds8rpcipaqyPm3L3XMdrbQ6X2t3y9xcO4dQ@mail.gmail.com> <CAJmmfSQKZWm=YsjBVV8O+vU9zzC+eka0CCaQO-xFP-GcWzEigw@mail.gmail.com> <CANYRo8jw9gHQESDk__aKM3jK-C9FvYTFYOzb-8iYzbc_hVjMPA@mail.gmail.com> <EDB79C39-D706-43B2-B7D6-234CB32F7411@mit.edu> <CANYRo8inRJa0bAe6gqOkLKqHnt-qxPrzhDufBLwXd-S4wfjdxg@mail.gmail.com> <CAM8feuS98hqZ36hjCHg_=wpueDyXHb7t156OXnL_8MXtzpiyjA@mail.gmail.com> <CANYRo8i4gVpV5Fv7Yr9AFLNSq658EayHK5yJ+vp2ecUaRJ6fYw@mail.gmail.com> <CAM8feuSC2EDHbVHXjHAkgV8jfYP9+gQ_ZV-+y=aoEjf97Rbyqg@mail.gmail.com> <CANYRo8hdA0vLRXwOMDDg99qQHWC=DAzk+ht=ykjZ42bPmUxdPA@mail.gmail.com> <CANpA1Z2jv1ye234SKXa3n=z1yoVY5nW72Xqzj2bk_+_KjnK-+g@mail.gmail.com> <C4DC413B-32C7-432C-AE14-FC743D45319A@mit.edu> <CANpA1Z1b8FVXNgJKbv9wDyWsuva5PRrWvrgsoymCK9bj_Zt1wg@mail.gmail.com> <43447446-4061-49F2-8486-5A196C3C75E2@mit.edu> <CAM8feuSncUCkqWAA975kCTUdv69VG41a9s7HYD2LP5xCVmkkiQ@mail.gmail.com> <37a04505-84ef-aecf-6913-5aad8330c97c@free.fr> <CAK5Vu_DOFm8LM82AiYi52p9MQikevJZuv5NrBj9K2KRZixhr0g@mail.gmail.com> <B7746C38-DCF4-4795-ACD4-3FABC536A952@mit.edu> <CAK5Vu_BUmKeWK4yQ-tmKsnJG=8KkM1C93LXfYfLyfpfOCF8Ghw@mail.gmail.com> <B2292C04-9580-403A-BFC1-5212335F8BFC@mit.edu> <CANYRo8jDqEdk9VsUnSsCufHn0MhRmqP+ArgxQ5q0WEJgje+6GQ@mail.gmail.com> <CAM8feuTC0nY6kUq_NtRAn_n6PVs1BK+4KNBsQ=ELqavTJC_wBA@mail.gmail.com> <CAM1Hn1XxtdXV0cWOo7TYQUPRZ4t0eo8eU+mJCxgw9_W0jPnijA@mail.gmail.com> <3FE214B6-CF96-472D-853B-C7C5AC7A73AE@mit.edu> <CAM1Hn1UDLXPfuVSuzyfUf1z-ocy-SSKZUjn2UVEqZ-64kzEJcQ@mail.gmail.com> <A337051B-701F-4CFD-989D-7412469619D4@mit.edu> <CANYRo8hiu74EkpENjsPO-bRJqaVFtH9Ev9o4Ex2GSTKqw1S=OQ@mail.gmail.com> <8DF709AE-B17D-4B53-92FC-723F2C8C2503@mit.edu> <CANYRo8gzaCdHaqYXe7hAawe0_tOz=3tnULpgRjspbhA-9xAV-A@mail.gmail.com> <48B35DA4-9B92-493B-B2CC-C03544A1707D@mit.edu>
In-Reply-To: <48B35DA4-9B92-493B-B2CC-C03544A1707D@mit.edu>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 19 Mar 2021 18:38:22 +0100
Message-ID: <CAM8feuSFCLUFEKVdq=2ywjkCNpb+rKJJb8hPL=UdZRMvFFj36A@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Adrian Gropper <agropper@healthurl.com>, Alejandro Iacobelli <aiacobelli.sec@gmail.com>, Steve Moore <srmoore@gmail.com>, txauth gnap <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000066aacd05bde72f02"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/pIYrkbyobNZeJOTEznVrjv0iFuE>
Subject: Re: [GNAP] Should access tokens be opaque or not for the clients ?
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Mar 2021 17:38:42 -0000
Oh I thought capchas were mostly a way to train your AI for free ;-) Joke aside, I support Justin's view of what goes into core versus what the kind of modularity we might bring in addition to that. Fabien On Fri, Mar 19, 2021 at 6:32 PM Justin Richer <jricher@mit.edu> wrote: > The only way for the RS operator could introduce a captcha, within the > definitions of the GNAP protocol, is through an AS. Or more properly, > through this yes-unnamed aspect of “interacting with the RO” that the AS is > in charge of coordinating the results of. The RS is not an end-user-facing > service, it is an API, software meant to be called by other software. The > defined way for the “RS” to interact with a person, issue tokens, or > anything of the sort is through an AS. > > In OAuth 1, the AS and RS were just called the “authorization server” or > even just “server", and it seems like a lot of the discussion on this > thread is collapsing that same set of roles back but instead calling it the > “RS”. I think this is problematic both in terms of the flexibility of the > protocol and also in terms of clarity in what we’re describing and > discussing. > > — Justin > > On Mar 19, 2021, at 1:26 PM, Adrian Gropper <agropper@healthurl.com> > wrote: > > I agree. The problem is that powerful RS operators introduce things like > Capchas that hassle the RO. Sometimes this is justified but often it > reflects an inadequate protocol. > > Adrian > > On Fri, Mar 19, 2021 at 1:22 PM Justin Richer <jricher@mit.edu> wrote: > >> There’s an important difference here: >> >> The AS is software. Always. It plays a specific role within the protocol. >> >> The RO could be a person. It could be an agency. It could be a policy. >> They don’t take part in the protocol directly but are involved in decisions >> made in the course of the protocol. >> >> These are two very, very different things, and they can’t be conflated. >> >> I like the idea of talking in terms of relationships, such as AS-RS (a >> protocol relationship) and AS-RO (a trust relationship). >> >> — Justin >> >> On Mar 19, 2021, at 12:37 PM, Adrian Gropper <agropper@healthurl.com> >> wrote: >> >> It might be a good idea to keep the RS to AS relationship out of the GNAP >> spec but I’m having a hard time analyzing it in the abstract. >> >> My starting perspective is that the RS should not know or care whether it >> is dealing with the AS or the RO. This is super important because it gives >> the RO unlimited delegation power. >> >> Cases where the RO wants to give the RS a separate endpoint or other >> identity should be allowed by GNAP but might be out of band. This is the >> HIPAA API Task Force use case that I have referenced in another thread. The >> issue here is that the RS has the option of reaching out to the RO and >> requesting confirmation. >> >> Adrian >> >> On Fri, Mar 19, 2021 at 11:37 AM Justin Richer <jricher@mit.edu> wrote: >> >>> My proposal is that the client instance shouldn’t care what’s in the >>> token, what format it is, etc. >>> >>> The RS can care and there should be choices that include random, sealed, >>> and even plainly signed tokens. That choice is part of the relationship >>> between the RS and AS, which the core GNAP protocol doesn’t specify. >>> >>> This is why I propose that we extract what’s now section 10 in the draft >>> and put it into a new document that can more directly discuss that >>> relationship. These different relationships should be modular. >>> >>> — Justin >>> >>> On Mar 19, 2021, at 11:13 AM, Alejandro Iacobelli < >>> aiacobelli.sec@gmail.com> wrote: >>> >>> Agree! So what are you saying the proposal should be? Random or sealed >>> tokens? >>> >>> El El vie, 19 mar. 2021 a la(s) 10:04, Justin Richer <jricher@mit.edu> >>> escribió: >>> >>>> One of the best ways to protect information in the token is to not put >>>> it in the token in the first place. This is why a some highly-sensitive >>>> application profiles and deployments us randomized values as tokens. The RS >>>> has a way to dereference it, which is important. >>>> >>>> For downstream delegation, like one micro service calling another, >>>> we’re no longer talking about the client knowing the access token, we’re >>>> talking about an RS at the first step. This is where non-opaque, or >>>> encrypted, or other kinds of recoverable data structures come into play >>>> more directly. >>>> >>>> To Adrian’s point, sharing the QR code should be up to the AS’s policy. >>>> If Steve gives me a bearer artifact that isn’t attached to anything that >>>> identifies me, then it’s easy for me to share because the artifact is the >>>> identity and proof all in one. The strawman description below sounds like >>>> that. But it’s important in this design that the AS can also require me to >>>> log in with a specific account, plus present a token, plus type in a secret >>>> code, plus present a hardware key that completes a circuit in the right way >>>> (seems like something Steve would build, tbh), etc. But all of these aren’t >>>> a client talking to a resource, they’re the end-user presenting things to >>>> the AS so that the AS can make a policy decision to issue a token and allow >>>> access. >>>> >>>> — Justin >>>> >>>> On Mar 18, 2021, at 8:23 PM, Alejandro Iacobelli < >>>> aiacobelli.sec@gmail.com> wrote: >>>> >>>> The decision about "opaque" vs "sealed but recoverable" or "signed" >>>> access_token goes way back on the stateless protocols session management. >>>> >>>> In my opinion, the software design principle that we must apply here is >>>> the "need to know" principle. This means, the less information an attacker >>>> could get, the better. One thing that JWS explse is all the context >>>> information about a token, so an attacker can get lots of information just >>>> with a look. >>>> >>>> The next discussion will be what ways of generating opaque tokens are >>>> there and which must we choose (Encrypted vs CSPRNG based). >>>> >>>> On Thu, 18 Mar 2021 at 21:17, Fabien Imbault <fabien.imbault@gmail.com> >>>> wrote: >>>> >>>>> Hi Adrian, >>>>> >>>>> I'm really not sure I understand here. >>>>> >>>>> I get the idea of putting a policy engine in front of your services to >>>>> implement ZTA. But I'm not sure I get this way of framing things. It blurs >>>>> functional roles and actual services, and most importantly if everything >>>>> gets its own AS, it also gets by transitivity its RO'/RQ' (and then its >>>>> AS-RO' etc) and so the complexity becomes staggering. >>>>> Why do we need that? >>>>> >>>>> Fabien >>>>> >>>>> Le ven. 19 mars 2021 à 00:55, Adrian Gropper <agropper@healthurl.com> >>>>> a écrit : >>>>> >>>>>> +1 This aligns with my healthcare use-case to the extent that Justin >>>>>> can transfer the capability granted by that QR code to Adrian who happens >>>>>> to be nearby Steve's house. >>>>>> >>>>>> I've tried to capture some of this in my comment to #145 >>>>>> https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/145#issuecomment-802388458 >>>>>> >>>>>> - Adrian >>>>>> >>>>>> On Thu, Mar 18, 2021 at 2:39 PM Justin Richer <jricher@mit.edu> >>>>>> wrote: >>>>>> >>>>>>> Right, and in the GNAP model this becomes something my client >>>>>>> instance presents to the AS when I show up. The AS can validate my >>>>>>> presentation of this item and give my client instance a token to call >>>>>>> Steve’s RS. Or if you wanted to get super fancy Steve’s AS could even >>>>>>> challenge my client instance and get a cryptographic response to prove I >>>>>>> have the thing Steve had me scan. But in both cases it’s part of things >>>>>>> that the AS collects in order to create the access token. >>>>>>> >>>>>>> — Justin >>>>>>> >>>>>>> On Mar 18, 2021, at 2:26 PM, Stephen Moore <srmoore@gmail.com> >>>>>>> wrote: >>>>>>> >>>>>>> That in my mind works out great... Say I'm logged into my home >>>>>>> hub/AS. Justin is over and agrees to cat sit, I pull up my client app, and >>>>>>> generate a QR code that has maybe The AS URI, the HomeHub API URL, and the >>>>>>> 'special token to present to AS for a real token'. Justin scans that QR >>>>>>> code with his home controller app, and BAM, he's onboarded as a guest >>>>>>> without even logging into my AS or me dealing with his Auth provider. >>>>>>> -steve >>>>>>> >>>>>>> On Thu, Mar 18, 2021 at 2:08 PM Justin Richer <jricher@mit.edu> >>>>>>> wrote: >>>>>>> >>>>>>>> I think Steve’s use case gives an interesting example of something >>>>>>>> that I believe Adrian’s been talking about as well — delegating to another >>>>>>>> person. >>>>>>>> >>>>>>>> We traditionally think of delegation at the AS to mean “a different >>>>>>>> user account logs in to the AS”, and it’s important to know that this does >>>>>>>> in fact work. But this could just as easily be “Steve sends his friend an >>>>>>>> artifact to present to the AS to get access”. This isn’t Steve (or Steve’s >>>>>>>> client software) getting and sending an access token, this is sending some >>>>>>>> other set of rights credential to his friend, or his friend’s software. So >>>>>>>> then Steve’s AS can have policy that says “when I see this rights >>>>>>>> credential, give an access token for the following attenuated things, >>>>>>>> because Steve said so”. The AS doesn’t even ever need to know who Steve’s >>>>>>>> friend is! >>>>>>>> >>>>>>>> And importantly here, we don’t expect Steve’s friend to bring their >>>>>>>> own AS to the party. Steve’s RS has no reason to trust his friend’s AS, let >>>>>>>> alone his friend’s client. But Steve’s AS is in a position to know more >>>>>>>> about the rights policies that Steve wants to apply, and so it can use >>>>>>>> other technologies like VC’s, DIDs, OIDC, or any number of other things to >>>>>>>> let things go through. This pattern is exactly why I think we need to think >>>>>>>> of this in terms of what’s currently called “interaction” at the AS. It’s >>>>>>>> not really just about how the end-user interacts, it’s about how the AS >>>>>>>> gathers all the consent and authorization information. I plan to rewrite >>>>>>>> section 4 to that effect. >>>>>>>> >>>>>>>> — Justin >>>>>>>> >>>>>>>> On Mar 18, 2021, at 1:58 PM, Stephen Moore <srmoore@gmail.com> >>>>>>>> wrote: >>>>>>>> >>>>>>>> I'm having some concerns with the way you're flipping the trust >>>>>>>> here Denis. You seem to indicate that the user has trust in the RS and the >>>>>>>> Client and has to gain the trust of the AS. I feel like the least >>>>>>>> trustworthy portion of the architecture is the client, because that seems >>>>>>>> like it is the most interchangeable component. >>>>>>>> Let me explain by way of a use case I have in mind. >>>>>>>> Let's say I have a smart home. I have devices and data storage and >>>>>>>> rule engines that are parts of sensors and hubs I buy for the house. I have >>>>>>>> a trust in those devices, because it's hardware, if the company is leaking >>>>>>>> data at the hardware level there isn't much I can do other than buy >>>>>>>> different sensors. >>>>>>>> In this case, the primary home hub, which is under control of the >>>>>>>> homeowner, would also be the AS, as well as a policy agent. Authentication >>>>>>>> in the example is outsourced to whatever auth providers you want. I set up >>>>>>>> my home using a google account, a friend is staying and wants access and >>>>>>>> uses FB for auth... whatever. >>>>>>>> The part that I have little control over is the client my friend >>>>>>>> uses on his phone. Or if I change the client on the tablet in the kitchen >>>>>>>> to try out something new. These pieces might be single page web apps, they >>>>>>>> might be downloaded apps, etc. I do not want them having any additional >>>>>>>> information than is necessary. If I give my friend permission to unlock the >>>>>>>> door, and control the lights because they are feeding my cats while I'm >>>>>>>> away, the client doesn't need to know anything beyond, I see this home >>>>>>>> controller, and I have access to these lights and that door lock. >>>>>>>> >>>>>>>> In your scenarios, the client is spy by design, and if it is a web >>>>>>>> app, I don't trust them to not grab my user email address from the AS and >>>>>>>> put it on a mailing list it sells to some sketchy company, when the only >>>>>>>> other component that needs that information is the RS. >>>>>>>> >>>>>>>> -steve >>>>>>>> >>>>>>>> On Thu, Mar 18, 2021 at 1:21 PM Denis <denis.ietf@free.fr> wrote: >>>>>>>> >>>>>>>>> I have changed the title of this thread, since the original topic >>>>>>>>> has been closed. >>>>>>>>> >>>>>>>>> Justin, you are raising the following question: >>>>>>>>> >>>>>>>>> The question I have is — why does the client need to know what’s >>>>>>>>> in the token? >>>>>>>>> Not if they could possibly know, but why would we expect a client >>>>>>>>> to know and manage the contents of the token? >>>>>>>>> >>>>>>>>> The answer is quite simple: so that the end-user may have >>>>>>>>> confidence into the architecture. >>>>>>>>> The seventh of the eleven privacy principles from ISO 29100 (page >>>>>>>>> 14) is: >>>>>>>>> >>>>>>>>> *7. Openness, transparency and notice * >>>>>>>>> >>>>>>>>> If the access token is considered as a black box for the end-user, >>>>>>>>> it cannot be confident about the content of the access token. >>>>>>>>> Such access token may disclose some private information without >>>>>>>>> the consent of the end-user. If the access token that it has obtained >>>>>>>>> >>>>>>>>> does not match with what has been requested, the client will first >>>>>>>>> not forward the access token to the RS and then will complain about the AS. >>>>>>>>> >>>>>>>>> Denis >>>>>>>>> >>>>>>>>> >>>>>>>>> Hi Justin, >>>>>>>>> >>>>>>>>> "The access token is fundamentally a conversational artifact >>>>>>>>> between the AS and the RS which the client is the carrier of." >>>>>>>>> That's right, and a good opportunity to distinguish between the >>>>>>>>> need for token inspection (i.e. a runtime verification, wherever that may >>>>>>>>> be) >>>>>>>>> and the need to negotiate the token format (a discovery). That >>>>>>>>> last part could very well be an extension, as a way to open up the ecosystem >>>>>>>>> >>>>>>>>> beyond JWTs (which are fine, but come with their own limitations). >>>>>>>>> >>>>>>>>> Fabien >>>>>>>>> >>>>>>>>> On Thu, Mar 18, 2021 at 5:59 PM Justin Richer <jricher@mit.edu> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> On Mar 18, 2021, at 11:30 AM, Alan Karp <alanhkarp@gmail.com> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Justin Richer <jricher@mit.edu> wrote: >>>>>>>>>> >>>>>>>>>>> On Mar 18, 2021, at 12:08 AM, Alan Karp <alanhkarp@gmail.com> >>>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Adrian Gropper <agropper@healthurl.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Is there an AS involved in the delegation? How and where in the >>>>>>>>>>>> lifecycle of the protected resource? >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> If tokens are certificates, the AS need not be involved in >>>>>>>>>>> subsequent delegations. The AS must be involved if the tokens are opaque. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Tokens are opaque to the client instance. They are not opaque to >>>>>>>>>>> the AS. They might be opaque to the RS, but that depends on the kind of >>>>>>>>>>> relationship the RS and AS have. GNAP should allow different options here >>>>>>>>>>> as there are different use cases for that. >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Tokens are not opaque to the client in SPKI, zcap-ld, Orie's >>>>>>>>>> implementation with VCs, or our Zebra Copy work. Why must they be in GNAP? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> The existence of the AS is exactly the reason for this. The AS is >>>>>>>>>> the role that “knowledge about the token contents” has been outsourced to >>>>>>>>>> in the GNAP model (which is based on the OAuth model). >>>>>>>>>> >>>>>>>>>> It brings significant simplicity for the client developer. The >>>>>>>>>> question I have is — why does the client need to know what’s in the token? >>>>>>>>>> Not if they could possibly know, but why would we expect a client to know >>>>>>>>>> and manage the contents of the token? >>>>>>>>>> >>>>>>>>>> The access token is fundamentally a conversational artifact >>>>>>>>>> between the AS and the RS which the client is the carrier of. The client is >>>>>>>>>> not the audience of the token, nor the creator of the token, nor even the >>>>>>>>>> manager of the token and the rights it represents. The client as a simple >>>>>>>>>> carrier is a powerful model that allows the security layer to get out of >>>>>>>>>> the way of the actual application logic that developers want to do. >>>>>>>>>> >>>>>>>>>> — Justin >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -------------- >>>>>>>>>> Alan Karp >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Thu, Mar 18, 2021 at 4:56 AM Justin Richer <jricher@mit.edu> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> On Mar 18, 2021, at 12:08 AM, Alan Karp <alanhkarp@gmail.com> >>>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Adrian Gropper <agropper@healthurl.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Is there an AS involved in the delegation? How and where in the >>>>>>>>>>>> lifecycle of the protected resource? >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> If tokens are certificates, the AS need not be involved in >>>>>>>>>>> subsequent delegations. The AS must be involved if the tokens are opaque. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Tokens are opaque to the client instance. They are not opaque to >>>>>>>>>>> the AS. They might be opaque to the RS, but that depends on the kind of >>>>>>>>>>> relationship the RS and AS have. GNAP should allow different options here >>>>>>>>>>> as there are different use cases for that. >>>>>>>>>>> >>>>>>>>>>> It would probably be worthwhile to separate the portions of the >>>>>>>>>>> spec that talk about the RS-AS relationship into its own standalone >>>>>>>>>>> document. A similar approach was taken in UMA2 and it was helpful. (Though >>>>>>>>>>> admittedly, as with anything, there are missteps there that we can >>>>>>>>>>> hopefully learn from.) >>>>>>>>>>> >>>>>>>>>>> — Justin >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -------------- >>>>>>>>>>> Alan Karp >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Wed, Mar 17, 2021 at 8:54 PM Adrian Gropper < >>>>>>>>>>> agropper@healthurl.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Sure! >>>>>>>>>>>> >>>>>>>>>>>> Is there an AS involved in the delegation? How and where in the >>>>>>>>>>>> lifecycle of the protected resource? >>>>>>>>>>>> >>>>>>>>>>>> Also your use of "the client" seems to imply that either there >>>>>>>>>>>> is only one client or the client doesn't matter. Which is it? >>>>>>>>>>>> >>>>>>>>>>>> Adrian >>>>>>>>>>>> >>>>>>>>>>>> On Wed, Mar 17, 2021 at 11:43 PM Fabien Imbault < >>>>>>>>>>>> fabien.imbault@gmail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Thanks for that. >>>>>>>>>>>>> >>>>>>>>>>>>> Trying to reframe it: >>>>>>>>>>>>> GNAP is defined as a delegation protocol so the main intent is >>>>>>>>>>>>> related to a delegate of the RO (i.e. the end user) that wishes to access >>>>>>>>>>>>> the RO's protected resources, through the client. >>>>>>>>>>>>> >>>>>>>>>>>>> Fabien >>>>>>>>>>>>> >>>>>>>>>>>>> Le jeu. 18 mars 2021 à 04:29, Adrian Gropper < >>>>>>>>>>>>> agropper@healthurl.com> a écrit : >>>>>>>>>>>>> >>>>>>>>>>>>>> At various points in the lifecycle of the protected resource >>>>>>>>>>>>>> the client at the resource server (RS) might be: >>>>>>>>>>>>>> >>>>>>>>>>>>>> - The RO (subject) user agent trading payment for a >>>>>>>>>>>>>> service promise >>>>>>>>>>>>>> - The RO user agent using the promise to access the >>>>>>>>>>>>>> protected resource >>>>>>>>>>>>>> - A delegate of the RO user agent using a different client >>>>>>>>>>>>>> >>>>>>>>>>>>>> What's vague is where the GNAP AS enters the picture as >>>>>>>>>>>>>> described above. How would you describe it? >>>>>>>>>>>>>> >>>>>>>>>>>>>> Adrian >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Wed, Mar 17, 2021 at 10:20 PM Fabien Imbault < >>>>>>>>>>>>>> fabien.imbault@gmail.com> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> Hi Adrian >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I'm still confused why you're saying the terminology is >>>>>>>>>>>>>>> vague. >>>>>>>>>>>>>>> I get the "power" neutrality is not to your liking, but RQ / >>>>>>>>>>>>>>> user agent is no better in my view. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Can you elaborate? >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Fabien >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Le jeu. 18 mars 2021 à 00:18, Adrian Gropper < >>>>>>>>>>>>>>> agropper@healthurl.com> a écrit : >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I'm sure you're right. Our vague terminology around >>>>>>>>>>>>>>>> client and end-user leads to my confusion. If GNAP is primarily about >>>>>>>>>>>>>>>> delegation then, of course, we should avoid any incentives to impersonate >>>>>>>>>>>>>>>> or we're wasting our time. This is partly why I'm trying to study up on >>>>>>>>>>>>>>>> capabilities and asking for expert advice from folks like Alan Karp and >>>>>>>>>>>>>>>> Mark Miller (cc'd) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> As best I can understand it, the RS has only two choices, >>>>>>>>>>>>>>>> it can: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> - store an attribute of the RO a [DID, email address, >>>>>>>>>>>>>>>> GNAP AS URL], or >>>>>>>>>>>>>>>> - hand the RO a capability as a sort-of promise and >>>>>>>>>>>>>>>> avoid making any entries in an ACL or equivalent. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> When a token comes back to the RS, it will either be: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> - validated according to something associated with the >>>>>>>>>>>>>>>> stored RO attribute, or >>>>>>>>>>>>>>>> - signed by the RS itself. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Either way, trust in the client seems moot. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Adrian >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On Wed, Mar 17, 2021 at 5:29 PM Justin Richer < >>>>>>>>>>>>>>>> jricher@mit.edu> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On Mar 17, 2021, at 4:55 PM, Adrian Gropper < >>>>>>>>>>>>>>>>> agropper@healthurl.com> wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On Wed, Mar 17, 2021 at 4:23 PM Tobias Looker < >>>>>>>>>>>>>>>>> tobias.looker@mattr.global> wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> <snip> >>>>>>>>>>>>>>>>>> > A client might not have a DID but it could have a VC as >>>>>>>>>>>>>>>>>> a certificate of authenticity linked to some audit mechanism. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> To me a VC would come under the assertions umbrella (that >>>>>>>>>>>>>>>>>> is to say a VC could be one type of valid assertion). The client may >>>>>>>>>>>>>>>>>> possess or been presented with a VC that it could include in its request to >>>>>>>>>>>>>>>>>> the AS as a way to identify the subject and perhaps prove authentication >>>>>>>>>>>>>>>>>> and authorization. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I do not assume that the client that interacts with the AS >>>>>>>>>>>>>>>>> to make a request and receive a token is the same as the client that will >>>>>>>>>>>>>>>>> present the token to the RS. In the US HIPAA use-case, for example, the >>>>>>>>>>>>>>>>> root of trust is a contract between the patient-subject and the >>>>>>>>>>>>>>>>> doctor-requesting party but the doctor workflow is expected to delegate the >>>>>>>>>>>>>>>>> token to some other end-user that may be using a totally different client >>>>>>>>>>>>>>>>> such as an EHR. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> If the client that gets the token is not same as the >>>>>>>>>>>>>>>>> client that uses the token, that is a violation of core security principles >>>>>>>>>>>>>>>>> as it allows for (and really designs for) impersonation by client software. >>>>>>>>>>>>>>>>> I would have no reason to trust client software that would hand its >>>>>>>>>>>>>>>>> credentials over to another piece of software, and in fact I shouldn’t >>>>>>>>>>>>>>>>> trust it. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I think you may be conflating several different kinds of >>>>>>>>>>>>>>>>> parties under the “client” umbrella here, though. It’s entirely possible >>>>>>>>>>>>>>>>> that one client might call an RS that in turn acts as a client for >>>>>>>>>>>>>>>>> something else down stream. But each of those hops is different from the >>>>>>>>>>>>>>>>> last. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> — Justin >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> TXAuth mailing list >>>>>>>>> TXAuth@ietf.org >>>>>>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>>>>>> >>>>>>>> -- >>>>>>>> TXAuth mailing list >>>>>>>> TXAuth@ietf.org >>>>>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> -- >>>>>>> TXAuth mailing list >>>>>>> TXAuth@ietf.org >>>>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>>>> >>>>>> -- >>>>>> TXAuth mailing list >>>>>> TXAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>>> >>>>> -- >>>>> TXAuth mailing list >>>>> TXAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>> >>>> >>>> >>>> -- >>>> You know nothing Jon Snow! >>>> >>>> >>>> -- >>> You know nothing Jon Snow! >>> >>> >>> >> >
- [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Tobias Looker
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Tobias Looker
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Denis
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Tobias Looker
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Tobias Looker
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Alan Karp
- Re: [GNAP] DID as sub_id or assertion? Alan Karp
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Denis
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Alan Karp
- Re: [GNAP] DID as sub_id or assertion? Alan Karp
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- [GNAP] Should access tokens be opaque or not for … Denis
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] Should access tokens be opaque or not … Stephen Moore
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Stephen Moore
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper
- Re: [GNAP] Should access tokens be opaque or not … Fabien Imbault
- Re: [GNAP] Should access tokens be opaque or not … Alejandro Iacobelli
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Alejandro Iacobelli
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Fabien Imbault
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper