Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedback
Dick Hardt <dick.hardt@gmail.com> Wed, 21 October 2020 17:36 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 725E83A13C7 for <txauth@ietfa.amsl.com>; Wed, 21 Oct 2020 10:36:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1pqNRXL_k8Fo for <txauth@ietfa.amsl.com>; Wed, 21 Oct 2020 10:36:30 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A19443A13C5 for <txauth@ietf.org>; Wed, 21 Oct 2020 10:36:29 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id l2so4223233lfk.0 for <txauth@ietf.org>; Wed, 21 Oct 2020 10:36:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ak7RfcCsRlMCHwzT2X/Q0XHjNmP7KYYfrEELAos2DQs=; b=flDkXMT9YyhXTq7WTSN7jXdCIHSdHMVHwUdt1/nYUO/ja0gQo6HHXNysXaqMYb5bmt Gf2Ta6wSRzZOuowRiE7mZrjwgsR6jxpAtJhVcuZAYztvZPyU/XKTLifxqzXyIxbZcWB5 dYylCKaNNfhVty3NtMP8ze+bfRgtOHVt5iCrziuhO7+XM/ck1Ax7udz/dZ5m+vmJsR1k 9pD2x7rtTCfvRnlNl9wJm2l7Klj4pSYqXgbPP+dM0VP3T3zz+W4RJ8uNqWuVjli4zQbr h7/Sgq+W5f2ixslnViesTi7omct3R/du42U8pCuAShArdAzf8R4KZ5VWeqCEswfDxlge 5/ag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ak7RfcCsRlMCHwzT2X/Q0XHjNmP7KYYfrEELAos2DQs=; b=EqXHR9WejR92Et26fogA6b/JeAE7QUApqMZZjJWaznZ4ADdzm8MTYQ4TwlJYofXvEp 82Wut0iaPB8i6czMwEHoBe/nR0N4JfT3m1wqFkERt+rg1IO8nVFcaTyCoQ3PWUp0tqp9 6rKi2WDUsRJs/ab4N4RZab4J4HbCLG4f5kGsNFyLwvMn89sNxTfsunBi8rgZrhow3fTc QnkQWO1ZM8qKXM18xI3WbrjtCAvZjLXCS+AF5jeYSp+X6NNdehs3vDYlJ0dEA5kneW4/ j3Ua+JgNaS0XItVhiZqyftwBTO8PYiZ17HXeQptWsaexF6wmQuAHREi8c9WhVyVXOeKe KUIg==
X-Gm-Message-State: AOAM530T06oub02NSvNb3nfn7AZ3DIOH9R5c9go6Gdp/sbbWSm+QjqmB gm0/ODo/nWaB0R9en5TMowvKTj7mopNEtsNoUjo=
X-Google-Smtp-Source: ABdhPJxYkqYq/tPAbdQ8eFMtQ/dQaAfglMxhAiDSAZm62Wib4wclLLXp52Kj7orcytijSPIFfjdKXppWBo7BafZJakg=
X-Received: by 2002:a05:6512:68a:: with SMTP id t10mr1554441lfe.221.1603301787622; Wed, 21 Oct 2020 10:36:27 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-v7uUxBzMz6K_n=xpVAvnJY=GHe1iB7hBOBj4xxdbp0wg@mail.gmail.com> <CAM8feuTP=9+dDv5m2fMKru=DuLLbjv3AStkEWgwjdWCmrdpDzg@mail.gmail.com> <CAD9ie-uCC7uDrVCCuzWYgOf9WM=PBRgCh2+EmKVPr6MrramNBw@mail.gmail.com> <CAM8feuS=ZxFqf9X8usGQah778gYkufWjqzKfNYhPSYFB8xSBFw@mail.gmail.com>
In-Reply-To: <CAM8feuS=ZxFqf9X8usGQah778gYkufWjqzKfNYhPSYFB8xSBFw@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 21 Oct 2020 10:35:51 -0700
Message-ID: <CAD9ie-tBF4Ydz0kxXWmzEb+hkt+28UPeUMdRCFSiQfYQn4ciLg@mail.gmail.com>
To: Fabien Imbault <fabien.imbault@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000084e25e05b231c95b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/piE8nBw1fkmZ4Z-e_SUlVAaV0VQ>
Subject: Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedback
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2020 17:36:32 -0000
Hi Fabien There *could* be value in GNAP creating yet-another-user-identifier if the identifier was guaranteed to be globally unique -- a property not held by "sub" in an ID Token. Using the SecEvent subject identifier draft for a client to share which user the client *thinks* it has is useful -- that is what the draft was intended for. In my opinion, querying for identifiers independent of what is already defined in OpenID and other standards is a path for developer misery. I don't think the hash provides any extra value if the redirect URL provided by the client to the AS is unique to the transaction. It has no value in a push back to the client, or a decoupled interaction -- both of which are susceptible to session fixation / phishing attacks. ᐧ On Wed, Oct 21, 2020 at 1:16 AM Fabien Imbault <fabien.imbault@gmail.com> wrote: > Thanks Dick, it clarifies a few points. In the core of your email, I focus > on 2 items : sub_ids and hash. > > Beyond that we will also need a further description of the > possibilities/tradeoffs in section 8, to clarify for everyone (not included > here, but will be useful). > > There are quite a few places where practical implementations could help us > decide, beyond theorical arguments. > > Fabien > > Le mar. 20 oct. 2020 à 19:45, Dick Hardt <dick.hardt@gmail.com> a écrit : > >> Responses inline with sections without comments deleted ... >> >> On Tue, Oct 20, 2020 at 2:40 AM Fabien Imbault <fabien.imbault@gmail.com> >> wrote: >> >>> Hi >>> >>> Some comments marked with FI. >>> >>> Fabien >>> >>> Le mar. 20 oct. 2020 à 05:27, Dick Hardt <dick.hardt@gmail.com> a >>> écrit : >>> >>>> *Previous Feedback* >>>> The following items were discussed in the design team, but did not make >>>> it into the draft for WG discussion. A concern I have with many of the >>>> editor notes (which I point out) is that they are heavily biased by >>>> Justin's vision and misrepresent the options. >>>> >>> >>> FI : I'm sure we can get past hard feelings and focus on the core of the >>> concerns. The editor's notes do their best to point where discussion should >>> happen. If some of them need further clarification, we can certainly do >>> that. >>> >> >> While I am disappointed that the design team did not decide on the best >> features or XYZ and XAuth, and instead started with the XYZ doc, I was not >> trying to express any hard feelings! >> >> Reading the draft, Justin clearly has a bias to using HTTP Signing rather >> than a self contained JOSE token. >> His comments (as noted below) on 8.2 misrepresent, and do not call out >> the advantage over all the other mechanisms of being self contained. >> >> Except for at the bottom, these are points for discussion that I brought >> up in the design team that did not make it into the draft for discussion. >> >> >>>> *2.3.1 *Do we need to support symmetric keys? Most OAuth clients >>>> support a secret, not a key. >>>> >>> >>> FI : it's difficult to assume people with use public key cryptography >>> for everything. Seems to me the text is clear enough on what this implies. >>> >> >> We are requiring HTTPS -- so the client has support for asymmetric >> crypto. My point is that the editor notes should bring up this question, >> which I asked in the design team. >> > >> >>> >>>> *2.4.1* identifying the user >>>> this identifier would be useful if it had properties that other opaque >>>> identifiers did not have: being globally unique. A reason developers have >>>> used the email in ID Tokens was that it was a globally unique string in >>>> contrast to the tuple of "iss" and "sub" in the ID Token which was much >>>> more complicated to add and work with in a DB. Otherwise, we are creating >>>> yet another user identifier. >>>> >>> >>> FI : OK but how would you make this a global identifier? Seems close to >>> what DIF Keri is looking for (although I find the way they're doing it is >>> overly/unnecessarily complex). >>> >> >> Lots of options. No requirement to specify how the identifier is ensured >> to be unique as it should be opaque to the client. It could be a URI that >> starts with the AS URI, or a UUID. >> >> My point is that a note on this option should be in the draft. >> > > FI : so the minimal requirement on which we agree is to have an opaque > identifier. So typically this would be unique for the AS and transmitted > through a user_handle (already in the spec). The client could make its own > local mapping if it already knows something about the user. > > To know more about the user, it is possible to : > - use a verifiable identity layer such as OIDC or equivalent > - (TBD) use sub_ids, based on the information already locally available at > the AS (with the limitations mentioned previously) ; or maybe we could use > an alternative/complementary design. For instance a more explicit json on > what is transmitted, or carry a correlation ID given by the client, or etc. > > > >> >> >>> Would that replace sub_ids? >>> >> >> yes >> >> >>> >>>> *3.* The URI can be stable, and the access token is potentially >>>> superfluous. As the client is authenticating with the same key in all >>>> subsequent requests, rotation of the URI or access token may be >>>> superfluous. Having an access token for the AS seems that is used while >>>> authenticating vs the typical access token for an RS seems very confusing >>>> to a developer. >>>> >>> >>> FI : why would that be confusing? >>> >> >> Because developers don't use access tokens when accessing an OAuth AS or >> an OIDC OP? >> > >> >>> >>>> Additionally, putting the access token for calls to the AS in the HTTP >>>> Authorization header precludes using the HTTP Authorization header for >>>> client authentication in 8. >>>> >>> >>> FI : that's one of the choices we need to make. But that doesn't mean >>> what is proposed is worse, it's just a different design with different >>> tradeoffs. This requires a complete discussion on section 8 (which already >>> occurred in the small group, but Justin will be able to comment). >>> >> >> Agreed. I had asked for this to be called out as a discussion point in >> the editor notes. It was not. >> >> >>> >>>> *4.4.2 *This functionality looks like a WebHook, and perhaps belongs >>>> in the API between the client and the AS rather than an interaction that >>>> involves the user. Also, this functionality provides no protection to >>>> session fixation. The interaction reference has no value. >>>> >>>> *4.4.3 *While it is good to see an editor's note that a unique >>>> callback URL could be used, the statement "but it would not prevent an >>>> attacker from injecting an unrelated interaction reference into this >>>> channel." is misleading. This would only happen if the client did not >>>> ensure it is the same user, as that would be linked to the correct URL. >>>> Similarly, the interaction reference does not provide protection if the >>>> client does not ensure it is the same user. >>>> Using a unique callback URL would be much simpler, and appears to >>>> provide the same protection as the interaction reference and the hashing. >>>> >>> >>> FI : having to rely on the client only to ensure it is the same user is >>> precisely what you want to avoid. Hence the hashing. >>> >> >> The hashing does not protect against session fixation if the client does >> not ensure it has the same user before and after the redirect. >> >> For example, if the user has a decoupled interaction such as scanning a >> QR code on their PC with their phone, the client cannot ensure it is the >> same user coming back. An attacker can trick a user into clicking on the >> decoupled URL that the attacker obtained from the AS. The hashing does not >> protect against this. >> > > FI : good point. We certainly need to handle that case correctly. We > should note that to make sure we don't forget. > That said, this comes as an additional requirement for some decoupled > interaction modes, not as a replacement of the entire scheme. > >> >> /Dick >> ᐧ >> >
- [GNAP] draft-ietf-gnap-core-protocol-00 feedback Dick Hardt
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Fabien Imbault
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Dick Hardt
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Fabien Imbault
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Dick Hardt
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Fabien Imbault
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Justin Richer
- Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedb… Dick Hardt