IETF Logo Mail Archive

Re: [GNAP] DID as sub_id or assertion?

Fabien Imbault <fabien.imbault@gmail.com> Thu, 18 March 2021 03:43 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4D4C3A1ECF for <txauth@ietfa.amsl.com>; Wed, 17 Mar 2021 20:43:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7nMNN3ZE-D2m for <txauth@ietfa.amsl.com>; Wed, 17 Mar 2021 20:43:18 -0700 (PDT)
Received: from mail-il1-x133.google.com (mail-il1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A2143A1ECE for <txauth@ietf.org>; Wed, 17 Mar 2021 20:43:18 -0700 (PDT)
Received: by mail-il1-x133.google.com with SMTP id z9so3574012ilb.4 for <txauth@ietf.org>; Wed, 17 Mar 2021 20:43:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KYfOR6JKb6UMHQSemsXZiANVzLILDudAC/Bbs7OSYfE=; b=NPGPoNZ90mAMkjY9OUAC3jqUpIdi3OIa8XwNDmDplwpBMU9lDV0atlo3GAhjifKT/P LQLrSQ8AXiE9Mgb92tB7lwjU3fxO87MzGs9LjzpWNiZfRq/AmHXX87PqkTRApZr+4Ihv nDzJNyqF6WptXXZCVs7Tbj8tuC7BR00UqzughA6yI0hNNOdm5r2qYkvgNmkH0C2Typ9n 9CrtyfbiB4OMBLx18uFQZ4dkSYBc1lvRS29tlRJmM+q9UpneNovJcs7n7yrETIsZnJRF V95Q82FQoXHGi4lJCqrAPCKPX69ltMziHgHpVPzp7NLBr+lxZb4OIt8aDlw74HWSmyVF jEew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KYfOR6JKb6UMHQSemsXZiANVzLILDudAC/Bbs7OSYfE=; b=PKlJGpYgYu7zaYfkNHDgOQClxCZTNOZSAijyM+7CrKCYAift5h2GBqVO4ZBc7cZP+g 2vhXMH6CLRy35VfLm63h2ykpYElgAk9n8/nrtho3CQM9q+cvY/mEuB9clXgMLqpcaGGJ Nfn3RRUKk5HhA+gRhAASizJfP8My/TbnV6DRy2qHEBrfjtim/3QIU8ExaPl9eYpKKdHO fGLPT5om2Hn3y8o+W0EufOj4/ytdEOwXy/NJtjDg2Atk+xgEA0hp7bsG3B5zxVTiuOwN ar1N5OokeyGCXn1Gn16/vMZFQxQLFEKaxjcqIw5g3YdlVK79qq4d3RWaGuImPdxXoSVl 2SZQ==
X-Gm-Message-State: AOAM533fgWb9/X2Sn5134G6EhWzJBZWEkBQO3niUl44eqbSScYzoMAGp wDEvUOTwrRIv74nTzg5NXAmypZSngkBcE856bsA=
X-Google-Smtp-Source: ABdhPJwXlHeCjEOw9G7DelijeGf2iRYeQ7oy9rWBltAKj84aAtbPOL4W58CvpsSvn6S8UjsAda56f/AfIlUTUXuxED0=
X-Received: by 2002:a92:1a11:: with SMTP id a17mr10496959ila.188.1616038996449; Wed, 17 Mar 2021 20:43:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAM8feuQ5Q1LrGtniCH3WN5gyf6QhBa-9e+2kzaV0fxzA5D5m7w@mail.gmail.com> <B3A02C1B-5DF6-46AE-B806-8DBBF5F6B701@mit.edu> <CAM8feuRuCyKGCDNYXP_gwc=wk986q6m_-DDOcXR8T9k+LdoX9g@mail.gmail.com> <CAM8feuRHQJF6sWGBcvt41kH6V6fwXK0-O15aUgvRRiK9q8vefA@mail.gmail.com> <CAJmmfSSY03c1nn3qtQDhY+Zk490d++zftyftSWPOGPdgPOnkag@mail.gmail.com> <CAM8feuTSWko8q+Agn+0+tLmSAOG6NYH_dMCV697NLna1U-Sxew@mail.gmail.com> <CANYRo8immAFJ08pvd00U6zT6-zRsrHkJ28NuKyC28Fdx=F=USQ@mail.gmail.com> <CAM8feuQbDJfPqym-2VAb4VyDuL8rm_Yk-sGyrb8_qAapUBtEuw@mail.gmail.com> <CAM8feuS332Ng_Bi=doXzq0WEgLc7_+tOmB4uE71+bpJ_g4P-aw@mail.gmail.com> <CANYRo8jG+ZutU6Bhy7zSrKcgnVxjMze7i-y_UpU3+PWvsWfLvA@mail.gmail.com> <CAM8feuSixNA2oFTtYR0Y3vngc+3UbsOSqSBCA6RUEEByB25eNA@mail.gmail.com> <CANYRo8hts6P_4QNjjcUr-H9B9wGJeVckWw+3V3N9hdPHf_idLQ@mail.gmail.com> <CAM8feuQEQyCEOErds8rpcipaqyPm3L3XMdrbQ6X2t3y9xcO4dQ@mail.gmail.com> <CAJmmfSQKZWm=YsjBVV8O+vU9zzC+eka0CCaQO-xFP-GcWzEigw@mail.gmail.com> <CANYRo8jw9gHQESDk__aKM3jK-C9FvYTFYOzb-8iYzbc_hVjMPA@mail.gmail.com> <EDB79C39-D706-43B2-B7D6-234CB32F7411@mit.edu> <CANYRo8inRJa0bAe6gqOkLKqHnt-qxPrzhDufBLwXd-S4wfjdxg@mail.gmail.com> <CAM8feuS98hqZ36hjCHg_=wpueDyXHb7t156OXnL_8MXtzpiyjA@mail.gmail.com> <CANYRo8i4gVpV5Fv7Yr9AFLNSq658EayHK5yJ+vp2ecUaRJ6fYw@mail.gmail.com>
In-Reply-To: <CANYRo8i4gVpV5Fv7Yr9AFLNSq658EayHK5yJ+vp2ecUaRJ6fYw@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Thu, 18 Mar 2021 04:43:03 +0100
Message-ID: <CAM8feuSC2EDHbVHXjHAkgV8jfYP9+gQ_ZV-+y=aoEjf97Rbyqg@mail.gmail.com>
To: Adrian Gropper <agropper@healthurl.com>
Cc: Justin Richer <jricher@mit.edu>, Tobias Looker <tobias.looker@mattr.global>, GNAP Mailing List <txauth@ietf.org>, Alan Karp <alanhkarp@gmail.com>, Mark Miller <erights@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000539d5205bdc766c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/qfs9--DifzRG571BzOD3z2T3KPs>
Subject: Re: [GNAP] DID as sub_id or assertion?
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Mar 2021 03:43:23 -0000

Thanks for that.

Trying to reframe it:
GNAP is defined as a delegation protocol so the main intent is related to a
delegate of the RO (i.e. the end user) that wishes to access the RO's
protected resources, through the client.

Fabien

Le jeu. 18 mars 2021 à 04:29, Adrian Gropper <agropper@healthurl.com> a
écrit :

> At various points in the lifecycle of the protected resource the client at
> the resource server (RS) might be:
>
>    - The RO (subject) user agent trading payment for a service promise
>    - The RO user agent using the promise to access the protected resource
>    - A delegate of the RO user agent using a different client
>
> What's vague is where the GNAP AS enters the picture as described above.
> How would you describe it?
>
> Adrian
>
>
> On Wed, Mar 17, 2021 at 10:20 PM Fabien Imbault <fabien.imbault@gmail.com>
> wrote:
>
>> Hi Adrian
>>
>> I'm still confused why you're saying the terminology is vague.
>> I get the "power" neutrality is not to your liking, but RQ / user agent
>> is no better in my view.
>>
>> Can you elaborate?
>>
>> Fabien
>>
>> Le jeu. 18 mars 2021 à 00:18, Adrian Gropper <agropper@healthurl.com> a
>> écrit :
>>
>>> I'm sure you're right. Our vague terminology around client and end-user
>>> leads to my confusion. If GNAP is primarily about delegation then, of
>>> course, we should avoid any incentives to impersonate or we're wasting our
>>> time. This is partly why I'm trying to study up on capabilities and asking
>>> for expert advice from folks like Alan Karp and Mark Miller (cc'd)
>>>
>>> As best I can understand it, the RS has only two choices, it can:
>>>
>>>    - store an attribute of the RO a [DID, email address, GNAP AS URL],
>>>    or
>>>    - hand the RO a capability as a sort-of promise and avoid making any
>>>    entries in an ACL or equivalent.
>>>
>>> When a token comes back to the RS, it will either be:
>>>
>>>    - validated according to something associated with the stored RO
>>>    attribute, or
>>>    - signed by the RS itself.
>>>
>>> Either way, trust in the client seems moot.
>>>
>>> Adrian
>>>
>>>
>>>
>>> On Wed, Mar 17, 2021 at 5:29 PM Justin Richer <jricher@mit.edu> wrote:
>>>
>>>> On Mar 17, 2021, at 4:55 PM, Adrian Gropper <agropper@healthurl.com>
>>>> wrote:
>>>>
>>>>
>>>> On Wed, Mar 17, 2021 at 4:23 PM Tobias Looker <
>>>> tobias.looker@mattr.global> wrote:
>>>>
>>>>> <snip>
>>>>> > A client might not have a DID but it could have a VC as a
>>>>> certificate of authenticity linked to some audit mechanism.
>>>>>
>>>>> To me a VC would come under the assertions umbrella (that is to say a
>>>>> VC could be one type of valid assertion). The client may possess or been
>>>>> presented with a VC that it could include in its request to the AS as a way
>>>>> to identify the subject and perhaps prove authentication and authorization.
>>>>>
>>>>
>>>> I do not assume that the client that interacts with the AS to make a
>>>> request and receive a token is the same as the client that will present the
>>>> token to the RS. In the US HIPAA use-case, for example, the root of trust
>>>> is a contract between the patient-subject and the doctor-requesting party
>>>> but the doctor workflow is expected to delegate the token to some other
>>>> end-user that may be using a totally different client such as an EHR.
>>>>
>>>>
>>>> If the client that gets the token is not same as the client that uses
>>>> the token, that is a violation of core security principles as it allows for
>>>> (and really designs for) impersonation by client software. I would have no
>>>> reason to trust client software that would hand its credentials over to
>>>> another piece of software, and in fact I shouldn’t trust it.
>>>>
>>>> I think you may be conflating several different kinds of parties under
>>>> the “client” umbrella here, though. It’s entirely possible that one client
>>>> might call an RS that in turn acts as a client for something else down
>>>> stream. But each of those hops is different from the last.
>>>>
>>>>  — Justin
>>>>
>>>>

v2.23.0 | Report a Bug | By Email