IETF Logo Mail Archive

Re: [Txauth] Call for charter consensus - TxAuth WG

Fabien Imbault <fabien.imbault@gmail.com> Wed, 11 March 2020 19:11 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC0EE3A03EF for <txauth@ietfa.amsl.com>; Wed, 11 Mar 2020 12:11:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level:
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.998, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h-m4ArGwsRTq for <txauth@ietfa.amsl.com>; Wed, 11 Mar 2020 12:10:59 -0700 (PDT)
Received: from mail-ot1-x335.google.com (mail-ot1-x335.google.com [IPv6:2607:f8b0:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B9B03A02BE for <txauth@ietf.org>; Wed, 11 Mar 2020 12:10:59 -0700 (PDT)
Received: by mail-ot1-x335.google.com with SMTP id j14so3298457otq.3 for <txauth@ietf.org>; Wed, 11 Mar 2020 12:10:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NNqO60AScIwBhzooihJmWFK5YVGwAAC/3YcfU8oaHjY=; b=SEpuBcESiqz5BUFtTRaBMp0Xft562T/CzTSrUOEP932hv4djR8/n53sfpdKAz2mco9 f2odIXxcnyGT3Oq9uqvzi7DngMoym4PqQlpsm+uBJUjDb110hyEzmizpI346EhCVBHnb y4eehq/cpbF5gYjeltTkueZyldfGLjldBQAAWeDL3ulWAXROlNeHlfaiQgQUht2pYg/l UW53ypJ8xe4xTeEx4NO5lB9pR7eq9b8x0drnDTapveoXs1nklc3Qv0MoLeIfZeV0p1zj WsSRclKedht+A004YPK8iPzNHgc+Zhq1d2b3TNN4xT8P6HbtFXC5eTJ6qVEUhtf+WnLu Bcdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NNqO60AScIwBhzooihJmWFK5YVGwAAC/3YcfU8oaHjY=; b=qwCnXsC4l6UziAfmEwyFsJbmVzpb4boc/37WwlSUpSfLnQ6jGNHIDR6T3RjD/XNNLS AXs4Gyv87NAU8c1UWpjx13zRSDyLb5umNlitVURrMIecXqRLDomXKqQRCnwNwVgx9tWn RoKFr+n4TAeJM2aN8QJyO/6BdHY8InuoqciRvWly09Wg7nH8MHE3dsaNSj8YXnC5k1Js xAVGF7qfYeJOGsOZTuxH3PvJiv2ODCddPVDdP2v79IQbfvGSnLjZz3pUZN/idwkzc0gu dqIQRZS4o8KuJ7//4T2wqv6YgV3FQOwEkxUK+HrcAiO8L2FgFxiQ3YaD+I0ndVfD5q7S 3qNQ==
X-Gm-Message-State: ANhLgQ3jNF2vPZa75cFo/qImsqacbwRSFTOCzHax0RRz+71YChq1RufJ 7C+uUGa3NJI0sE3h3Md6UiZxaPQHS7cZriyGuLA=
X-Google-Smtp-Source: ADFU+vvs879dcGiRiQm4AysBdsQfvT7GcsdBj03buNBEBkktpCqsdg6xRVH9GAot0s8//s41Eg0K0GffavxDWMHuios=
X-Received: by 2002:a05:6830:19e2:: with SMTP id t2mr3331186ott.97.1583953858722; Wed, 11 Mar 2020 12:10:58 -0700 (PDT)
MIME-Version: 1.0
References: <CAM8feuQg1H8MPn_3ycy+n19T+G=nY6dwaY8qygPxyjhg2s6zKA@mail.gmail.com> <001C0D78-3B44-4E68-A796-FCDC3BB33434@mit.edu>
In-Reply-To: <001C0D78-3B44-4E68-A796-FCDC3BB33434@mit.edu>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Wed, 11 Mar 2020 20:10:48 +0100
Message-ID: <CAM8feuTSXM6SaG639b4mtSxYDu=Ph36P1RR4_fRaXvDaG=YE6g@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: txauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000016fe3905a098ffdd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/qx5Xu7vQ0uaec4yWYJyU6xrBSDI>
Subject: Re: [Txauth] Call for charter consensus - TxAuth WG
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2020 19:11:02 -0000

Hi Justin,

Thanks, I think your answer makes perfect sense and clarifies better the
intent. I'm good with that and certainly agree not to over-engineer.
I'm available to help on the current WG, and later on for
TxAuth-But-For-Tiny-Things ;-)

Cheers.

Fabien

On Wed, Mar 11, 2020 at 7:53 PM Justin Richer <jricher@mit.edu> wrote:

> Hi Fabian,
>
> Thanks for the note about the charter. Hopefully I can explain what we
> mean by the current scope language.
>
> The intent was to build a protocol that is bound to HTTP and not to other
> transport mechanisms. However, the design goal is to build it in such a way
> that when we use an HTTP feature, such as a header or verbs or URL
> parameters, we’re explicit about what we’re using and how. Therefore, when
> someone wants to map this concept and structure to another protocol stack,
> they’ll be able to say things like “I need the equivalent of an HTTP header
> for this part of the protocol” and use what best applies within their
> chosen space.
>
> What I explicitly wanted to avoid was this group defining something that
> was completely abstract with a nominal “binding” to HTTP as a transport
> mechanism. In my experience, this inevitably leads to an abstraction layer
> that doesn’t make sense in practice, and ultimately a confusing set of
> documents where people are trying to figure out which document has the
> details for what they care about. Especially since the first binding is
> often the only one that gets picked up and used by implementors.
> Abstracting things too early just leads to disaster, in other words.
>
> That’s why I think we’re better of doing something with an explicit
> connection to other layers, specifically including HTTP, JSON, TLS, and
> even JOSE the like. That way when someone wants to build TxAuth on top of
> CORE, CBOR, DTLS, and COSE, they can do the translations from the original
> protocol in ways that make the most sense. For instance, such an
> implementation would likely want to use OSCORE/COSE for a key presentation
> and proofing mechanism. This protocol set allows you to encapsulate the
> messages in ways that even HTTP signatures don’t. But if we build the
> entire protocol around, for instance, JOSE objects within an HTTP message,
> then we lose the ability to make that kind of translation.
>
> I also think it’s probably too much for this group to start with IoT and
> alternate transports on its plate, especially because, as you note, there
> are many of them and they’re often pretty different from each other. But we
> can have these in mind as we are developing TxAuth, and especially if a
> specifically interested party such as your own group is tracking TxAuth and
> making those translations in real time as we move the base protocol.
>
> Maybe the constrained version of TxAuth will find a home in this WG, maybe
> it’ll find a home elsewhere like ACE, or maybe we’ll have
> TxAuth-But-For-Tiny-Things as a WG in the future. In all of these cases,
> the people working on this are likely going to overlap at least a little
> with the people working on TxAuth itself.
>
> I hope this clears up the intent behind the wording of the charter! If
> there’s a better way to state that, please suggest some succinct text.
> Thanks!
>
>  — Justin
>
> On Mar 11, 2020, at 5:49 AM, Fabien Imbault <fabien.imbault@gmail.com>
> wrote:
>
> Hello,
>
> Thanks for the work being done. I'm new to IETF (but have worked in the
> past with other collaborative orgs) so please forgive any unusual habits if
> any, will try to catch up.
>
> > 1.  Do you support the charter text provided at the end of this email?
> Or do you have major objections, blocking concerns or feedback (if so
> please elaborate)?
>
> Yes, with comments.
>
> I believe the last part of the charter : "will strive to enable simple mapping to other protocols such as COAP when doing so does not conflict with the primary focus" should be modified, to acknowledge what is really in the scope and what is not. As it is written, I actually don't know very well.
>
> Certainly the main goal is HTTP support and that is already a large challenge which needs to be handled with priority.
>
> However we need to acknowledge contrained devices are now very common, people want to manage them properly but usually those devices don't speak well over HTTP. From the content available on oauth.xyz, I have the impression that the use case is in the scope. That makes also be a great differentiation compared to OAuth2, and one doesn't have to fight so much with change management as the field is much newer, compared to webapps. In the IoT domain, that would be very useful because implementing delegation at scale is a real/unsolved issue.
>
> But as the charter is currently written, it is unclear what "simple mapping" really means and whether that could work out in practice as an after thought. I also have the feeling that saying the mapping to other protocols should not conflict with the primary focus doesn't make it so much clearer on what is exactly expected.
>
> Supporting a variety of IoT protocols is obviously out of question. So I suggest we get back to the requirements, and would propose the following: the protocol shall be usable by constrained devices, provided they can discuss over an IP network such as CoAP (see the work on OAuth2 ACE for instance), SCHC (which is also an upcoming IETF RFC) or other future protocols that would allow the interface to match with HTTP behaviour (through an adaptor). For those types of clients, the communication stack (supported and/or prefered) could be declared in a pre-register phase.
>
> What would still be out of scope is to design network protocol independance within TXAUTH. For instance, stateful data centric protocols such as MQTT would be out of scope.
>
> My team and myself are available to work on this (both on spec and opensource implementation prototype), and make constrained devices a first class citizen, if you agree that's indeed a common need. Of course, I do not intend this to be the priority, but more as a way to take feedback and make sure the protocol's design doesn't forbid such demands, likely to become mainstream.
>
> Please let me know what you think.
>
>
> > 2.  Are you willing to author or participate in the development of the
> drafts of this WG?
>
> Yes.
>
> > 3.  Are you willing to help review the drafts of this WG?
>
> Yes.
>
> > 4.  Are you interested in implementing drafts of this WG?
>
> Yes, rust implementation (and webassembly bindings).
>
> Best regards,
>
> Fabien
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>
>
>

v2.23.0 | Report a Bug | By Email