IETF Logo Mail Archive

Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedback

Dick Hardt <dick.hardt@gmail.com> Tue, 20 October 2020 17:45 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94FF03A121B for <txauth@ietfa.amsl.com>; Tue, 20 Oct 2020 10:45:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c2pxvA32DAdp for <txauth@ietfa.amsl.com>; Tue, 20 Oct 2020 10:45:54 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31E7D3A121F for <txauth@ietf.org>; Tue, 20 Oct 2020 10:45:54 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id i2so2960539ljg.4 for <txauth@ietf.org>; Tue, 20 Oct 2020 10:45:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/l2Y6ux/xM9W7+R0Sb4YQXyFmUNkXCdjHq01ZpUMYhM=; b=aH0LJoQ/lw57N/OZ8Mhnv2pbdicIzXfTVrDA1a3F3wSlqmWdmh60SmiK+hO6q+yNtm zdS7TgCARzrbZq7y8n+z+lQerVUoMb7n1lLujT5TJ7sALsUUEnaWt/AMgyqYJzOIsrV3 8MkSTqB9AihW+DoBMI8xmWdxOPpI/5XYVA8NQeoDRGcZWaZ6VMmNsxUsK1IIl7W72gMQ ea1b8CkJBz1yYxp5KZEJAJzlmFOIRR7fSFVxjmKG6RYR2zRElALXqLTGVPUvu1ycUeB8 +qnbTHvTYiifOIHvii4rwTUtRqj4R29S3QRSv9MpNDf8TIvsviMrCQ/art6nuFn5yuO3 1KFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/l2Y6ux/xM9W7+R0Sb4YQXyFmUNkXCdjHq01ZpUMYhM=; b=Wfq5DlmVTgUrFKMu8fInRr7/CONLT6LCQSi5ktSdECShm5mdj2wiI1qw4Tjl+L9HbI SVVcxVGVaxG3u12nMkUmZXq6yWHrq5RKgL0Dij4jsIhb1+1Tq3/FdHRB1A1RmFsuVgaY +f8uzfyxlVBFjzbEUW1r2Wn5LN8BdgkySIPEhWmm0NiSZV6z09dOcH69cH01ctDHnw7o XsIUtSXR1mugjpuIS733A+lSPxfe1w5i2kzojj1K+4AN4IpoyXMixRTRDq9aKPqd+9VT AV7DipSf6TBR3seDb1r3kziBEdSUA8y3xKu5zh4bOBPHZ4D/DfzCNE5OVEIQ7zJV0n+J lkeA==
X-Gm-Message-State: AOAM531I9uOu+oUoikLf3v8FDd24A021bVkAGCH+CbwY/5W+1jpeM/aE wo+9OUvSEEhcsufWL9ECyxsoWCfW83/FJYi/aocDOUL/1GM=
X-Google-Smtp-Source: ABdhPJyi2nNQfJqoumth43P7YC5NNP2RIPIoxRxSqdQWfsZ4RzOiyymPcB3eFr8lwIH7B9n1sAe6+cNJhpONLI7JZ8U=
X-Received: by 2002:a2e:8853:: with SMTP id z19mr1621792ljj.142.1603215952209; Tue, 20 Oct 2020 10:45:52 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-v7uUxBzMz6K_n=xpVAvnJY=GHe1iB7hBOBj4xxdbp0wg@mail.gmail.com> <CAM8feuTP=9+dDv5m2fMKru=DuLLbjv3AStkEWgwjdWCmrdpDzg@mail.gmail.com>
In-Reply-To: <CAM8feuTP=9+dDv5m2fMKru=DuLLbjv3AStkEWgwjdWCmrdpDzg@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 20 Oct 2020 10:45:15 -0700
Message-ID: <CAD9ie-uCC7uDrVCCuzWYgOf9WM=PBRgCh2+EmKVPr6MrramNBw@mail.gmail.com>
To: Fabien Imbault <fabien.imbault@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000546bb305b21dcd85"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/rmC6u2oqdNohsIerdt0NxfVgCxY>
Subject: Re: [GNAP] draft-ietf-gnap-core-protocol-00 feedback
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Oct 2020 17:45:57 -0000

Responses inline with sections without comments deleted ...

On Tue, Oct 20, 2020 at 2:40 AM Fabien Imbault <fabien.imbault@gmail.com>
wrote:

> Hi
>
> Some comments marked with FI.
>
> Fabien
>
> Le mar. 20 oct. 2020 à 05:27, Dick Hardt <dick.hardt@gmail.com> a écrit :
>
>> *Previous Feedback*
>> The following items were discussed in the design team, but did not make
>> it into the draft for WG discussion. A concern I have with many of the
>> editor notes (which I point out) is that they are heavily biased by
>> Justin's vision and misrepresent the options.
>>
>
> FI : I'm sure we can get past hard feelings and focus on the core of the
> concerns. The editor's notes do their best to point where discussion should
> happen. If some of them need further clarification, we can certainly do
> that.
>

While I am disappointed that the design team did not decide on the best
features or XYZ and XAuth, and instead started with the XYZ doc, I was not
trying to express any hard feelings!

Reading the draft, Justin clearly has a bias to using HTTP Signing rather
than a self contained JOSE token.
His comments (as noted below) on 8.2 misrepresent, and do not call out the
advantage over all the other mechanisms of being self contained.

Except for at the bottom, these are points for discussion that I brought up
in the design team that did not make it into the draft for discussion.


>> *2.3.1 *Do we need to support symmetric keys? Most OAuth clients support
>> a secret, not a key.
>>
>
> FI : it's difficult to assume people with use public key cryptography for
> everything. Seems to me the text is clear enough on what this implies.
>

We are requiring HTTPS -- so the client has support for asymmetric crypto.
My point is that the editor notes should bring up this question, which I
asked in the design team.


>
>> *2.4.1* identifying the user
>> this identifier would be useful if it had properties that other opaque
>> identifiers did not have: being globally unique. A reason developers have
>> used the email in ID Tokens was that it was a globally unique string in
>> contrast to the tuple of "iss" and "sub" in the ID Token which was much
>> more complicated to add and work with in a DB. Otherwise, we are creating
>> yet another user identifier.
>>
>
> FI : OK but how would you make this a global identifier? Seems close to
> what DIF Keri is looking for (although I find the way they're doing it is
> overly/unnecessarily complex).
>

Lots of options. No requirement to specify how the identifier is ensured to
be unique as it should be opaque to the client. It could be a URI that
starts with the AS URI, or a UUID.

My point is that a note on this option should be in the draft.



> Would that replace sub_ids?
>

yes


>
>> *3.* The URI can be stable, and the access token is potentially
>> superfluous. As the client is authenticating with the same key in all
>> subsequent requests, rotation of the URI or access token may be
>> superfluous. Having an access token for the AS seems that is used while
>> authenticating vs the typical access token for an RS seems very confusing
>> to a developer.
>>
>
> FI : why would that be confusing?
>

Because developers don't use access tokens when accessing an OAuth AS or an
OIDC OP?


>
>> Additionally, putting the access token for calls to the AS in the HTTP
>> Authorization header precludes using the HTTP Authorization header for
>> client authentication in 8.
>>
>
> FI : that's one of the choices we need to make. But that doesn't mean what
> is proposed is worse, it's just a different design with different
> tradeoffs. This requires a complete discussion on section 8 (which already
> occurred in the small group, but Justin will be able to comment).
>

Agreed. I had asked for this to be called out as a discussion point in the
editor notes. It was not.


>
>> *4.4.2 *This functionality looks like a WebHook, and perhaps belongs in
>> the API between the client and the AS rather than an interaction that
>> involves the user. Also, this functionality provides no protection to
>> session fixation. The interaction reference has no value.
>>
>> *4.4.3 *While it is good to see an editor's note that a unique
>> callback URL could be used, the statement "but it would not prevent an
>> attacker from injecting an unrelated interaction reference into this
>> channel." is misleading. This would only happen if the client did not
>> ensure it is the same user, as that would be linked to the correct URL.
>> Similarly, the interaction reference does not provide protection if the
>> client does not ensure it is the same user.
>> Using a unique callback URL would be much simpler, and appears to provide
>> the same protection as the interaction reference and the hashing.
>>
>
> FI : having to rely on the client only to ensure it is the same user is
> precisely what you want to avoid. Hence the hashing.
>

The hashing does not protect against session fixation if the client does
not ensure it has the same user before and after the redirect.

For example, if the user has a decoupled interaction such as scanning a QR
code on their PC with their phone, the client cannot ensure it is the same
user coming back. An attacker can trick a user into clicking on the
decoupled URL that the attacker obtained from the AS. The hashing does not
protect against this.

/Dick
ᐧ

v2.23.0 | Report a Bug | By Email