Re: [Txauth] Key handle vs client id & handle

Justin Richer <jricher@mit.edu> Mon, 13 July 2020 13:48 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F2343A11F1 for <txauth@ietfa.amsl.com>; Mon, 13 Jul 2020 06:48:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FTDUaoiINGkZ for <txauth@ietfa.amsl.com>; Mon, 13 Jul 2020 06:48:35 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 740BB3A11EF for <txauth@ietf.org>; Mon, 13 Jul 2020 06:48:35 -0700 (PDT)
Received: from [192.168.1.7] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 06DDmTNr005598 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 13 Jul 2020 09:48:30 -0400
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CAD9ie-uEEbky1O0tiaszSd=myX3LUwiARPZ_O6oRAwc5DG3kjw@mail.gmail.com>
Date: Mon, 13 Jul 2020 09:48:29 -0400
Cc: txauth@ietf.org, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6C9868E7-0F82-42AC-AA0A-4D348F946320@mit.edu>
References: <CAD9ie-uEEbky1O0tiaszSd=myX3LUwiARPZ_O6oRAwc5DG3kjw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/sC8bMpdob1ZhDYN8OGGMwz4VIw8>
Subject: Re: [Txauth] Key handle vs client id & handle
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 13:48:37 -0000

The problem I have with this approach is that it artificially encodes two, and only two, tiers of client within the protocol needlessly. In my experience with systems that support dynamic registration, it’s not a black and white world like that. There are clients who can present :some: form of proof that they’re legit, but they haven’t been statically registered with the AS. (See MODRNA and OBUK, for instance.) There are clients whose identities are tied explicitly to the current user (like a Solid pod). There are clients who are “statically” registered but through a developer-facing portal, vs clients that are registered through an admin-only interface. 

As you say below, if the AS needs to differentiate between classes, it can decide to do so based on the key or identifier and the policies associated with it. I disagree with encoding these two tiers, or any tiers, into the protocol itself. This is ultimately a matter of the AS and its policy. In OAuth 2 there is no differentiation between a “static” or “dynamic” client ID, and yet an AS today can still differentiate between them — because it knows the context in which the client ID was generated. It’s the same with the “key handle” concept in XYZ: the AS knows where the handle came from and can apply different policies regardless. 

Now, it’s a bigger question what the “handle” refers to. XYZ started with it being tied to “all client software information” and then broke it into pieces, with the “key” portion being the cornerstone piece. While I still think this makes sense, I think that’s something that GNAP needs to figure out with more input from the community than just my own experience.

 — Justin

> On Jul 10, 2020, at 4:16 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> + Mike as he had interest in this topic
> 
> My understanding is that an existing OAuth 2 client would use their current client id as their key handle, and a dynamic client (one that was not pre-registered) would be given a key handle by the AS.
> 
> There are potentially some significant differences between a registered client, and a dynamic client to an AS.
> 
> The AS is likely to know the identity of a registered client, and have different policies between the two types of clients. For example, a registered client may have access to a 'write" scope, while a dynamic client does not.
> 
> The AS may have 100s or 1000s of registered clients, but a dynamic client may have 10Ms or 100Ms of instances, which may dictate separate storage services. Additionally, internal to the AS, which systems can write to the registered client store is going to be different than the dynamic client store.
> 
> In XYZ, subsequent calls to the AS, both registered clients and dynamic clients pass a key handle, so there is no easy way to differentiate between the two.
> 
> While the AS could embed semantics in the key handle identifier to indicate which identifiers are pre-registered vs dynamic, there are many cases where the AS does need to know the difference, so making the difference a feature of GNAP seems like a better path.
> 
>