Re: [GNAP] AD review of draft-ietf-gnap-core-protocol-15
Justin Richer <jricher@mit.edu> Thu, 07 September 2023 15:42 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B695FC14CE30 for <txauth@ietfa.amsl.com>; Thu, 7 Sep 2023 08:42:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mcJEr35dOep for <txauth@ietfa.amsl.com>; Thu, 7 Sep 2023 08:42:19 -0700 (PDT)
Received: from outgoing-exchange-1.mit.edu (outgoing-exchange-1.mit.edu [18.9.28.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 276E9C14CE25 for <txauth@ietf.org>; Thu, 7 Sep 2023 08:42:18 -0700 (PDT)
Received: from w92exedge3.exchange.mit.edu (W92EXEDGE3.EXCHANGE.MIT.EDU [18.7.73.15]) by outgoing-exchange-1.mit.edu (8.14.7/8.12.4) with ESMTP id 387Fev37009703; Thu, 7 Sep 2023 11:42:13 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1694101334; bh=ncMWjmncDDmej/zGfO731yXAtk6C0/4ypKo839tAJUg=; h=From:Subject:Date:Message-ID:Content-Type:MIME-Version; b=CiK6WJ7VodrAup0gl5m6p+FGZYPIhMziHRQ5MU1Urgai3Ihge1GNPOhYyD9BRcpy9 EA0Ez45wJmUETStl4M52jNjmw/Ef3LWD99u4XBXGwLNDASfc+ncIXuqDeGW/0YM7um AvPU1Mkt5Bu1xBV6q6bILNnf1v7EAuHakv1CCtz29f3a7P5t300LqaOFxvXZQ8ZsBg juOxddzdypI7RiQb0P1VaZHJXLXaCJWwsRhPwVLxvEaMtiyxuREng5yZabtPf3BGls rIYc6H8iyXl39PUupoi+68X1meUHnZ6Sba0WeG5O5JXgkevfvFZjLy5ob4twQ7Q70o e8NSjsLAlL15A==
Received: from w92expo28.exchange.mit.edu (18.7.74.34) by w92exedge3.exchange.mit.edu (18.7.73.15) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Thu, 7 Sep 2023 11:40:32 -0400
Received: from oc11exhyb5.exchange.mit.edu (18.9.1.110) by w92expo28.exchange.mit.edu (18.7.74.34) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Thu, 7 Sep 2023 11:41:11 -0400
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (104.47.58.108) by oc11exhyb5.exchange.mit.edu (18.9.1.110) with Microsoft SMTP Server (TLS) id 15.0.1497.48 via Frontend Transport; Thu, 7 Sep 2023 11:41:10 -0400
Received: from DM6PR01MB4444.prod.exchangelabs.com (2603:10b6:5:78::15) by PH0PR01MB6280.prod.exchangelabs.com (2603:10b6:510:18::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6745.34; Thu, 7 Sep 2023 15:41:08 +0000
Received: from DM6PR01MB4444.prod.exchangelabs.com ([fe80::7fe8:9de9:e874:3835]) by DM6PR01MB4444.prod.exchangelabs.com ([fe80::7fe8:9de9:e874:3835%4]) with mapi id 15.20.6745.034; Thu, 7 Sep 2023 15:41:08 +0000
From: Justin Richer <jricher@mit.edu>
To: "rdd@cert.org" <rdd@cert.org>
CC: "txauth@ietf.org" <txauth@ietf.org>
Thread-Topic: [GNAP] AD review of draft-ietf-gnap-core-protocol-15
Thread-Index: AdnhEGaZz7I/z31LSuKdCt/5BASAXwAkUsGA
Date: Thu, 07 Sep 2023 15:41:08 +0000
Message-ID: <EC43C248-0370-479E-9E69-778E2E0D5887@mit.edu>
References: <BN2P110MB1107AE91B428DE2FEAC1C378DCEFA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN2P110MB1107AE91B428DE2FEAC1C378DCEFA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mit.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR01MB4444:EE_|PH0PR01MB6280:EE_
x-ms-office365-filtering-correlation-id: 7c25bcc5-3027-4aa8-a117-08dbafb8dae5
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 37lW/wX2BrMWZ7yvKjCzUrRgjcW0mJLhnMJkMzzdvLUUNhFW68ew4RjgU4PneImDYtLZ/LHe6dprZH8T+/vIvQXksKtyqShVLnS2bP5wCl+2BvNMXD4ghZQzCnOpkG+m+VL0yyppSFwV+mfKHyg86qIhkfOga5GucYOfDjWpTeiKJXDku2o9nple8uqFTVr9S6lBbNiTeixEAp9QJohzuAdKou2djuwMbqndq41qTwXhnUzm/Sa780X4SFL9hj11F9288JBppf/Lep7yf1bt+58DGasWdICq0fsX7RLdsf+CISyU7om/5dtEa9YqdzyDSM/lUSbPy5bY60GhIEzN6BjMXcCnYHVhWX1om8t/8SktxOEyqJucOAnYwH1KL5akh4kKz3zk+ynreIglf+V/QO99apx49s3bN/3OwMg/H5RfI/mlzziht/da20AnoUzXq5hwr0HDzwe6NuZFelBi6o3SWOirXeEAYxemZK2q6grHAGPvLPordz+rLgOGfm0hTD4qifU/rKIskwK4BFwP0P0syP7mFEXdRjUoF6WENjT4TmQ5rFYIEg6Hrzv1Ckf74FJVTnHdVanFDyRRLU8OtDgaMFewJd56hyuU3RcjRek=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR01MB4444.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(366004)(346002)(136003)(396003)(376002)(451199024)(186009)(1800799009)(478600001)(30864003)(71200400001)(966005)(6512007)(91956017)(6506007)(6486002)(316002)(6916009)(786003)(2616005)(8676002)(5660300002)(26005)(41300700001)(8936002)(83380400001)(66574015)(2906002)(4326008)(66556008)(76116006)(122000001)(38070700005)(38100700002)(33656002)(36756003)(64756008)(53546011)(66446008)(66946007)(86362001)(66476007)(75432002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: CWBl2Cl4pv+ebaOJ/jZBFMdwnu2gnA7mwbeKWOiE+ZCsxotlmGXfPno0pwf9iDqgBb7Dm0jZ2KdDj8XKpUDZbt3mN999ABBp59DN9hfEu4G8Dz+vRzMY/7hncEDAutctCTImYV2eqPwnc7ZXOHY1f3BlMLV7m2xJ0Z9qrFtVbE4k3hOyOiQ+bWy9o6kdQs/0MUO+nFlDOZ/MVKYKUY+DzHrTr+c9CwW4h0fvOJO84ie9iqIhpGOGBYknGcmJ8Po9W178z0RZJNTJ5K3adjnQUgVOVYM8vUamrdlp2NePJit1kp8swJb33BVp+1BGqKmOfMUMkDduQx+ANyYH2xssW6yNkPSiSqldgogHSDFvLR46nY1WPGTIIlfafPfV98XzP1oRU6k/xiI77oZukfOmC/CVx3Qtw8WEhPPS6MRi4Wc6lXYtSXW3taQlSjmvu/LpdE3wjAUzq0eKBByoK+zwmF4uo91vGSFou0fYb3n3s6kU1E90q0FYq0TIZbgeKVJL0vkkksOKkXD6GkzvtjHkohS3R5YfvSf/xVOmJ5jxrleqeo8/jDXANd2JyarFcWHG2Vvhvy9OoER71dYGI93tPyxvvkHVc/IYaekn8CdOqbW/oiHPLoAlfmjKprcibzPnY6K6T79VxfpdQ4opn3DoLcpUlyPQn1NINQP02ae0+w9SdCjoBAYpVxwxteT0yHk46gx8DKzalaIwv2yuw96g3rntjpYEMSwLFPhAbiutgIQP3Qf9kMBk9EMGcEuRN+M83gA2oteCayhe0gUHrYLye1V9OIVks25eyrDleHEPCk0As4ucVv8K2Axc2wCsB1drra9cVpkjx/OpQ7/rYWVoWmYcLJcj28gl8uWc/7vRfWSmqQd+GaZsrzc9f8NHW4+0Y/+I/T5MLRhPsyzDZ7xYp5Q1JID36DC7rnoHdlX53qHHG/yGaG8G/+ECty87BXT5H6X1dbCqxbCez+5gAIhvVxlOWScI86QakIUa9bmWG97MQhg7XJAYfu/1yBMokZWF5ySJoGyYiNhzGT24krF75TvdqdkzbSfWhTylNMlDdJuYGT2SeHfmMCoKbhlmdOidsjm7eM56narBmm6gv2cJ/E/kFpjhJ7Wt8rVlYHW5TrhrC+TbVK4b4C6gnITolIDe74MsbMfInxa5dNwTeBngA3cARjdHQfbI0piQ/JmfraAoAjT7+ppVKHj3KYqC+phATj2bJAwwhoyMjTwyFK5j9pWKpO93JzZKjcdObKGLVXluUjTeCuFTM6w0qweu5NXxiwGcPt4mEl47M0weIiCLZiHCQAGWdAEas73HSGl+vcuUADMP4A6zlwZHsPde0e5NPTU3jqmbnSaKCbDfRytx4O7klzlhv9HJ4SAxmBHdmYAy7qGzV5JztH8TQOs6507W2am+okIMtpo5xXyEM92vySc9Z/Xgy/DmwPgBGE0gko4FfeUYL3+goXQ7hog7GNM5R9SByrLf3A4GOKra+vf3Xa8Dtub7l1QBFCrnuy1zTOzVqVuAx6iMwoCNWgJV2QblzkcC9bwirHlawjJoBfXyedd1XjLPxYgRfoD/5iu3C/LdhY2FvelL4ZvS3HvX9Z2P
Content-Type: text/plain; charset="utf-8"
Content-ID: <1BD6827E586C084282E656ADBC2FAAD5@prod.exchangelabs.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR01MB4444.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7c25bcc5-3027-4aa8-a117-08dbafb8dae5
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Sep 2023 15:41:08.4199 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: cNxiD2XFdkySv/6SmIh/EJISu7XVRqi+Jozht9NlW90VzbcnxiybNU0LBBK6tdRQ
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR01MB6280
X-OriginatorOrg: mit.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/vaBxj2Fu3J_CNemzqeIVKqPeKao>
Subject: Re: [GNAP] AD review of draft-ietf-gnap-core-protocol-15
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2023 15:42:23 -0000
Hi Roman, thanks for the thorough review, and I wanted to confirm that we saw it. Fabien and I going to go through all of these items. On a quick skim I don’t see anything shocking, but I know we need to do a more deep and thorough read through before responding. Thanks again, it’s a big document and a lot to cover! — Justin > On Sep 6, 2023, at 6:23 PM, Roman Danyliw <rdd@cert.org> wrote: > > Hi! > > I performed an AD review of draft-ietf-gnap-core-protocol-15. Congrats on getting this core deliverable out of the WG. This took a tremendous amount of work. I appreciate everyone's patience as I reviewed this document. Below is my feedback and it contains no show-stopping protocol feedback. The majority of it points to places where additional clarity and process would be helpful. > > > ** Section 1. Editorial. > GNAP > and OAuth 2.0 will likely exist in parallel for many deployments, and > considerations have been taken to facilitate the mapping and > transition from legacy systems to GNAP. Some examples of these can > be found in Appendix C.5. > > The example in Appendix C.5 appears be constructed around OAuth 2.0. Is this text suggesting that OAuth is somehow a legacy protocol? Please rephrase. > > ** Section 1.2. Editorial > The > client is operated by the end user or it runs autonomously on > behalf of a resource owner. > > Example: a client can be a mobile application, a web application, > etc. > > These examples seem like ones where there is a end-user. What is an example of client which runs autonomously on behalf of the resource owner? > > ** Section 1.2. Editorial. > Resource Server (RS): server that provides operations on protected > Resources > > “Provides operations” is difficult to parse. How is this definition different than OAuth’s in RFC6749: > > ==[ snip ]== > The server hosting the protected resources, capable of accepting > and responding to protected resource requests using access tokens. > ==[ snip ]== > > ** Section 1.3. At the level of detail provided here, what is the difference between an “attribute” and “subject information”? > > ** Section 1.4. Editorial. > Client developers promise to implement > requirements and generally some recommendations or best practices, > so that the end users may confidently use their software. > > Is that true? Do developers of applications make such promises? > > ** Section 1.4 > However, end users might also be facing some attacker's client > software, without even realizing it. > > -- Editorial. s/also be facing some attacker’s/also be facing an attacker’s/ > > -- Isn’t the end user also equally exposed to incorrectly or poorly implemented clients > > ** Section 1.4 > * end user/AS: when the client supports it (see Section 3.3), the > end user gets to interact with front-channel URIs provided by the > AS. > > -- Please define the concept of a “front channel URI”? > > -- How does GNAP work is the end user doesn’t engage the AS? I ask because the text is written … “when the client support its …”, which would suggest a client at time when it does not. What happens then? > > ** Section 1.4 > * RS/RO: the RS promises it protects its resources from unauthorized > access, and only accepts valid access tokens issued by a trusted > AS. In case tokens are key bound, proper validation is expected > from the RS. > > If this text is about the RO trusting the RS, none of the text here mentions the RO. > > ** Section 1.5. Editorial. Consider providing a forward reference for “continuation access token”? > > ** Section 2.3 > Both the display and class_id are self-declarative and thus the AS > SHOULD exercise caution in their interpretation, taking them as a > hint but not as absolute truth. > > -- Is “self-declarative” the same as “free-form”? Interoperability is not expected and it’s use requires further profiling? > > -- Since SHOULD is used, when would the AS NOT exercise caution? > > ** Section 2.3. Editorial. > > The class_id field can be used in a > variety of ways to help the a variety of ways to help the AS make > sense of the particular context in which the client instance is > operating. > > s/can be used in a variety of ways to help the a variety of ways/can be used in a variety of ways to help/. > > ** Section 2.3 > it SHOULD return an > invalid_client error (Section 3.6) or choose to return lesser levels > of privileges. > > Given the significant flexibility afforded to the “class_id”, is there confidence returning a lesser level of privilege is a normative SHOULD? > > ** Section 2.3 > If the AS does not know the client instance's public > key ahead of time, the AS MAY accept or reject the request based on > AS policy, attestations within the client request, and other > mechanisms. > > Isn’t “AS policy” all encompassing and already covers “attestations within the client request and other mechanisms”? > > ** Section 2.3 > A client instance that is capable of talking to multiple AS's SHOULD > use a different key for each AS to prevent a class of mix-up attacks > as described in Section 13.30. > > When would it be a prudent or necessary for the client to use the same key across ASs? Put in another way, why this flexibility? > > ** Section 2.4. Editorial. Please provide an internal references to the format of “assertions”. > > ** Section 2.4. Editorial. Expand “IdP”. > > ** Section 2.5. Editorial > In this non-normative example, the client instance is indicating that > it can redirect (Section 2.5.1.1) the end user to an arbitrary URI > and can receive a redirect (Section 2.5.2.1) through a browser > request. > > "interact": { > "start": ["redirect"], > "finish": { > "method": "redirect", > "uri": "https://client.example.net/return/123455", > "nonce": "LKLTI25DK82FX4T4QFZC" > } > } > > The example after this one explicitly mentions that this client cannot accept a redirect or push callback. Isn’t push call back also not supported here? > > ** Section 2.5 > > In this non-normative example, the client instance is indicating that > it can display a user code (Section 2.5.1.3) and direct the end user > to an arbitrary URI (Section 2.5.1.1) on a secondary device, but it > cannot accept a redirect or push callback. > > "interact": { > "start": ["redirect", "user_code"] > } > > Which part of this example suggests a secondary device? The definition of “redirect” and “user_code” in Section 2.5.1.1 make no reference to a secondary device. > > ** Section 2.5 > > If the client instance does not provide a suitable interaction > mechanism, the AS cannot contact the RO asynchronously, and the AS > determines that interaction is required, then the AS SHOULD return an > invalid_interaction error (Section 3.6) since the client instance > will be unable to complete the request without authorization. > > The sending of an error message seems to be optional. When is a silent failure acceptable? > > ** Section 2.5.2. nonce. Is there a minimal or recommended nonce size? > > ** Section 2.5.2. Editorial. s/the the/the/ > > ** Section 2.5.2.1 and 2.5.2.2. > > -- method=redirect says, “The client instance's URI MUST be protected by HTTPS, …” > > -- method=push says, “The client instance's URI MUST be an HTTP URI and MUST be protected by HTTPS or equivalent” > > What is the difference in intent? > > What is envisioned with “equivalent”? This phrase is used a few other times. > > ** Section 3. Editorial. s/eg,/e.g.,/ > > ** Section 3.1. Editorial. s/an an/an/ > > ** Section 3.3.4. Please use one of the example domains instead of “srv.ex” > > ** Section 3.5. Is there any minimum guidance on the length of an instance_id? > > ** Section 4. > The client instance MUST use each interaction method at most once. > The AS SHOULD handle any interact request as a one-time-use mechanism > and SHOULD apply suitable timeouts to any interaction start methods > provided, including user codes and redirection URIs. The client > instance SHOULD apply suitable timeouts to any interaction finish > method. > > There is a nuance of the client instance being constrained to using an interaction only once (MUST) but the AS seemingly having some flexibility. Could this be clarified? > > ** Section 4.1. > If the client instance does not start an interaction start mode > within an AS-determined amount of time, the AS SHOULD reject attempts > to use the interaction start modes. > > If the AS sets a policy that the interaction mode needs to occur in a determined amount of time, why wouldn’t the AS reject the start attempt? > > ** Section 4.1.2 and 3.3.3. Could the text please be clearer on the permitted “alphabet” for the user code. > > -- Section 3.3.3 says “To facilitate usability, this string MUST consist only of characters that can be easily typed by the end user (such as ASCII letters or numbers)” > > -- Section 4.1.2 says “To facilitate this, it is RECOMMENDED that the AS use only ASCII letters and numbers as valid characters for the user code.” > > The guidance in Section 3.3.3 seems subjective and doesn’t seem like it would lead to consistent implementations. > > Same comments apply for Section 4.1.3. > > ** Section 4.1.2. > As a > consequence, these URIs SHOULD be short. > > I understand the spirit of this guidance but “short” is subjective. Please be more specific or use alternative language. > > ** Section 4.1.3. Editorial. Much of this guidance seems to be verbatim repetition of section 4.1.2. Is that needed? > > ** Section 4.2. > If a > finish method is not available, the AS SHOULD instruct the RO to > return to the client instance upon completion. > > What is the alternative to this approach if a finish method is not available? > > ** Section 4.2.2. Does the interact_ref share the same properties as the nonce defined in Section 2.5.2. For example, is it an ASCII string? Does it use the whole ASCII alphabet? > > ** Section 5. Typo. s/contination/continuation/ > > ** Section 5 and 9.1 > POST /continue/KSKUOMUKM HTTP/1.1 > Authorization: GNAP 80UPRY5NM33OMUKMKSKU > Host: server.example.com > Content-Length: 0 > Signature-Input: sig1=... > Signature: sig1=... > > This example (and a number of them later) appear to be showing a new “GNAP HTTP Authentication Scheme” (i.e., “Authorization: GNAP 80UPRY5NM33OMUKMKSKU”). Section 9.1 also references “responding with the WWW-Authenticate header field and a GNAP challenge.” > > Where is the GNAP authentication scheme formally described and registered? https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml has no such registration and there no IANA action in this document to add it. > > ** Section 5.4 > The AS SHOULD revoke all associated > access tokens, if possible. The AS SHOULD disable all token rotation > and other token management functions on such access tokens, if > possible. > > Wouldn’t the use of SHOULD instead of MUST here present an issue. If a client issues a “DELETE” for its access tokens with an AS how does it know that all of it’s tokens have been removed if this flexibility is provided? > > ** Section 6.1 > To rotate an access token, the client instance makes an HTTP POST to > the token management URI with no message body, sending the access > token in the appropriate header and signing the request with the > appropriate key. > > What is the “appropriate header” here? > > ** Section 6.1 > If the AS is unable or unwilling to rotate the value of the access > token, the AS responds with an invalid_rotation error (Section 3.6). > Upon receiving such an error, the client instance SHOULD consider the > access token to not have changed its state. > > Can the second sentence be clarified? When would a rejection translate to state change? > > ** Section 7.3. Typo. s/defines defines/defines/ > > ** Section 7.3 > Key binding method definitions SHOULD > enumerate how these requirements are fulfilled. > > -- Is this guidance to the Designated Expert who is going to review future key binding methods? > > -- If so, why would it be acceptable for a new key binding method NOT to explain how it fulfills its requirements? > > ** Section 7.3.1 > > The signer > SHOULD include the nonce parameter with a unique and unguessable > value. When included, the verifier MUST determine that the nonce > value is unique within a reasonably short time period such as several > minutes. > > How does the verifier determine that the freshness of the nonce to a “short time period”? > > ** Section 8. Should it be explicitly said that no interoperability across types? > > ** Section 8. Typo. s/the the/the/ > > ** Section 8. > Specific API > implementations SHOULD re-use these fields with the same semantics > and syntax. > > Why wouldn’t deviations from the semantics defined here require custom labels from being defined? > > ** Section 8. locations. If these strings aren’t URIs, how else would the RS location be defined? > > ** Section 8. > > The access requested for each object in the array is the cross- > product of all fields of the object. > > Is this statement explaining the example or a general statement about interpreting each object in the array? > > ** Section 9.1 > The opaque access reference MUST be sufficient for at least > the action the client instance was attempting to take at the RS and > MAY be more powerful. > > Could this guidance be clarified? How is this access reference have any “power” beyond being an identifier that needs to brought to the AS? > > ** Section 11. It appears that all of the registries in Section 11.* have a mandatory column to reference the specification document. Given that requirement, why is the registration policy not “Specification Required” which also includes “Expert Review”? > > ** Section 11. The OAuth registries (FWIW, all OAuth registries are specification required -- https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml.) were all very particular about having a change control column. Do the circumstances that necessitated that apply to GNAP? > > ** Section 11.4.2. Is citing Section 2.2 and 3.4 for id_token and saml2 the right approach? Those two sections don’t seem to provide anything specific for those mechanisms? Why isn’t the specification document [OIDC] And [SAML2]? > > ** Section 13.1 > > All requests in GNAP have to be made over TLS or equivalent as > outlined in [BCP195] > > “or equivalent” doesn’t mean anything relative to BCP195 which is scoped to (D)TLS. What is meant by “equivalent”? > > ** Section 13.1. > > … and any > back-end communications such as from an RS to an AS as described in > [I-D.ietf-gnap-resource-servers] > > It seems odd to provide normative requirements for another draft. > > ** Section 13.1. Editorial. This section seems to repeat itself a lot. > > (a) All requests in GNAP have to be made over TLS or equivalent as > outlined in [BCP195] to protect the contents of the request and > response from manipulation and interception by an attacker. This > includes all requests from a client instance to the AS, all requests > from the client instance to an RS, any requests back to a client > instance such as the push-based interaction finish method, and any > back-end communications such as from an RS to an AS as described in > [I-D.ietf-gnap-resource-servers]. Additionally, all requests between > a browser and other components, such as during redirect-based > interaction, need to be made over TLS or use equivalent protection. > > (b) The use of key-bound access tokens does not negate the requirement > for protecting calls to the RS with TLS. > > (c) TLS or equivalent protection also needs to be used between the > browser and any other components. > > The text in (a) seems helpfully clear that all GNAP communication regardless of the parties needs to be over TLS. (b) and (c) seem to repeat that. > > ** Section 13.3. Editorial. Expand “SPAs”. > > ** Section 13.18. > > PKI has historically been difficult to deploy, especially at > scale, but it remains an appropriate solution for systems where the > required overhead is not an impediment. > > Recommend against this statement without citation or being specific about client-oriented certificates. Server certificates in the WebPKI, especially since ACME seems to going quite well. > > ** Section 13.23. “… (in most cases over HTTP)”, should this be HTTPS? > > ** Section 13.24. Typo. s/defence/defense/ > > ** Section 13.24. Typo. s/Prerequesits/Prerequisites/ > > ** IDNITs reports: > > == Outdated reference: draft-ietf-httpbis-client-cert-field has been > published as RFC 9440 > > -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth
- [GNAP] AD review of draft-ietf-gnap-core-protocol… Roman Danyliw
- Re: [GNAP] AD review of draft-ietf-gnap-core-prot… Justin Richer
- Re: [GNAP] AD review of draft-ietf-gnap-core-prot… Justin Richer
- Re: [GNAP] AD review of draft-ietf-gnap-core-prot… Justin Richer
- Re: [GNAP] AD review of draft-ietf-gnap-core-prot… Justin Richer
- Re: [GNAP] AD review of draft-ietf-gnap-core-prot… Roman Danyliw
- Re: [GNAP] AD review of draft-ietf-gnap-core-prot… Justin Richer