From nobody Tue Mar  1 04:48:59 2022
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 6A93D3A0897
 for <txauth@ietfa.amsl.com>; Tue,  1 Mar 2022 04:48:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level: 
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001]
 autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
 header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 5kkHO8FlcWSl for <txauth@ietfa.amsl.com>;
 Tue,  1 Mar 2022 04:48:55 -0800 (PST)
Received: from mail-il1-x134.google.com (mail-il1-x134.google.com
 [IPv6:2607:f8b0:4864:20::134])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id F0CC43A0881
 for <txauth@ietf.org>; Tue,  1 Mar 2022 04:48:54 -0800 (PST)
Received: by mail-il1-x134.google.com with SMTP id f2so12454364ilq.1
 for <txauth@ietf.org>; Tue, 01 Mar 2022 04:48:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; 
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=JklxEtzj4pkpHBfVv/ZoVfb3bSW9qbFe7M9Mc3SF4hE=;
 b=bxbLflPtMJt9TB4FJocrUpZDXNgk/cdtQaO12Gf5gg8yIryctvPIgOI3bCgGqv/uD2
 JT2h3EzkUQJVy2+KzuFewwbPQk8HKMrsmjYSyfKZlyM3onyEqY3gYJFel+XuDXt7X/Lq
 BiR/PbeI32xmb2KIaLQ3larmzfNbsjSZxt2pIZNtGX5lvRic7hCg+1DzAcqY+qqEWRKd
 ZSe8CvkJYi14ATzIOSQsMBBm+l6QZnquaXt5gWLX/4UB9CBC4xOPHc0LVOCYPjhRmiAL
 Oxgcn68dBZD8KyaYwQ72LloH9Tf9uPAUS3rbhC1sGk8NN70PIZxsi3FRCl2U35MUa4Ra
 mRxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=JklxEtzj4pkpHBfVv/ZoVfb3bSW9qbFe7M9Mc3SF4hE=;
 b=7IiU1vNeh8ihzJEKntpqBOAiuONN/EYu+oEUhuhNBVHG93hp4Fqsag3XcK6U9tkfs+
 DmRdks/PdujzEpjpDrxcty2og+Av66XsjVxlc5p08Jlg+YBnkcrST/OzGgqIC/yqM/U3
 rgPA1hO8XcBR5qcZkdLiiYjPmF5Q4MeFfPXt2XD5Rjga5Rnz9kPlBS8n02ucAv+tVxaa
 rzLpbygxG1f8rx575RaMhOirUXlD9VP4XbPcVvNRqAPTaKLm0gkN8NP0a/Fpke1B8wBe
 782GJL3sRHfFj7CKuRFmrkGnciq1tXwW2BUf/bdgg3rFHfBUiCivJgWiIue/ICTRaMcE
 Owfg==
X-Gm-Message-State: AOAM533d590eP6LQPJ5Nn0beDi++YvUU+2PbAmBRpVbgRgvMys7A47Pm
 yRJziA3i64Gn7ZhS6zMLYrc4OIw2yPkYvJcEVuk=
X-Google-Smtp-Source: ABdhPJw0ctQuAk6e26/BgPSyjCgnNYE2GVthalJA/WOfc5tSm1hZq12kVLclqjhsE18XroVIdGoeO86LBHU/cNTJcTo=
X-Received: by 2002:a05:6e02:1585:b0:2c2:5b2c:e3e5 with SMTP id
 m5-20020a056e02158500b002c25b2ce3e5mr24731475ilu.76.1646138934007; Tue, 01
 Mar 2022 04:48:54 -0800 (PST)
MIME-Version: 1.0
References: <5d89f969-2e67-32f4-e06b-e230453a906f@free.fr>
In-Reply-To: <5d89f969-2e67-32f4-e06b-e230453a906f@free.fr>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Tue, 1 Mar 2022 13:48:42 +0100
Message-ID: <CAM8feuQ84ECPZnTsWcbrt4sqR2kS5bgP8m3=RSO9bq-4qJngFg@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000699c6005d9279668"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/y7GDcLJz3EpinoZuWxs7DYt4tfA>
Subject: Re: [GNAP] Concerns with the lack of progression of GNAP after 20
 months of work
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>,
 <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>,
 <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2022 12:48:58 -0000

--000000000000699c6005d9279668
Content-Type: text/plain; charset="UTF-8"

Dear Denis,

Sorry I have to say this, but repeating your misconceptions don't make them
true. That's currently not helping anyone going forward.

The editors and chairs welcome anyone with helpful contribution.
Already the spec had many great improvements, from many outstanding
individuals cited in the text. Including on security and privacy.

We are now stabilizing the core draft and focusing on real world
implementations to demonstrate the value and interoperability.

Best regards,
Fabien (speaking only in my own name)




On Tue, 1 Mar 2022, 12:49 Denis, <denis.ietf@free.fr> wrote:

> Hello everybody,
>
> GNAP has four main components : users, clients, ASs and RSs.
>
> GNAP is supposed to describe a protocol. A protocol is a set of rules
> that control the way data is exchanged between computers.
> A reader would expect to find the description of the data sent by a client
> to a RS (which are indeed described in ietf-wg-gnap/core-protocol),
> but also find how that data *shall be handled by a RS* which is supposed
> to be described in draft-ietf-gnap-resource-servers. Unfortunately,
> this is not the case.
>
> The focus has been placed on the "core" protocol, leaving aside the the RS.
>
> The core document (ietf-wg-gnap/core-protocol) has now got more than 400
> issues !
>
> Besides the editors (and the chair), very few members are active and at
> this time it is unlikely that more members will participate
> since *the main driving line for the construction of GNAP has been los**t*
> .
>
> The recent message called "embedding GNAP" got no reply from the WG,
> except one from a co-editor.
> IMO, this demonstrates that *GNAP is still a **moving target* *after 20
> months of work.*
>
> Does this mean that all the WG members agree with the very few emails that
> are exchanged or that the WG members are
> no longer really able to participate to the discussion since such
> participation would involve a lot of days to get "up to speed" again ?
> I would guess that the right answer is the latter.
>
> The core document has still *no security model *and hence its security is
> more than questionable.
>
> The core document is AS centric and hence *the **privacy concerns of the
> users cannot be addressed*. Is this deliberate ?
> When the work started, privacy was supposed to be a major concern to be
> taken into consideration, but in practice, this is not the case.
>
> The core document still does not address the general use case.
>
> There are so many options that *interoperability will not be possible*.
>
> *draft-ietf-gnap-resource-servers-01** expired on 13 January 2022*.  We
> are now close to an IETF meeting and no draft is available.
> The milestones are outdated and, anyway, are not observed (see
> https://datatracker.ietf.org/doc/charter-ietf-gnap/writeup/)
>
> Milestones:
>
>   Jul 2021 - Core delegation protocol in WGLC
>
>   Oct 2021 - Key presentation mechanism binding to the core protocol, TLS, to WGLC
>
>   Oct 2021 - Key presentation mechanism binding to the core protocol, detached HTTP signatures, to WGLC
>
>   Oct 2021 - Key presentation mechanism binding to the core protocol, embedded HTTP signature, to WGLC
>
>   Dec 2021 - Guidelines for use of protocol extension points to WGLC
>
>   Feb 2022 - Guidelines on migration paths, implementation, and operations to WGLC
>
>
> At the next IETF meeting, rather than addressing, *as usual,* the last
> technical issues that no one or very few people will be able to follow or
> understand,
> I would suggest that the editors address the following topics:
> *interoperability*, *privacy *and *security *at a level that will allow
> everybody to understand
> the real issues behind these three words and by presenting *a balanced
> view*.
> Denis
>
> PS: If we were working within ISO, this WG would already have been closed.
>
> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

--000000000000699c6005d9279668
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto"><div>Dear Denis,<div dir=3D"auto"><br></div><div dir=3D"a=
uto">Sorry I have to say this, but repeating your misconceptions don&#39;t =
make them true. That&#39;s currently not helping anyone going forward.</div=
><div dir=3D"auto"><br></div><div dir=3D"auto">The editors and chairs welco=
me anyone with helpful contribution.=C2=A0</div><div dir=3D"auto">Already t=
he spec had many great improvements, from many outstanding individuals cite=
d in the text. Including on security and privacy.</div><div dir=3D"auto"><b=
r></div><div dir=3D"auto">We are now stabilizing the core draft and focusin=
g on real world implementations to demonstrate the value and interoperabili=
ty.=C2=A0</div><div dir=3D"auto"><br></div><div dir=3D"auto">Best regards,<=
/div><div dir=3D"auto">Fabien (speaking only in my own name)</div><div dir=
=3D"auto"><br></div><div dir=3D"auto"><br></div><br><br><div class=3D"gmail=
_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, 1 Mar 2022, 12:49 Den=
is, &lt;<a href=3D"mailto:denis.ietf@free.fr" rel=3D"noreferrer noreferrer"=
 target=3D"_blank">denis.ietf@free.fr</a>&gt; wrote:<br></div><blockquote c=
lass=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;=
padding-left:1ex">
 =20

   =20
 =20
  <div>
    <p>Hello everybody,<br>
      <span id=3D"m_7161345808286313555m_6066375261535833907m_6506138452035=
884450protocol__14"><span id=3D"m_7161345808286313555m_6066375261535833907m=
_6506138452035884450protocol__48"></span></span></p>
    <p><span id=3D"m_7161345808286313555m_6066375261535833907m_650613845203=
5884450protocol__14"><span id=3D"m_7161345808286313555m_6066375261535833907=
m_6506138452035884450protocol__48">GNAP has four main components : users,
          clients, ASs and RSs.</span></span></p>
    <p>GNAP is supposed to describe a protocol. A protocol is <span id=3D"m=
_7161345808286313555m_6066375261535833907m_6506138452035884450protocol__14"=
><span id=3D"m_7161345808286313555m_6066375261535833907m_650613845203588445=
0protocol__48">a set of rules that control the way data is
          exchanged between computers.<br>
          A reader would expect to find the description of the data sent
          by a client to a RS (which are indeed described in </span></span>=
<span id=3D"m_7161345808286313555m_6066375261535833907m_6506138452035884450=
protocol__14"><span id=3D"m_7161345808286313555m_6066375261535833907m_65061=
38452035884450protocol__48"><span id=3D"m_7161345808286313555m_606637526153=
5833907m_6506138452035884450protocol__14"><span id=3D"m_7161345808286313555=
m_6066375261535833907m_6506138452035884450protocol__48">ietf-wg-gnap/core-p=
rotocol)</span></span>,
          <br>
          but also find how that data <b>shall be handled by a RS</b>
          which is supposed to be described in </span></span><span id=3D"m_=
7161345808286313555m_6066375261535833907m_6506138452035884450protocol__14">=
<span id=3D"m_7161345808286313555m_6066375261535833907m_6506138452035884450=
protocol__48">draft-ietf-gnap-resource-servers.
          Unfortunately, <br>
          this is not the case. </span></span></p>
    <p><span id=3D"m_7161345808286313555m_6066375261535833907m_650613845203=
5884450protocol__14"><span id=3D"m_7161345808286313555m_6066375261535833907=
m_6506138452035884450protocol__48">The focus has been placed on the &quot;c=
ore&quot;
          protocol, leaving aside the the RS.<br>
        </span></span><br>
      <span id=3D"m_7161345808286313555m_6066375261535833907m_6506138452035=
884450protocol__14"><span id=3D"m_7161345808286313555m_6066375261535833907m=
_6506138452035884450protocol__48">The core document
          (ietf-wg-gnap/core-protocol) has now got more than 400 issues
          ! <br>
        </span></span></p>
    <p><span id=3D"m_7161345808286313555m_6066375261535833907m_650613845203=
5884450protocol__14"><span id=3D"m_7161345808286313555m_6066375261535833907=
m_6506138452035884450protocol__48">Besides the editors (and the chair), ver=
y
          few members are active and at this time it is unlikely that
          more members will participate <br>
          since <b>the main driving line for the construction of GNAP
            has been los</b><b>t</b>.<br>
        </span></span></p>
    <p>The recent message called &quot;embedding GNAP&quot; got no reply fr=
om the
      WG, except one from a co-editor.<br>
      IMO, this demonstrates that <font color=3D"#0000ff"><b>GNAP is
          still a </b><b>moving target</b> </font><b><font color=3D"#0000ff=
">after 20 months of work</font>.</b><br>
      <br>
      Does this mean that all the WG members agree with the very few
      emails that are exchanged or that the WG members are <br>
      no longer really able to participate to the discussion since such
      participation would involve a lot of days to get &quot;up to speed&qu=
ot;
      again ? <br>
      I would guess that the right answer is the latter.</p>
    <p><span id=3D"m_7161345808286313555m_6066375261535833907m_650613845203=
5884450protocol__14"><span id=3D"m_7161345808286313555m_6066375261535833907=
m_6506138452035884450protocol__48">The core document has still <b>no securi=
ty
            model </b>and hence its security is more than questionable.<br>
          <br>
          The core document is AS centric and hence <b>the </b><b>privacy
            concerns of the users cannot be addressed</b>. Is this
          deliberate ?<br>
        </span></span><span id=3D"m_7161345808286313555m_606637526153583390=
7m_6506138452035884450protocol__14"><span id=3D"m_7161345808286313555m_6066=
375261535833907m_6506138452035884450protocol__48">When the work started, pr=
ivacy
          was supposed to be a major concern to be taken into
          consideration, but in practice, this is not the case.</span></spa=
n><br>
      <span id=3D"m_7161345808286313555m_6066375261535833907m_6506138452035=
884450protocol__14"><span id=3D"m_7161345808286313555m_6066375261535833907m=
_6506138452035884450protocol__48"><span id=3D"m_7161345808286313555m_606637=
5261535833907m_6506138452035884450protocol__14"><span id=3D"m_7161345808286=
313555m_6066375261535833907m_6506138452035884450protocol__48"><span id=3D"m=
_7161345808286313555m_6066375261535833907m_6506138452035884450protocol__14"=
><span id=3D"m_7161345808286313555m_6066375261535833907m_650613845203588445=
0protocol__48"><br>
                  The core document</span></span> still does not address
              the general use case.</span></span></span></span></p>
    <p><span id=3D"m_7161345808286313555m_6066375261535833907m_650613845203=
5884450protocol__14"><span id=3D"m_7161345808286313555m_6066375261535833907=
m_6506138452035884450protocol__48">There are so many options that <b>intero=
perability
            will not be possible</b>. <br>
        </span></span></p>
    <p><b>draft-ietf-gnap-resource-servers-01</b><b> expired on 13
        January 2022</b>.=C2=A0 We are now close to an IETF meeting and no
      draft is available.</p>
    The milestones are outdated and, anyway, are not observed (see<font col=
or=3D"#0000ff"> <a href=3D"https://datatracker.ietf.org/doc/charter-ietf-gn=
ap/writeup/" rel=3D"noreferrer noreferrer noreferrer" target=3D"_blank">htt=
ps://datatracker.ietf.org/doc/charter-ietf-gnap/writeup/</a></font>)<br>
    <pre>Milestones:

  Jul 2021 - Core delegation protocol in WGLC

  Oct 2021 - Key presentation mechanism binding to the core protocol, TLS, =
to WGLC

  Oct 2021 - Key presentation mechanism binding to the core protocol, detac=
hed HTTP signatures, to WGLC

  Oct 2021 - Key presentation mechanism binding to the core protocol, embed=
ded HTTP signature, to WGLC

  Dec 2021 - Guidelines for use of protocol extension points to WGLC

  Feb 2022 - Guidelines on migration paths, implementation, and operations =
to WGLC

</pre>
    <p>At the next IETF meeting, rather than addressing, <i>as usual,</i>
      the last technical issues that no one or very few people will be
      able to follow or understand, <br>
      I would suggest that the editors address the following topics: <b>int=
eroperability</b>,
      <b>privacy </b>and <b>security </b>at a level that will allow
      everybody to understand <br>
      the real issues behind these three words and by presenting <font colo=
r=3D"#0000ff"><b>a balanced view</b></font>.<br>
    </p>
    Denis
    <p>PS: If we were working within ISO, this WG would already have
      been closed.<br>
      <br>
    </p>
  </div>

-- <br>
TXAuth mailing list<br>
<a href=3D"mailto:TXAuth@ietf.org" rel=3D"noreferrer noreferrer noreferrer"=
 target=3D"_blank">TXAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/txauth" rel=3D"noreferrer =
noreferrer noreferrer noreferrer" target=3D"_blank">https://www.ietf.org/ma=
ilman/listinfo/txauth</a><br>
</blockquote></div>
</div></div>

--000000000000699c6005d9279668--

