Re: [GNAP] RS draft - some comments
Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 07 September 2023 15:26 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B92A3C151539 for <txauth@ietfa.amsl.com>; Thu, 7 Sep 2023 08:26:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cRepbG9QVgeY for <txauth@ietfa.amsl.com>; Thu, 7 Sep 2023 08:26:55 -0700 (PDT)
Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4FAAC14CF1B for <txauth@ietf.org>; Thu, 7 Sep 2023 08:26:54 -0700 (PDT)
Received: by mail-pl1-x62b.google.com with SMTP id d9443c01a7336-1bf55a81eeaso8165125ad.0 for <txauth@ietf.org>; Thu, 07 Sep 2023 08:26:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1694100414; x=1694705214; darn=ietf.org; h=mime-version:in-reply-to:references:thread-topic:message-id:to:from :subject:date:user-agent:from:to:cc:subject:date:message-id:reply-to; bh=rYGUQcs6c65Eu0cP+BLyJhrT5kqRECy4IaNvX1V6SKo=; b=M0hU8ROUm54GMV6Yqw98pK6bzOlexdOouAQipO9f3aFCrqvOoUBNQgyYbEEHXWuRsA m6E7ZOh3G/Umz0dpvrzEWD2u7KYAubFbZkcp9mkW0Pg52t/wOVPGbAhq6JC/SyncBFbx tl9VRiOTOMQYC/2lBi/HwO9YgQjLJCyQgaLU8A4gWP+GfgTg2B9D4f/QJgPF+oKhXyV0 bsFUjjTj0YTIjzSD6PQvrhb8gi68h1HIpr+1jOMfQitnU5MtxoIZVlMJO+C7yDG/eph0 4zQ9whM3CZf+dn24wEmAes3QawnnTOa9LdsIYex81g/z+kw8NkLiPkFE+Xq+CTH2EGKr ha6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1694100414; x=1694705214; h=mime-version:in-reply-to:references:thread-topic:message-id:to:from :subject:date:user-agent:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=rYGUQcs6c65Eu0cP+BLyJhrT5kqRECy4IaNvX1V6SKo=; b=RVnQXyKmDGh46Dvs2IthmUhytLH/GtvBWk0PAt2ExpTLwvjOlqi3TXRyhYFOCo0EAs BAKG2hIhS5I/tk8xsDvlwdDFbgTN39Ule2uvN+iAYDgMG/9NQjNaS7BuytQyz44N495S ZaH7L1e4k7ISk3NpXLEII3zjkSc9owLUbvOxgxH+J83Ztv+CWiOeMd29Goj+pq63xJMr YN76t2kyJc/CdSpZwRK2hynVpqWwmCNrJPjcu43onsGg6RF+cGgbsvZRg8KtLIknZfaM ii8uGPB1IrVXT9C2ALKtTUHFbeEqZI+wXJQyYOhmX89XYkTUJqNweY+O+TUZ52jFzFgN f/BA==
X-Gm-Message-State: AOJu0YznhWK3YWmdqzoBYWp9ot1J83c14rsdqH6IF1N25Z8MnHqO+/Z7 Sf7zuWL0PrOqXpWlh2Z2N7s07DEmFq8pD3ig
X-Google-Smtp-Source: AGHT+IGqdskK8OoaEYwDBkLE/NDe7a7LsJoehkDSBQQKyd7y2Uyx0QlYMWzTDs4nmpP/pR7X+A3fag==
X-Received: by 2002:a17:902:74c9:b0:1c0:e6e1:4a11 with SMTP id f9-20020a17090274c900b001c0e6e14a11mr15827138plt.54.1694100413998; Thu, 07 Sep 2023 08:26:53 -0700 (PDT)
Received: from [172.20.1.59] (076-053-041-226.inf.spectrum.com. [76.53.41.226]) by smtp.gmail.com with ESMTPSA id iy12-20020a170903130c00b001b05e96d859sm12950305plb.135.2023.09.07.08.26.53 for <txauth@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Sep 2023 08:26:53 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.76.23082700
Date: Thu, 07 Sep 2023 08:26:52 -0700
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: GNAP Mailing List <txauth@ietf.org>
Message-ID: <B251CCF2-BAE7-4B05-9CD8-C3EF07262AE6@gmail.com>
Thread-Topic: RS draft - some comments
References: <9C49C06C-84BA-4646-896F-82A916E895EB@gmail.com>
In-Reply-To: <9C49C06C-84BA-4646-896F-82A916E895EB@gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3776920013_1750778898"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/y7a8C33ue27CqVdTu5obii7blFg>
Subject: Re: [GNAP] RS draft - some comments
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2023 15:26:55 -0000
Quick reminder to the authors. Thanks! From: Yaron Sheffer <yaronf.ietf@gmail.com> Date: Sunday, 27 August 2023 at 4:17 To: GNAP Mailing List <txauth@ietf.org> Subject: RS draft - some comments Hi, I have read the latest version of the draft (the editor’s copy). Here are some comments. Let’s discuss the on the list first, and then open issues as needed. Macaroons and Biscuits - please include references. RS-facing discovery: I suppose the .well-known URL needs to be registered in the IANA section. RS-facing discovery: please add Optional/Required to all fields in the discovery response. Introspection: semantics of the access element in the request is not clear, and it may be easier to remove it completely. Otherwise, we should say that the access element in the response MUST be filtered per the request. On a related note: is it explicitly stated anywhere that an empto access array means no access is allowed? Introspection: I'm wondering about the key element in the response. How does the AS know that the token is bound, and how does it know what key the Client should be using? In fact does it (and should it) even know who the Client is? Also, if I understand the situation correctly, the RS is supposed to send a not-fully-trusted access token to the AS first, and only then validate that it's bound to the correct key. This can easily go wrong. Resource registration: the token_introspection_required element doesn't seem useful. If set to false but the AS receives an introspection call, should it reject it? If set to true and the call is not made, the AS would never know! Resource registration: how is the returned resource_reference used? Perhaps it should also be returned in an introspection request, to allow the RS to validate that the Client is using the right token for the resource? Deriving a downstream token: should we say that the AS MUST verify that the existing_access_token is targeted at RS1? Thanks, Yaron
- [GNAP] RS draft - some comments Yaron Sheffer
- Re: [GNAP] RS draft - some comments Yaron Sheffer
- Re: [GNAP] RS draft - some comments Justin Richer