Re: [Txauth] alternative charter writeup
Dick Hardt <dick.hardt@gmail.com> Tue, 14 January 2020 05:12 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FE8812001E for <txauth@ietfa.amsl.com>; Mon, 13 Jan 2020 21:12:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZAd5t0f26L8J for <txauth@ietfa.amsl.com>; Mon, 13 Jan 2020 21:12:15 -0800 (PST)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37DE8120019 for <txauth@ietf.org>; Mon, 13 Jan 2020 21:12:15 -0800 (PST)
Received: by mail-lj1-x230.google.com with SMTP id u71so12735550lje.11 for <txauth@ietf.org>; Mon, 13 Jan 2020 21:12:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=v27LKMQVdZKsrqbffCKz4yydqPin74pdpClZJlCwe6o=; b=KKNrF1RrMBmQxAdKvJP5Dk7NF3IbUctjN59ypmiOHzesDuXSnjh2cWFBGhpGTFeROT w2Jc09qiAkdt8fi37jO6BCp+m0qG6WTO4PXgnWaUDHLk5FMb9BP8jZo1mCfBwE8Ae79l DMH2MZe97jRTOEaOUIyxLrUzDZAfN6ZPbeZUJrOQPZ4f2qNObyaAOk5CWCZI7y+6k6tm dc1yOLOLLB7hA1FxvcjB8Psc3G4COv/87o0xm3+ptqmt/il+/qcQyzU6W1wpIaZ2OhuR 3vp8qv649gg5O6E5kEi16ewYsi8x6vzuWdq7cq8gaPlWopea0dmDZic0RpGsAmgz65hd lahw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=v27LKMQVdZKsrqbffCKz4yydqPin74pdpClZJlCwe6o=; b=hbjZfy0cJtlWvniSC1ouDNsyW0XQFO20A0hTXnMOahn2yapOv9seKJqDGqac8u3UOt /oo/NdzOZeWR1UNCqt7JQRGVupRe76kQ4cB9sySUuICK58SvSAuSOUU09NlBGXnaNYWL 7sh75S1LhieiX2ioZGG2AA8pxmGEEoGidUm5yFq9suBjTXCWGBooajz7KfDscVeXjfXL 65fN4HPboy06l/VBk+jeqF4VZCe50wT6VI98c3VbEWaSBRd/oxrMFWVuTRXwwQt26l6r uXamO6+Y5KhUOAZr+IeFuF+96xw4yzwrxqQ3R4HHY1rbMsgr93krSsG3K7nXM2qaiTHp Z+ag==
X-Gm-Message-State: APjAAAVcEJvQdgESQP388tCfiyNwHfTB+wU5z6XrypdssI8khRg74jHU W6Dz43OTjgo/3HxWsARQPLoCLm9x+XkK4GFlDVU=
X-Google-Smtp-Source: APXvYqw2RChq0EbC6qCJztrND4z9ko0L+W+7U3ZP1qQBliq8juL+PpLuT8cqCv2mVr2ol6CjOgz9C19OuVrxiyGFLYI=
X-Received: by 2002:a2e:9ad8:: with SMTP id p24mr13635521ljj.148.1578978733384; Mon, 13 Jan 2020 21:12:13 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-sGfRGPFa4jBUeoVcG+CO=PvG-Ys-HrUMs7kVdt1zT3vA@mail.gmail.com> <FE8064D0-02CF-4BF1-AF25-0E52D9362D27@mit.edu> <CAD9ie-tAquhg=o1_cmKg_rO3mn9FeqCTDtY07XMqMOdhRWrD5Q@mail.gmail.com> <B758A8F2-211F-4637-84AE-3FD6974C546F@amazon.com> <CAD9ie-u5aV+FShiseuNRu_Ayp3EJjrN=zM1XBJW+vc9wDdL3NQ@mail.gmail.com> <A6D90193-D3FC-4BDB-8F4C-55A30ED252EE@amazon.com> <B88684FE-9ECE-4326-8DA2-F6A14E0D6ED0@mit.edu>
In-Reply-To: <B88684FE-9ECE-4326-8DA2-F6A14E0D6ED0@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 13 Jan 2020 21:12:02 -0800
Message-ID: <CAD9ie-tgXONsgr1cW=5X12Wdi+=iGZrnDtCfMzy-Vf-maezFHg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: "Richard Backman, Annabelle" <richanna@amazon.com>, "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000082e838059c12a26f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/ycJXLJWQqju0myQZK5VW2D1SNxc>
Subject: Re: [Txauth] alternative charter writeup
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2020 05:12:18 -0000
Sounds good to me. On Mon, Jan 13, 2020 at 6:24 PM Justin Richer <jricher@mit.edu> wrote: > I can get behind this kind of addition. I like Annabelle’s framing of it > in terms of decoupling, and some explanation of why we’re doing it in > relation to OAuth 2’s approach. One of the key things, to me, is that we’re > making a break from OAuth 2’s core architecture but doing so for very > specific reasons. > > — Justin > > On Jan 13, 2020, at 8:54 PM, Richard Backman, Annabelle < > richanna@amazon.com> wrote: > > It’s not just about the initial communication, though. I the key thing to > emphasize is the decoupling the protocol from delegation channels, which > addresses the aforementioned security/complexity issues and also provides a > path to support future delegation channel types without significant changes > to the protocol (unlike OAuth 2.0, where extensions like Device Flow and > PAR introduce substantial changes to the core protocol flow on both client > and AS). Since the protocol isn’t assuming a particular front channel, it’s > easier to add support for a new one. > > Proposal, altered from Dick’s suggestion: > This group is chartered to develop a delegated identity and authorization > protocol. The use cases supported by this protocol will include widely > deployed use cases currently supported by OAuth 2.0, and OpenID Connect, an > extension of OAuth 2.0. This protocol will be decoupled from delegation > channels such as an end user’s web browser and operate primarily through a > channel between the client and the authorization server, avoiding many of > the security concerns and technical challenges of OAuth 2.0 and providing a > non-invasive path for adding support for future types of clients and > delegation channels. > > – > Annabelle Richard Backman > AWS Identity > > > *From: *Dick Hardt <dick.hardt@gmail.com> > *Date: *Monday, January 13, 2020 at 4:35 PM > *To: *"Richard Backman, Annabelle" <richanna@amazon.com> > *Cc: *Justin Richer <jricher@mit.edu>, "txauth@ietf.org" <txauth@ietf.org> > *Subject: *Re: [Txauth] alternative charter writeup > > I agree, some more "why" would help a broader audience understand the > motivations. How about this change to the first paragraph? > > This group is chartered to develop a delegated identity and authorization > protocol. The use cases supported by this protocol will include widely > deployed use cases currently supported by OAuth 2.0, and OpenID Connect, an > extension of OAuth 2.0. In contrast to OAuth 2.0, where the protocol is > initiated by redirecting the user's browser to an authorization server, > this protocol will be initiated by the client directly interacting with the > authorization server, which will mitigate many of the security concerns and > technical challenges of OAuth 2.0. > > > On Mon, Jan 13, 2020 at 3:38 PM Richard Backman, Annabelle < > richanna@amazon.com> wrote: > > While I agree with the goals stated in this charter, if I read this from > the perspective of someone who hasn’t been our meetings or listened to > Justin’s presentations, I’m hard pressed to see what the point of this > group is, relative to the OAuth WG. I’d expect this charter to provide at > least a cursory explanation of what problem it is trying to solve. In this > case, the problem should be partially defined in relation to OAuth. What > will this WG do that the OAuth WG hasn’t already done or isn’t already > doing? > > How about adding something like the following to paragraph 2: > > The protocol will mitigate many of the security concerns and technical > challenges of OAuth 2.0 by communicating over secure channels between the > client and the authorization server, and minimizing the amount of > information transmitted over untrusted channels. > > – > Annabelle Richard Backman > AWS Identity > > > *From: *Txauth <txauth-bounces@ietf.org> on behalf of Dick Hardt < > dick.hardt@gmail.com> > *Date: *Friday, January 10, 2020 at 6:57 PM > *To: *Justin Richer <jricher@mit.edu> > *Cc: *"txauth@ietf.org" <txauth@ietf.org> > *Subject: *Re: [Txauth] alternative charter writeup > > This looks even better! Thanks Justin. > > What do others think of the proposed charter now? > ᐧ > > On Fri, Jan 10, 2020 at 12:43 PM Justin Richer <jricher@mit.edu> wrote: > > Thanks, Dick. I’ve been working on an updated charter based on everyone’s > feedback, and I was aiming to have out today anyway, so this timing is > helpful. So here’s my take on a new charter, incorporating some of your > points below: > > > This group is chartered to develop a delegation protocol for identity, > authorization, and API access. This protocol will allow an authorizing > party to delegate access to client software through an authorization > server. The use cases supported by this protocol will include widely > deployed use cases currently supported by OAuth 2.0 and OpenID Connect. > > The delegation process will be acted upon by multiple parties in the > protocol, each performing a specific role. The protocol will be initiated > by the client interacting directly with the authorization server (in > contrast with OAuth 2 which is initiated by the client redirecting the > user’s browser). The client will involve the authorizing party as necessary > through interaction mechanisms indicated by the protocol. > > Additionally, the delegation process will allow for: > > - Fine-grained specification of resource access > - Approval of identity claims and multiple resources in a single > interaction > - Delegation between multiple users > - Web, mobile, single-page, and other types of client applications > > The group will define extension points for this protocol to allow for > flexibility in areas including: > > - Cryptographic agility for keys, message signatures, and proof of > possession > - User interaction mechanisms including web and non-web methods > - Mechanisms for providing user, software, organization, and other pieces > of information used in authorization decisions > - Token presentation mechanisms and key bindings > > Additionally, the group will provide mechanisms for management of the > protocol lifecycle including: > > - Discovery of the authorization server > - Revocation of active tokens > - Query of token rights by resource servers > > Although the artifacts for this work are not intended or expected to be > backwards-compatible with OAuth 2.0 or OpenID Connect, the group > will attempt to simplify porting from OAuth 2.0 and OpenID Connect to the > new protocol where possible. > > While the initial work will focus on using HTTP for communication between > the client and the authorization server, the working group will seek to > take advantage of optimization features of HTTP2 and HTTP3, and will strive > to enable simple mapping to other protocols such as COAP. > > > On Jan 10, 2020, at 12:04 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > > Hey > > I've written an alternative charter that I hope captures some of the > feedback on Justin's charter. > > I found it easier to rewrite the charter to broaden the marketplace of > ideas. > > Key ideas: > > - This work supports existing OAuth 2.0, and OpenID Connect use cases. > > - The client interacts directly with the authorization server. > > /Dick > > ---- > > This group is chartered to develop a delegated identity and authorization > protocol.. The use cases supported by this protocol will include widely > deployed use cases currently supported by OAuth 2.0, and OpenID Connect. In > contrast to OAuth 2.0 and OpenID Connect, where the protocol is initiated > by redirecting the user's browser to an authorization server, this protocol > will be initiated by the client directly interacting with the authorization > server.. > > Additionally, the protocol will allow: > - fine-grained specification of resource access > - the user to approve requests for identity claims and access to multiple > resources in one interaction > - web, mobile, single-page, and other client applications > - taking advantage of optimization features in HTTP2 and HTTP3 > > The group will define extension points for this protocol to allow for > flexibility in areas including: > > - discovery of the authorization server > - cryptographic agility for keys, message signatures, and proof of > possession > - user interaction mechanisms including web and non-web methods- token > presentation mechanisms and key bindings > > Although the artifacts for this work are not intended or expected to be > backwards-compatible with OAuth 2.0 or OpenID Connect, they will attempt to > simplify porting from OAuth 2.0 and OpenID Connect, and strive to reuse > existing semantics such as client identifiers, OAuth 2.0 scopes and access > tokens, and OpenID Connect ID Tokens and claims. > > While the initial work will focus on using HTTP for communication between > the client and the authorization server, the working group will strive to > enable simple mapping to other protocols such as COAP. > > > ᐧ > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > > >
- [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Adrian Hope-Bailie
- Re: [Txauth] alternative charter writeup Yaron Sheffer
- Re: [Txauth] alternative charter writeup Lee McGovern
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Torsten Lodderstedt
- Re: [Txauth] alternative charter writeup Thomas Hardjono
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Thomas Hardjono
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Thomas Hardjono
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Justin Richer