IETF Logo Mail Archive

Re: [Txauth] alternative charter writeup

Dick Hardt <dick.hardt@gmail.com> Tue, 14 January 2020 05:12 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FE8812001E for <txauth@ietfa.amsl.com>; Mon, 13 Jan 2020 21:12:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZAd5t0f26L8J for <txauth@ietfa.amsl.com>; Mon, 13 Jan 2020 21:12:15 -0800 (PST)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37DE8120019 for <txauth@ietf.org>; Mon, 13 Jan 2020 21:12:15 -0800 (PST)
Received: by mail-lj1-x230.google.com with SMTP id u71so12735550lje.11 for <txauth@ietf.org>; Mon, 13 Jan 2020 21:12:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=v27LKMQVdZKsrqbffCKz4yydqPin74pdpClZJlCwe6o=; b=KKNrF1RrMBmQxAdKvJP5Dk7NF3IbUctjN59ypmiOHzesDuXSnjh2cWFBGhpGTFeROT w2Jc09qiAkdt8fi37jO6BCp+m0qG6WTO4PXgnWaUDHLk5FMb9BP8jZo1mCfBwE8Ae79l DMH2MZe97jRTOEaOUIyxLrUzDZAfN6ZPbeZUJrOQPZ4f2qNObyaAOk5CWCZI7y+6k6tm dc1yOLOLLB7hA1FxvcjB8Psc3G4COv/87o0xm3+ptqmt/il+/qcQyzU6W1wpIaZ2OhuR 3vp8qv649gg5O6E5kEi16ewYsi8x6vzuWdq7cq8gaPlWopea0dmDZic0RpGsAmgz65hd lahw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=v27LKMQVdZKsrqbffCKz4yydqPin74pdpClZJlCwe6o=; b=hbjZfy0cJtlWvniSC1ouDNsyW0XQFO20A0hTXnMOahn2yapOv9seKJqDGqac8u3UOt /oo/NdzOZeWR1UNCqt7JQRGVupRe76kQ4cB9sySUuICK58SvSAuSOUU09NlBGXnaNYWL 7sh75S1LhieiX2ioZGG2AA8pxmGEEoGidUm5yFq9suBjTXCWGBooajz7KfDscVeXjfXL 65fN4HPboy06l/VBk+jeqF4VZCe50wT6VI98c3VbEWaSBRd/oxrMFWVuTRXwwQt26l6r uXamO6+Y5KhUOAZr+IeFuF+96xw4yzwrxqQ3R4HHY1rbMsgr93krSsG3K7nXM2qaiTHp Z+ag==
X-Gm-Message-State: APjAAAVcEJvQdgESQP388tCfiyNwHfTB+wU5z6XrypdssI8khRg74jHU W6Dz43OTjgo/3HxWsARQPLoCLm9x+XkK4GFlDVU=
X-Google-Smtp-Source: APXvYqw2RChq0EbC6qCJztrND4z9ko0L+W+7U3ZP1qQBliq8juL+PpLuT8cqCv2mVr2ol6CjOgz9C19OuVrxiyGFLYI=
X-Received: by 2002:a2e:9ad8:: with SMTP id p24mr13635521ljj.148.1578978733384; Mon, 13 Jan 2020 21:12:13 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-sGfRGPFa4jBUeoVcG+CO=PvG-Ys-HrUMs7kVdt1zT3vA@mail.gmail.com> <FE8064D0-02CF-4BF1-AF25-0E52D9362D27@mit.edu> <CAD9ie-tAquhg=o1_cmKg_rO3mn9FeqCTDtY07XMqMOdhRWrD5Q@mail.gmail.com> <B758A8F2-211F-4637-84AE-3FD6974C546F@amazon.com> <CAD9ie-u5aV+FShiseuNRu_Ayp3EJjrN=zM1XBJW+vc9wDdL3NQ@mail.gmail.com> <A6D90193-D3FC-4BDB-8F4C-55A30ED252EE@amazon.com> <B88684FE-9ECE-4326-8DA2-F6A14E0D6ED0@mit.edu>
In-Reply-To: <B88684FE-9ECE-4326-8DA2-F6A14E0D6ED0@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 13 Jan 2020 21:12:02 -0800
Message-ID: <CAD9ie-tgXONsgr1cW=5X12Wdi+=iGZrnDtCfMzy-Vf-maezFHg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: "Richard Backman, Annabelle" <richanna@amazon.com>, "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000082e838059c12a26f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/ycJXLJWQqju0myQZK5VW2D1SNxc>
Subject: Re: [Txauth] alternative charter writeup
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2020 05:12:18 -0000

Sounds good to me.

On Mon, Jan 13, 2020 at 6:24 PM Justin Richer <jricher@mit.edu> wrote:

> I can get behind this kind of addition. I like Annabelle’s framing of it
> in terms of decoupling, and some explanation of why we’re doing it in
> relation to OAuth 2’s approach. One of the key things, to me, is that we’re
> making a break from OAuth 2’s core architecture but doing so for very
> specific reasons.
>
>  — Justin
>
> On Jan 13, 2020, at 8:54 PM, Richard Backman, Annabelle <
> richanna@amazon.com> wrote:
>
> It’s not just about the initial communication, though. I the key thing to
> emphasize is the decoupling the protocol from delegation channels, which
> addresses the aforementioned security/complexity issues and also provides a
> path to support future delegation channel types without significant changes
> to the protocol (unlike OAuth 2.0, where extensions like Device Flow and
> PAR introduce substantial changes to the core protocol flow on both client
> and AS). Since the protocol isn’t assuming a particular front channel, it’s
> easier to add support for a new one.
>
> Proposal, altered from Dick’s suggestion:
> This group is chartered to develop a delegated identity and authorization
> protocol. The use cases supported by this protocol will include widely
> deployed use cases currently supported by OAuth 2.0, and OpenID Connect, an
> extension of OAuth 2.0. This protocol will be decoupled from delegation
> channels such as an end user’s web browser and operate primarily through a
> channel between the client and the authorization server, avoiding many of
> the security concerns and technical challenges of OAuth 2.0 and providing a
> non-invasive path for adding support for future types of clients and
> delegation channels.
>
> –
> Annabelle Richard Backman
> AWS Identity
>
>
> *From: *Dick Hardt <dick.hardt@gmail.com>
> *Date: *Monday, January 13, 2020 at 4:35 PM
> *To: *"Richard Backman, Annabelle" <richanna@amazon.com>
> *Cc: *Justin Richer <jricher@mit.edu>, "txauth@ietf.org" <txauth@ietf.org>
> *Subject: *Re: [Txauth] alternative charter writeup
>
> I agree, some more "why" would help a broader audience understand the
> motivations. How about this change to the first paragraph?
>
> This group is chartered to develop a delegated identity and authorization
> protocol. The use cases supported by this protocol will include widely
> deployed use cases currently supported by OAuth 2.0, and OpenID Connect, an
> extension of OAuth 2.0. In contrast to OAuth 2.0, where the protocol is
> initiated by redirecting the user's browser to an authorization server,
> this protocol will be initiated by the client directly interacting with the
> authorization server, which will mitigate many of the security concerns and
> technical challenges of OAuth 2.0.
>
>
> On Mon, Jan 13, 2020 at 3:38 PM Richard Backman, Annabelle <
> richanna@amazon.com> wrote:
>
> While I agree with the goals stated in this charter, if I read this from
> the perspective of someone who hasn’t been our meetings or listened to
> Justin’s presentations, I’m hard pressed to see what the point of this
> group is, relative to the OAuth WG. I’d expect this charter to provide at
> least a cursory explanation of what problem it is trying to solve. In this
> case, the problem should be partially defined in relation to OAuth. What
> will this WG do that the OAuth WG hasn’t already done or isn’t already
> doing?
>
> How about adding something like the following to paragraph 2:
>
> The protocol will mitigate many of the security concerns and technical
> challenges of OAuth 2.0 by communicating over secure channels between the
> client and the authorization server, and minimizing the amount of
> information transmitted over untrusted channels.
>
> –
> Annabelle Richard Backman
> AWS Identity
>
>
> *From: *Txauth <txauth-bounces@ietf.org> on behalf of Dick Hardt <
> dick.hardt@gmail.com>
> *Date: *Friday, January 10, 2020 at 6:57 PM
> *To: *Justin Richer <jricher@mit.edu>
> *Cc: *"txauth@ietf.org" <txauth@ietf.org>
> *Subject: *Re: [Txauth] alternative charter writeup
>
> This looks even better! Thanks Justin.
>
> What do others think of the proposed charter now?
> ᐧ
>
> On Fri, Jan 10, 2020 at 12:43 PM Justin Richer <jricher@mit.edu> wrote:
>
> Thanks, Dick. I’ve been working on an updated charter based on everyone’s
> feedback, and I was aiming to have out today anyway, so this timing is
> helpful. So here’s my take on a new charter, incorporating some of your
> points below:
>
>
> This group is chartered to develop a delegation protocol for identity,
> authorization, and API access. This protocol will allow an authorizing
> party to delegate access to client software through an authorization
> server. The use cases supported by this protocol will include widely
> deployed use cases currently supported by OAuth 2.0 and OpenID Connect.
>
> The delegation process will be acted upon by multiple parties in the
> protocol, each performing a specific role. The protocol will be initiated
> by the client interacting directly with the authorization server (in
> contrast with OAuth 2 which is initiated by the client redirecting the
> user’s browser). The client will involve the authorizing party as necessary
> through interaction mechanisms indicated by the protocol.
>
> Additionally, the delegation process will allow for:
>
> - Fine-grained specification of resource access
> - Approval of identity claims and multiple resources in a single
> interaction
> - Delegation between multiple users
> - Web, mobile, single-page, and other types of client applications
>
> The group will define extension points for this protocol to allow for
> flexibility in areas including:
>
> - Cryptographic agility for keys, message signatures, and proof of
> possession
> - User interaction mechanisms including web and non-web methods
> - Mechanisms for providing user, software, organization, and other pieces
> of information used in authorization decisions
> - Token presentation mechanisms and key bindings
>
> Additionally, the group will provide mechanisms for management of the
> protocol lifecycle including:
>
> - Discovery of the authorization server
> - Revocation of active tokens
> - Query of token rights by resource servers
>
> Although the artifacts for this work are not intended or expected to be
> backwards-compatible with OAuth 2.0 or OpenID Connect, the group
> will attempt to simplify porting from OAuth 2.0 and OpenID Connect to the
> new protocol where possible.
>
> While the initial work will focus on using HTTP for communication between
> the client and the authorization server, the working group will seek to
> take advantage of optimization features of HTTP2 and HTTP3, and will strive
> to enable simple mapping to other protocols such as COAP.
>
>
> On Jan 10, 2020, at 12:04 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> Hey
>
> I've written an alternative charter that I hope captures some of the
> feedback on Justin's charter.
>
> I found it easier to rewrite the charter to broaden the marketplace of
> ideas.
>
> Key ideas:
>
> - This work supports existing OAuth 2.0, and OpenID Connect use cases.
>
> - The client interacts directly with the authorization server.
>
> /Dick
>
> ----
>
> This group is chartered to develop a delegated identity and authorization
> protocol.. The use cases supported by this protocol will include widely
> deployed use cases currently supported by OAuth 2.0, and OpenID Connect. In
> contrast to OAuth 2.0 and OpenID Connect, where the protocol is initiated
> by redirecting the user's browser to an authorization server, this protocol
> will be initiated by the client directly interacting with the authorization
> server..
>
> Additionally, the protocol will allow:
> - fine-grained specification of resource access
> - the user to approve requests for identity claims and access to multiple
> resources in one interaction
> - web, mobile, single-page, and other client applications
> - taking advantage of optimization features in HTTP2 and HTTP3
>
> The group will define extension points for this protocol to allow for
> flexibility in areas including:
>
> - discovery of the authorization server
> - cryptographic agility for keys, message signatures, and proof of
> possession
> - user interaction mechanisms including web and non-web methods- token
> presentation mechanisms and key bindings
>
> Although the artifacts for this work are not intended or expected to be
> backwards-compatible with OAuth 2.0 or OpenID Connect, they will attempt to
> simplify porting from OAuth 2.0 and OpenID Connect, and strive to reuse
> existing semantics such as client identifiers, OAuth 2.0 scopes and access
> tokens, and OpenID Connect ID Tokens and claims.
>
> While the initial work will focus on using HTTP for communication between
> the client and the authorization server, the working group will strive to
> enable simple mapping to other protocols such as COAP.
>
>
> ᐧ
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>
>
>

v2.23.0 | Report a Bug | By Email