IETF Logo Mail Archive

[GNAP] Resource Servers draft

Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 09 May 2021 13:59 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C65C33A0E1B for <txauth@ietfa.amsl.com>; Sun, 9 May 2021 06:59:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.098
X-Spam-Level:
X-Spam-Status: No, score=-0.098 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UX65fUJ3ZKIt for <txauth@ietfa.amsl.com>; Sun, 9 May 2021 06:59:57 -0700 (PDT)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 277063A0E1A for <txauth@ietf.org>; Sun, 9 May 2021 06:59:57 -0700 (PDT)
Received: by mail-wr1-x430.google.com with SMTP id v12so13873259wrq.6 for <txauth@ietf.org>; Sun, 09 May 2021 06:59:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:date:from:subject:thread-topic:message-id:to :content-transfer-encoding; bh=vP96Zlvce/wPLMmlxX46tLy5w177XjI02tDoXUxpux8=; b=JcqqpdjNN0cfkiS/le3YYpmHl1SNhCaPbW6LD7tXl5rA0Po9kqQZ+sE7D2PD0jDA6W ECtnvYMwz+1ZNenBQYMH9TLQa9X8Ce3KiHpUWQ6++vQ/j1mkS4i5qytJMriJq5FH6eDe fUuKQqGDWQJhDSBOb/I+y+tqmS9diNIVoLlZekDMGbywxMAjv6cbI/7IqvqiqRSywxI/ Ww6oTpwQZvt4Riz8DnfEWY9714e2fSrvW8y+mWsp788IOYavbI3prr7aRB20PhAITUlr mXO3MKyxhuq/wKimXgAYsfTlme+k31wSJo/44mDCMxjdVxlGVB42nlmzkt3ZO2O1GCXt Hc5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:date:from:subject:thread-topic :message-id:to:content-transfer-encoding; bh=vP96Zlvce/wPLMmlxX46tLy5w177XjI02tDoXUxpux8=; b=qqR9TEGuow+P5/WpltxJrX6x/mLyunh4kmSEvbjtxyFHDBvrb8fIDanFBgiTx+PrHM ww/UKz8mNRvik5/4bBQxQk/H83PMS7K7m2uLmv0KD+1pAXcKPzPGaVct0sOAZnKy6k7d ImSj4fijoChXsEXW9joDYh2jRweVUWOexYG2CJRyXpmmWlFYCEPmH3pAAB1Xp3Y7J+rX keDJ4IGGNWHP7OW+jzr3QQ1lfxvFIyYOccWk+CV6nFdi1ziUJHpL6wS9QaHgzAbOeP9t Tbo5HffvTFamiA8VFm+A9rij15CilWdxiH1YayLwmfVaXdydIwC9vUcKx7Lvr56B9N1t /R+Q==
X-Gm-Message-State: AOAM533htfK6ih9g7tRoO+/v8/SerGzJr5CUmIiPzOpoGh3w54AQYx7c YO5iCzKurW0GoB0xytPC5tHD8nfk40py0w==
X-Google-Smtp-Source: ABdhPJzCBckKl4Xb/h+0jrJwk81pmMR+Ekw22JstIbX0Ur6KZjZM8T57xUstaCOo9bObLps4mEKC6g==
X-Received: by 2002:adf:fe8e:: with SMTP id l14mr25372505wrr.305.1620568794722; Sun, 09 May 2021 06:59:54 -0700 (PDT)
Received: from INTUL183d7d6fa (pub-corp-42-8.intuit.com. [91.102.42.8]) by smtp.gmail.com with ESMTPSA id f20sm17199888wmh.41.2021.05.09.06.59.53 for <txauth@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 09 May 2021 06:59:54 -0700 (PDT)
MIME-Version: 1.0
Date: Sun, 09 May 2021 16:59:50 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Thread-Topic: Resource Servers draft
Message-ID: <8517AD16-92CD-7743-92CC-D8ABC4DAAEC9@hxcore.ol>
To: GNAP Mailing List <txauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/zhAJzOjDKEYOAqyUCm8pcOF_TBM>
Subject: [GNAP] Resource Servers draft
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 May 2021 13:59:59 -0000

Hi Editors,

 

Here’s a bunch of comments to the latest version (Editor’s Draft as of today). Please respond with what is easy to fix, and what I should open an issue for.

 

Thanks,

                Yaron

 

  • Abstract: better use more concrete terms than "piece of software". Even if this creates a dependency on the Terminology section.
  • Typo: by (AS).
  • "client-facing discovery mechanism" - I'm not seeing any client-facing protocol in the document (and it wouldn't belong here anyway).
  • Terminology: include a reference to the Terminology section of the Core doc.
  • Access Token Formats: IMO we should specify a minimal, generic format in an appendix, as a non-normative starting point for developers. It would be better than having each implementation make its own mistakes.
  • Macaroons, biscuits, other baked goods: add a reference.
  • AS Discovery: why do we need a "well known" URI? Either we use GNAP Core to pass the AS address to the RS, and then we could pass a full URI, or we don't, and then how does the RS even know how to find the AS?
  • Protecting RS requests to the AS: the RS, by definition, owns resources. This means that it needs to have a persistent identity, in addition to the (ephemeral) keys being presented. Otherwise (especially with TOFU registration) we could easily have Resource Servers squatting on other people’s resources. It is very hard to manage the mapping of RS to resources if we don't have such a persistent identity.
  • Token Introspection: it is not clear to what depth we are defining the API: is it only the existence of the "introspect" endpoint? Or do we define a minimal set of standard attributes that need to be returned? The API would not be useful for interoperability unless we define some of the returned attributes. At the very least: "active".
  • "client instance's request" - should be "Resource Server's request".
  • And we should add: the AS MUST validate that the token is appropriate for the RS that presented it, and return an error otherwise.
  • Typo: internal link to "token format".
  • IANA Considerations: the "well known" URL should be registered (BTW, it's a well-known *URI*). Also, please list the registries that we need to establish.

v2.23.0 | Report a Bug | By Email