Re: [Txauth] Client Registration (Was: Key handle vs client id & handle
Tom Jones <thomasclinganjones@gmail.com> Tue, 14 July 2020 23:26 UTC
Return-Path: <thomasclinganjones@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AB8E3A00B0 for <txauth@ietfa.amsl.com>; Tue, 14 Jul 2020 16:26:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BsIOPTUdfc9k for <txauth@ietfa.amsl.com>; Tue, 14 Jul 2020 16:26:23 -0700 (PDT)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EC043A0975 for <txauth@ietf.org>; Tue, 14 Jul 2020 16:25:31 -0700 (PDT)
Received: by mail-ot1-x333.google.com with SMTP id h13so78154otr.0 for <txauth@ietf.org>; Tue, 14 Jul 2020 16:25:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uSdaOlaK2Wh6QSTlwwgo1tNo0oVmI0BS+9v2Z4glG+E=; b=qXzXdT5EJXHRoaTcgOHH+jB7X/kKaIz3hWydl6rQurZLOqHDN3TXAIC/Lq3PD6s7yP 07qvO+hLglMYUoRYKXcecQ4KuUGWLFnUS/xmETmsknJmNBY56lAQHYAuKep8ZoEvNb0S v9/+GXIoauqjFIzqhioHB51l1rz/05A8sP3UTQpLTf9o0UpJ3yYzY0roS8kiTzU32tDg dNQE6GTu0dQbe3HFsKDQmaHcezFWqtNhUGBFfvd1mzWaYrjYoAPxUECiVywqFtkfeV7J Jcu2qH9dw2U3PRlO5mAHMmg/9HnHwoJJqQv8TNwJdokPxj2n3D3W6tdkbQHAoWat0xPM tqLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uSdaOlaK2Wh6QSTlwwgo1tNo0oVmI0BS+9v2Z4glG+E=; b=e2Edmvri+WcYuL9oZ7eVTAjCg5YZT++GmnN6SkpJlt9GabsSJ+jlx7niEd3n15u7Ea KfQtXDCaSxtsz5ePQBkjY5O5puE7xCPpjvNx7Hi8Uv9jseqUAhsBDXX8nkGHCsLcFc3Z sfekxHMhv9bZKUNZ+T+2UzRv9lz93HyMI8VWve74xHcaNTFKUpQxPwhkoN+5QEI2QFDY gzWmYCVyyqgycCC+YxLjCMYjZHZqeTkZKdqCZNVNAH/XrN/cE+WnaUq1A5535wlbEdUs BjrE2omLsj87UpmsxuTh3Xb+PrA30jsb1BtiJhaQ3gEfkRS5jkm7goXoOM9DyR4UGWy5 /orw==
X-Gm-Message-State: AOAM532bxPJho2e6caSRT9iPGRdL/BVNBEoubZQoEEKp6N53+qUUUJQs zhCuJP4cSONG58KMUu++zosqs2fwtI3vC3hb9mE=
X-Google-Smtp-Source: ABdhPJzvczawDioI7s91plasfxG92lWBAWHRWk0ekB1pSq+bObtoZpBsGKKKiTODdRzOKVrIQ48yw+avRY7bZhyUdwI=
X-Received: by 2002:a9d:66ca:: with SMTP id t10mr6056041otm.358.1594769130386; Tue, 14 Jul 2020 16:25:30 -0700 (PDT)
MIME-Version: 1.0
References: <29AAF03B-12B6-4E61-9BF4-EF951506931B@securekey.com> <CAD9ie-u8hT42pP0t2i=uuTt80fZA6ad03qGJnpWP79rGUcxR1w@mail.gmail.com>
In-Reply-To: <CAD9ie-u8hT42pP0t2i=uuTt80fZA6ad03qGJnpWP79rGUcxR1w@mail.gmail.com>
From: Tom Jones <thomasclinganjones@gmail.com>
Date: Tue, 14 Jul 2020 16:25:18 -0700
Message-ID: <CAK2Cwb68pUSY8kVYiSVF=i8HcaM+mMvu2gVyA4TjdnLh-i=Ehw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Mike Varley <mike.varley@securekey.com>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, Justin Richer <jricher@mit.edu>, "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000083f92e05aa6f1fbc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/zmoRzsR07fNYV4bRwr2wc3EG2G4>
Subject: Re: [Txauth] Client Registration (Was: Key handle vs client id & handle
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2020 23:26:27 -0000
I suggested earlier to use the entity statement of the Openid federation spec, but heard no feedback. Why not? thx ..Tom (mobile) On Tue, Jul 14, 2020, 1:00 PM Dick Hardt <dick.hardt@gmail.com> wrote: > (changing subject to reflect topic) > > In my opinion, client registration is in scope. > > In both XYZ and XAuth, the client can provide some information about > itself, and get back an ID it can use in subsequent calls. No one has said > that should NOT be in scope so far. > > Myself, I do support adding other mechanisms for a Client to share > information about itself with an AS such as software statements, or a URI > that binds a URI to information retrieved from that URI, and to the Client. > > I agree that we don't want to define software statements per se, but we > should refer to some standards so that interop between clients and ASs. > > /Dick > > On Tue, Jul 14, 2020 at 10:54 AM Mike Varley <mike.varley@securekey.com> > wrote: > >> Is client registration in scope for the protocol? >> >> >> >> A generic way of handling clients (via ID or Handle or Key or whatever) >> is to have processing rule on the AS such as “if the AS recognizes the >> client ID (and authentication of that client ID) then it may process the >> request on behalf of that client. If the AS does not recognize the client >> ID, it must treat this as a new client registration and evaluate any >> authorization evidence the client provides before enabling the client and >> mapping policies to that client” (this means dynamic or automatic clients >> need to provide additional assertions / software statements whatever to >> register their ID. >> >> >> >> Something like this allows for very flexible systems: >> >> System A can be unknown to the AS but can dynamically registered each >> time with an appropriate software statement >> >> System B can have a fairly stable client ID at the AS, but rotate that ID >> every month through automatic registration (with an assertion it got from >> the AS during a pre-registration for example) >> >> System C can pre-register with the AS for a client ID because it doesn’t >> deal with software statements etc… >> >> … >> >> And even ‘StatelessAS’ can operate by never storing client IDs because it >> will always just rely on the software statements. >> >> >> >> I think a client registration protocol that allows these scenarios would >> be very useful in GNAP, but hopefully avoiding having to define what >> ‘evidence’ the AS needs to accept for each scenario. >> >> >> >> Thanks, >> >> >> >> MV >> >> >> >> *From: *Txauth <txauth-bounces@ietf.org> on behalf of Mike Jones >> <Michael.Jones=40microsoft.com@dmarc.ietf.org> >> *Date: *Tuesday, July 14, 2020 at 12:18 PM >> *To: *Dick Hardt <dick.hardt@gmail.com>, "txauth@ietf.org" < >> txauth@ietf.org>, Justin Richer <jricher@mit.edu> >> *Subject: *Re: [Txauth] Key handle vs client id & handle >> >> >> >> I agree that there are significant differences between statically and >> dynamically registered clients and that’s appropriate to be able to >> syntactically differentiate between them at runtime. For one thing, the >> resource requirements at the authorization server can be very different. >> >> >> >> We should also be thinking about how to include what the OpenID Connect >> Federation spec >> https://openid.net/specs/openid-connect-federation-1_0.html calls >> “Automatic Registration”. This lets the client encode a registration >> request reference in the client ID, so no static or dynamic registration >> even occurs. See >> https://openid.net/specs/openid-connect-federation-1_0-12.html#rfc.section.9.1 >> . >> >> >> >> -- Mike >> >> >> >> *From:* Dick Hardt <dick.hardt@gmail.com> >> *Sent:* Friday, July 10, 2020 1:17 PM >> *To:* txauth@ietf..org <txauth@ietf.org>; Justin Richer <jricher@mit.edu>; >> Mike Jones <Michael.Jones@microsoft.com> >> *Subject:* Key handle vs client id & handle >> >> >> >> + Mike as he had interest in this topic >> >> >> >> My understanding is that an existing OAuth 2 client would use their >> current client id as their key handle, and a dynamic client (one that was >> not pre-registered) would be given a key handle by the AS. >> >> >> >> There are potentially some significant differences between a registered >> client, and a dynamic client to an AS. >> >> >> >> The AS is likely to know the identity of a registered client, and have >> different policies between the two types of clients. For example, a >> registered client may have access to a 'write" scope, while a dynamic >> client does not. >> >> >> >> The AS may have 100s or 1000s of registered clients, but a dynamic client >> may have 10Ms or 100Ms of instances, which may dictate separate storage >> services. Additionally, internal to the AS, which systems can write to the >> registered client store is going to be different than the dynamic >> client store. >> >> >> >> In XYZ, subsequent calls to the AS, both registered clients and dynamic >> clients pass a key handle, so there is no easy way to differentiate between >> the two. >> >> >> >> While the AS could embed semantics in the key handle identifier to >> indicate which identifiers are pre-registered vs dynamic, there are many >> cases where the AS does need to know the difference, so making the >> difference a feature of GNAP seems like a better path. >> >> >> >> >> >> This email and any attachments are for the sole use of the intended >> recipients and may be privileged, confidential or otherwise exempt from >> disclosure under law. Any distribution, printing or other use by anyone >> other than the intended recipient is prohibited. If you are not an intended >> recipient, please contact the sender immediately, and permanently delete >> this email and its attachments. >> > ᐧ > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth >
- [Txauth] Key handle vs client id & handle Dick Hardt
- Re: [Txauth] Key handle vs client id & handle Justin Richer
- Re: [Txauth] Key handle vs client id & handle Mike Jones
- Re: [Txauth] Key handle vs client id & handle Mike Varley
- Re: [Txauth] Key handle vs client id & handle Justin Richer
- [Txauth] Client Registration (Was: Key handle vs … Dick Hardt
- Re: [Txauth] Client Registration (Was: Key handle… Tom Jones
- Re: [Txauth] Client Registration (Was: Key handle… Mike Varley
- Re: [Txauth] Key handle vs client id & handle Fabien Imbault
- Re: [Txauth] Key handle vs client id & handle Justin Richer
- Re: [Txauth] Key handle vs client id & handle Dick Hardt
- Re: [Txauth] Key handle vs client id & handle Justin Richer
- Re: [Txauth] Key handle vs client id & handle Dick Hardt
- Re: [Txauth] Key handle vs client id & handle Justin Richer
- Re: [Txauth] Key handle vs client id & handle Tom Jones
- Re: [Txauth] Key handle vs client id & handle Francis Pouatcha
- Re: [Txauth] Key handle vs client id & handle Dick Hardt
- Re: [Txauth] Key handle vs client id & handle Tom Jones
- Re: [Txauth] Key handle vs client id & handle Francis Pouatcha
- Re: [Txauth] Key handle vs client id & handle Tom Jones
- Re: [Txauth] Key handle vs client id & handle Justin Richer