Re: [regext] id_token parameter usage in rdap-openid

2022-01-17 Thread Mario Loffredo 

Hi Tom,

please find my commnets inline.

Il 17/01/2022 02:07, Tom Harrison ha scritto:

Hi Mario,

On Fri, Jan 14, 2022 at 09:19:55AM +0100, Mario Loffredo wrote:

Il 11/01/2022 12:03, Tom Harrison ha scritto:

On Fri, Dec 17, 2021 at 11:54:57AM +0100, Mario Loffredo wrote:

Il 17/12/2021 06:59, Tom Harrison ha scritto:

I'm not sure that it's possible to remove the ID token parameter
from the document, at least as it's currently written.  If no ID
token is provided, then the RDAP server will have only an access
token to work with, and the RDAP server must treat that token as
opaque, since it's a relying party (only the resource server can
interrogate the access token).  If all that the RDAP server gets
is an opaque access token, then it won't know which authorization
server to contact in order to verify that access token, so it
won't be able to verify that the user is authorized.

In theory, RFC6749 does not mandate any specific format for the
access token but, in practice, many Auth 2.0 implementations has
elected to use JWT (see
https://www.rfc-editor.org/rfc/rfc9068.html#name-introduction).

Hence, RDAP clients would probably be required to send an
unnecessary ID Token.

But the relying party must treat the access token as opaque,
regardless of whether it uses JWT or similar.  From RFC 9068:

  6.  Privacy Considerations

 As JWT access tokens carry information by value, it now
 becomes possible for clients and potentially even end users
 to directly peek inside the token claims collection of
 unencrypted tokens.

 The client MUST NOT inspect the content of the access
 token: the authorization server and the resource server
 might decide to change the token format at any time (for
 example, by switching from this profile to opaque tokens);
 hence, any logic in the client relying on the ability to
 read the access token content would break without recourse.
 The OAuth 2.0 framework assumes that access tokens are
 treated as opaque by clients.

[ML] I think that in the sentence above the term "client" refers to
the frontend application that is normally used in the classic OIDC
pattern.

That's right.  A "client" that uses OIDC is referred to as a "relying
party" in the OIDC context, too.  In the draft, the RDAP server is a
"client" per OAuth 2 and a "relying party" per OIDC.


In that pattern, the client does not need to inspect the access
token because it contains only information useful for the resource
server.

I don't understand this point.  Even if the (OAuth) client might make
use of the information in the access token, the (OAuth) client is not
permitted to inspect it, and must treat it as if it were opaque.


[ML] What I meant to say is that in the OIDC reference interaction 
pattern, the RDAP server would act as a Resource Server. An RDAP client 
would act as a Relying Party.


Normally, the RP, that is a frontend for the RS, is a trusted 
application and it doesn't need to inspect the access token. On the 
contrary, the RS inspects tha access token to make access control decisions


based on some claims designed for being included in the access token 
such as groups, roles, entitlements.


In the draft, an RDAP client is normally untrusted so the RDAP server 
acts as an RP but we cannot ignore that the RDAP server is still an RS.


I think that both the OAuth and the OIDC actors was defined for the 
reference pattern so we cannot apply them to the draft pattern 
straightforwardly because otherwise we'll face some inconsistencies.


For example, now the mostly used access token format is JWT. Such a 
format is perfectly consistent with the reference pattern because it 
isn't normally exchanged outside a trusted context.


So, with reference to the draft, we cannot say that  the access token 
MUST be opaque but we can say that it MUST be treated as opaque by the 
RDAP client and, anyway, it MUST NOT include sensitive information.


In addition, we cannot say that the RDAP server MUST treat the access 
token as opaque because it is normally inspected by the RS.


Definitively, we have two patterns: the classic one that is likely to be 
currently used in practice and the one proposed by the draft that in my 
opinion should be harmonized with the former to make them coexist.


Hope I made myself clear.




On the contrary, I'm much more worried about what is stated in the
subsequent paragraphs of the same section of RFC 9068:

In scenarios in which JWT access tokens are accessible to the end
user, it should be evaluated whether the information can be accessed
without privacy violations (for example, if an end user would simply
access his or her own personal information) or if steps must be taken
to enforce confidentiality.

Possible measures to prevent leakage of information to clients and
end users include: encrypting the access token, encrypting the
sensitive claims

[regext] Call for agenda items IETF 113

2022-01-17 Thread Antoin Verschuren 
Hi All,

Ii’s time to think about agenda items for IETF 113 to see how much time we need 
for our meeting.
The deadline for requesting a meeting slot will be end of next week.
Jim and I are thinking to request a same one hour time slot as last IETF 112 
meeting, unless we get a lot of requests from you for new work.

So if you intend to request for a presentation, please let the chairs know 
before next Monday so we can make a good judgement.

Regards,

Jim and Antoin


___
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext

Re: [regext] CALL FOR ADOPTION: draft-flanagan-regext-datadictionary

2022-01-17 Thread James Galvin 
This CALL FOR ADOPTION is now closed.  There were no objections and 6 
indications of support from Stephane Bortzmeyer, Tim Wicinski, Jiankang Yao, 
George Michaelson, Dmitry Belyavsky, and John Levine, therefore the document is 
adopted for work by REGEXT.

During the call for adoption there were a number of details highlighted for 
review that will need to be addressed, as well as the following broad topic.  
The scope of the work - this document seems to suggest that it is limited to 
just DNS registration data and the discussion during the call for adoption 
suggests that the data dictionary has broader applicability.  This is a 
significant issue and should be addressed as the first item for this document 
in REGEXT.

With this message the chairs ask the authors to submit version 00 of a working 
group document, that is the same as the current document, using the following 
draft name:

draft-ietf-regext-datadictionary

The document authors must also identify a document shepherd.  If you would like 
to volunteer please let them know.

Work can begin as soon as the 00 is published.

Thanks,

Antoin and Jim



On 20 Dec 2021, at 9:27, James Galvin wrote:

> This is the formal adoption request for DNS Data Dictionary:
>
>   https://datatracker.ietf.org/doc/draft-flanagan-regext-datadictionary/
>
> Please review this draft to see if you think it is suitable for adoption by 
> REGEXT and comment to the list, clearly stating your view.
>
> This Call For Adoption will close on Monday, 10 January.
>
> If there are no objections, the chairs will consider this document adopted.
>
> Thanks,
>
> Your REGEXT co-chairs Antoin and Jim

___
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext

[regext] I-D Action: draft-ietf-regext-datadictionary-00.txt

2022-01-17 Thread internet-drafts 


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Registration Protocols Extensions WG of the 
IETF.

Title   : DNS Data Dictionary
Authors : Heather Flanagan
  Steve Crocker
Filename: draft-ietf-regext-datadictionary-00.txt
Pages   : 13
Date: 2022-01-17

Abstract:
   Multiple applications related to the domain name system are built
   around a list of data elements.  There is currently no unified public
   list of these data elements, nor is there an organized and
   independent change control process.  This document codifies the
   multiple similar but not quite identical lists of data elements into
   a neutral DNS Data Dictionary to be maintained as an independent IANA
   Registry.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-regext-datadictionary/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-regext-datadictionary-00


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


___
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext