Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Internet Engineering Task Force / 112 / 11 Nov 2021
Internet Engineering Task Force / 112 / 11 Nov 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: IETF112-GNAP-20211111-1200

Description

GNAP meeting session at IETF112
2021/11/11 1200

https://datatracker.ietf.org/meeting/112/proceedings/

A

I apologize guys apologies uh to the audience uh we're having a few technical problems, we'll get started in one or two minutes.

B

Alessandra, could you give us a hand we're still having some difficulty on sharing the slides out of the data tracker.

B

Yeah in the meantime,.

A

Screenshow instead and let's get going.

A

All right.

A

So sorry about this delay and welcome everyone to the gnab meeting.

A

We'll start with the note 12 everything we say in this meeting is subject to the itf note 12.. If you haven't yet please, please read it carefully uh and pay attention to the ipr issues that are described at length.

A

Oh, I'm glad to see leaf joining hello leaf.

A

Still, no idea, though,.

A

No.

A

We are also subject to the itf code of contact conduct and, in contrast to other organizations where the code of conduct is purely around bias or anti-bias, which is a very important issue in itself.

A

The itf code of conduct is broader and it boils down to having respectful conversations with one another focusing on the subjects rather than the individuals. Please read this summary on the slide and I apologize for the font and.

A

And uh please uh go to rfc7154.

A

For more more depth on the code of contact.

A

Still not done was still trying to show the slides to meet echo uh in the meantime uh for audio and video, as you can see, metacore is uh working fine. Please uh keep your video off unless you're sharing unless you're presenting.

A

Please also use the video when you're asking questions to make for a better discussion and make sure you're, muted but yeah after two years of zoom. You know that.

A

No blue sheets, we already we've forgotten what blue sheets are by now. uh We do need a minute taker.

A

And in fact this is the point uh where traditionally, we stop and wait for a volunteer to take minutes. We cannot move forward without minutes and if you want to take minutes, um it's much easier for everybody. If you take it on hedge dock, which is what replaces etherpad so a collaborative meeting note taker volunteers, please.

A

Please either.

A

Activate your audio, or else just put it on the chat.

A

This is a good opportunity if you're new to the working group a good opportunity to get familiar with, uh with both the subject and the people. So please stand up and join us as a as a minute taker.

A

I really really don't like to call out names.

A

Thank you very much kathleen.

C

I'm happy to help. I just have to figure out where and how. I know you posted a link, but that wasn't a clickable one. So you'll have to give me a couple of minutes to figure this out.

A

The link is.

C

Actually, on the.

A

Main agenda where it's still called etherpad.

C

Okay, all right, I have it now. I just had to click an extra button that I didn't see at first. Thank you.

A

Okay, great, oh and here's leaf uh yeah.

B

Third, browser is the charm indeed,.

A

All right and most of the session uh will be around the uh the core protocol and the resource server protocol uh led by the editors, and then we have a 20-minute session for denis who has some concerns with the latest draft and has in fact published his own internet draft with his view on on how this should work, and so that's after we're done with the editor's part after the gnap meeting, uh feel free to join us on gather room 6 a good opportunity to get to know your your fellow members of this community talk to the editors talk to the church, and with that I believe by now we should have the slides uploaded.

A

So let me see if this magic works for me.

A

No, it does not leave for using the any short slides.

D

Or not.

A

You are not okay in that case, can is it justin is that you will be presenting.

E

uh Yes, I'm I'm gonna be presenting today. Let's.

A

See if you can screen share yeah, okay, so please screenshot yeah and you can go ahead.

E

Yep just give me a sec to clean up the desktop a little bit more and we should be good.

E

Okay,.

E

All right so there's that should be sending video there's the video all right. I you guys need to approve the screen share, request.

E

Give me one sec.

E

All right so uh because of this, I'm not going to be able to see the chat so uh chairs. Please let me know.

E

All right, okay, so can everybody see the uh the slide back?

E

Yes, here all right, fantastic, um okay, hi everybody uh good day. um You know whatever time zone it is for you.

E

I've got some nice strong tea this morning and um uh my name's justin and uh I'm joined today with fabian um co-editors on the draft uh aaron couldn't make it today he had a scheduling conflict with uh with something else, but um we, the three editors met, went over uh all the content of the slide, so he's got some stuff in here that we're gonna do our best to cover um the current versions of the draft.

E

Are the core protocol 08 and resource servers one um today we're going to go over all of the changes that have happened since ietf 111 um in the core draft? That's uh two full revisions. um We're going to talk through about the editorial and functional changes. Excuse me in that draft um the rs draft. We actually have not published a new revision since 111.

E

There have been a a handful of small changes and some uh you know some small issues that have been addressed, but the editors looked at the diff and it wasn't worth publishing a full revision because there's not a lot to talk about. There hasn't been a lot of focus on the rs draft, yet um more on that when we get to the uh to the roadmap. At the end, um we are going to take some time talking about some formal security analysis.

E

That's been applied to uh the map core protocol um and uh some attacks and proposed mitigations and the uh some of the other kinds of stuff. That's happening around the protocol.

E

um All right, uh if you download the uh the deck. These are our clickable links. um You can look at the diffs between uh six and eight. uh As I said before, the resource server draft is is the same version. um You'll see that most of the differences are in new sections that have been added for uh for trust, security and privacy. Consideration sections there's other stuff peppered through, but that's the majority of the text changes that you'll see there.

E

um We have merged 32, pull requests on uh core and three pull requests on the uh resource server draft uh in the last few months since the last ietf meeting um again, these are clickable links in the downloaded copy, um and uh this is just in the space between uh the the cutoff for draft publication for 08 and uh and today we have closed 55 issues with those pull requests, though um the editors went through and uh there was a lot there were a lot of interrelated issues that a lot of them boiled down to.

E

You know there's this specific uh issue that needs a discussion section and so that either went into privacy or security considerations. There were a bunch that were about the trust model between different parties. Now that all that's been added, we've been able to close a lot of those issues and uh five issues closed on the resource service draft as well um like.

E

I said, though uh no new publication, but you can see the editor's draft on uh the resource server uh from the github page, uh if you're interested in seeing any of that um all right on to the issues onto the pull requests themselves. um So these are all pull request. Numbers, um as you can see. Most of the uh most of those pull requests uh are what we would consider really editorial changes.

E

A lot of them uh came from folks in the community. uh Andreas and florian specifically um have contributed a lot of little changes where the text was not internally consistent. Some things were was referred to as a flag in one place and a value in another place, um or there were leftovers in the descriptive text from when uh the normative text changed or leftovers in examples from when the normative text changed.

E

um So lots of cleanup there's probably still a bit more to go, but uh thank you so much for um for those contributions. uh They are immensely helpful for making sure that uh the protocol actually makes sense and uh it speaks to people really reading through this document uh with you know an eye for fine details, which is a really really important thing for this stage of the document.

E

uh A handful of other things were truly editorial stuff. uh Either you know typos or misspellings or formatting, changes and stuff, like that um we've started to use this configuration uh called editor config to uh to hopefully minimize the amount of um sort of spurious changes from from the different editors and community contributors for uh things like white space changes and uh the the one that's always getting, especially fabian, and I is the um uh extraneous white space at the end of um at the end of lines.

E

um Our editors treat those differently our editing software treats those differently, so um we were running into that a lot until aaron added the editor config controls there and that will hopefully clean that up a lot we've also added a few contributors like I mentioned people that have been um putting in this work. uh We are very grateful.

E

uh You are, um you know, definitely contributing to the specification, um and I I really want to say that, even though these, like all of these pull requests, aren't, like you know, deep technical protocol edits and things like that. These are all really really important. um You know for the for the text to actually read consistently and read well to somebody that's sitting down and using this. So, thank you very much for that and, finally, the release and cleanup commit for draft o8.

E

So functional changes um in the protocol itself, uh the top uh three bullets are we're. Gonna talk about uh we're gonna talk about all of these, but the top three bullets are the new major sections. There's uh trust relationships and fabian uh is here on the call uh he'll be talking about that and how that works.

E

There's the security considerations section um and the privacy considerations section, um there's also a change that we've made a couple of changes that we've made to how the subject identifier is handled um and how the client instance identifier is handled.

E

These are largely continuations as you'll see um sort of building on previous work and making things making the protocol itself more internally, consistent and making use of, and taking advantage of aspects of the protocol that we have now that we didn't have in the past, um to you know, make things make make more sense to somebody hopefully make more sense to somebody sitting down and implementing it uh fabian. You want to go ahead and talk about trust relationships.

E

Please.

E

Fabian are you here.

E

All right I'll try to um I'm not hearing fabian, so I'm going to uh talk through this best, as I can all right. Oh, is that you go ahead. Yes, yes, oh.

F

Excellent, all right, yep.

F

um So, yes, we've been working on trust relationships, uh especially since um it was something that was expected for for a long time, together with privacy and security considerations.

F

So it's a new section section 1.4 and what we've been adding is basically the details on on what each party is actually doing and expecting from others um so detailing for each pair of of relationships like end user resource owner and user client and user authorization, server, et cetera, et cetera. So compared to the last interim discussion that we had for those of you that were present, we actually added the end user authorization server, a relationship in in the last draft or eighth.

F

um The general idea is, we are actually using promise theory. um So it's actually an alternative thresh model to produce iso descriptions um which is um actually taking the description a bit further in the sense that you're actually describing what each agent is promising to others and you're building the trust relationship. Based on that.

F

So that's, basically the part that you've got here, so trust is defined as an agent's expectation that the promise will be kept. Of course, there can be a lot of promises in our protocol, and so what you can do is you can actually execute each promise as as a base in probability. So it's not. uh The trust itself is not a zero or or one it's something that you're going to build up um and that's actually more um more looking into reality, not in that area, because it's not something. That's.

F

When you look at the entirety of the protocol, some parts may present some vulnerabilities, especially if you didn't implement security considerations in full, and so you can actually have something that you're going to be able to assess marginally, and what we want to do is to build a formal security verification based on that and, for instance, we've got some participation, that's planned for the oauth security conference in at the end of november, and so you can read through that. uh The entire description is available in in the give-up repository.

E

All right, thank you, and um the uh the one last bit that I I want to point out that fabian touched on is that uh one of the best things about this theory is that it's always about these relationships uh between the different parties. It's not just about the parties and a lot of the the early discussions about use. Cases in the protocol um were really about getting into what those relationships are, how they're formed uh how they're modified over time that kind of stuff.

F

Yeah something also interesting. Is we really tried very hard not to repeat ourselves between what trust this is about and what security and privacy configurations are about. So when we need that into a trust relationship here we actually describe what we link to to the parts which are relevant in in the rest of the documentation in the specification.

F

So we are trying not to repeat ourselves, which is otherwise something you would tend to do if you are not describing it like that, but of course we are really looking into your your feedbacks and but we think it's something interesting to to get into more detail.

F

Excellent.

E

All right so uh the next come on. There we go. The next big section is the security considerations uh which now now counts to 25 subsections um and, as you would expect in a protocol like this, uh that's security focused there's a lot of different stuff to cover here um and I'm not going to go into detail of every single uh bit uh in that section here on today's call, uh but we do ask the editors to ask people to read through this section, because there probably needs to be more subsections.

E

There probably needs to be more aspects that need to be covered about all of these different things, and um the editors do know that the organization of that section isn't isn't the best right now, I'm taking full blame for that. uh It's just kind of a one top level bucket at the moment we are. uh We are working on kind of organizing these into into categories, and things like that.

E

um But some of the uh some of the larger things that uh covers is that, um even though you're signing requests, you still have to use tls because signatures don't provide confidentiality in transit, but you still have to sign things because tls doesn't provide um identification um and your signatures need to be able to cover uh the message, uh the relevant message, content um in order for signatures and anything like this to be trusted.

E

You have to protect your keys if you're sharing the keys that you're signing things with with other parties, those parties can sign for you and you probably don't want that, um and uh and also if you're, using bearer tokens. There are no signatures uh with it. So anybody who sees the token is allowed to use the token, regardless of the contents of the token. So this is the kind of stuff that uh is obvious to a lot of practitioners in our space, but still absolutely needs to be enumerated.

E

um Then there's more subtle stuff, uh like the crypto algorithms and the uh the random number generator algorithms that you choose could have their own susceptibilities, uh their own weaknesses.

E

uh So, uh for example, uh if you're using um a bad pseudo-random number generation in order to generate some of these, um you know ephemeral handles, like the uh say, you're using a handle-based access token. um You know a reference-based access token, so no internal content or structure somebody could try to either guess or exhaust your access token space if you're not using a good, even random, number generator.

E

We also have a couple of uh sections that point out uh the ways that front channel redirects are kind of inherently susceptible to attacks like phishing attacks like session capture um and how aspects of gnapp um can combat that when used properly uh but still there is this notion of you are giving away control of the system to uh an untrusted party for a bit and then waiting to come back. So there's there is inherent risk in that that you need to understand before you just go start applying this.

E

um If you guys will remember earlier, in the year, uh we had some researchers point out um a uh a an authorization server mix-up attack against canap um and the mitigation for that is the interaction hash in the front channel, um and so we've got text. Now that describes why it's important to check that hash and all of the signatures on all of the various messages.

E

Along with the keys like, I said, exactly, these need to be binned and um I'm like editing the bins in my head as I'm going through. Even this list, um the uh pre-registering, your keys, uh solves some problems but creates other problems. uh So just because you know a key ahead of time, especially client instances key ahead of time doesn't mean that you can necessarily always trust it to not have been exfiltrated and copied and charity. It just moves the uh the focus of that trust, um which is something that's part of the.

E

uh The trust theory that uh favian was just talking about um using mutual tls everywhere, um doesn't actually solve a lot of the uh the problems that uh that it tends to get applied to um that people apply it for, um and uh so there's discussion about that and also different ways that tls can be deployed.

E

So you can deploy with a ca you can deploy with just explicitly trusting uh self-signed certificates and things like that, um and uh and finally, uh since we are, we do allow the protocol to um to touch complex things like identity assertions um processing. Those assertions has its own set of vulnerabilities.

E

uh There have been attacks against xml dc against saml against jose, and uh if you are working with those assertions that use those technologies, then uh you are susceptible to those attacks as well. So somebody could do a um you know, an ex an xml fork bomb attack against you, if they're just trying to get you to parse a saml assertion and you're doing it naively.

E

So um what this basically means is that, if you need to, if you need to work with these other data structures in these other formats, you also have to like really pay attention to all of the susceptibilities that they have and they they carry with them.

E

So there's there's other details. There's there's other security considerations in there uh the editors ask that everybody please go read through those read through them thoroughly. We have tried to uh add forward-facing links to uh the rest of the document um where appropriate, uh so so, where we have a normative discussion about something it'll say see: section 12.6 uh for discussion of different attacks or you know or whatever. um If there are other places that we can add those links.

E

If there are places we can add backlinks uh for uh greater explanations uh from the security considerations. uh You know please help us to do that as well.

A

Justin, unless you have a slide about it, I think this is a a great place to stop and mention the old security workshop.

E

Oh, we don't have a slide. Thank you yarn. um So the oauth security workshop is an online event. That's happening in a couple of weeks. uh I shut down my calendar, so it wouldn't pop up, but if somebody has the date, um um this is a free online event. um I will be presenting um sort of the uh the core structure of gnapp as a protocol uh fabian's going to be presenting formal security analysis.

E

uh You know a lot of the trust and security modeling of knapp. There um there's also going to be a lot of discussion on oauth and open id connect and uh related protocols. So uh it is a free event. It's happening in a couple of weeks. um You know uh if you can make it please do. um This is a place where a lot of very in-depth uh sort of gloves off discussion happens in terms of like well. You know, if you do things this way, then it's going to fall apart. So how do we?

E

How do we make sure this bit doesn't doesn't actually fall apart? um An app is in a really good uh position to be uh kind of part of this community. Now this is the first time that can apple is that can app is formally part of the oauth security workshop um um agenda and so we're in a really good position for this now, because, while the core protocol is fairly stable, we're not yet final, so we can still tweak things. We can still fix things.

E

We can still call things out as we're gonna be doing uh later today. So please make the security workshop. If you can fabian- and I will be there um and did anybody do- does anybody have the date or that or if it's in the chat? That would be great, you can google it too.

E

The link on the chat all right, perfect. Thank you uh kathleen. If you could add that to the notes. That would be perfect. uh Just the link um all right, so privacy considerations.

E

We were we, we are lucky in the itf to have rfc 6973 that actually lays out uh topics and uh sort of major categories um to analyze uh specification um and just like the security considerations. These are all things that you need to be aware of that. This is something that could happen. Sometimes it's it turns out. This is actually something that you want. Sometimes it's something that you might not have realized could happen.

E

So, on the surveillance side, you could be surveilled by the client.

E

You could be surveilled by the authorization server and those can actually happen in ways that you might not realize um you know, for example, if uh the authorization server, um we would expect that, uh as it's you know, by its nature, we would expect that to be able to know where you're making calls and things like that, because you're asking it for access tokens, but uh you might not expect it to have all of the exact uh information about like when you are making those calls and what calls you're making, because that's something the resource server might be calling back to the authorization server to get uh sort of policy decisions on.

E

So we laid out that type of uh information, um the the data that you're storing. um You know uh the shared references because of all the identity stuff uh that uh that can be added into gnapp um the references to uh to user information. um So an opaque identifier from an as if that's reused, across multiple systems and that's actually disclosing more information than um then you might expect it to. You might not expect two different resource servers or two different domains to know that you're, the same user.

E

And these are considerations that need to be made for pretty much all of the implementers in the system, so people are building clients, building resource servers, building authorization servers and the support components for for each of these kinds of things.

E

uh One of the ones that um that shows up- uh and this is this- is also going to be part of the security considerations- that if a client uses the same key to talk to the authorization server and every resource server, then all of those resource servers. Even if they don't know any information about about the user. They're just they're just serving some non-user related stuff. Those resource servers would be able to correlate hey, I'm seeing the same key used for signature that you're seeing so this is probably the same person.

E

This is this is the same piece of software, um and that might not be something that uh that the client actually wants. uh The client might actually want to hide that from those different systems, gnapp allows that hiding, but a developer might not realize that when they're sitting down and they might take the easy path of just using the same key everywhere, the same identifier everywhere, all the same sort of other information across all of these different systems.

E

And so that's why it's important to really call all of these out um for implementers to be able to make those decisions um as they go forward all right. So that's it for the major sort of trust, security and privacy considerations sections um I. I will pause before we get into the more detailed stuff. If anybody has um questions about these major sections uh because, as I said before, these are these are the major new sections uh to to the document.

E

So yarn in life- just let me know if anybody's on the queue or if I should move on.

D

It doesn't look like it.

A

All right, or maybe I will ask so just to get everybody on the same page. We obviously have two protocols. You talked about security and privacy, uh consideration two drafts. We, you talked about security and privacy considerations in one of the drafts, the core protocol. Can you speak to how it relates to the other one.

E

That, oh okay, fantastic question, um uh my apologies for not uh for not bringing this up, because you made the same point at the interim, so I should have remembered this. um These are all sections that have been added to the core draft. um The editors have not applied this um exercise to the resource server draft.

E

Yet um we expect that uh the resource server draft will uh inherit a lot of the uh considerations from the core and be able to point back to them, um but we do expect there to be additional considerations um that are going to be unique for uh for that uh draft and also things that you would want to go into more detail for that draft.

E

For example, um the resource server draft defines the introspection protocol, which is uh the mechanism by which an authorization server would learn that a given access, token is being actively used, add a bunch of different resource servers, and that is a trade-off of using uh introspection.

E

That might be something you actually want your authorization server to know in order to protect the users and protect the environment. That is its job, but it might also be something that you want to mask in some fashion um and or or avoid entirely by not using token introspection uh by using a structure token. Instead, um there are also going there are also security considerations for, if you're, using a structure token, what goes in a structure token versus what you don't return.

E

For example, I've done a lot of work in health care spaces where putting a user identifier in the access token is a gross privacy violation, because you do not want to allow these uh data endpoints to correlate a real-life person against a um a specific medical record, or um you know like a piece of medical imagery or something like that, um and they don't need that in order to function.

E

um So all of these kinds of trade-offs uh need to be discussed in depth in the resource draft, so we do expect there to be um additional stuff and expansion of stuff inside that draft, but we haven't. We haven't really gotten to that part. Yet.

A

Okay, thank you, there's, no one else on the queue. So, let's move on.

E

Fantastic all right, so symmetric cryptography. We had uh we had a lot of discussion back and forth in github and a bit on the list about this and uh what it boils down to uh the way that we have it right now is that it is allowed, but it is restricted. uh A lot of the reason that it's allowed is that the underlying crypto methods um allow for symmetric cryptography.

E

So it's a little. It would be awkward at best and silly at worst, for gnap to uh to attempt to disallow something like that. um What we do disallow, though, is using gnat for symmetric key distribution, so knapp's mechanisms for introducing keys uh by value um are only allowed to be used for uh for public private key uh crypto.

E

um The reason for that being obvious, if somebody has your symmetric key, they can actually go and do things uh you're only allowed to pass around key identifiers how you set up those identifiers is up to you uh you, but we have text now in security considerations, which explains some ways that you might actually want to do that some things you can consider uh like key derivation uh functions in order to get to asymmetric key.

E

So you can pass in an identifier run that through a derivation function to get the appropriate key in the right place.

E

um You can do things like uh use a key escrowing service uh to actually do all of the crypto for you, so that your code never actually sees the key, and you are locked out to only do verification, for example, um and you never actually see the key for that, um and um what we wanted to make sure was that there are ways uh for people to do this to not do it naively uh and not approach this in a way that uh that leads people to believe. Oh symmetric is easier.

E

Therefore I'll just do that everywhere, um and we wanted to get away from defaulting to shared secrets in the way that oauth2 does now oauth2 defaults, not only to shared secrets but shared bearer secrets, uh which is even worse, but um so we're at least we're at least away from that. uh However, there are some big drawbacks to using symmetric crypto, but there are enough compelling use cases uh where it would be useful to do that.

E

The editors are very interested to see how something like um hpke hk, the hybrid key thing from cfc cfrg, wow alphabet soup. Sorry, um uh the the hybrid key uh hybrid public, key encryption hpke there, it is- um could be used uh as a key derivation mechanism inside of knapp and how that could be potentially signaled on top of the existing um crypto methods, because that's really a key agreement method.

E

um But uh we we haven't profiled that we haven't seen anybody profile that yet um I think it would be really interesting to see where that might go um so pause here for a moment on symmetric crypto.

D

Nobody's running to the mic.

E

Thank you all right. The next thing that we changed is we used to have this thing called a user handle, um and the idea with this is that this was a special piece of information that the client instance had that it could send to the as to say, hey. As far as I know, this is the same user that has been here in the past.

E

um That's something that it kind of came in from uma and um with the persistent claims token, um but knapp goes a lot further in handling the identity uh and user-facing stuff.

E

What we have now um is a way to exchange opaque identifiers uh using the uh the subject, identifier, format from the security events working group, um these opaque identifiers we realized a bit ago- give us all of the power of this, uh of this special user handle construct that we had had previously, um but without inventing something new. So what we ended up doing was we took out that part of the protocol but didn't actually lose any of the functionality um of being of allowing the client to say hey.

E

As far as I know, it's the same user, because now the client can be told this user has this identifier according to me, the as and the client can just echo back hi as as far as I know, it's the same person now the as can take that and as with anything in the in the user section of the of the request. It can either trust that the client is probably telling the truth there and the client's probably correct, or it can say.

E

I don't believe you and I need to talk to the user myself and that's where the whole interaction thing falls through. And um but this is. This is just one of the ways that we've been able to kind of um shrink the protocol a bit without shrinking what it's capable of doing. We've been able, if you, if you've, been watching uh the changes of the protocol over the last six to nine months, or so um you you've, probably seen. We've been doing a lot of that.

E

We've been uh cutting out a lot of these like little special pieces and uh we've been able to use just sort of the core functions of the protocol in ways that still make sense.

E

um Part of that is that we now removed there was this whole handle discussion, uh because the original uh id uh that I had called xyz um had all sorts of different handles for all sorts of different things, so this user handle is now this opaque identifier uh about about the subject, the subject identifier, the resource handle that now is information that comes from the resource server um and that's something that's covered by the resource server draft. Now. The last thing that we have is also no longer called handle.

E

It's the client instance identifier, um and so we're actually wondering. Could we even simplify that we have an open issue for um trying to figure out uh dynamic, client registration management over time and that kind of stuff? This is really where this type of instance, identifier, really comes to play. As a reminder, this is an identifier that the client can use in lieu of presenting its key by value and all of its sort of display information by value that the as can dereference.

E

However, it likes to figure out that this is the piece of software or the instance of software. That's calling me right now, so we have a way for that to be provisioned dynamically sort of built into gnab, but could that actually be leveraged? To do things like allow the client to update itself over time, allow the client to rotate its keys over time, we'll get to that in just a moment. um So we think that there's there's more, that we can do with this.

E

That would actually simplify this entire handle discussion even further by using mechanisms that are really already built into the the protocol itself, all right now on to the formal security analysis, um and uh this is something that uh that the editors received an email about these are a couple of things that the editors received: an email about uh some researchers, um I'm terrible with names, but it's florian hemmerschmidt.

E

I think it's not personal, I'm honestly, just really bad with names and colleagues uh were um we're doing analysis of of gnapp in light of a lot of analysis, taking basically applying a lot of analysis. That's been done to oauth and uh related protocols, and so um with this they have figured out that there are some ways to exploit knapp um that are uh that do carry over from oauth.

E

um This shouldn't be particularly surprising, there's a lot of uh there's a lot of similarities, um and so now it's our job as a working group to figure out what our mitigations for these are going to be, and uh before I go into this, I want to remind everybody that the mitigation could uh can be um a change in the protocol. It can be a uh behavior recommendation. You know, don't do this bad thing that leads to this bad situation, um or it could just be a heads up if you're going to use this option.

E

This is something you need to worry about right, so the first of these is called the cuckoo token attack.

E

The preconditions for this attack are that the client instance is um talking to is able to talk to two authorization servers which in geneapp is not crazy, given sort of the dynamic first nature of the protocol, um but the client has decided to use the same keys when talking to both authorization servers again. This is a pretty reasonable, naive implementation of a client instance. You generate one key and just use that everywhere.

E

The interesting thing here is that the client instance gets tricked into using the attacker's authorization server in order to get a token for a particular resource server. So this can happen in a multitude of different configuration ways.

E

We saw this in various flavors of mix-up attack in uh against openid connect, where somebody points to the token endpoint of the attacker server and the user info endpoint of of the legitimate server, for example- um and the interesting thing here is that this attack actually works for keybound access tokens. It doesn't assume um bearer tokens.

E

um What happens is that the attacker manages to get a hold of a keybound access token, but not the keys. For that token, and then they replay that token to the client to the same client from their own authorization server um in order to uh in order to trick the client into using that token, with the key at the honest authors at the honest resource server for the attacker right, um this makes a little bit more sense in a diagram.

E

The access token here probably represents an end user. That is not the attacker, but the attacker has control over the client instance in this case. So this client instance is probably something that talks to multiple users as well, something like a web server or something like that, where it's using the same key to talk to multiple asses, so the attacker goes and pokes. The client instance and says: um go talk to my compromised as and the client instance does so, and it makes it makes its request.

E

And then the attacker's ask says: hey use this access token, with your key. The trick is that that access token is the token that the attacker stole from somebody else's account. Now the attacker can't use it on their own. They don't have the keys to just start using it, so they need to trick the client instance to use it for them.

E

So now that now the attacker has a client instance in it. That's in a state where it's got the stolen access, token that it's going to use with its own keys, and then it's going to use that at the resource server to get stuff representing whatever that access token was good for that the attacker doesn't actually have access to now. Remember the attacker controls the this as in the red over on the right. So you know they're not getting.

E

uh You know, they're they're not really being prompted for approval and all of this other stuff, it's it's their server um and it's spitting out the stolen access token. That then, is getting used on the resource, which is then releasing that, in the context of of the client instance that the attacker controls right. um So this is a problem. uh The editors have uh looked through this and talked uh talked with us a bit um uh about this with uh the researchers, and these are the proposed uh mitigations.

E

uh We're not now to be clear. We're not saying do all of these, um but these are possible things that we can do now. The client could send an identifier to the resource server. That says. Not only is this the token this is the authorization server that I got it from. This is the mitigation that is proposed in the paper uh on oauth.

E

This is a protocol change uh for token presentation. uh The client does have to track and send more data each time, um and the rs now actually has to check these for consistency. So it needs to know that this is a token and that this came from a specific authorization server and things like that. That might not always be tenable for a given uh resource server, uh depending on you know, network latencies and um and topologies and other things like that.

E

The biggest downside to this mitigation is that it is protocol change and more moving parts that would need to be tracked. The next mitigation would be to tell the client to use different keys with every authorization server. This might honestly just boil down to. This is actually a best security best practice.

E

This breaks this attack, because when the client calls the attacker's ass, it uses a different key, and so when um the resource server sees that access token, it's going to be checking it against the key that it was issued against from the good authorization server which the client won't be using it'll, be using a different key to sign that, and so the resource server will just naturally reject this. This is something that is mostly security. Consideration could even be normative text.

E

For you know, a client instance must use different keys uh somewhere in the up in the keys and security section, but for the most part it would be a security best practice that we would tell client developers to do.

E

um The next uh mitigation would be for the client to have a very strong binding between a resource server and an authorization server. um This stops the attack, because now the attacker can't convince the client to use the attacker's authorization server again. This is largely security consideration.

E

There are some discovery, runtime discovery aspects that can help this, so the rs first data dataflow, for example. um We, the editors, would like feedback from the working group. We will bring this uh to the list with more details uh for consideration.

E

um At the moment, the editors are leaning towards um adding uh text for the bottom two bullets uh in order to um mitigate this particular attack.

A

Before we move on, I see that we have.

E

Florian with.

A

Us so florian. If there's anything you'd like to add about the attack or the mitigations, can you please speak up.

G

I don't have anything to add, I think uh he explained it quite well.

A

Thank you, florian yeah,.

E

Thank you, and, um and uh just just as a side note, just as we did with the uh the mix-up attack that was uh previously discussed here in the working group uh once this is a you know. Once this is a published paper, uh we will gladly add it as a an informative reference in the document and link to it from the uh security consideration sections all right.

E

Next up is just an http, weirdness mechanical attack, um it's it's known against uh oauth2 and is already being incorporated to oauth 2.1. So we honestly just just need to do this um if you're using an http 307, there are cases where it will cause uh a post that was sent with a 307 being sent back to be reposted to the page that you're sent to the page that you're redirected to and depending on how you've implemented your site.

E

um This can leak information in including credentials uh user credentials so say, for example, um just give you an idea how how serious this could be um say, for example, you've got things set up so that you have a a form page that has that prompts the user for just keeping it simple, a username and password and ask them whether or not they they approve the decision.

E

You submit that as a form the as processes. All of that all in one go and says: yep, that's correct! I'm going to return you to the client instance and I'm going to use a an http 307, and it does so at that point.

E

Your browser could actually take everything from that form, including the username and password, and send it as a post back to the client, which means we have now leaked uh the end users credentials to the client software, which is one of the main things that delegation protocols are trying to stop happening.

E

So we need to be stricter about which http things are allowed to be used on all of the redirect based systems, and we need uh security considerations on that. uh Florian's already uh submitted some text for uh part of this. um We need to add the normative uh discussion for this as well, and the editors need to review that pr uh to make sure that all of that is in uh all of that is in the right place, um pretty straightforward attack and mitigation.

E

uh For this, like I said it's well known in the oauth world, not really surprising here, it's just you know we, we didn't have text for it. Yet uh any questions on the formal analysis pieces before we move on.

A

We had the question.

G

From padramadron.

A

Okay,.

G

Yes, hi. um I have a question on the second mitigation that you explained on page 17, so that was to basically use a different key for each a s and how would that work when using mtls, for example, because um that's basically on the tls deck right? So that would mean that um that the client would need a domain for each um as right.

E

um Yeah so.

E

It's it's harder if you're doing mtls, but not impossible, because one of the things with mtls as it works in canap, is that you don't necessarily have to use um a ca to uh to verify the certificate at the rs, because, ultimately, all that the rs cares about is that the certificate that's used is the certificate, that's being um that's being presented uh alongside the token right? Is the certificate that's supposed to be used with the token?

E

um You make a very good point, though, that and I'm I'm going to write a note right now to make sure that we talk about um uh different keys uh in mtls as part of that uh security consideration.

E

Thank you for that, um because it is possible, but uh mostly if you're, using uh self-signed certificates, if you're in an ecosystem, whereby uh the client has a registered certificate or has a pre-registered key that all asses will will know which happens in a bunch and a lot of different ecosystems, uh then you know you're not going to necessarily be able to do this. uh This mitigation and, uh and that does need to be called out.

G

Okay, thanks.

E

All right, thank you great question, though,.

E

Believe it or not, as an editor, I actually really love it. When people poke holes in these things, um it means people are paying attention in the in the right ways all right. So that brings us up to uh yeah we're at the top of the hour, and we've got some items for discussion.

E

um The editors met about um over the last few weeks, and uh this is what we are proposing to do. So these are kind of the next, the next major things that um that we're going to be doing pretty much between now and ietf 113 in the spring, which, hopefully maybe we'll see each other in person we'll see.

E

uh The biggest thing is that we're going to continue processing the issue backlog. um We went through these issues and uh realized that there once again were a couple of sort of major categories um that would each take care of sort of a you know a a chunk of issues at once, um and a lot of these are stuff. That's been sitting around for a long time, and it's just.

E

We just need to make a decision, have a discussion and move forward or have a discussion, make a decision and move forward. That's probably a better order, um and uh we just uh in a lot of cases. It's the issue is just like. Should we do a or b we need to just decide a or b or figure out, if there's a c out there um and I'm going to go through all of these uh all of these now so ellen by the way, please go. Look at the issue.

E

Trackers, there's lots of good stuff in there um first off uh there's a there are a bunch of issues that amount to what's your, what you're allowed to send and not allowed to send at each step of the process.

E

um So gnapp defines an api for managing these grant requests over time, and there are a lot of things that are that make a lot of sense in the initial request. That probably don't make sense in a continuation request, but we need to decide. Is it not allowed? Is it undefined? Does it have a specific?

E

um Does it? Does it have a specific semantics applied to it if it is allowed um and we need to kind of come down on what makes sense and what doesn't, because right now, we've got this kind of large there's a request, object, there's a response, object and stuff can just kind of show up, um and that leads that type of definition leads to uh weird corner cases where you end up with combinations of things that you didn't anticipate and we want to make sure that we don't have those as much as is possible.

E

um For example, are you allowed to send the client object on a continuation request? What does that mean? Does that mean that you are changing the display text? You are swapping out one client for another that shouldn't be allowed, but what is what does it mean to even send this? So should this actually be disallowed when you get back an interaction reference from the interaction finish method, are you allowed to send that multiple times or is that a one-time use or is that the client can only send it once?

E

But it's item potent at the as the oauth working group is actually tackling something very similar with the authorization code right now, so we're also paying attention and getting involved in those discussions, because a lot of the experience of wisdom with that is getting applied here.

E

um The interaction start methods right now kind of say that you're only supposed to do it once, but uh that needs to be made a lot clearer right. uh We've got probable answers to most of these kinds of things. What we're going to do uh is we're encouraging people to go um through the issue. Tracker we're going to go through these and propose text to close them and get discussion on uh sort of what closing it in this in a particular direction, actually means and move it forward.

E

So these will be protocol changes, but more so making the protocol more tightly defined. To say that this is what you're allowed to do in this. In this instance, key rotation. It keeps coming up uh in all of these conversations. We don't have a solution for it yet, uh except that we do have feedback from the working group that this is something that we want to do.

E

The editors have uh have come down with what we think is a probable direct, probably a good direction, and that's to tie the rotation mechanism to the key presentation type, because the way that you do, the type of um you know multiple key presentation and sort of signing the keys and stuff like that um uh ben has a post on the list from over a year ago.

E

Now I think that that talks that talks about this, uh the way that you present keys in a way that is uh that is trustable, um is going to vary depending on the type of key that it is, and the type of presentation mechanism that you have so previously.

E

One thing that's been kind of hanging us up is that the editors have been kind of waiting or trying to figure out. If there was this like one grand unified scheme of key rotation, we think that there might not actually be that it might be uh simply tied to the different presentation mechanisms such that with http sig.

E

You add multiple signatures and you sign the key value for as part of one of those signatures, and then you signal that, within within the protocol itself um with jose, you can wrap jose objects, you're, probably using jwk's as well. So you can sign the jwk values with the other keys things like that.

E

um What we're going to do is once again we're going to uh propose text that defines these and then applies them to all of the different places in the protocol that can use key rotation so for client instances and access tokens and grant continuation, which is a form of access token, um and we're going to try to use as much of the existing infrastructure.

E

That's in the protocol uh as we can in order to do this. We don't want to invent a lot of special stuff uh to handle this. If we can, because we've already got a lot of um complex security pieces in place, we want to be able to use those.

E

We want to be able to um to leverage that as much as we can, and um so we will propose text for these over over the next couple of months, as we can um in order to to kind of get what that uh actually looks like uh this. uh This does also uh touch on this same area as before of how do you even rotate keys, if you're doing mtls, uh you might just be doing pki, but if you're doing self-signed certs?

E

How are you even gonna be able to do that? We're not sure yet, but we're gonna, or maybe that's something you just you're not able to do in that case, if you're using that mechanism, that's a trade-off um that you can't dynamically rotate unless there's a clever way to do this that we haven't figured out yet anyway, we're going to be proposing text for uh for discussion on that. uh Look for pull requests for that.

E

Another very big question that needs to be answered, uh especially in the core protocol, is what is mandatory to implement.

A

We have a comment from the queue you, oh sure.

C

My thought on this: isn't um it's just to uh hit on the the key problem. Have you looked at acme and I I actually have a client draft to do code signing certificates, but it establishes different authentication mechanisms. The authors of six store, so it's um being used for code. Signing certificates are looking to add open identity into my client draft, and so there might be. While your solution is not the same, there might be enough ties that we could do something for the fast issuance of certificate, so basically they reissue.

C

The goal for them is to have certificates that last a few seconds so that in their instance, yes- and they use a transparency log which is already present in acme, um so their goal is to have code signing certificates that are used once right and so there there could be some ties here. So I can definitely hook you into that and um I actually had already said to them if they needed review on the open identity pieces, that I knew somebody which I meant a lot of you on this list.

E

Yes, and I'm I'm guessing, that is the draft that you emailed me about about. The code asked me to review. um I haven't read the draft yet, uh but uh I I thank you for that. I had uh I had not made the acne connection to mtls. That is a really really good idea. um So, uh if, as as much as we can point to existing tools existing uh structures, we should do so here. We should not be inventing um special stuff inside of uh inside of canap. So thank you.

C

For that, I should be getting a text proposal to add uh what they need for open identity into the.

E

Client.

C

Draft, so um you can even start from there and wait for them to provide something and my child, because I'm taking notes and he's off today is eating all of his halloween candy. So you guys owe.

E

Me a week thank.

C

You because I'm gonna have a hypey hit after this.

E

Good luck! Good luck! Kathleen!

E

All right! Thank you for those pointers. uh We'll definitely look into that. uh um I can say that the acme didn't come up when the editors were uh discussing this. So thank you for that pointer.

E

We will uh we'll definitely dig into that uh for the uh mtls and really just the certificate case in general, um great idea, uh but this is exactly the kind of thing that um this is why we want to go in this direction um of having a different mechanism, that's tied to the presentation type uh to the key presentation type, because um it allows us to do things like this to say, like oh you're doing mtls, then you know you've got different considerations. You've got different tools that are available that aren't elsewhere.

E

um So now that's great all right. So um anyone else on the cube, like I said, apology that I can't actually see chat or the queue no, no one, all right um so uh knapp is designed to be very, very flexible. Everything is.

E

People have argued that everything is optional, um but one of the key design differences with knapp is that it is built around this whole negotiation aspect, so you negotiate uh sort of the parameters of the transaction at runtime or you're able to negotiate that at runtime. By saying like this is what I can do. This is what you can do, and then you figure out the overlap, and sometimes there is no overlap, and the answer is no, but we need to answer beyond that sort of core negotiation piece.

E

Are there a set of features, uh or is there a set of functionality that would be mandatory to implement?

E

So is an authorization server required to um always provide continuation, or you know, is capable of providing continuation of the grant request, for example, um is a client instance uh required to do a uh be able to do a an http message, signature um as a baseline, um even if the as can support other things. um You know what are the kinds of things that the two people building map that are from sort of different spaces?

E

What can they expect to work when they plug things in together um and that's the kind of question that we need to be able to uh to answer? We don't have anything for that in the draft right now.

E

There is one uh one possibility here um that I know uh leif with his uh saml profiles. uh Background is gonna. Love uh is that maybe we have what we call gnap interoperability profiles, so we have the redirect based web application profile of gnapp. That says, do http signatures use the redirect uh authenti our interaction start and stop methods, and you know things like that. We already kind of described these kinds of profiles in the examples in gennapp.

E

So the question here is not really the just uh whether or not we talk about these. It's, whether or not we kind of formalize these and say that when you're doing this, if you declare you are this type of gnap client application, this is the kind of support that you want. uh Open. Id connect um has had a reasonable amount of success, doing this with its different client profiles. So maybe that's something that we can leverage here.

E

um And mti, of course, brings us sorry go ahead, putting myself on the queue and absolutely.

A

Heads.

E

Off.

A

I think we should have mandatory to implement features for sure in the core protocol, I'm very skeptical about interoperability profiles. I think you're very likely to end up with esoteric profiles um or else not think about what ends up as your most important profile.

A

So if we ever do profiles, maybe as a separate draft- but I don't think that's even necessary all right.

E

um Thanks john and one of one of the other things I will say with openid connect in particular, we've seen that a lot of the most successful functional profiles have actually come from um industry vertical groups, so open banking initiatives say take these specific features of openid connect and use it in this exact same way, and that is our profile for our vertical in our group, for everybody to plug everything in together, um that's stuff that is not controlled by the openid working group and openid foundation.

E

So there might be something like that that ends up happening with canap. We might see something else. I don't know um so. This is this is a set of things where the editors we are looking for feedback on.

E

um If there are things that are mandatory to implement, we do think that there probably are what are they and why are those mandatory? uh You know what what is driving this, because we also don't want the mti features to be things that people just have to implement and nobody uses.

A

And we have caslin on the queue.

C

Go ahead, sorry, I was also trying to write down minutes um so to tack onto yaron's points on the profiles. There are some other protocols that have gone heavy into the use of protocol uh profiles that are maintained in some central way and it's hurt adoption um and then the comparable protocols.

C

So so the uh the comparison here is um the sticks versus misp and those are information sharing protocols, so sticks is a really robust and full explanation of every way you can possibly shape information to share and because of that, there's multiple ways that you can do the same thing and so they needed profiles.

C

But then you have to check that you know centrally managed profile. Misc went the other direction and it has much higher adoption where it has a really slim core and then individual groups can create their own extension points and that has a much higher success rate in terms of adoption. So just um just a consideration point um you know, and- and that goes along with the theme of you- simplifying and using additional additional constructs right going more the direction that mist went.

E

All right, thank you, hope that helpful.

E

Sorry, what was that.

E

I thought I had hurt someone else all right, so um mti leads us to uh very naturally to extensions. uh There's been uh some stuff that we've pulled out of the core over the last year uh said that you know this is really better fit. As an extension, people are going to invent things that we haven't thought of here in this working group. um We've left a lot of spots of the protocol, which could be extended, but we don't really have discussion in the document about the right way to extend all of these different pieces.

E

uh So this goes beyond the fact that we just we need to write the iana registry section for a bunch of these bits, um but we need to. uh We also need to consider how things can be extended. So, for example, we anticipate that adding a new field in the request and in the response is something that people are probably going to want to do um that. Those are really natural places to put things. So what are the requirements for doing that? Like um you know, is it?

E

Do we give guidance to say this should be orthogonal to other functionality? That's already in there. uh It can't override something that's in another field, but how do we actually talk about that? Another thing, that's possible. Is that defining a different data type for an existing field, so, for example, this is a terrible straw. Man example, but, for example, say somebody wants to define behavior for uh sending a boolean value for the access token field. In a request.

E

I don't know what that would mean, but let's say we have an extension that does right now. The access token uh value is defined as either an object or an array of objects. So um what is it? What does it mean uh when you get a different data type there? uh Do we even allow extensions to do that, or do we lock down and say existing fields and existing data types? This is everything that's defined.

E

um We need to. We need to decide that um if you don't know an extension, are you allowed to ignore it? This seems to be reasonable until you realize that some of these extensions are going to be security focused and therefore it's actually dangerous. If you don't know the extension and and follow it, um but if you, if we do have logic that says an unknown extension, is ignored that actually influences how extensions get written uh such that um you know, the security properties uh do actually get added um in sort of the right.

E

The right ways, so pixie and oauth, for example, was uh was built in such a way that um if you ignore it, you don't get the benefit, but you also it doesn't make it worse.

E

um There are lots of different um things that are sort of other natural extension points, so the uh end user claims um so the uh the subject types, for example, the access data types. These are things that we've discussed, that there is already text in there for, but um we need to. We probably need to expand the discussion on all of these, um and probably one of the one of the hairiest bits is the whole interaction method and specifically the combinatorics of the start and finish methods.

E

So what does it mean when I use these start methods? With this new finish method?

E

Can I define another thing inside that interaction block beyond start and finish and hints? um You know because I feel, like my extension needs to go, do something else. That's not one of those things. Do we allow that, or is that part locked down um all of these? The editors think that we have an idea of what the right answer ought to be uh for a lot of these kinds of things um that all needs to get written down and, uh and the working group needs to discuss what we really want to do here.

E

So, as with the other things, the editors are going to be proposing text proposing discussion on that text and figure out. If that's the direction we want to go or if we want to do something else, all right, jose is used in exactly uh two sections in the draft right now: uh they're both key proofing mechanisms, there's the detached your ws header and the attached jws header, which you use when you have a request body and you use the detached jws header when you don't have a request body, so they really do stick together.

E

um These are the only jose dependencies in canapcore, so uh we brought this up during the key proofing discussion a while back. uh Should these really be used, uh should these really be their own spec, um and could these even possibly be used outside of canap? um You know these. These are these key proofing. Mechanisms are things that are general use. um You know we didn't invent http signing we're using that draft from the http working group.

E

uh This is something that was kind of invented uh in an earlier version of xyz um that got pulled into into xyz and axoth uh that got pulled into canap, and um so should this be pulled out into its own thing um as uh extensions for uh key mechanisms, and if so is that in the cap working group is that its own own draft? Is it something we adopt? Is it something we just let exist out there?

E

um That's something we need to decide back. When we had the key uh the keyproofing method discussion, there was not a strong feeling um to keep it or to remove it. So the editors took the more conservative approach of leaving it in there for now. uh In order to have this future discussion now that now that the rest has settled more.

E

And then um speaking to.

A

Move on okay, again, oh yeah go.

C

Ahead, sorry, I'm not more active on list because I probably could have uh provided some of these comments there. My take would be to include it in a draft because then it's part of the core protocol. If you put it in a separate draft, it becomes optional.

C

For other functions, I I think it's important to leave in the draft and that's a differentiator from oauth right, because you'll have the security bit right into the protocol, as opposed to you know something that has to show up in owasp lists on how to secure the protocol- and you know, vulnerabilities with the protocol- just bake it in.

E

Yep. Thank you for that kathleen uh to be clear, uh the http message signing and mtls keyproofing mechanisms are staying in court. There was. There was really strong support for that, so those two are absolutely staying all of that discussion. All of that is there and uh those may even uh end up being what's mandatory to implement. The question is just about the two jose based mechanisms um and not the uh not the key proofing in general.

C

So I guess if you have the actual function in another draft, but it's called out in the core draft that it's mandatory but then you're creating a dependency on that other draft right. So I think that would be the question, but I do think it's important to keep it in the core draft, either by reference as it being required that it's there okay um and then you have the dependency on publication.

E

All right, so you all right so just just to summarize and make sure I understand it. Your your take is that the jose mechanisms specifically should be uh kept in core um and be a core dependency.

C

Yes, because they provide object, level, security, protections right so so does the hdb.

E

Signing.

C

But they're not addressing the same functions. Are they? Yes? They are all right. I'll have to look at the draft. Then.

E

Okay, sorry, no, no worries no worries indeed. uh So basically, uh this is this is the kind of thing that you will be using http signing or mtls, or one of the two jose mechanisms for your keyproofing for any given transaction.

E

um So you always have to use one of a uh secure, keyproofing mechanism and message signing mechanism, um and there was uh the editors believe that there was consensus to keep http signing as a an object level. um You know sort of message, level, uh security, protection and mtls as a socket level protection um and uh as sort of the two core options, and so the jose pieces are a different way to do message: level protection. They have some pretty major drawbacks, but they do work.

E

And so the question is whether we keep these these bits, specifically in core, as as options or they live in their own draft. So we can take this discussion back onto the list because we we want feedback uh of what people plan to use, what what people actually plan to do with this kind of stuff, and this uh this is also going to help the uh the mti discussion as well.

A

Yeah, if I, if I may have to.

E

What.

A

And head off.

B

Again,.

A

If the methods that are mti, they obviously need to stay in the draft, otherwise, the more more content we can remove from the draft the main draft, the better off we are.

E

All right, thank you. Obviously, this needs a lot more discussion, um so we will. We will pull that into the list. um uh Fabian has uh uh proposed, at least in the editors meetings, that we've write up. What this jose draft would actually look like um and present that as as an id um just so that people could see like okay, if we take this out, this is the part that would be there, and this is how we might reference it.

E

But again, the the mti discussion is absolutely entwined with this all right um and then almost to the end here, uh the resource server draft still definitely needs a lot of work. um As we uh start wrapping up these major uh pieces- and you know sort of pare down the issues on the core draft. We are going to be turning our focus to the resource server draft. One of the biggest pieces of this is going to be a token model, not a token format, but a token model that could be represented in token formats.

E

If you wanted to have a formatted token, um if you wanted to have a reference based token, that would obviously still be possible and the access token itself would still remain opaque to the client inside the nap just like it is in omaha, but it's a lot. This is just a short way of saying we know there's a lot of work to do on the rs draft.

E

Still all right um implementation status has grown a little bit in the last couple of months, but uh there's still a lot of uh a lot of people kind of poking around uh at the edges of this. For both sort of the core stuff and the stuff around the dependencies, uh we will still at some point add an implementation status section to the draft. We haven't done that yet, um but we also as as we kind of predicted um back in the summer.

E

The the major turn of the protocol has remained quiet over the last four months, and um that is a good sign. It's obviously we're not done, but uh it is a good sign that this um that we're not changing out major swaths of the protocol on a regular basis anymore.

E

um So this is a really good time to uh to keep implementing things, to keep trying stuff out, applying it to use cases and figuring out how and where it works and doesn't that's all the editors had we've got about 10 minutes or so for open discussion.

E

So I'm going to stop sharing.

E

And, oh, I think my browser crashed am. I am I still connected.

A

Yes, you are okay,.

E

All right, so I oh there we are okay, it just it just took a while to un unshare all right, um let's see uh is there anyone in the queue.

D

I don't think there's anybody in the queue all right.

E

All right well, um so we know that there's a lot of new stuff uh in the draft uh there's a lot of new text in the draft. um Please read through that. um uh Please continue to help improve that and thank you again to everybody who has been doing so so far, so I I think we might be good to move on to the next section. Then.

A

All right, thank you, justin and the editor team and dna go on next.

H

I don't know whether you will present my slide or, if I can share my slide. I've never experienced that before I.

A

Can try to show your slides? It will take me a few seconds, though.

A

But you can get going in the meantime.

A

um Sorry.

A

It's not a good day for me to come a friend.

H

Would be able to pick the powerpoint slides instead of the pdf one.

A

Yeah, let me see if I can get uh miteko to collaborate with anything, and I will be there or at least to start with.

A

A pdf and then maybe I can switch, but let me see if I can get it to work.

A

No, I'm sorry.

E

uh

A

Leaf, could you try on your side.

D

Yes, if you tell me again what to try, because I missed your audio.

A

Yeah there's the middle button. Next to your name on, the top left is show screen and you need to have a separate application or separate browser instance with any slides.

H

I can try that to do it myself. If you just tell me how to do it,.

D

I'm I'm sorry uh jaron, I'm dropping your audio. uh Your audio is dropping periodically, so you gotta say that again, what do you want me.

A

To do share screen, show screen yeah with the new slides.

D

I you know, I I'm not sure this is going to work, because I'm dropping audio all the time here. So this is going to be a problem but they're problematic.

A

I think.

A

Let me try again.

D

Let me see if I can.

A

I think.

E

I pressed.

A

The block at some point and now it's.

A

Okay, now this should work.

A

All right.

H

There we go: okay, that's the pdf, which is better than nothing.

A

Yes and yeah.

H

Okay, so I have various concerns with draft eight and I propose some way to address them, so the first real slide, which is next one.

H

And it is about the fact that attributes are within the scope of the core document.

H

There are two definitions that have picked up, privilege and access token privilege is a right or attribute associated with a subject and an access token is a data artifact representing a set of rights and or attribute.

H

Currently, the draft 8 only supports rights which, in terms of security, are called capabilities, so I use acronym capability-based access control, but not attributes and usually attributes come with two flavors, whether they are attribute banks, access control are back or role based access control, and I propose that the support of attributes should be added to the core document.

H

Next slide.

H

Now this list to the following model, which is the model on the right there is in fact the resource owner that can work in collaboration with the authorization server or with the resource server.

H

Today, the resource owner is working in collaboration with the authorization server and it's a case of capability-based access control. Now, when the resource owner is working in collaboration with the resource server, it's a case of attribute exactly so. That makes a big difference between the two models, because in the model from drive 8 the second case, our attributes back access control is not supported.

H

Next, one.

H

So there are different reasons why they should be supported.

H

I took a recent reason because there was a proposal for amending a relation from european union that was posted in june this year, and the proposal considers a qualified trust service for the provision of electronic attestation attribute translated into our wording. It will mean access control that access token, that control contains end user attributes, and this end user attributes may come from multiple sources, which means from multiples authorization server and the core protocol should define two fields in access token, to distinguish very easily between rights and attributes.

H

Today, the argument is that there is an array, and you can put anything in the array.

H

Every rs should be able to immediately know whether the access token contains rights and or attributes, and what is very important when you consider attributes is to define some attribute types like what a first name a family name, a birth date and so on.

H

An example is those attribute defined in open id connect and an user should be able to query a given rs to know which attribute types and value are known by a given rs.

H

This is requesting end user information not requesting arrow information, not requesting user information or subject information as it is in the current draft, so requesting an user attribute is not supported. Currently next slide.

H

Now, in order to support attributes well, we should allow rs to indicate which attribute types and in some cases attribute values should be included into the access token. In order to allow given operation on a given protected resource. This can be done using an http option request to allow an user which rs plurals are appropriate for each attribute type to allow an user to know the reason why this attributes type should be disclosed, of course, in their preferred language.

H

This is your call user notice, of course, allow end user to accept or deny fetching those attribute types using the preferred language. This is called user choice and consent, of course, to allow a client to request to more or to one or more is such attribute types and something which is interesting in terms of privacy to allow client to hide to the as the identity of the rs.

H

Some rs some as may be too curious to know which rs are being accessed by their user, and this is possible using an unsigned part of the access token, as he said they proposed on the mailing list more than one year ago, but still not incorporated into the document, because, currently, as long as you support capabilities, you must disclose the identity of the rs. But when you support attributes, you don't necessarily need to disclose the identity of the rs.

H

Next, please now the benefits of the support of attributes, uh rs metrist, a set of authorization server for only some types of attributes.

H

There is no necessary to have a bilateral pre-relationship between an rs and a s, the rs trust, as uh as does not need necessarily to trust rs when attributes are being supported.

H

When you are using.

H

Attributes the ro is working in collaboration with an rs with where it is different, of course, when rights are being supported and the as can be kept ignorant of which action will be performed by your client and on which resources.

H

This is an important privacy consideration and, as I already indicated in some cases, which means not all cases the is can be kept, ignorant of which rs will be accessed, which means that the true identifier of the rs can be concealed to the client to the rs by the client, but the access token is still targeted to the rs.

H

And finally, the following privacy: property should be supported: user notice, user choice, user consent, and there is a third one that some people do not like, because they want access token to be opaque. But transparency means that the end user or the client working on behalf of the end user must be able to verify that what has been requested is really what has been obtained and for that. The analysis of the access token is needed.

H

Next. One.

H

Now draft 8 make a general assumption that an end user and arrow are the same entity. However, there is a note that say: pinup makes no general exception that they are well. Unfortunately, the note is incorrect when you look at section 1, 5, 1, 1, 5, 2 and all other section from 1 5. There is not a single example where the end user is not also the arrow and when the ro is an automatic process, so this will need to be corrected next, one.

H

Now trust relationship in draft 8, section 1 4, is supposed to be about trust relationship, but in fact it is not. It is based on the promised theory, which is a 300 pages document. Where you can read that the promises stated intention. Each agent defines its own valuation function of promise given or received.

H

You have to wait on page 108 to find the first definition of what trust is, and you just define you just discover that trust is an agent expectations that the promise will be kept and it's a bias and property with a value lying between zero and one. So you trust, 220, 25, 22, that's crazy!

H

In the iit community. Trust is a binary combination. It's one or zero: either you trust something or you don't trust and we should not mix trust relationship with preliminarities. Of course, there are availabilities in a system, but trust are remains the same well section. One four is failing to indicate relationship relationship that any exists between client instance and auto application, server, authorization, server, sorry and end user and alteration server, so the trace relationship condition are not complete and those that are described are incorrect.

H

Next, one.

H

Now, on the same track in draft eight, the link, if any between client instance authentication and end user authentication, is left undefined. How may a client instance be associated with an end user? I would guess that the editors knows that response. However, this is left undefined in the draft.

H

How may nas be confident that the legitimate user is using a given given client instance? This is also less left undefined. Now you can find an interesting sentence on page five of the draft. The end user operating the software may the world is important, may interact with the trojan server to authenticate, provide consent and authorize the request.

H

Hence the draft does not require an user to authenticate well, uh a thing that I just remarked on the flyer is that draft 8 will be enabled to comply with a directive from the european union, which is about the payment service directive or ps d2, which requires multi-factor authentication and how that's this shall be supported or may be. Supported is fully left undefined.

H

Next, one.

H

Now, what is what is more important is draft. 8 model is insecure.

H

There is a section called protection of client instance, key material, section, 12 3, and that section in fact, is not addressing the protection of this key instance immaterial anyway. Such a protection cannot be guaranteed. Even if you use a hardware security module to protect the private private key. You cannot access the value to the private key, but you can still use that private key. So as soon as two client instances collaborate the security foundation of the drive f collapse, a solution resistant to client collaborative attacks is needed and is possible next slide.

H

Well, it is in fact unfortunate that such solution is negated in draft 8.. This was new text that was added, and it is said, however, note that the lack of inclusion of a user identifier in an access token may be a risk if there is a concern that two users may voluntary share access. Token fine, then, since that is the solution since, on the contrary, the inclusion of the user identifier in an access token is able to prevent, to end user or to client to voluntary share access token between them.

H

Now we are going to consider the addition of a new field that I call the binding user identifier in an access token, that is able to prevent in some situation the access token from being voluntary shared next slide.

H

Now there are two concepts to be considered before diving into the fielder. In fact, you can, for example, want to access your bank account and when you do that, you are accessing what I call a long-term user account. You want some data to be kept by the bank about you when you unlock and when you reload again.

H

On the contrary, you may use short-term user account. An example. Is you make a transaction without the creation of a user account and when the session is closed, when you got your ticket, maybe send on your email address, the rs will not maintain any information about that temporary user account. It is closed next slide.

B

We are at the five or six minutes mark you may want to.

A

Either wrap up and take questions or continue up to you.

H

Well, we can go to the next one.

H

Well, there are five types of by by being using identifier, and what is very important is that the four types are exhibiting different privacy properties.

H

The first type is the best one, because it is able to prevent correlation of end user between rs, and it is also able to prevent the authorization server to know the identity of the rs that the uh the way to do that. However, to do that, you need a hardware security module, no a secure element from the end user.

H

You can have a unique pair for each asrs, but the inconvenience is that you must disclose to the as the identity of the rs and the two last cases are a loss correlation between rs, but have the advantage to hide to the as the identity of the rs.

H

The fifth type is used for short-term user accounts. Only next one.

H

So I will let you read that slide to know understand. Let you understand how that works, that this mechanism does not protect against impersonation. It allows bob.

H

It prevents bob to send his an access token to alice, so that alice can use it on her own user, long-term user account, and that is very important, because if bob is older than 18, he cannot transmit that access token to alice. That is younger than 18..

H

Next one.

H

Now there are different legislation uh in european unions and I believe they should be considered. The first one is the gdpr.

H

The second one is a psd2 directive and the last one is simply a proposal that highlights the fact that attributes are being the direction that is likely to be followed by the european union and at this time none of these theory of these documents are being considered. Last slide.

H

Now I propose a modify model where both attributes and capabilities should be supported where end user shall authenticate to the as where trust relationships are clear and understandable and where, in order to defeat collaborative attack, access token should be protected using the byd mechanism and in order to protect the impersonation access. Token should be protected using mutual cls with fml client key pairs, and that's it.

A

Thank you very much.

A

Any questions to deny, or in fact any other questions in the last two minutes.

G

Yes, fabian.

F

Yes, it's just to say that all these different uh issues have been discussed at length uh on the github repository and so um of course, if there are some criticisms to to reuse and implement into the draft, we're very open to that. But most of the comments that this has made um have already been answered and we've provided actually the rational for rejecting those. So, of course we we are very open to more discussion from from other people in the working group, but so far I think it's pretty clear.

F

It won't be included unless there's a general agreement on that.

A

Any other comments.

A

All right, thank you very much.

A

And thank you all for joining us. uh Please. If you can spare the next half hour, please join us in room six of gather and uh see you next time.

A

You.