On Fri, Jul 29, 2022 at 7:59 AM Mario Loffredo <[email protected]> wrote: > > > The authentication flows explored so far fit well the use cases where a > human occasionally submits a request. The case of authenticated software > agents submitting a lot of requests routinely doesn't find a practical > solution in this draft. I would like to remind everyone that EU > Parliament and EU Council has recently reached an agreement on core > elements of the e-Evidence proposal. Therefore, I guess that soon we > will have to figure out how to provide regular authenticated access to > registration data to categories of users legitimated for their purposes > such as authorities and cybercrime agencies. > > That being said, I see two big drawbacks in using the Client Credential > flow, at least as is: > > - Client Credential flow is for trusted clients. Clients need to be > registered by the OP before submitting a request for an access token. > But, RDAP clients are generally untrusted and I don't consider scalable > a solution where several RDAP clients are required to register by many > OPs including the local ones. In the approach described in this draft, > the trusted client is the RDAP server. > > - Roles and access grants are generally assigned to users not to > clients. In addition, think there would be a potential risk of providing > access to illegitimate users via legitimate clients. > > The Resource Owner Password Credential Flow would have fiited better but > it has been rightly deprecated by OAuth. I'm afraid that a usage of CC > Flow in a manner similar to the ROPC flow wouldn't be welcome by > security experts. > > I would suggest to explore another approach where a third-party > authority interconnects clients and servers that are mutually authenticated.
As long as one method is not to the exclusion of the others, I think we should consider both types of use cases. I agree that there are internet-wide scalability issues in an OP handing out credentials to specific clients. Yet, we have that today. LACNIC rate limits anonymous RDAP queries, and those rate limits may be exceeded if a client uses a LACNIC authorized credential. -andy _______________________________________________ regext mailing list [email protected] https://www.ietf.org/mailman/listinfo/regext
