> -----Original Message----- > From: Andrew Newton <[email protected]> > Sent: Monday, August 1, 2022 4:31 PM > To: Mario Loffredo <[email protected]> > Cc: Hollenbeck, Scott <[email protected]>; [email protected] > Subject: [EXTERNAL] Re: [regext] Federated Authentication for Machine-to- > Machine Interactions in RDAP > > Caution: This email originated from outside the organization. Do not click > links > or open attachments unless you recognize the sender and know the content > is safe. > > On Fri, Jul 29, 2022 at 7:59 AM Mario Loffredo <[email protected]> > wrote: > > > > > > The authentication flows explored so far fit well the use cases where > > a human occasionally submits a request. The case of authenticated > > software agents submitting a lot of requests routinely doesn't find a > > practical solution in this draft. I would like to remind everyone that > > EU Parliament and EU Council has recently reached an agreement on core > > elements of the e-Evidence proposal. Therefore, I guess that soon we > > will have to figure out how to provide regular authenticated access to > > registration data to categories of users legitimated for their > > purposes such as authorities and cybercrime agencies. > > > > That being said, I see two big drawbacks in using the Client > > Credential flow, at least as is: > > > > - Client Credential flow is for trusted clients. Clients need to be > > registered by the OP before submitting a request for an access token. > > But, RDAP clients are generally untrusted and I don't consider > > scalable a solution where several RDAP clients are required to > > register by many OPs including the local ones. In the approach > > described in this draft, the trusted client is the RDAP server. > > > > - Roles and access grants are generally assigned to users not to > > clients. In addition, think there would be a potential risk of > > providing access to illegitimate users via legitimate clients. > > > > The Resource Owner Password Credential Flow would have fiited better > > but it has been rightly deprecated by OAuth. I'm afraid that a usage > > of CC Flow in a manner similar to the ROPC flow wouldn't be welcome by > > security experts. > > > > I would suggest to explore another approach where a third-party > > authority interconnects clients and servers that are mutually authenticated. > > As long as one method is not to the exclusion of the others, I think we should > consider both types of use cases. > > I agree that there are internet-wide scalability issues in an OP handing out > credentials to specific clients. > Yet, we have that today. LACNIC rate limits anonymous RDAP queries, and > those rate limits may be exceeded if a client uses a LACNIC authorized > credential.
[SAH] So does it make sense to add support for the "Client Credentials Grant" in the draft? I agree that there are some risks to consider, but we can document those to the best of our ability. Mario, what exactly do you have in mind when you say, "another approach where a third-party authority interconnects clients and servers that are mutually authenticated"? Scott _______________________________________________ regext mailing list [email protected] https://www.ietf.org/mailman/listinfo/regext
