OAuth, Transactional Authorization @ IETF106

OAuth, Transactional Authorization, and other security related stuff Ryo Kajiwara
@ lepidum IETF106 Report Session, ISOC-JP

Why OAuth Now?

͍͍ͩͨ͜ͷهࣄͷԆ ௕ͷ࿩Λ͠·͢ https:/ /lepidum.co.jp/blog/ 2019-12-03/future-of-oauth/

OAuth 2.0ɺਓྨʹ͸ૣ ͗ͨ͢ͷͰ͸ʁ ͱ͸ݴΘͳ͍͚ΕͲ֦ு/मਖ਼ଟ͗͢ ໰୊

OAuth 2.0ͷ͓͞Β͍ OAuth 2.0(RFC 6749)ͷΞΫηετʔΫϯऔಘํ๏ʹ͸ • Authorization Code Grant •
Implicit Grant • Resource Owner Password Credentials Grant • Client Credentials Grant ͕͋Δɻ(࣍ϖʔδҎ߱ܰ͘ղઆ)

௚ײతʹ͸ҧ͍͕Θ͔Γʹ͍͕͘ɺଞͷ΋ͷͱͷܾఆతͳҧ͍͸ ʮΫϥΠΞϯτࣗ਎͕ϦιʔεΦʔφʔͰ͋Δʯέʔεʹ࢖͏΋ ͷͰ͋ΓɺΫϥΠΞϯτೝূΛ͢Δ͜ͱͰAuthorization Server͸Ξ ΫηετʔΫϯΛฦ͍ͯ͠Δɻ

Կ͕Ϛζ͍ͷ(1) • Implicit GrantͰ͸ϦμΠϨΫτURLதʹΞΫηετʔΫϯͦͷ΋ ͷΛؚΜͰฦ͍ͯ͠Δ͜ͱ͕໰୊ɻ • ϦΫΤετɾϨεϙϯεͷheader/body͸HTTPSͳΒ҉߸Խ͞ ΕΔ͕… • ྫ:
ΦʔϓϯϦμΠϨΫλΛ౿·͞ΕΔͱͦ͜ͷΞΫηεϩά ʹΞΫηετʔΫϯ͕࢒ͬͯ… • ྫ: ϦϯΫΛ౿ΉͱϦϑΝϥܦ༝ͰτʔΫϯ͕࿙Εͯ…

Կ͕Ϛζ͍ͷ(2) • Resource Owner Password Credentials Grant͸ը૾ͷ஫ऍͷ௨ Γɺதܧ͢ΔΫϥΠΞϯτ͕ϦιʔεΦʔφʔͷύεϫʔυΛ ஌Δ͜ͱ͕Ͱ͖ͯ͠·͏ɻ •
ύεϫʔυͰ͍͍ͪͪೝূͨ͘͠ͳ͍͔ΒΞΫηετʔΫϯ Ͱݖݶ༩͑Δͷ͕OAuth͡Όͳ͔͚ͬͨͬ…ʁ • ͳͷͰɺ΋ͱ΋ͱ͔Βͯ͠Ҡߦ໨తΛҙਤ͞Ε͍ͯͨɻ͕ɺ ࠓͰ΋࢖༻͠ଓ͚͍ͯΔ࣮૷͕ଘࡏ͢Δ… • ࠷৽ͷSecurity BCPʹ͸MUST NOT useͱॻ͔Ε͍ͯΔɻ

ฏͨ͘ݴ͏ͱ • RFC6749͚ͩಡΉͷͰෆे෼ʹͳͬͯ͠·ͬͨ • ؔ࿈υΩϡϝϯτ͕ࢁ΄Ͳ͋Δ • ͜ΕΛղܾ͠Α͏ͱ͍͏ಈ͖͕ग़͖ͯͨ

OAuth 2.1

͜Ε͸Կ ࠓճͷձ߹Ͱॳొ৔ͷఏҊͰɺʮOAuthؔ܎ͷυΩϡϝϯτͱͬͪ Β͔Γ͔͗ͩ͢Β1ͭυΩϡϝϯτಡΊ͹ؒҧ͍ͷͳ͍OAuth͕࣮ ૷Ͱ͖·ͬͤʯͱ͍͏υΩϡϝϯτΛ࡞Ζ͏ɺͱ͍͏΋ͷɻ ۩ମతʹ͸ɺRFC6749(OAuth 2.0ຊମ) + draft-ietf-oauth-security- topics-13(OAuth Security
BCP) + RFC 8628(Device Flow)ͷ͍͍ͱ͜औ Γ("OAuth: the Good Parts")ͱͯ͠ఏҊ͞Εͨɻ

OAuth 2.0Ͱ͸͜͏ͩͬͨ • Authorization Code Grant • Implicit Grant •
Resource Owner Password Credentials Grant • Client Credentials Grant

OAuth 2.1Ͱ͸͜͏ͳΔ • Authorization Code Grant • ͨͩ͠ɺPKCE(Proof Key for
Code Exchange; RFC7636)ͷར༻͕ ඞਢɺΑͬͯݫີʹ͸AuthCode͔ͩΒͱ͍ͬͯ2.0ͱԼํޓ ׵ੑ͕͋ΔΘ͚Ͱ͸ͳ͍ • Implicit Grant • Resource Owner Password Credentials Grant • Client Credentials Grant • Device Grant

PKCE URLͷҰ෦͔ΒImplicitͰ͸ΞΫηετʔΫϯ͕औΕΔͱઆ໌ͨ͠ ͕ɺAuthorization Code GrantͰ͸ΞΫηετʔΫϯʹҾ͖׵͑Մೳ ͳAuthorization Code͕URLதʹฦ͖ͬͯͯɺ߈ܸऀ͸͜ΕΛಘΔ͜ ͱ͕ՄೳɻεϚʔτϑΥϯͳͲͷΤϯυσόΠεʹਖ਼౰ͳΫϥΠΞ ϯτͱಉډ͢Δѱҙͷ͋ΔΞϓϦέʔγϣϯ͕͜ͷ஋Λར༻ͯ͠ ΞΫηετʔΫϯΛ৐ͬऔΔ͜ͱ͕Ͱ͖ͯ͠·͏ɻ
Authorization Codeͷ৐ͬऔΓʹΑΔ߈ܸΛchallenge-responseʹ Αͬͯ๷͙ͷ͕PKCEͷ໾໨ɻ

ࠓޙͲ͏ͳΔͷʁ IETF 106Ͱ͸ࠓޙͲ͏΍ͬͯਐΊΔ΂͖͔Λٞ࿦͢ΔαΠυϛʔ ςΟϯάཱ͕ͬͨɻ େଟ਺ͷࢀՃऀ͸OAuthͦͷ΋ͷͷෳࡶੑͱRFC6749ͱ͍͏େຊͷ υΩϡϝϯτʹݱࡏ࢖͑ͳ͍߲໨͕͋Δͱ͍͏͜ͱʹݒ೦͸ࣔ͠ ͍͕ͯͨɺҰํͰ(࣍ʹઆ໌͢Δ)txauthͷworkͱOAuth WGͷwork ͱฒߦͯ͠ਐΊΔ͜ͱͷࠔ೉͞΁ͷݒ೦Λ͍ࣔͯͨ͠ɻ

txauth Transactional Authorization and Delegation

ͦ΋ͦ΋ transactional ͱ͸ https:/ /datatracker.ietf.org/meeting/106/materials/slides-106-txauth- annabelle ʹ͋Δ໰୊ఏ͕ٞඇৗʹΘ͔Γ΍͍͢ɻʮΤϯυϢʔ βʔΛɺ͋Δϓϩηεͷ్தͰଞͷίϯςΩετʹ༠ಋ͠໭ͬͯ ͘Δʹ͸Ͳ͏ͨ͠ΒΑ͍͔ʁʯ (ྫ)
εϚʔτεϐʔΧʔʹຊͷߪೖͷࢦࣔΛग़͕ͨ͠ɺԿΒ͔ͷཧ ༝Ͱߪೖ͕ࣦഊͨ͠ɻࠓ·ͰͷೝՄͷ࢓૊ΈͰ͸ߪೖͷݪҼʹ ͳ͍ͬͯΔ໰୊Λղܾͨ͠ΒʮຊͷߪೖͰ͋Δʯͱ͍͏໋ྩ͕๨ ΕΒΕͯ͠·͍ͬͯͨɻ

ͦ΋ͦ΋ transactional ͱ͸ • γϣοϓͷαΠτͰߦ͏͜ͱ • ຊͷߪೖΛ͍ͨ͠ • ͔͠͠࢒ߴ͕଍Γͳ͍ •
ܾࡁखஈͷαΠτͰߦ͏͜ͱ • ೝূɺ࢒ߴͷิॆ • γϣοϓͷαΠτʹ໭ͬͯߦ͏͜ͱ • τϥϯβΫγϣϯͷ࠶։ → ࢒ߴ͕͋ΔͷͰߪೖ

ͦ΋ͦ΋ transactional ͱ͸ ࣗ෼ͷࡶͳղऍͱͯ͠͸ɺ ͋ΔߦҝΛߦ͏ೝՄΛಘΔखଓ͖ΛҰ࿈ͷτϥϯβΫγϣϯͱΈ ͳ͠ɺτϥϯβΫγϣϯʹೝՄʹඞཁͳഎܠ৘ใʢΞΫηετʔ ΫϯɺΞΫηετʔΫϯΛಘΔͨΊͷଐੑ৘ใɺ·ͨϦιʔε ΦʔφʔͷೝূͷͨΊͷূ໌ʣΛؔ࿈෇͚͍ͯ͘͜ͱ ͱ͍͏ղऍɻ

XYZͱ͸ Transactional AuthorizationΛ࣮ݱ͢ΔϓϩτίϧͷԾͷ໊শɻఏҊ ऀ͸OAuth 3.0ͱ͍͏ݴ͍ํΛ͢Δ͜ͱ΋͋ΔɻIETFతʹ͸draft- richer-transactional-authz-04ɻ OAuth 2.0ͱͷޓ׵ੑΛແࢹ͠ɺ৽͘͠ೝՄػೳΛઃܭ͠௚ͨ͠Β Ͳ͏ͳΔ͔ʁͱ͍͏ߟ͑Ͱ࡞ΒΕͨϓϩτίϧɻ txauth
BoF͸લճOAuth WG಺Ͱߦͬͨ͜ͷఏҊΛ΋ͱʹɺ৽͘͠ WGΛܗ੒͢ΔͨΊʹ։͔Εͨɻ

ղܾ͍ͨ͠ओཁͳ໰୊ • ϑϩϯτνϟϯωϧͷอޢ • ϒϥ΢βͱαʔόʔͷؒͰ৘ใΛ౉͢ํ๏ͷอޢͷͨΊʹͨ ͘͞Μͷ֦ு͕ੜ·Ε͍ͯΔ • dynamic registration •
OAuth͸ΫϥΠΞϯτͷ੩తͳొ࿥Λҙਤͯ͠࡞ΒΕ͕ͨɺ ࣮ࡍ͸ಈతʹ௥Ճ͞ΕΔ͜ͱ͕ଟ͘ɺͦΕʹ൐͍redirect URI ͷݕূͳͲͰηΩϡϦςΟ໰୊͕ੜ͍ͯ͡Δ

ղܾ͍ͨ͠ओཁͳ໰୊ • scope ͷఆٛ • ΞΫηε͍ͨ͠஋ʁ • Ͳ͏͍͏ػೳʁ(OIDCʹ͓͚Δ openid ͕ྫ)
• ͲͷϦιʔεαʔόʔʁ • ... https:/ /datatracker.ietf.org/meeting/106/materials/slides-106-txauth- limitations-of-oauth-2

ಛ௃(1) εϥΠυ https:/ /datatracker.ietf.org/meeting/106/materials/ slides-106-txauth-xyz Λ΋ͱʹઆ໌͢Δͱɺ • ΫϥΠΞϯτ͸ͲͷϦιʔε͕΄͍͔͠(p.10)ɺࣗ෼ࣗ਎ͷೝࣝ ํ๏(p.11-16; 伴ͷॴ༗ূ໌ํ๏·ͰؚΊ)ɺϢʔβʔͱͷΠϯλ
ϥΫγϣϯ(p.17-19)Λࢦఆ͠τϥϯβΫγϣϯΛ։࢝ • ͜ΕͰ৘ใ͕଍Γͳ͚Ε͹αʔόʔ͕࣍ʹ͜ͷ৘ใ͕΄͍͠ɺ ͱ͍͏͜ͱͰΠϯλϥΫγϣϯURLΛࢦఆ͢Δ(p.23)

ಛ௃(2) • ͜͜ͰॳΊͯϢʔβʔ͕ϑϩϯτνϟϯωϧͰ΍ΓͱΓΛ͢Δ (p.24) • Ϣʔβʔ͕αʔόʔͱ΍ΓͱΓΛͨ͋͠ͱɺAuthorization Server ͸"interaction handle"ͱͦͷϋογϡΛੜ੒(p.27-29)͠ɺͦΕΛ ΫϥΠΞϯτʹฦ͢
• ΫϥΠΞϯτ͸"transaction handle"ͱ"interaction handle"Λར༻ ͯ͠τϥϯβΫγϣϯΛ࠶։(p.32) • handle͸աڈͷ஋΁ͷࢀর

XYZҎ֎ͷఏҊ: Rich and Pushed Authorization Requests • https:/ /datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/ •
https:/ /datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/

Rich Authorization Requests ۚ༥ܥ΍੓෎ܥͳͲͷڧ͍ηΩϡϦςΟ͕ٻΊΒΕΔྖҬͰOAuth Λ࢖͏͜ͱΛҙਤͯ͠ఏҊ͞ΕͨOAuth 2.0ͷ֦ுɻ ڧ͍ηΩϡϦςΟΛٻΊΒΕΔϢʔεέʔεͰ͸ݖݶ͕΋ͷ͘͢͝ ࡉཻ͔͍౓Ͱઃఆ͞Ε͍ͯΔ͕ɺݱঢ়ͷOAuthͷscopeͰ͸͜ΕΛ ఻͖͑Εͳ͍͠ɺݱঢ়ͷOAuthͰ͸αʔόʔݻ༗ͷΞΫηετʔΫ ϯΛ෷͍ग़͢ͳͲͷࡉ੍͔͍ޚ͕Ͱ͖ͳ͍ɻ

Rich Authorization Requests ੈͷதʹଘࡏ͢Δղ๏ͱͯ͠͸ • scope_detailsύϥϝʔλ֦ு (PolishAPI) • ผͷϦιʔεΛ࢖ͬͯڐ୚಺༰Λදݱ (UK
OB, NextGenPSD2, yes.com) ͕͋Δ͕͜ΕΛҰൠԽ͍ͨ͠ɻ

Pushed Authorization Requests Authorization Requestͷ৘ใΛࣄલʹAuthorization Serverʹpush͢ Δ͜ͱͰઐ༻ͷAuthorization Request URIΛಘΔ࢓૊Έɻ ΫϥΠΞϯτೝূʹඞཁͳ৘ใΛࣄલʹpushͰ͖ΔΑ͏ʹͳΔ͜
ͱͰΑΓڧྗͳೝূ͕Մೳɻ POSTϦΫΤετͰࣄલʹURLΛಘΔ࢓૊ΈͰ͋Δͷ΋ॏཁ(body͸ HTTPSͰอޢ͞ΕΔ)ɻ

Other WG Business • Security BCPͷupdate • ϒϥ΢βϕʔεΞϓϦͷͨΊͷOAuth 2.0ͷΨΠυ •
DPoP(Demonstration of Proof-of-Possession at the Application Layer) • εϥΠυ๯಄ʹSender-Constrained Access TokenͷͨΊͷPoP ͷྺ࢙Λ·ͱΊ͍ͯΔ

Sender-Constrained Access Token ͦͷ໊ͷ௨Γɺૹ৴ऀ͔͠஌Γಘͳ͍৘ใΛ࢖ͬͯɺΞΫηε τʔΫϯͷೳྗΛಛఆͷૹ৴ऀʹͷΈؔ࿈෇͚Δํ๏(<-> Bearer τʔΫϯ: τʔΫϯΛॴ͍࣋ͯ͠ΔਓʹΞΫηεݖΛ෇༩͢Δ)ɻ Token Binding
(draft-ietf-oauth-token-binding-08) ΍ Mutual TLS Client Authentication (draft-ietf-oauth-mtls-17) ͳͲͷํ๏͕ఏҊ͞ Ε͍ͯΔ͕ͲͪΒ΋work in progressɻ

એ఻: ٕज़ॻయ8 1೔໨(2/29) ೔ຊޠ࠷଎XYZղઆຊɺ ग़·͢ https:/ /cryptic-command.net/

OAuth, Transactional Authorization @ IETF106

OAuth, Transactional Authorization @ IETF106

sylph01

More Decks by sylph01

Other Decks in Technology

Featured

Transcript

OAuth, Transactional Authorization, and other security related stuff Ryo Kajiwara

Why OAuth Now?

͍͍ͩͨ͜ͷهࣄͷԆ ௕ͷ࿩Λ͠·͢ https:/ /lepidum.co.jp/blog/ 2019-12-03/future-of-oauth/

OAuth 2.0ɺਓྨʹ͸ૣ ͗ͨ͢ͷͰ͸ʁ ͱ͸ݴΘͳ͍͚ΕͲ֦ு/मਖ਼ଟ͗͢ ໰୊

OAuth 2.0ͷ͓͞Β͍ OAuth 2.0(RFC 6749)ͷΞΫηετʔΫϯऔಘํ๏ʹ͸ • Authorization Code Grant •

௚ײతʹ͸ҧ͍͕Θ͔Γʹ͍͕͘ɺଞͷ΋ͷͱͷܾఆతͳҧ͍͸ ʮΫϥΠΞϯτࣗ਎͕ϦιʔεΦʔφʔͰ͋Δʯέʔεʹ࢖͏΋ ͷͰ͋ΓɺΫϥΠΞϯτೝূΛ͢Δ͜ͱͰAuthorization Server͸Ξ ΫηετʔΫϯΛฦ͍ͯ͠Δɻ

Կ͕Ϛζ͍ͷ(1) • Implicit GrantͰ͸ϦμΠϨΫτURLதʹΞΫηετʔΫϯͦͷ΋ ͷΛؚΜͰฦ͍ͯ͠Δ͜ͱ͕໰୊ɻ • ϦΫΤετɾϨεϙϯεͷheader/body͸HTTPSͳΒ҉߸Խ͞ ΕΔ͕… • ྫ:

Կ͕Ϛζ͍ͷ(2) • Resource Owner Password Credentials Grant͸ը૾ͷ஫ऍͷ௨ Γɺதܧ͢ΔΫϥΠΞϯτ͕ϦιʔεΦʔφʔͷύεϫʔυΛ ஌Δ͜ͱ͕Ͱ͖ͯ͠·͏ɻ •

ฏͨ͘ݴ͏ͱ • RFC6749͚ͩಡΉͷͰෆे෼ʹͳͬͯ͠·ͬͨ • ؔ࿈υΩϡϝϯτ͕ࢁ΄Ͳ͋Δ • ͜ΕΛղܾ͠Α͏ͱ͍͏ಈ͖͕ग़͖ͯͨ

OAuth 2.1

͜Ε͸Կ ࠓճͷձ߹Ͱॳొ৔ͷఏҊͰɺʮOAuthؔ܎ͷυΩϡϝϯτͱͬͪ Β͔Γ͔͗ͩ͢Β1ͭυΩϡϝϯτಡΊ͹ؒҧ͍ͷͳ͍OAuth͕࣮ ૷Ͱ͖·ͬͤʯͱ͍͏υΩϡϝϯτΛ࡞Ζ͏ɺͱ͍͏΋ͷɻ ۩ମతʹ͸ɺRFC6749(OAuth 2.0ຊମ) + draft-ietf-oauth-security- topics-13(OAuth Security

OAuth 2.0Ͱ͸͜͏ͩͬͨ • Authorization Code Grant • Implicit Grant •

OAuth 2.1Ͱ͸͜͏ͳΔ • Authorization Code Grant • ͨͩ͠ɺPKCE(Proof Key for

txauth Transactional Authorization and Delegation

ͦ΋ͦ΋ transactional ͱ͸ https:/ /datatracker.ietf.org/meeting/106/materials/slides-106-txauth- annabelle ʹ͋Δ໰୊ఏ͕ٞඇৗʹΘ͔Γ΍͍͢ɻʮΤϯυϢʔ βʔΛɺ͋Δϓϩηεͷ్தͰଞͷίϯςΩετʹ༠ಋ͠໭ͬͯ ͘Δʹ͸Ͳ͏ͨ͠ΒΑ͍͔ʁʯ (ྫ)

ͦ΋ͦ΋ transactional ͱ͸ • γϣοϓͷαΠτͰߦ͏͜ͱ • ຊͷߪೖΛ͍ͨ͠ • ͔͠͠࢒ߴ͕଍Γͳ͍ •

XYZ

XYZͱ͸ Transactional AuthorizationΛ࣮ݱ͢ΔϓϩτίϧͷԾͷ໊শɻఏҊ ऀ͸OAuth 3.0ͱ͍͏ݴ͍ํΛ͢Δ͜ͱ΋͋ΔɻIETFతʹ͸draft- richer-transactional-authz-04ɻ OAuth 2.0ͱͷޓ׵ੑΛແࢹ͠ɺ৽͘͠ೝՄػೳΛઃܭ͠௚ͨ͠Β Ͳ͏ͳΔ͔ʁͱ͍͏ߟ͑Ͱ࡞ΒΕͨϓϩτίϧɻ txauth

ղܾ͍ͨ͠ओཁͳ໰୊ • ϑϩϯτνϟϯωϧͷอޢ • ϒϥ΢βͱαʔόʔͷؒͰ৘ใΛ౉͢ํ๏ͷอޢͷͨΊʹͨ ͘͞Μͷ֦ு͕ੜ·Ε͍ͯΔ • dynamic registration •

ղܾ͍ͨ͠ओཁͳ໰୊ • scope ͷఆٛ • ΞΫηε͍ͨ͠஋ʁ • Ͳ͏͍͏ػೳʁ(OIDCʹ͓͚Δ openid ͕ྫ)

ಛ௃(1) εϥΠυ https:/ /datatracker.ietf.org/meeting/106/materials/ slides-106-txauth-xyz Λ΋ͱʹઆ໌͢Δͱɺ • ΫϥΠΞϯτ͸ͲͷϦιʔε͕΄͍͔͠(p.10)ɺࣗ෼ࣗ਎ͷೝࣝ ํ๏(p.11-16; 伴ͷॴ༗ূ໌ํ๏·ͰؚΊ)ɺϢʔβʔͱͷΠϯλ

ಛ௃(2) • ͜͜ͰॳΊͯϢʔβʔ͕ϑϩϯτνϟϯωϧͰ΍ΓͱΓΛ͢Δ (p.24) • Ϣʔβʔ͕αʔόʔͱ΍ΓͱΓΛͨ͋͠ͱɺAuthorization Server ͸"interaction handle"ͱͦͷϋογϡΛੜ੒(p.27-29)͠ɺͦΕΛ ΫϥΠΞϯτʹฦ͢

XYZҎ֎ͷఏҊ: Rich and Pushed Authorization Requests • https:/ /datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/ •

Rich Authorization Requests ੈͷதʹଘࡏ͢Δղ๏ͱͯ͠͸ • scope_detailsύϥϝʔλ֦ு (PolishAPI) • ผͷϦιʔεΛ࢖ͬͯڐ୚಺༰Λදݱ (UK

Pushed Authorization Requests Authorization Requestͷ৘ใΛࣄલʹAuthorization Serverʹpush͢ Δ͜ͱͰઐ༻ͷAuthorization Request URIΛಘΔ࢓૊Έɻ ΫϥΠΞϯτೝূʹඞཁͳ৘ใΛࣄલʹpushͰ͖ΔΑ͏ʹͳΔ͜

Other WG Business • Security BCPͷupdate • ϒϥ΢βϕʔεΞϓϦͷͨΊͷOAuth 2.0ͷΨΠυ •

Sender-Constrained Access Token ͦͷ໊ͷ௨Γɺૹ৴ऀ͔͠஌Γಘͳ͍৘ใΛ࢖ͬͯɺΞΫηε τʔΫϯͷೳྗΛಛఆͷૹ৴ऀʹͷΈؔ࿈෇͚Δํ๏(<-> Bearer τʔΫϯ: τʔΫϯΛॴ͍࣋ͯ͠ΔਓʹΞΫηεݖΛ෇༩͢Δ)ɻ Token Binding

એ఻: ٕज़ॻయ8 1೔໨(2/29) ೔ຊޠ࠷଎XYZղઆຊɺ ग़·͢ https:/ /cryptic-command.net/