Re: [Ace] Security Domains

Eve Maler <eve@xmlgrrl.com> Wed, 04 June 2014 13:59 UTC

References: <538DA583.4070200@tzi.de> <538DD2FD.2020400@gmail.com> <521AAE69-A9C5-4EF9-BD11-86A6AE06A0DA@tzi.org> <538F2210.1020800@aol.com>
In-Reply-To: <538F2210.1020800@aol.com>
Message-Id: <D835C0EC-B253-4909-931B-D91BF206D15A@xmlgrrl.com>
From: Eve Maler <eve@xmlgrrl.com>
Date: Wed, 04 Jun 2014 06:59:24 -0700
To: George Fletcher <gffletch@aol.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/8cX6TAgK1D3m9RvwuO8cVhBFl0Q
Cc: Stefanie Gerdes <gerdes@tzi.de>, Carsten Bormann <cabo@tzi.org>, Rene Struik <rstruik.ext@gmail.com>, "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] Security Domains

If the two owners in question are, as described below, the resource owner and the client owner, this actually seems to align nicely with UMA's resource owner and requesting party (defined as "An end-user, or a corporation or other legal person, that uses the client to seek access to a protected resource. The requesting party may or may not be the same party as the resource owner."). A goodly part of the UMA architecture is dedicated to details necessary to separate these two entities.

http://tools.ietf.org/html/draft-hardjono-oauth-umacore-09

Eve Maler (sent from my iPad)
cell +1 425 345 6756
eve@xmlgrrl.com

> On Jun 4, 2014, at 6:41 AM, George Fletcher <gffletch@aol.com> wrote:
> 
> Just a quick comment. The OAuth2 flows started from a "single-owner" perspective and just don't cover a lot of use cases, so the work by the User Managed Access (UMA) group in the Kantara Initiative is working to address access to resources by arbitrary (as yet not introduced) entities. Not exactly the same as the "multi-owner" problem, but there are some similarities.
> 
> I'm in favor of supporting a multi-owner model.
> 
> Thanks,
> George
> 
>> On 6/3/14, 10:15 AM, Carsten Bormann wrote:
>>> On 03 Jun 2014, at 15:51, Rene Struik <rstruik.ext@gmail.com> wrote:
>>> 
>>> I did not really get yet what the disagreement is about, so maybe
>>> someone can help me with that.
>> Here in Stockholm there was a relatively extended discussion whether it is worth separating the client owner and the resource owner function in the architecture and analogously separating out the Authorization Manager (less-constrained counterpart of the client) from the Authorization Server (less-constrained counterpart of the resource server).
>> 
>> http://tools.ietf.org/html/draft-gerdes-ace-actors takes the view that this exercise is worthwhile.
>> 
>> Obviously, this is an architectural model and does not say anything about how these functions are mapped to specific devices in a specific deployment.  If you don't separate out the functions in the architecture, I believe the result will be single-owner thinking and it will be very hard to later address the multiple-owner aspect that is so central to the Internet of Things idea.  Others believe that initial deployments will all be single-owner and it will be hard to drum up input to an architecture enabled for multiple owners, but it will be relatively easy to extend the single-owner architecture later.
>> 
>> Greetings, Carsten
>> 
>> _______________________________________________
>> Ace mailing list
>> Ace@ietf.org
>> https://www.ietf.org/mailman/listinfo/ace
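The two-owner split discussed above (resource owner versus client owner, and the Authorization Server acting for the former versus the Authorization Manager acting for the latter) can be made concrete with a small model. This is an added example, not code from the thread, from UMA or from draft-gerdes-ace-actors; the class names, the `decide()` function and the Alice/Bob deployment are assumptions made for illustration. The point it shows is the one Carsten makes: with two owners, an access decision needs both owners' policy to agree, and the single-owner case is simply the same model with both roles held by one party.

```python
from dataclasses import dataclass, field

# Constructed toy model (added example, not code from the thread, UMA or
# draft-gerdes-ace-actors). Class names, decide() and the sample owners,
# clients and resources are assumptions made for illustration.


@dataclass(frozen=True)
class Principal:
    """An owner: a person or organisation that sets policy for what it controls."""
    name: str


@dataclass
class AuthorizationManager:
    """Less-constrained counterpart of the client; enforces the CLIENT OWNER's policy:
    which resource servers (RS) each of the owner's clients may talk to."""
    owner: Principal
    # client_id -> set of RS identifiers the client is allowed to contact
    allowed_rs: dict = field(default_factory=dict)

    def permits(self, client_id: str, rs_id: str) -> bool:
        return rs_id in self.allowed_rs.get(client_id, set())


@dataclass
class AuthorizationServer:
    """Less-constrained counterpart of the resource server; enforces the RESOURCE OWNER's
    policy: which requesting parties may use which methods on which resources."""
    owner: Principal
    # (rs_id, resource) -> {requesting_party_name: set of allowed methods}
    policies: dict = field(default_factory=dict)

    def permits(self, rs_id: str, resource: str, requesting_party: Principal, method: str) -> bool:
        acl = self.policies.get((rs_id, resource), {})
        return method in acl.get(requesting_party.name, set())


def decide(am: AuthorizationManager, as_: AuthorizationServer, client_id: str,
           rs_id: str, resource: str, method: str) -> tuple[bool, list[str]]:
    """Access is granted only if BOTH owners' decision points agree.
    Returns (allowed, reasons); each reason names the owner whose policy denied."""
    reasons = []
    if not am.permits(client_id, rs_id):
        reasons.append(f"client owner {am.owner.name}: client {client_id} may not contact {rs_id}")
    # The requesting party is the client owner on whose behalf the client acts.
    if not as_.permits(rs_id, resource, am.owner, method):
        reasons.append(f"resource owner {as_.owner.name}: {am.owner.name} may not "
                       f"{method} {resource} on {rs_id}")
    return (not reasons, reasons)


def sample_deployment():
    """Constructed two-owner deployment: Alice owns a thermostat (RS), Bob owns a phone app (client)."""
    alice = Principal("alice")
    bob = Principal("bob")
    alice_as = AuthorizationServer(owner=alice, policies={
        ("thermostat", "/temperature"): {"bob": {"GET"}},   # Bob may read, not write
    })
    bob_am = AuthorizationManager(owner=bob, allowed_rs={
        "phone-app": {"thermostat"},                        # Bob's app may only talk to the thermostat
    })
    return bob_am, alice_as


def single_owner_deployment():
    """The OAuth2-style single-owner case is the same model with both roles held by one party."""
    alice = Principal("alice")
    alice_as = AuthorizationServer(owner=alice, policies={
        ("thermostat", "/temperature"): {"alice": {"GET", "PUT"}},
    })
    alice_am = AuthorizationManager(owner=alice, allowed_rs={"alice-app": {"thermostat"}})
    return alice_am, alice_as


if __name__ == "__main__":
    am, as_ = sample_deployment()
    for req in [("phone-app", "thermostat", "/temperature", "GET"),   # both owners agree
                ("phone-app", "thermostat", "/temperature", "PUT"),   # Alice's AS denies
                ("phone-app", "camera", "/stream", "GET")]:           # Bob's AM and Alice's AS deny
        print(req, decide(am, as_, *req))
```

Keeping the two policy stores apart is what lets each owner change its own rules without touching the other's: Bob can stop his app from contacting the thermostat without Alice's involvement, and Alice can revoke Bob's read access without Bob's. A model that starts from one policy store has no natural place for the second owner's rules, which is the retrofitting difficulty the quoted message anticipates.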