Re: [Ace] Terminology (again)
Stefanie Gerdes <gerdes@tzi.de> Wed, 30 September 2015 10:59 UTC
Return-Path: <gerdes@tzi.de>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B309A1B5CFE for <ace@ietfa.amsl.com>; Wed, 30 Sep 2015 03:59:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.349
X-Spam-Level:
X-Spam-Status: No, score=0.349 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_DE=0.35] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e39MCjuka6-L for <ace@ietfa.amsl.com>; Wed, 30 Sep 2015 03:59:32 -0700 (PDT)
Received: from mailhost.informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0789C1B5CFD for <ace@ietf.org>; Wed, 30 Sep 2015 03:59:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from submithost.informatik.uni-bremen.de (submithost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::b]) by mailhost.informatik.uni-bremen.de (8.14.5/8.14.5) with ESMTP id t8UAxR10016362; Wed, 30 Sep 2015 12:59:27 +0200 (CEST)
Received: from [IPv6:2001:638:708:30da:98b5:c05d:9032:4f6e] (unknown [IPv6:2001:638:708:30da:98b5:c05d:9032:4f6e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by submithost.informatik.uni-bremen.de (Postfix) with ESMTPSA id 3nQvjW0V78z4pTX; Wed, 30 Sep 2015 12:59:27 +0200 (CEST)
To: Ludwig Seitz <ludwig@sics.se>, ace@ietf.org
References: <D23062F0.37BFD%goran.selander@ericsson.com> <560A9F74.6050004@tzi.de> <D2306CB1.37CA7%goran.selander@ericsson.com> <560AACEA.3090102@tzi.org> <06C1350B-F3BA-4783-8E03-432059567D7E@gmail.com> <D2317494.1E026%kepeng.lkp@alibaba-inc.com> <560B9B66.9030302@tzi.org> <560BA6BA.6090805@sics.se>
From: Stefanie Gerdes <gerdes@tzi.de>
X-Enigmail-Draft-Status: N1110
Message-ID: <560BC08E.5090502@tzi.de>
Date: Wed, 30 Sep 2015 12:59:26 +0200
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <560BA6BA.6090805@sics.se>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ace/BjvoVzunKas_dqGNos3p_3RgSn4>
Subject: Re: [Ace] Terminology (again)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2015 10:59:33 -0000
Hi Ludwig, On 09/30/2015 11:09 AM, Ludwig Seitz wrote: > On 2015-09-30 10:20, Carsten Bormann wrote: >> (Pulling the discussion out of a private exchange to the mailing list.) >> >>> I don’t think it is about the definitions not being clear. It is just >>> the >>> names of the nodes, where in the current draft 5 out of 6 terms are >>> imported from the analogous setting in OAuth/UMA and the 6th, CAS, is >>> coined by Carsten. >> >> The definitions in the current WG Actors draft are clear enough for me. >> They are just using terms that mean something different in OAuth. >> >> RFC 6749 says: >> >> authorization server >> The server issuing access tokens to the client after successfully >> authenticating the resource owner and obtaining authorization. >> >> Nope, that's not at all the AS in the Actors draft. >> > > I believe you are making an academic distinction here. Of course there > are differences between how the AS is used in OAuth and how the > different proposals use it in ACE, but the similarities are still quite > striking. > > 1. The ACE AS issues access tokens to the client (via the CAS if there > is one). > > 2. The ACE AS at some point in time will authenticate the resource > owner, when he/she configures the authorization policies that govern how > authorization for that resource can be obtained. > > How is that fundamentally different from the OAuth AS? First of all, we have an authorization manager, i.e. a less-constrained device, that is responsible for the client (what is called CAS in the terminology). That is different from the OAuth model where there is no such actor. If we cling to the OAuth terminology, we are not even allowed to call the Server's authorization manager SAS. It is called AS. That makes things very awkward and incomprehensible. The constrained devices are not capable of managing complex authentication and authorization tasks on their own. They need their authorization managers for that. Owners will not necessarily be present at the time of access. Therefore, the authorization managers will need to represent the owner, manage their authorization policies and security associations, and generate simplified authentication and authorization information that the constrained devices can digest. AMs therefore are the link between the constrained and the less constrained world. I think this is different from what an OAuth authorization server does (We don't call a cow a sheep only because it also has four legs). Authorization Managers can be integrated with OAuth Authorization Servers. An example for that can be found in draft-gerdes-ace-dcaf-examples [1]. > > Also OAuth has usecases where the AS is used in a way that is even more > similar to the ACE proposals (cf. the client credentials grant). > >> I have not yet heard a convincing reason why appropriating terms from a >> different domain is helping us here. What does this do? >> >> 1 -- People coming from the OAuth world will feel at home immediately. >> But that is a treacherous comfort: They'll expect things to be the same >> in the IoT world. They aren't.**) IoT authorization is almost, but not >> entirely, unlike Browser Web authorization. > > I think you underestimate the OAuth people. I am sure those > participating in the ACE work are well aware that there are significant > differences (but also overlaps). > >> 2 -- People coming from the IoT world first have to learn the OAuth >> terminology. I teach this stuff, and I can tell you, that terminology >> is suboptimal for learners. When they are done with this, see 1. > > They will have to learn some authorization terminology, so why not use > an existing one instead of making up yet another? > >> Choosing terms that are adapted to what we are actually trying to do has >> none of these problems, and it also allows to choose terms that are easy >> to remember and have the right connotations***). > > Instead we have the much bigger problem that we force people to learn > yet another set of (totally new) terminology which will lead to even > more confusion when the web world needs to interact with the IoT world > and the terminology is not aligned. I'd rather have people learn a new terminology and really understand what it means. As we have seen, people are already confused by the CAS-AS-RqP-RO-Terminology. This is the chance to use a terminology that is easier to digest. Best regards, Steffi [1] https://tools.ietf.org/pdf/draft-gerdes-ace-dcaf-examples-00.pdf
- Re: [Ace] Terminology (again) Carsten Bormann
- Re: [Ace] Terminology (again) Erik Wahlström neXus
- Re: [Ace] Terminology (again) Stefanie Gerdes
- Re: [Ace] Terminology (again) Carsten Bormann
- Re: [Ace] Terminology (again) Ludwig Seitz
- Re: [Ace] Terminology (again) Carsten Bormann
- Re: [Ace] Terminology (again) Stefanie Gerdes
- Re: [Ace] Terminology (again) Paul Madsen
- Re: [Ace] Terminology (again) Eve Maler