IETF Logo Mail Archive

Re: [Ace] Terminology (again)

Eve Maler <eve@xmlgrrl.com> Wed, 30 September 2015 18:47 UTC

Return-Path: <eve@xmlgrrl.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C7D51A88F7 for <ace@ietfa.amsl.com>; Wed, 30 Sep 2015 11:47:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FROM_DOMAIN_NOVOWEL=0.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pPvVrflhywZA for <ace@ietfa.amsl.com>; Wed, 30 Sep 2015 11:47:05 -0700 (PDT)
Received: from mail.promanage-inc.com (eliasisrael.com [50.47.36.5]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 298DC1A88F2 for <ace@ietf.org>; Wed, 30 Sep 2015 11:47:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.promanage-inc.com (Postfix) with ESMTP id 2101894445DB; Wed, 30 Sep 2015 11:47:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at promanage-inc.com
Received: from mail.promanage-inc.com ([127.0.0.1]) by localhost (greendome.promanage-inc.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XghcrK8ArRgS; Wed, 30 Sep 2015 11:47:02 -0700 (PDT)
Received: from [10.28.129.163] (unknown [64.79.133.106]) by mail.promanage-inc.com (Postfix) with ESMTPSA id 4511C94445C3; Wed, 30 Sep 2015 11:47:02 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: text/plain; charset="windows-1252"
From: Eve Maler <eve@xmlgrrl.com>
In-Reply-To: <560BEA52.1050805@gmail.com>
Date: Wed, 30 Sep 2015 11:47:01 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <CA207111-5D75-49F3-90E0-C5CD46B661B7@xmlgrrl.com>
References: <D23062F0.37BFD%goran.selander@ericsson.com> <560A9F74.6050004@tzi.de> <D2306CB1.37CA7%goran.selander@ericsson.com> <560AACEA.3090102@tzi.org> <06C1350B-F3BA-4783-8E03-432059567D7E@gmail.com> <D2317494.1E026%kepeng.lkp@alibaba-inc.com> <560B9B66.9030302@tzi.org> <560BA6BA.6090805@sics.se> <560BC08E.5090502@tzi.de> <560BEA52.1050805@gmail.com>
To: Paul Madsen <paul.madsen@gmail.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ace/IFM8U35Fu8llMnDsvfR1nJtlMh4>
Cc: ace@ietf.org
Subject: Re: [Ace] Terminology (again)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2015 18:47:07 -0000

Hi folks— Yes, UMA has used OAuth-aligned terminology for some time now. BTW, the final V!.0 UMA specs are here:

https://docs.kantarainitiative.org/uma/rec-uma-core-v1_0.html
https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0.html

And there are even draft versions of patch releases out for review:

https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html
https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg-v1_0_1.html

(I’ll see about a more rationalized way of doing Kantara spec links/publications to ensure that mentions of the V1.0 draft get you to the latest version somehow.)

Today I happened to publish a diagram that may help in understanding the relationship between UMA and OAuth role terminology. This has come up in previous ACE discussions as well, so it seems to make sense to link it here too:

https://groups.google.com/forum/#!topic/kantara-initiative-uma-wg/DEfEjoBfFxs

In UMA, the user of the client (what UMA calls the requesting party) typically has to undergo a process of trust elevation, which requires that they authenticate to and/or present claims to the AS (same AS as the resource owner's) in order to get authorization to access the protected resource.

	Eve

> On 30 Sep 2015, at 6:57 AM, Paul Madsen <paul.madsen@gmail.com> wrote:
> 
> On the call I asserted that UMA used AM for 'Authorization Manager'
> 
> In looking at the UMA spec [https://docs.kantarainitiative.org/uma/draft-uma-core.html], it seems I was wrong.
> 
> I do believe earlier versions of UMA did define 'AM' but presumably they subsequently decided to deprecate in favour of AS (and so stay consistent with OAuth)
> 
> Regards
> 
> Paul
> 
> On 9/30/15 6:59 AM, Stefanie Gerdes wrote:
>> Hi Ludwig,
>> 
>> On 09/30/2015 11:09 AM, Ludwig Seitz wrote:
>>> On 2015-09-30 10:20, Carsten Bormann wrote:
>>>> (Pulling the discussion out of a private exchange to the mailing list.)
>>>> 
>>>>> I don’t think it is about the definitions not being clear. It is just
>>>>> the
>>>>> names of the nodes, where in the current draft 5 out of 6 terms are
>>>>> imported from the analogous setting in OAuth/UMA and the 6th, CAS, is
>>>>> coined by Carsten.
>>>> The definitions in the current WG Actors draft are clear enough for me.
>>>> They are just using terms that mean something different in OAuth.
>>>> 
>>>> RFC 6749 says:
>>>> 
>>>>     authorization server
>>>>        The server issuing access tokens to the client after successfully
>>>>        authenticating the resource owner and obtaining authorization.
>>>> 
>>>> Nope, that's not at all the AS in the Actors draft.
>>>> 
>>> I believe you are making an academic distinction here. Of course there
>>> are differences between how the AS is used in OAuth and how the
>>> different proposals use it in ACE, but the similarities are still quite
>>> striking.
>>> 
>>> 1. The ACE AS issues access tokens to the client (via the CAS if there
>>> is one).
>>> 
>>> 2. The ACE AS at some point in time will authenticate the resource
>>> owner, when he/she configures the authorization policies that govern how
>>> authorization for that resource can be obtained.
>>> 
>>> How is that fundamentally different from the OAuth AS?
>> First of all, we have an authorization manager, i.e. a less-constrained
>> device, that is responsible for the client (what is called CAS in the
>> terminology). That is different from the OAuth model where there is no
>> such actor. If we cling to the OAuth terminology, we are not even
>> allowed to call the Server's authorization manager SAS. It is called AS.
>> That makes things very awkward and incomprehensible.
>> 
>> The constrained devices are not capable of managing complex
>> authentication and authorization tasks on their own. They need their
>> authorization managers for that. Owners will not necessarily be present
>> at the time of access. Therefore, the authorization managers will need
>> to represent the owner, manage their authorization policies and security
>> associations, and generate simplified authentication and authorization
>> information that the constrained devices can digest. AMs therefore are
>> the link between the constrained and the less constrained world.
>> 
>> I think this is different from what an OAuth authorization server does
>> (We don't call a cow a sheep only because it also has four legs).
>> Authorization Managers can be integrated with OAuth Authorization
>> Servers. An example for that can be found in
>> draft-gerdes-ace-dcaf-examples [1].
>> 
>>> Also OAuth has usecases where the AS is used in a way that is even more
>>> similar to the ACE proposals (cf. the client credentials grant).
>>> 
>>>> I have not yet heard a convincing reason why appropriating terms from a
>>>> different domain is helping us here.  What does this do?
>>>> 
>>>> 1 -- People coming from the OAuth world will feel at home immediately.
>>>> But that is a treacherous comfort: They'll expect things to be the same
>>>> in the IoT world.  They aren't.**)  IoT authorization is almost, but not
>>>> entirely, unlike Browser Web authorization.
>>> I think you underestimate the OAuth people. I am sure those
>>> participating in the ACE work are well aware that there are significant
>>> differences (but also overlaps).
>>> 
>>>> 2 -- People coming from the IoT world first have to learn the OAuth
>>>> terminology.  I teach this stuff, and I can tell you, that terminology
>>>> is suboptimal for learners.  When they are done with this, see 1.
>>> They will have to learn some authorization terminology, so why not use
>>> an existing one instead of making up yet another?
>>> 
>>>> Choosing terms that are adapted to what we are actually trying to do has
>>>> none of these problems, and it also allows to choose terms that are easy
>>>> to remember and have the right connotations***).
>>> Instead we have the much bigger problem that we force people to learn
>>> yet another set of (totally new) terminology which will lead to even
>>> more confusion when the web world needs to interact with the IoT world
>>> and the terminology is not aligned.
>> I'd rather have people learn a new terminology and really understand
>> what it means. As we have seen, people are already confused by the
>> CAS-AS-RqP-RO-Terminology. This is the chance to use a terminology that
>> is easier to digest.
>> 
>> Best regards,
>> Steffi
>> 
>> [1] https://tools.ietf.org/pdf/draft-gerdes-ace-dcaf-examples-00.pdf
>> 
>> _______________________________________________
>> Ace mailing list
>> Ace@ietf.org
>> https://www.ietf.org/mailman/listinfo/ace
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace


Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com

v2.23.0 | Report a Bug | By Email