Re: [Ace] Context-based Authorization
"Kumar, Sandeep" <sandeep.kumar@philips.com> Tue, 15 July 2014 07:30 UTC
From: "Kumar, Sandeep" <sandeep.kumar@philips.com>
To: Ludwig Seitz <ludwig@sics.se>, "ace@ietf.org" <ace@ietf.org>
Date: Tue, 15 Jul 2014 07:29:44 +0000
Message-ID: <BE6D13F6A4554947952B39008B0DC0153E7D4731@DBXPRD9003MB059.MGDPHG.emi.philips.com>
References: <34966E97BE8AD64EAE9D3D6E4DEE36F258177EE3@SZXEMA501-MBS.china.huawei.com> <53C4C5D6.30503@sics.se>
In-Reply-To: <53C4C5D6.30503@sics.se>
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/Lkv6mJePxbZRrMLZpph-5Vi0i4U
List-Id: "Authentication and Authorization for Constrained Environments (ace)" <ace.ietf.org>
> -----Original Message-----
> From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Ludwig Seitz
>
> On 07/15/2014 05:19 AM, Likepeng wrote:
> > Hi all,
> >
> > Personally I am wondering whether or not we should support
> > context-based authorization indicated in
> > http://tools.ietf.org/html/draft-seitz-ace-usecases-01.
> >
> > For U2.4, do we want to achieve something like this: if time is 9:00 ~
> > 18:00, Client A is allowed to turn on a light, but Client B is not allowed?
>
> Yes, that's one example.
>
> >
> > To me, this is purely Resource Server side policy setting and
> > enforcement. Does it require any information exchange with
> > Authorization Server? Is it necessary?
>
> We are moving away from requirements here and getting into solutions, but
> for the sake of clarification: I don't think this kind of policy should be on the
> RS, it should be maintained and managed by the AS, for the same reasons we
> want all the other authorization policies to be on the AS. The solution I have
> in mind is conditional authorization decisions in the style: "You are
> permitted to turn on the light, provided it is between 9:00 and 18:00".
>

[SK] Completely agree with Ludwig. Context-based policies are very relevant in
IoT if they need to invisibly mesh with our daily lives. How to implement it is
something we need to discuss during the solution phase. However, to me this does
not sound like only an RS-side policy setting, since the RS still needs to figure
out whether it was A or B who is allowed within that context. Enforcement could
be RS-side, depending on the ability of the RS to verify context.

regards
Sandeep
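The conditional-decision model Ludwig describes above, together with the two RS-side questions Sandeep raises (was it A or B, and can the RS actually verify the context?), as an added example written for this page; it is not code from the ACE working group, from draft-seitz-ace-usecases-01 or from any ACE protocol. The token format is hypothetical: JSON claims with an HMAC-SHA256 tag over a symmetric key assumed to be shared between AS and RS out of band, and the client identity is assumed to come from whatever channel authentication the RS already performs. It goes slightly beyond the 9:00-18:00 case on the page by also handling a window that crosses midnight and a condition type the RS does not understand (which it refuses, fail-closed).

```python
"""Added example (not ACE draft code): an AS issues a conditional
authorization decision, the RS verifies it and evaluates the condition."""
import hashlib
import hmac
import json
from datetime import datetime, time

# Assumption: AS and RS share this key out of band (constructed value).
AS_RS_KEY = b"constructed-example-key-do-not-reuse"


def _canonical(claims):
    """Deterministic encoding so AS and RS MAC exactly the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def as_issue(client_id, resource, action, conditions, key=AS_RS_KEY):
    """Authorization Server: bind one decision to one client, one
    resource/action and the conditions the RS must check before acting,
    e.g. {"time_window": ["09:00", "18:00"]}."""
    claims = {"sub": client_id, "res": resource, "act": action, "cond": conditions}
    payload = _canonical(claims)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def _in_window(now_t, start, end):
    """True if now_t lies in [start, end). end <= start means the window
    crosses midnight (22:00-06:00); start == end is an empty window."""
    if start == end:
        return False
    if start < end:
        return start <= now_t < end
    return now_t >= start or now_t < end


def rs_decide(token, authenticated_client, resource, action, now=None, key=AS_RS_KEY):
    """Resource Server: verify the AS decision, then evaluate its conditions.

    authenticated_client is whoever the RS authenticated on its own channel
    (assumed, outside this snippet). now is the RS's trusted clock, or None
    if it has none. Returns (allowed, reason); every failure is fail-closed.
    """
    payload = token["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        return False, "token MAC invalid"
    claims = json.loads(payload)
    # The RS must still tell A from B: the decision is bound to a subject,
    # so B presenting A's token gets nothing.
    if claims["sub"] != authenticated_client:
        return False, "token issued to a different client"
    if claims["res"] != resource or claims["act"] != action:
        return False, "token does not cover this resource/action"
    for name, value in claims.get("cond", {}).items():
        if name == "time_window":
            # Context the RS can verify only if it has a trusted clock.
            if now is None:
                return False, "cannot evaluate time_window: RS has no trusted clock"
            start, end = (time.fromisoformat(v) for v in value)
            if not _in_window(now.time(), start, end):
                return False, "outside permitted time window"
        else:
            # Context the RS cannot verify: it must not act on the decision.
            return False, "unsupported condition %r" % name
    return True, "permitted"


def demo():
    """The page's scenario (A may turn the light on 09:00-18:00, B may not)
    plus the failure modes; returns {scenario: (allowed, reason)}."""
    ten = datetime(2014, 7, 15, 10, 0)
    tok = as_issue("A", "/light", "on", {"time_window": ["09:00", "18:00"]})
    # Attacker re-labels the payload without the key: MAC no longer matches.
    tampered = dict(tok, payload=tok["payload"].replace('"sub":"A"', '"sub":"B"'))
    night = as_issue("A", "/light", "on", {"time_window": ["22:00", "06:00"]})
    geo = as_issue("A", "/light", "on", {"geofence": "building-1"})
    return {
        "A at 10:00": rs_decide(tok, "A", "/light", "on", now=ten),
        "B with A's token": rs_decide(tok, "B", "/light", "on", now=ten),
        "A at 20:00": rs_decide(tok, "A", "/light", "on", now=datetime(2014, 7, 15, 20, 0)),
        "A at 18:00 sharp": rs_decide(tok, "A", "/light", "on", now=datetime(2014, 7, 15, 18, 0)),
        "A, RS has no clock": rs_decide(tok, "A", "/light", "on", now=None),
        "B with re-labelled token": rs_decide(tampered, "B", "/light", "on", now=ten),
        "A at 23:00, night window": rs_decide(night, "A", "/light", "on",
                                              now=datetime(2014, 7, 15, 23, 0)),
        "A, unknown condition": rs_decide(geo, "A", "/light", "on", now=ten),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print("%-26s %s" % (scenario, result))
```

The design choice worth noting: the policy lives on the AS, but the RS still does two things it cannot delegate, matching the authenticated peer against the subject the decision was issued for, and evaluating the context with whatever it can trust locally. When it cannot (no clock, unknown condition type), it denies rather than guesses.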