IETF Logo Mail Archive

Re: [Ace] Transaction model

Olaf Bergmann <bergmann@tzi.org> Wed, 08 April 2015 14:00 UTC

Return-Path: <bergmann@tzi.org>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D90AB1A924B for <ace@ietfa.amsl.com>; Wed, 8 Apr 2015 07:00:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.349
X-Spam-Level:
X-Spam-Status: No, score=0.349 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_DE=0.35] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0uh_mkUWqsBh for <ace@ietfa.amsl.com>; Wed, 8 Apr 2015 07:00:00 -0700 (PDT)
Received: from mailhost.informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB38A1A87EB for <ace@ietf.org>; Wed, 8 Apr 2015 06:59:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from submithost.informatik.uni-bremen.de (submithost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::b]) by mailhost.informatik.uni-bremen.de (8.14.5/8.14.5) with ESMTP id t38DxkTN004910; Wed, 8 Apr 2015 15:59:46 +0200 (CEST)
Received: from aung.tzi.org (unknown [IPv6:2001:638:708:30da:542c:ae99:2d81:3421]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by submithost.informatik.uni-bremen.de (Postfix) with ESMTPSA id 3lMS0K4w2Cz2t62; Wed, 8 Apr 2015 15:59:45 +0200 (CEST)
From: Olaf Bergmann <bergmann@tzi.org>
To: Eve Maler <eve@xmlgrrl.com>
Date: Wed, 08 Apr 2015 15:59:13 +0200
References: <CADrU+dJpJfpV57yomG+ES=mGcgRHy83LwDDK=4Y3HEpDuh5QKw@mail.gmail.com> <6031F4A5-C715-41E5-88D8-4D58C34EA73B@xmlgrrl.com>
Message-ID: <87384azpny.fsf@tzi.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/ace/SQmu1p1PRnVO7eniW0K1XlvN49c>
Cc: robert.cragie@gridmerge.com, "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] Transaction model
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Apr 2015 14:00:06 -0000

Eve,

Eve Maler <eve@xmlgrrl.com> writes:

> This nicely symmetrical diagram may be obscuring the fact that the
> relationship is still pretty asymmetrical. The client, by virtue of
> wanting a resource that it has identified (or whose location it has
> been provisioned with), essentially “trusts” that resource and
> resource server already. And because it is in the position of
> requesting the resource (let’s think of it as a “request-response”
> pattern), there’s already an asymmetry there too. The policy that the
> client and its owner thus apply to the proposition thus typically
> happen “off-stage” with respect to the authn/authz aspects of the
> picture.

The ACE problem statement as presented, e.g., during the WG session in
Dallas, clearly states that Client and Server do not know each other a
priori. Therefore, you cannot automatically assume that there is
pre-established "trust" between the client and the resource server.

For example, the client may have discovered the resource server and its
capabilities by searching a resource directory. Now, before it can
access that resource server, it has to check if the client owner (who
may or may not be the same individual as the resource owner) allows
this.

Sure, you can do this "off-stage", as pointed out in
<http://www.ietf.org/mail-archive/web/ace/current/msg01026.html>, and
there is a lot of authorization protocols that do this. The question
here is whether or not this authorization step is documented. The actors
draft documents this to avoid always having to say that there is this
pre-requisite of having installed a policy (which might be hidden in
program code, of course) out-of-band that establishes the trust between
client and resource server.

> (There is, I believe, one main difference between the UMA model and
> the DCAF-ish model other than terminology. In UMA, the CO/requesting
> party can be represented not just through an “AM”, but by claims
> gathered by a flexible choice of sources: the AS (on the RO side), the
> client, some other third-party identity/claim providers, etc.)

DCAF follows the generic model from the actors draft where the CO/RqP
may or may not be identical with the RO or something else. The nice
thing about the actors model is that it entirely covers the UMA model
(and all others on the table). The major difference between the actors
model and OAuth/UMA etc. is that it explicitly documents the CO/RqP-AM
part in terms of the tasks that are required to check that the
propositions you have mentioned really apply.

The mechanism described in draft-maler-ace-oauth-uma, e.g., perfectly
fits into the actor model (the client and the AM in this protocol would
reside non-distinguishable in the same piece of software).

DCAF also fits into this model, but with DCAF, you have the option to
create an AM that actively performs AM's tasks. This could be a separate
box or another process on the same device, or even the AS. One nice
characteristic of DCAF is that the implementer of the client side can
decide if she wants to have an explicit AM or combine it with the
client. The latter would be the same as UMA/OAuth do.

Grüße
Olaf

v2.23.0 | Report a Bug | By Email