Re: [Ace] New doc: draft-maler-ace-oauth-uma-00
Eve Maler <eve@xmlgrrl.com> Fri, 03 April 2015 00:37 UTC
Return-Path: <eve@xmlgrrl.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EA911A8991 for <ace@ietfa.amsl.com>; Thu, 2 Apr 2015 17:37:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FROM_DOMAIN_NOVOWEL=0.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lVUcg5hd5jAw for <ace@ietfa.amsl.com>; Thu, 2 Apr 2015 17:37:31 -0700 (PDT)
Received: from mail.promanage-inc.com (eliasisrael.com [50.47.36.5]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC3D81A8990 for <ace@ietf.org>; Thu, 2 Apr 2015 17:37:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.promanage-inc.com (Postfix) with ESMTP id B5FAB7731043; Thu, 2 Apr 2015 17:37:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at promanage-inc.com
Received: from mail.promanage-inc.com ([127.0.0.1]) by localhost (greendome.promanage-inc.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M17ZSh4zrHXV; Thu, 2 Apr 2015 17:37:29 -0700 (PDT)
Received: from [192.168.168.101] (unknown [192.168.168.101]) by mail.promanage-inc.com (Postfix) with ESMTPS id 7F6727731031; Thu, 2 Apr 2015 17:37:29 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Content-Type: text/plain; charset="us-ascii"
From: Eve Maler <eve@xmlgrrl.com>
In-Reply-To: <E91E6B50-4FAD-4F11-8C99-0BBEBBEC4DDD@mit.edu>
Date: Thu, 02 Apr 2015 17:37:28 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <91A503A1-BD0D-4ABB-9081-48947673859A@xmlgrrl.com>
References: <59F1C792-B108-4DEC-8B5F-94CA8DC19BF8@xmlgrrl.com> <, > <87vbhpv13k.fsf@tzi.org> <E91E6B50-4FAD-4F11-8C99-0BBEBBEC4DDD@mit.edu>
To: Olaf Bergmann <bergmann@tzi.org>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ace/w6X7tI4IANhXCl-W15ZU3ZjGjxI>
Cc: "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] New doc: draft-maler-ace-oauth-uma-00
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2015 00:37:33 -0000
Hopefully it won't be too confusing if I offer a bit more nuance on top of Thomas's answer. (Sorry, I was away on a cruise ship last week and am just catching up on email!)
Registering a permission is, in fact, a required step. The *extent* of the permission is a judgment call that the resource server is allowed to apply. ("The resource server is free to choose the extent of the requested permission that it registers, as long as it minimally suffices for the access attempted by the client.")
You don't strictly need to create a profile of UMA that defines any missing parts at all; there are default (and, in some cases, mandatory-to-implement) profiles that you can use in all cases. However, in practice, there are points of variability where it is very likely that you will want to lock down deployment choices. The HEART WG is one example of a community of interest doing this profiling for both security and semantic reasons (health data sharing, in that case).
I, for one, don't actually believe that permission tickets are an area that will require profiling in most cases, because it's an artifact that is produced and consumed solely by the authorization server. However, I'm aware of some discussions around profiling permission tickets for various clever purposes. It's entirely okay to consider doing this.
Hopefully these thoughts are helpful.
Eve
> On 25 Mar 2015, at 9:14 AM, Thomas Hardjono <hardjono@mit.edu> wrote:
>
> Hi Olaf,
>
> In order to use UMA in a given IoT scenario, you will need to create a profile of UMA that defines the "missing parts", such as the contents of the permission ticket. This is what the HEART WG is doing in the OIF.
>
>
> /thomas/
>
>
>
>
>> On Mar 25, 2015, at 06:11, Olaf Bergmann <bergmann@tzi.org> wrote:
>>
>> Eve,
>>
>> Eve Maler <eve@xmlgrrl.com> writes:
>>
>>> http://tools.ietf.org/html/draft-maler-ace-oauth-uma-00
>>
>> Thanks for sharing this.
>>
>> One question: draft-hardjono-oauth-umacore-12 specifies that when a
>> client attempts to access a protected resource, the resource server must
>> register a requested permission with its authorization server to get an
>> RPT that the client must present to the authorization server. From
>> reading Section 5 of draft-maler-ace-oauth-uma, it is unclear to me
>> whether or not this step is required in this profile. Can you clarify
>> how this is supposed to work?
>>
>> Thanks
>> Olaf
>>
>> _______________________________________________
>> Ace mailing list
>> Ace@ietf.org
>> https://www.ietf.org/mailman/listinfo/ace
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
- Re: [Ace] New doc: draft-maler-ace-oauth-uma-00 Olaf Bergmann
- Re: [Ace] New doc: draft-maler-ace-oauth-uma-00 Thomas Hardjono
- Re: [Ace] New doc: draft-maler-ace-oauth-uma-00 Olaf Bergmann
- Re: [Ace] New doc: draft-maler-ace-oauth-uma-00 Thomas Hardjono
- Re: [Ace] New doc: draft-maler-ace-oauth-uma-00 Eve Maler
- [Ace] New doc: draft-maler-ace-oauth-uma-00 Eve Maler