Re: [hrpc] [Iotops] Authorization for IoT devices

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 28 July 2021 18:45 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "hrpc@irtf.org" <hrpc@irtf.org>, "iotops@ietf.org" <iotops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/N9IwvPtP5hSUYWHV21jcaqu7N2Q>

Hi Michael,

~snip!
    Hannes> OAuth: Some of those scopes have been standardized.

Michael: Thank you for confirming my understanding.
Michael: I'm looking for a standard for the rules.
Michael: Why? because auditing, because humans need to understand them, because configuring the rules needs to be something non-experts can do.

Here are some examples of what has been standardized:

Section 5.4 of the OpenID Connect Core specification defines a few scope values related to identity management:
https://openid.net/specs/openid-connect-core-1_0.html

The healthcare specification in the OIDF defines scopes in their "Health Relationship Trust (HEART)" specification:
https://openid.net/specs/openid-heart-fhir-oauth2-1_0.html

More specs of the OIDF from other application domains can be found here:
https://openid.net/developers/specs/

In the OAuth working group we also have some work on scopes as part of the work on rich authorization requests. See Appendix A for examples:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-05


    > There has also been an attempt to standardize more generic ACLs,
    > see draft-ietf-ace-aif.

Michael: Not even close, I think.

This is work in progress; so you can suggest changes.
You could push it all the way to turn it into XACML:
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml


    mcr> If I'm wrong please correct me.
    mcr> How would ACE-OAuth identify the local Sheriff?

    Hannes> The purpose of an authorization framework is not to identify a
    Hannes> specific person. That's the role of an identity management
    Hannes> framework.

Michael: It's not a specific person, it's a specific role in a particular geography.
Michael: That's why this problem is non-trivial.

This is why you will have to work out standards for certain application domains since otherwise this will get so complex that nobody is going to use it.

    > If you also want to add the identity management piece to ACE/OAuth
    > (which people have obviously done), then you can add OpenID Connect
    > and, for example, FIDO to the mix.

Michael: If we can really do this with those specifications, I'd be interested in knowing how, or seeing an example of a system which has done that.

FIDO has a whitepaper that talks about the interaction between FIDO and identity management technology, see
https://media.fidoalliance.org/wp-content/uploads/Enterprise_Adoption_Best_Practices_Federation_FIDO_Alliance.pdf
https://fidoalliance.org/fido-and-federation-protocols-tech-note/

FWIW we, as part of Pelion, even have a product doing this for IoT use cases. I blogged about it a while ago:
https://community.arm.com/developer/research/b/articles/posts/mbed-secure-device-access-enhancing-iot-device-management-with-user-authentication-and-fine-grained-access-control
Here is some more info about the product called "Secure Device Access":
https://developer.pelion.com/docs/device-management/v4.1/sda/index.html

Michael: I'm actually convinced that we don't need a lot of new work ("new ingredients") to make things go, but I think that we need a clear architecture on combining existing work ("better recipes")

That would obviously be good.

Ciao
Hannes

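Editor's note: the message above contrasts application-domain scopes (OIDC, HEART, the OAuth rich authorization requests draft) with the more generic ACL format of draft-ietf-ace-aif, and Michael's objection is that the rules must be auditable by humans and configurable by non-experts. The block below is an added illustration of that contrast; it is not code from the message, from Arm, Pelion or any of the referenced specifications. It assumes the REST-specific AIF model as I read the ACE draft: an array of [Toid, Tperm] pairs where Toid is the local URI path and Tperm is an integer bitmask with bit (CoAP method code - 1) set for each permitted method. The RAR-style entry is constructed for this example and its "type" value is invented; the AIF ACL is shown as JSON arrays for readability rather than the CBOR form a constrained device would carry.

```python
"""Added example: one authorization rule in two standardized shapes.

Assumptions (the editor's, not the message author's):
- AIF encoding follows the REST-specific model of draft-ietf-ace-aif:
  [[Toid, Tperm], ...], Tperm bit = CoAP method code - 1.
- The RAR entry is hand-written in the style of authorization_details
  from draft-ietf-oauth-rar; the "type" string is invented here.
"""
from __future__ import annotations
import json

# CoAP method codes (RFC 7252, RFC 8132) from which the AIF bits are derived.
COAP_METHODS = {"GET": 1, "POST": 2, "PUT": 3, "DELETE": 4,
                "FETCH": 5, "PATCH": 6, "iPATCH": 7}


def aif_perm(methods) -> int:
    """Fold a list of method names into an AIF Tperm bitmask."""
    perm = 0
    for m in methods:
        perm |= 1 << (COAP_METHODS[m] - 1)
    return perm


def aif_methods(perm: int) -> list:
    """Inverse of aif_perm: expand a bitmask back to method names (for auditing)."""
    return [m for m, code in COAP_METHODS.items() if perm & (1 << (code - 1))]


def rar_to_aif(authorization_details) -> list:
    """Translate RAR-style entries into an AIF ACL.

    Only 'locations' and 'actions' are consumed; the remaining RAR fields
    (type, datatypes, ...) have no AIF counterpart and are dropped, which is
    exactly the information loss a reviewer would want to see spelled out.
    """
    acl = []
    for entry in authorization_details:
        perm = aif_perm(entry.get("actions", []))
        for loc in entry.get("locations", []):
            acl.append([loc, perm])
    return acl


def is_permitted(acl, path: str, method: str) -> bool:
    """Resource-server side decision: exact path match and the method bit set.

    Deny-by-default: a path with no entry, or a method whose bit is clear,
    is refused.
    """
    bit = 1 << (COAP_METHODS[method] - 1)
    return any(toid == path and (tperm & bit) for toid, tperm in acl)


def explain(acl) -> list:
    """Human-readable rendering of an AIF ACL, one line per resource."""
    return [f"{toid}: {', '.join(aif_methods(perm))}" for toid, perm in acl]


# Constructed sample in RAR style (not taken from any specification).
SAMPLE_RAR = [
    {"type": "iot-device-control", "locations": ["/s/temp"], "actions": ["GET"]},
    {"type": "iot-device-control", "locations": ["/a/led"], "actions": ["GET", "PUT"]},
]

if __name__ == "__main__":
    acl = rar_to_aif(SAMPLE_RAR)
    print(json.dumps(acl))           # compact form: [["/s/temp", 1], ["/a/led", 5]]
    for line in explain(acl):        # audit form a non-expert can read
        print(line)
    print(is_permitted(acl, "/a/led", "PUT"))     # True
    print(is_permitted(acl, "/a/led", "DELETE"))  # False
```

The point of carrying both forms is that the compact bitmask is what fits in a CoAP/CBOR token for the device, while the expanded form is what an operator or auditor reads; the translation between them is mechanical, but anything the domain-specific RAR entry expresses beyond path and method does not survive into the generic ACL.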