Re: [ogpx] Protocol for permitting policy decisions

[Morgaine <morgaine.dinova@googlemail.com>]

On Wed, Oct 7, 2009 at 11:13 PM, Joshua Bell <josh@lindenlab.com> wrote:

>
> VW1 and VW2 want to enable inter-VW tourism (i.e. AD1 agents can visit
> RD2). VW2 has a policy that they only allow in users of a certain quality
> (e.g. "speaks Latin"). Only a subset of AD1 agents have that quality.
> Therefore, RD2 would only accept teleports of AD1 agents that have that
> quality (based on the sort of handshake discussed earlier in this thread).
> However, RD2 needs some trust relationship with AD1, otherwise malicious AD3
> can come along which claims all of its users speak Latin and its users slip
> in. So VW1 and VW2 trade keys and sign some paperwork, and at that point
> (while the lawyers are busy) they could handshake on sharing "agent
> linguistic information profile v2.3" data.
>


That's a great description of the ultimate interop dystopia in which,
through definition of arbitrary set membership criteria by an arbitrary
number of policy makers, the result of transitive policy transference and
policy intersection is that the set of visitable worlds is the empty set.

Are we trying to create an interop protocol here, or a protocol for
preventing interop?

I'm leaning ever more strongly towards David's position that only services
should carry expressions of policy, not domains, because in the direction in
which this discussion is heading there will be no widespread interop at all.

Imagine if SMTP had been specified to manage a set of content-defining
keywords and to block anything unacceptable to an MTA's "policy" based on
such tagged content.  And then (this is the killer), imagine if *sources of
email had to adhere to such tag policies transitively*.  There would either
be no email except from closed groups, or the whole tagging thing would be
such a farce that it would be ignored.

For now, I'm affirming even more strongly Vaughn's principle of *advisary
policy only*  ---
http://www.ietf.org/mail-archive/web/ogpx/current/msg00524.html .  Anything
else is a recipe for building walled gardens and widespread denial of
interop through contagion.


Morgaine.






==========================================

On Wed, Oct 7, 2009 at 11:13 PM, Joshua Bell <josh@lindenlab.com> wrote:

> On Wed, Oct 7, 2009 at 2:07 PM, Meadhbh Hamrick <meadhbh.siobhan@gmail.com
> > wrote:
>
>> oh. hey. so i was just thinking about the "should we define global
>> keys for region meta-data?" question.
>>
>> i think if we were to move forward with the AD telling the RD what
>> it's concerned about plan, we _should_ have global identifiers. i just
>> think that if everyone had different identifiers for the same concept,
>> you would get protocol interop, but you would still have systems that
>> don't know what each other are talking about.
>>
>
> Thinking while I type here - these aren't finished thoughts, just some
> brainstorms:
>
> So fundamental to this, we're talking about one system making policy
> decisions based on data from another system that's in a different trust
> domain (e.g. separate organizations). That implies to me that they must have
> done an out-of-band trust negotiation, otherwise they have no reason to, er,
> trust the data, so the policy decision is advisory at best. And at that
> point, wouldn't we assume they're attempting to actively enable system
> interop and would therefore also have that opportunity to agree on a
> concept/identifier set? IMHO, that wouldn't live in the protocol itself, but
> perhaps a standard set of interchange profiles...
>
> Sample scenario (using the VW1=AD1+RD1, VW2=AD2+RD2 rough terminology we've
> been batting about):
>
> VW1 and VW2 want to enable inter-VW tourism (i.e. AD1 agents can visit
> RD2). VW2 has a policy that they only allow in users of a certain quality
> (e.g. "speaks Latin"). Only a subset of AD1 agents have that quality.
> Therefore, RD2 would only accept teleports of AD1 agents that have that
> quality (based on the sort of handshake discussed earlier in this thread).
> However, RD2 needs some trust relationship with AD1, otherwise malicious AD3
> can come along which claims all of its users speak Latin and its users slip
> in. So VW1 and VW2 trade keys and sign some paperwork, and at that point
> (while the lawyers are busy) they could handshake on sharing "agent
> linguistic information profile v2.3" data.
>
> On the other hand, there might be more hard-core requirements (age,
> security clearance, etc) that would use different profiles.
>
> Hopefully there's also the nil-trust case where this information might be
> shared on a purely informational basis - e.g. even ADx asserts some quality
> about an agent to RDy, ADx feels comfortable broadcasting that information
> (since it can't trust that RDy will keep it confidential) and RDy feels
> comfortable using that information even without trusting it (since it has no
> reason to believe ADx is telling the truth).
>
> Now... this all doesn't sound like it should new. I'm vaguely reminded of
> W3C's PICS (which died quietly after negligible adoption), but there weren't
> two active (and potentially liable...) entities involved in that, just the
> single provider and user. Surely there are other examples?
>
>
> _______________________________________________
> ogpx mailing list
> ogpx@ietf.org
> https://www.ietf.org/mailman/listinfo/ogpx
>
>