Re: [ogpx] Protocol for permitting policy decisions
Infinity Linden <infinity@lindenlab.com> Mon, 05 October 2009 19:38 UTC
Return-Path: <infinity@lindenlab.com>
X-Original-To: ogpx@core3.amsl.com
Delivered-To: ogpx@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 965F828C225 for <ogpx@core3.amsl.com>;
Mon, 5 Oct 2009 12:38:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.8
X-Spam-Level:
X-Spam-Status: No, score=-1.8 tagged_above=-999 required=5 tests=[AWL=0.177,
BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ycXuSAPQIrC for
<ogpx@core3.amsl.com>; Mon, 5 Oct 2009 12:37:59 -0700 (PDT)
Received: from mail-pz0-f197.google.com (mail-pz0-f197.google.com
[209.85.222.197]) by core3.amsl.com (Postfix) with ESMTP id 7ECC43A686B for
<ogpx@ietf.org>; Mon, 5 Oct 2009 12:37:59 -0700 (PDT)
Received: by pzk35 with SMTP id 35so1387887pzk.29 for <ogpx@ietf.org>;
Mon, 05 Oct 2009 12:39:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.250.6 with SMTP id x6mr30370wfh.292.1254771572578;
Mon, 05 Oct 2009 12:39:32 -0700 (PDT)
In-Reply-To: <983F17705339E24699AA251B458249B50CC48CAEBF@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B50CC48CAEBF@EXCHANGE2K7.office.nic.se>
Date: Mon, 5 Oct 2009 12:39:32 -0700
Message-ID: <3a880e2c0910051239t3dcae895x4f6d5f4bf5d64cd@mail.gmail.com>
From: Infinity Linden <infinity@lindenlab.com>
To: Magnus Zeisig <magnus.zeisig@iis.se>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "ogpx@ietf.org" <ogpx@ietf.org>
Subject: Re: [ogpx] Protocol for permitting policy decisions
X-BeenThere: ogpx@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Virtual Worlds and the Open Grid Protocol <ogpx.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ogpx>,
<mailto:ogpx-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ogpx>
List-Post: <mailto:ogpx@ietf.org>
List-Help: <mailto:ogpx-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ogpx>,
<mailto:ogpx-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2009 19:38:00 -0000
right. this is similar to what i was talking about in one of the previously mentioned options. i mentioned that the region might need to call back into the agent domain to get more information about a particular agent. to me it looks like you're suggesting a two-message handshake instead of the region turning around and querying the agent domain. lemme draw some diagrams: "name" and "age" are bits of data that, like you might expect, are an account identifier and the account holder's age. "rez cap" is the capability used to establish the agent's presence in that region. "age > X? cap" is a capability granted to the agent domain that's supposed to be used by the agent domain only if the agent domain agrees that the account holder is older than X. option 1: information push AD ------------ ( name, age ) ---------> RD AD <------------- (rez cap) ------------ RD option 2: RD queries the AD AD --------------- (name) -------------> RD AD <----- (is name older than X?) ------ RD AD -------------- (yes/no) ------------> RD AD <------------ (rez cap) ------------- RD option 3: multi-message handshake AD --------------- (name) -------------> RD AD <-------- (X, age > X? cap) --------- RD AD ------------------------------------> RD (age > X? cap) AD <------------ (rez cap) ------------- RD option 3 here is my attempt to model what magnus is talking about, but with a RESTful capability system. -cheers -meadhbh On Mon, Oct 5, 2009 at 1:55 AM, Magnus Zeisig <magnus.zeisig@iis.se> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > If I register with an agent domain, or authentication service, whichever > should be the proper name for it, I will most probably hand them some pieces > of information about myself that I don't want disseminated to anyone. > Therefore, I think the protocol for granting access to regions and other > services should not include such information explicitly, but rather let the > agent domain/authentication service just answer questions from the other > domain/service if the parameters are within acceptable range. > > Instead of the revealing (meta-handshake): > > Agent domain: > request access for > user: Title.FirstName.Initials.LastName.ExtraSomething@agentdomain.org > age: 18 > gender: male > sexuality: bi > country: pt > languages: pt, es, en, de > length: 1.82 > weight: 122 > color of socks: blue > > Region domain: > access granted for > user: Title.FirstName.Initials.LastName.ExtraSomething@agentdomain.org > > The handshake should instead be: > > Agent domain: > request access for > user: Title.FirstName.Initials.LastName.ExtraSomething@agentdomain.org > > Region domain: > require parameter values > languages: es AND (de OR hb OR ru) > length: [1.21-2.42] > color of socks: pink OR blue OR black > hairdo: shaved OR ponytail > > Agent domain: > required parameter values > languages: yes > length: yes > color of socks: yes > hairdo: n/a > > After which the region domain might decide that the missing hairdo parameter > is not crucial and grant access, or refuse access because of it: > > Region domain: > access denied for > user: Title.FirstName.Initials.LastName.ExtraSomething@agentdomain.org > > This has the benefit of permitting service providers to require what user > parameters they think are important, be it age or color of socks, but the > disadvantage of some extra overhead and the risk of balkanization because of > requirements of "odd" parameters only supported by few services. The latter, > however, I believe will become self-eliminating, because such services will > probably not find many users. Either way, I don't think the protocol in > itself should require any particular parameters, like age or color of socks, > just provide the means to communicate any parameters, and perhaps suggest a > list of possible, but not required, parameters and formats for values, like > options, ranges and enumerations. The same kind of handshake could also be > used when requesting access to asset services and the like, even if > parameters like "object types" and "ip agreements" may be more important > than "color of socks" there. > > Best regards, > > Magnus > > > -----BEGIN PGP SIGNATURE----- > Version: 9.8.3 (Build 4028) > Charset: utf-8 > > wsBVAwUBSsm0cO5MlU9XyaiSAQgEgAgAiNiznZa4fJN+iIm4Lul4iUpPNytexn9g > rJWLZ4oevewngvSCOwhslseXKN+OTCUpSPq0vGxRIl58n+u9P56q0X4pYBZ5wsqc > YAPdd6zGtQpR+21XQ8oWM948LEdGxba8mNO1gDygqtIyx0suBYkvYUWyYitwlDpu > ofvDew+JT140ApmX/d1dTyglxyYv6qnDf8iDsHsNiWYI1ImB5a/hvPK0TkCVFvzr > vLXfL5BfCXK0I3tJbLpv/OoUFEn5/emzehu3uavuQfQqQM0uBpw8WVSQGXqZziKb > 6i8YpDvBrIkNL4syGhmAs7ZLUqpZEfoWq2LbGasqhVMmDCBkakrPpg== > =H2Fj > -----END PGP SIGNATURE----- > > > _______________________________________________ > ogpx mailing list > ogpx@ietf.org > https://www.ietf.org/mailman/listinfo/ogpx > >
- [ogpx] Protocol for permitting policy decisions Magnus Zeisig
- Re: [ogpx] Protocol for permitting policy decisio… Dickson, Mike (ISS Software)
- Re: [ogpx] Protocol for permitting policy decisio… Meadhbh Siobhan
- Re: [ogpx] Protocol for permitting policy decisio… Dickson, Mike (ISS Software)
- Re: [ogpx] Protocol for permitting policy decisio… Morgaine
- Re: [ogpx] Protocol for permitting policy decisio… Morgaine
- Re: [ogpx] Protocol for permitting policy decisio… Dickson, Mike (ISS Software)
- Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden
- Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden
- Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden
- Re: [ogpx] Protocol for permitting policy decisio… David W Levine
- Re: [ogpx] Protocol for permitting policy decisio… David W Levine
- Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden
- Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden
- Re: [ogpx] Protocol for permitting policy decisio… Magnus Zeisig
- Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
- Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
- Re: [ogpx] Protocol for permitting policy decisio… David W Levine
- Re: [ogpx] Protocol for permitting policy decisio… Vaughn Deluca
- Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
- Re: [ogpx] Protocol for permitting policy decisio… Vaughn Deluca
- Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
- Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
- Re: [ogpx] Protocol for permitting policy decisio… Meadhbh Hamrick
- Re: [ogpx] Protocol for permitting policy decisio… Meadhbh Hamrick
- Re: [ogpx] Protocol for permitting policy decisio… Morgaine
- Re: [ogpx] Protocol for permitting policy decisio… Joshua Bell
- Re: [ogpx] Protocol for permitting policy decisio… Meadhbh Hamrick
- Re: [ogpx] Protocol for permitting policy decisio… Dickson, Mike (ISS Software)
- Re: [ogpx] Protocol for permitting policy decisio… Morgaine
- Re: [ogpx] Protocol for permitting policy decisio… Meadhbh Hamrick
- Re: [ogpx] Protocol for permitting policy decisio… Magnus Zeisig
- Re: [ogpx] Protocol for permitting policy decisio… Morgaine
- Re: [ogpx] Protocol for permitting policy decisio… Magnus Zeisig
- [ogpx] VWRAP future (mostly out of protocol rambl… Magnus Zeisig
- Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
- Re: [ogpx] Protocol for permitting policy decisio… Morgaine
- Re: [ogpx] Protocol for permitting policy decisio… Magnus Zeisig
- Re: [ogpx] Protocol for permitting policy decisio… David W Levine
- Re: [ogpx] Protocol for permitting policy decisio… Magnus Zeisig
- Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
- Re: [ogpx] Protocol for permitting policy decisio… Joshua Bell
- Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden (Meadhbh Hamrick)
- Re: [ogpx] Protocol for permitting policy decisio… David W Levine
- Re: [ogpx] Protocol for permitting policy decisio… David W Levine
- Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
- Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
- Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
- Re: [ogpx] Protocol for permitting policy decisio… Dickson, Mike (ISS Software)
- Re: [ogpx] Protocol for permitting policy decisio… Morgaine
- Re: [ogpx] Protocol for permitting policy decisio… Morgaine
- Re: [ogpx] Protocol for permitting policy decisio… David W Levine
- Re: [ogpx] Protocol for permitting policy decisio… Morgaine
- Re: [ogpx] Protocol for permitting policy decisio… Morgaine
- Re: [ogpx] Protocol for permitting policy decisio… Vaughn Deluca
- Re: [ogpx] Protocol for permitting policy decisio… Magnus Zeisig
- Re: [ogpx] VWRAP future (mostly out of protocol r… Vaughn Deluca
- Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden (Meadhbh Hamrick)
- Re: [ogpx] Protocol for permitting policy decisio… Morgaine
- Re: [ogpx] Protocol for permitting policy decisio… Vaughn Deluca
- Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
- Re: [ogpx] Protocol for permitting policy decisio… David W Levine
- Re: [ogpx] Protocol for permitting policy decisio… Morgaine
- Re: [ogpx] Protocol for permitting policy decisio… Vaughn Deluca