IETF Logo Mail Archive

Re: [ogpx] Protocol for permitting policy decisions

Infinity Linden <infinity@lindenlab.com> Mon, 05 October 2009 19:38 UTC

Return-Path: <infinity@lindenlab.com>
X-Original-To: ogpx@core3.amsl.com
Delivered-To: ogpx@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 965F828C225 for <ogpx@core3.amsl.com>; Mon, 5 Oct 2009 12:38:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.8
X-Spam-Level:
X-Spam-Status: No, score=-1.8 tagged_above=-999 required=5 tests=[AWL=0.177, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ycXuSAPQIrC for <ogpx@core3.amsl.com>; Mon, 5 Oct 2009 12:37:59 -0700 (PDT)
Received: from mail-pz0-f197.google.com (mail-pz0-f197.google.com [209.85.222.197]) by core3.amsl.com (Postfix) with ESMTP id 7ECC43A686B for <ogpx@ietf.org>; Mon, 5 Oct 2009 12:37:59 -0700 (PDT)
Received: by pzk35 with SMTP id 35so1387887pzk.29 for <ogpx@ietf.org>; Mon, 05 Oct 2009 12:39:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.250.6 with SMTP id x6mr30370wfh.292.1254771572578; Mon, 05 Oct 2009 12:39:32 -0700 (PDT)
In-Reply-To: <983F17705339E24699AA251B458249B50CC48CAEBF@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B50CC48CAEBF@EXCHANGE2K7.office.nic.se>
Date: Mon, 5 Oct 2009 12:39:32 -0700
Message-ID: <3a880e2c0910051239t3dcae895x4f6d5f4bf5d64cd@mail.gmail.com>
From: Infinity Linden <infinity@lindenlab.com>
To: Magnus Zeisig <magnus.zeisig@iis.se>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "ogpx@ietf.org" <ogpx@ietf.org>
Subject: Re: [ogpx] Protocol for permitting policy decisions
X-BeenThere: ogpx@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Virtual Worlds and the Open Grid Protocol <ogpx.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ogpx>, <mailto:ogpx-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ogpx>
List-Post: <mailto:ogpx@ietf.org>
List-Help: <mailto:ogpx-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ogpx>, <mailto:ogpx-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2009 19:38:00 -0000

right. this is similar to what i was talking about in one of the
previously mentioned options. i mentioned that the region might need
to call back into the agent domain to get more information about a
particular agent. to me it looks like you're suggesting a two-message
handshake instead of the region turning around and querying the agent
domain.

lemme draw some diagrams:

"name" and "age" are bits of data that, like you might expect, are an
account identifier and the account holder's age. "rez cap" is the
capability used to establish the agent's presence in that region. "age
> X? cap" is a capability granted to the agent domain that's supposed
to be used by the agent domain only if the agent domain agrees that
the account holder is older than X.

option 1: information push

AD ------------ ( name, age ) ---------> RD
AD <------------- (rez cap) ------------ RD

option 2: RD queries the AD

AD --------------- (name) -------------> RD
AD <----- (is name older than X?) ------ RD
AD -------------- (yes/no) ------------> RD
AD <------------ (rez cap) ------------- RD

option 3: multi-message handshake

AD --------------- (name) -------------> RD
AD <-------- (X, age > X? cap) --------- RD

AD ------------------------------------> RD (age > X? cap)
AD <------------ (rez cap) ------------- RD


option 3 here is my attempt to model what magnus is talking about, but
with a RESTful capability system.

-cheers
-meadhbh

On Mon, Oct 5, 2009 at 1:55 AM, Magnus Zeisig <magnus.zeisig@iis.se> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> If I register with an agent domain, or authentication service, whichever
> should be the proper name for it, I will most probably hand them some pieces
> of information about myself that I don't want disseminated to anyone.
> Therefore, I think the protocol for granting access to regions and other
> services should not include such information explicitly, but rather let the
> agent domain/authentication service just answer questions from the other
> domain/service if the parameters are within acceptable range.
>
> Instead of the revealing (meta-handshake):
>
> Agent domain:
> request access for
> user: Title.FirstName.Initials.LastName.ExtraSomething@agentdomain.org
> age: 18
> gender: male
> sexuality: bi
> country: pt
> languages: pt, es, en, de
> length: 1.82
> weight: 122
> color of socks: blue
>
> Region domain:
> access granted for
> user: Title.FirstName.Initials.LastName.ExtraSomething@agentdomain.org
>
> The handshake should instead be:
>
> Agent domain:
> request access for
> user: Title.FirstName.Initials.LastName.ExtraSomething@agentdomain.org
>
> Region domain:
> require parameter values
> languages: es AND (de OR hb OR ru)
> length: [1.21-2.42]
> color of socks: pink OR blue OR black
> hairdo: shaved OR ponytail
>
> Agent domain:
> required parameter values
> languages: yes
> length: yes
> color of socks: yes
> hairdo: n/a
>
> After which the region domain might decide that the missing hairdo parameter
> is not crucial and grant access, or refuse access because of it:
>
> Region domain:
> access denied for
> user: Title.FirstName.Initials.LastName.ExtraSomething@agentdomain.org
>
> This has the benefit of permitting service providers to require what user
> parameters they think are important, be it age or color of socks, but the
> disadvantage of some extra overhead and the risk of balkanization because of
> requirements of "odd" parameters only supported by few services. The latter,
> however, I believe will become self-eliminating, because such services will
> probably not find many users. Either way, I don't think the protocol in
> itself should require any particular parameters, like age or color of socks,
> just provide the means to communicate any parameters, and perhaps suggest a
> list of possible, but not required, parameters and formats for values, like
> options, ranges and enumerations. The same kind of handshake could also be
> used when requesting access to asset services and the like, even if
> parameters like "object types" and "ip agreements" may be more important
> than "color of socks" there.
>
> Best regards,
>
> Magnus
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: 9.8.3 (Build 4028)
> Charset: utf-8
>
> wsBVAwUBSsm0cO5MlU9XyaiSAQgEgAgAiNiznZa4fJN+iIm4Lul4iUpPNytexn9g
> rJWLZ4oevewngvSCOwhslseXKN+OTCUpSPq0vGxRIl58n+u9P56q0X4pYBZ5wsqc
> YAPdd6zGtQpR+21XQ8oWM948LEdGxba8mNO1gDygqtIyx0suBYkvYUWyYitwlDpu
> ofvDew+JT140ApmX/d1dTyglxyYv6qnDf8iDsHsNiWYI1ImB5a/hvPK0TkCVFvzr
> vLXfL5BfCXK0I3tJbLpv/OoUFEn5/emzehu3uavuQfQqQM0uBpw8WVSQGXqZziKb
> 6i8YpDvBrIkNL4syGhmAs7ZLUqpZEfoWq2LbGasqhVMmDCBkakrPpg==
> =H2Fj
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> ogpx mailing list
> ogpx@ietf.org
> https://www.ietf.org/mailman/listinfo/ogpx
>
>

v2.8.7 | Report a Bug | By Email