Re: [ogpx] Protocol for permitting policy decisions

Carlo Wood <carlo@alinoe.com> Thu, 08 October 2009 23:53 UTC

Date: Fri, 9 Oct 2009 01:56:38 +0200
From: Carlo Wood <carlo@alinoe.com>
To: Morgaine <morgaine.dinova@googlemail.com>
Message-ID: <20091008235638.GE13882@alinoe.com>
References: <983F17705339E24699AA251B458249B50CC48CAEBF@EXCHANGE2K7.office.nic.se> <3a880e2c0910051239t3dcae895x4f6d5f4bf5d64cd@mail.gmail.com> <20091007203535.GA13882@alinoe.com> <983F17705339E24699AA251B458249B50CC48CB683@EXCHANGE2K7.office.nic.se> <e0b04bba0910080241x548b6ff9tbc558aaa069b15be@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <e0b04bba0910080241x548b6ff9tbc558aaa069b15be@mail.gmail.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Cc: "ogpx@ietf.org" <ogpx@ietf.org>, Magnus Zeisig <magnus.zeisig@iis.se>
Subject: Re: [ogpx] Protocol for permitting policy decisions
Precedence: list

On Thu, Oct 08, 2009 at 10:41:54AM +0100, Morgaine wrote:
> Magnus,
> 
> If ADs are involved in region policy, then in the multi-world deployment
> pattern, AD2 will have to be consulted when agent A1 teleports from RD1 to RD2,
> because AD2 will be involved in region policy too.  It's symmetric with AD1.

Morgaine,

I'm pretty sure nobody on this list wants AD2 to be involved in anyway.
I'm also convinced that there is some misunderstanding involved here,
and it would be good to correct that...

The following isn't consensus yet, but I feel it's basically the truth,
and written down here as such because at least it is simple:

In the end there are only services. Services can be grouped as 'domain'
to make clear they are run by the same authority and therefore likely
will have use the same policies, but for the sake of the protocol you
can ignore that.

There are several types of services, so far we only concentrated on two
types:

1) A region (R1, R2, ...)
2) An authentication service (A1, A2, ...)

in principle, every service can be run by a different authority and thus
have different policies.

One user only uses a single authentication service at a time, every other
authentication service is not relevant (for that user).

If a user wants to teleport from R1 to R2, while using A3, only A3 and R2
have a say in this.

The only say that A3 has is true or false: yes or no allow the user to go
to R2. Once the user gets into R2, no policy of A3 matters anymore.

It makes no sense whatsoever to group A's with R's for the sake of understanding
or designing the protocol.

For a teleport decision (or initial connect) only ONE Agent service and ONE
region are involved.

Almost every policy (of both parties) can be negotiated out of band,
yet some of us (including me) are arguing that we need to keep the possibility
open for a region to change some abstract policies (based on trusted information
from the agent service) more real-time. Here trust is needed in both directions:
the region must trust the agent service to answer it's questions correctly
and the agent service must trust the region not to fool it into allowing
users in that the agent service based on it's own policy doesn't want to
allow in.

-- 
Carlo Wood <carlo@alinoe.com>

[ogpx] Protocol for permitting policy decisions Magnus Zeisig
Re: [ogpx] Protocol for permitting policy decisio… Dickson, Mike (ISS Software)
Re: [ogpx] Protocol for permitting policy decisio… Meadhbh Siobhan
Re: [ogpx] Protocol for permitting policy decisio… Dickson, Mike (ISS Software)
Re: [ogpx] Protocol for permitting policy decisio… Morgaine
Re: [ogpx] Protocol for permitting policy decisio… Morgaine
Re: [ogpx] Protocol for permitting policy decisio… Dickson, Mike (ISS Software)
Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden
Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden
Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden
Re: [ogpx] Protocol for permitting policy decisio… David W Levine
Re: [ogpx] Protocol for permitting policy decisio… David W Levine
Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden
Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden
Re: [ogpx] Protocol for permitting policy decisio… Magnus Zeisig
Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
Re: [ogpx] Protocol for permitting policy decisio… David W Levine
Re: [ogpx] Protocol for permitting policy decisio… Vaughn Deluca
Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
Re: [ogpx] Protocol for permitting policy decisio… Vaughn Deluca
Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
Re: [ogpx] Protocol for permitting policy decisio… Meadhbh Hamrick
Re: [ogpx] Protocol for permitting policy decisio… Meadhbh Hamrick
Re: [ogpx] Protocol for permitting policy decisio… Morgaine
Re: [ogpx] Protocol for permitting policy decisio… Joshua Bell
Re: [ogpx] Protocol for permitting policy decisio… Meadhbh Hamrick
Re: [ogpx] Protocol for permitting policy decisio… Dickson, Mike (ISS Software)
Re: [ogpx] Protocol for permitting policy decisio… Morgaine
Re: [ogpx] Protocol for permitting policy decisio… Meadhbh Hamrick
Re: [ogpx] Protocol for permitting policy decisio… Magnus Zeisig
Re: [ogpx] Protocol for permitting policy decisio… Morgaine
Re: [ogpx] Protocol for permitting policy decisio… Magnus Zeisig
[ogpx] VWRAP future (mostly out of protocol rambl… Magnus Zeisig
Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
Re: [ogpx] Protocol for permitting policy decisio… Morgaine
Re: [ogpx] Protocol for permitting policy decisio… Magnus Zeisig
Re: [ogpx] Protocol for permitting policy decisio… David W Levine
Re: [ogpx] Protocol for permitting policy decisio… Magnus Zeisig
Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
Re: [ogpx] Protocol for permitting policy decisio… Joshua Bell
Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden (Meadhbh Hamrick)
Re: [ogpx] Protocol for permitting policy decisio… David W Levine
Re: [ogpx] Protocol for permitting policy decisio… David W Levine
Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
Re: [ogpx] Protocol for permitting policy decisio… Dickson, Mike (ISS Software)
Re: [ogpx] Protocol for permitting policy decisio… Morgaine
Re: [ogpx] Protocol for permitting policy decisio… Morgaine
Re: [ogpx] Protocol for permitting policy decisio… David W Levine
Re: [ogpx] Protocol for permitting policy decisio… Morgaine
Re: [ogpx] Protocol for permitting policy decisio… Morgaine
Re: [ogpx] Protocol for permitting policy decisio… Vaughn Deluca
Re: [ogpx] Protocol for permitting policy decisio… Magnus Zeisig
Re: [ogpx] VWRAP future (mostly out of protocol r… Vaughn Deluca
Re: [ogpx] Protocol for permitting policy decisio… Infinity Linden (Meadhbh Hamrick)
Re: [ogpx] Protocol for permitting policy decisio… Morgaine
Re: [ogpx] Protocol for permitting policy decisio… Vaughn Deluca
Re: [ogpx] Protocol for permitting policy decisio… Carlo Wood
Re: [ogpx] Protocol for permitting policy decisio… David W Levine
Re: [ogpx] Protocol for permitting policy decisio… Morgaine
Re: [ogpx] Protocol for permitting policy decisio… Vaughn Deluca