Re: [ogpx] Protocol for permitting policy decisions

["Dickson, Mike (ISS Software)" <mike.dickson@hp.com>]

I think Magnus’ message is a good synopsis of the requirements, IMO.  I see a need to negotiate *both* capabilities and constraints in the protocol where both should be ideally attributes in an extensible list (that is the list isn’t hard coded in the protocol definition).  So, IMO, authentication isn’t enough.  Beyond authenticating there’s an exchange around caps and constraints that needs to take place.  I’d use that mechanism to handle “Adult only” regions, membership in a group where the group is defined outside the scope of the protocol, etc.

Mike

From: ogpx-bounces@ietf.org [mailto:ogpx-bounces@ietf.org] On Behalf Of Magnus Zeisig
Sent: Monday, October 05, 2009 3:55 AM
To: ogpx@ietf.org
Subject: [ogpx] Protocol for permitting policy decisions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

If I register with an agent domain, or authentication service, whichever should be the proper name for it, I will most probably hand them some pieces of information about myself that I don't want disseminated to anyone. Therefore, I think the protocol for granting access to regions and other services should not include such information explicitly, but rather let the agent domain/authentication service just answer questions from the other domain/service if the parameters are within acceptable range.

Instead of the revealing (meta-handshake):

Agent domain:
request access for
user: Title.FirstName.Initials.LastName.ExtraSomething@agentdomain.org
age: 18
gender: male
sexuality: bi
country: pt
languages: pt, es, en, de
length: 1.82
weight: 122
color of socks: blue

Region domain:
access granted for
user: Title.FirstName.Initials.LastName.ExtraSomething@agentdomain.org

The handshake should instead be:

Agent domain:
request access for
user: Title.FirstName.Initials.LastName.ExtraSomething@agentdomain.org

Region domain:
require parameter values
languages: es AND (de OR hb OR ru)
length: [1.21-2.42]
color of socks: pink OR blue OR black
hairdo: shaved OR ponytail

Agent domain:
required parameter values
languages: yes
length: yes
color of socks: yes
hairdo: n/a

After which the region domain might decide that the missing hairdo parameter is not crucial and grant access, or refuse access because of it:

Region domain:
access denied for
user: Title.FirstName.Initials.LastName.ExtraSomething@agentdomain.org

This has the benefit of permitting service providers to require what user parameters they think are important, be it age or color of socks, but the disadvantage of some extra overhead and the risk of balkanization because of requirements of "odd" parameters only supported by few services. The latter, however, I believe will become self-eliminating, because such services will probably not find many users. Either way, I don't think the protocol in itself should require any particular parameters, like age or color of socks, just provide the means to communicate any parameters, and perhaps suggest a list of possible, but not required, parameters and formats for values, like options, ranges and enumerations. The same kind of handshake could also be used when requesting access to asset services and the like, even if parameters like "object types" and "ip agreements" may be more important than "color of socks" there.

Best regards,

Magnus


-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSsm0cO5MlU9XyaiSAQgEgAgAiNiznZa4fJN+iIm4Lul4iUpPNytexn9g
rJWLZ4oevewngvSCOwhslseXKN+OTCUpSPq0vGxRIl58n+u9P56q0X4pYBZ5wsqc
YAPdd6zGtQpR+21XQ8oWM948LEdGxba8mNO1gDygqtIyx0suBYkvYUWyYitwlDpu
ofvDew+JT140ApmX/d1dTyglxyYv6qnDf8iDsHsNiWYI1ImB5a/hvPK0TkCVFvzr
vLXfL5BfCXK0I3tJbLpv/OoUFEn5/emzehu3uavuQfQqQM0uBpw8WVSQGXqZziKb
6i8YpDvBrIkNL4syGhmAs7ZLUqpZEfoWq2LbGasqhVMmDCBkakrPpg==
=H2Fj
-----END PGP SIGNATURE-----