Re: [P2PSIP] Ben Campbell's No Objection on draft-ietf-p2psip-share-09: (with COMMENT)

["Ben Campbell" <ben@nostrum.com>]

On 4 Nov 2016, at 17:51, Thomas C. Schmidt wrote:

> HI Ben,
>
> On 04.11.2016 23:17, Ben Campbell wrote:
>
>>>>>> ----------------------------------------------------------------------
>>>>>> COMMENT:
>>>>>> ----------------------------------------------------------------------
>>>>>>
>
>>>>>  ... then you identify the user in the ACL and walk up the
>>>>> delegation
>>>>> chain.
>>>>>
>>>>> In step 5, you have arrived at the root of the delegation tree. 
>>>>> This
>>>>> is the case, when the to_user equals the signer equals the owner 
>>>>> of
>>>>> the resources (see see Figure 1). This is also how it terminates -
>>>>> the
>>>>> owner of the resource is the root of the trust chain.
>>>>
>>>> I'm probably being dense here, but my confusion is in the phrasing 
>>>> of
>>>> "the "to_user" value user name of the signer of the previously
>>>> selected
>>>> ACL item".  Won't that always be true for every ACL item up the 
>>>> chain
>>>> after the first?
>>>>
>>>
>>> No, the selected ACL item from the previous step is the row you are
>>> in. It basically says that the "to_user" value equals the username 
>>> of
>>> the signer. This is the "A  A" case in row 4 in your example below.
>>> This row should be in an ACL only once and the user must be the 
>>> owner
>>> of the resource, which is requested to be verified separately.
>>>
>>>> As an example, Lets say I have a delegation chain of A,B,C,D, where 
>>>> A
>>>> is
>>>> the owner. Would the ACL chain look like the following (in
>>>> leave-to-root
>>>> order )?
>>>>
>>>>    signer to_user
>>>> 1   C        D
>>>> 2   B        C
>>>> 3   A        B
>>>> 4   A        A
>>>>
>>>> If so, then ACL 2 seems to have a to_user that matches the signer 
>>>> of
>>>> ACL
>>>> 1 (the previously selected ACL), which seems to terminate early.
>>>>
>>>> Again, I'm sure I'm missing something.
>>>>
>>>
>>> I believe the confusion comes from the "previously" - this is meant 
>>> to
>>> refer to the "previous step" and the actual row. We changed
>>> "previously" to "previous step" to avoid this confusion.
>>
>> I still think I'm confused. Step 5 basically says iterate over steps 
>> 3
>> and 4. If I'm currently looking at the ACL from the Nth iteration of 
>> 3
>> and 4, it seems to me that the "ACL from the previous step" is ACL 
>> N-1.
>>
>
> The delegation is a tree - so it's not a linear chain.
>
>> If the terminal condition is when you find an ACL where the signer 
>> and
>> the to_user are the same, then I you could say _that_ without getting
>> into "previous steps."
>>
>
> Guess you are right. Why don't we simplify the sentence to
>
> "Repeat steps 3 and 4 until the "to_user" value is equal to the user 
> name of the signer of the ACL in the selected item." ?

Assuming that gives the right results (I'll leave that to you to 
decide), I think it would be easier to understand.

Thanks!

Ben.

>
> Thanks,
>  thomas
>
> -- 
>
> Prof. Dr. Thomas C. Schmidt
> ° Hamburg University of Applied Sciences                   Berliner 
> Tor 7 °
> ° Dept. Informatik, Internet Technologies Group    20099 Hamburg, 
> Germany °
> ° http://www.haw-hamburg.de/inet                   Fon: 
> +49-40-42875-8452 °
> ° http://www.informatik.haw-hamburg.de/~schmidt    Fax: 
> +49-40-42875-8409 °