IETF Logo Mail Archive

Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11 - Dictionary

Dick Hardt <dick.hardt@gmail.com> Tue, 21 July 2020 17:59 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 125983A0D4D for <txauth@ietfa.amsl.com>; Tue, 21 Jul 2020 10:59:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VrTB46YoUYxE for <txauth@ietfa.amsl.com>; Tue, 21 Jul 2020 10:59:05 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9A143A0D60 for <txauth@ietf.org>; Tue, 21 Jul 2020 10:59:04 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id q4so25122592lji.2 for <txauth@ietf.org>; Tue, 21 Jul 2020 10:59:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pkOtdZw0uAEAsu2Xxku64D2MaNm0/kpgaBRLDj88mPI=; b=MHjQfV0P1GbE8AcZ0iYzCSQzwWxF3RaSSmmYcTl0D3vsuoJzGi2ddvPbAnO3TVzGVn JnCtQlwV1k4UvzDqcVz9XS4cEfz0dZpNoYtJoW9et4ZTZfTwnqEwAhbejsa1wkpX4AVd 8/RAehhUQkWtNqJNdOdJ+fBBtiWZgZQNBjuvPQZeMdxnGPr37hqwQRU28pXa31ZkSbyE zL7c/kF+2Nwxj90auHQdeYBYe9wwft1H33Jy7T8CwfGw0IxUY9y8MHKesjIySp+4L1Rq ixR0X68QVPTbU+c1OnBYHppLQlkwI3RULKrnzA2SlE5KrPxcvQmnR0RJaewp6tSF9wv0 MUyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pkOtdZw0uAEAsu2Xxku64D2MaNm0/kpgaBRLDj88mPI=; b=TOgBjOdbOyFM4VPkVhzwy9KsmKlYKzPC7USF9gkBXpY97TgT6dWxr2buoCPTb96KRY PVdDkPEL9JMR5g480wNcJn/WND8C1XdmWjbz44Gb65Yloi3UHFY/OrYKTbYRgIhnEcyi s2E7PBOUyK4pSbt5OABL9QWfawY5ljMlOvLDupYXcerwGvyd6NYEortfAxAqB86/R38g JB0RVJNMsxa2VRKokufJJY9nj4Z7bHSNwophledC1HBzJrAwluRrL8tplgPCJJlBynVf 3Pz87wpPzBRR0R7C967hjRHi5VkOAyqcH2qfLNm+VUpxSqaZhwHrNz8HJ7NqZxVYeULw zlkg==
X-Gm-Message-State: AOAM5311w4JwgDn5J8rgozjDOFsK7yufbJmrpp/CV+Xpd8SWrMSYAX8K 9uQugO/Xbw+ubIwsW4hRtr6seQ602HXDMN44APaw0Yr6
X-Google-Smtp-Source: ABdhPJy/e81d+fhe8fNTkpbboGkOmX4gl7Aaky3nOHSb5+I4BzBlRHNQeG0H+8paIKG+JqCzlGcJIRl2g9/oSAYdYsE=
X-Received: by 2002:a2e:9611:: with SMTP id v17mr13997814ljh.110.1595354342881; Tue, 21 Jul 2020 10:59:02 -0700 (PDT)
MIME-Version: 1.0
References: <CAOW4vyO2C1E3Sg58CrSVT81t0T3iCTY87tdAx+a8d2A+cNa3nA@mail.gmail.com> <CAD9ie-vMzepgmaP-jUunKSo-chWrGpB230TWgJq7u8Yt-afDxA@mail.gmail.com> <CAOW4vyObyZC7USUqsW_qdDV9Hcpvg9OHKmM1yMEjSUvmjx0UZQ@mail.gmail.com>
In-Reply-To: <CAOW4vyObyZC7USUqsW_qdDV9Hcpvg9OHKmM1yMEjSUvmjx0UZQ@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 21 Jul 2020 10:58:26 -0700
Message-ID: <CAD9ie-sWn41XDiwyFMcTgV3a8MMESXqf36fNJcTaSYDKwU+LPg@mail.gmail.com>
To: Francis Pouatcha <fpo@adorsys.de>
Cc: txauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e5fe0005aaf760ba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/1o5giC-UalTxg61tCTCc0qfT6X4>
Subject: Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11 - Dictionary
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 17:59:07 -0000

FYI: I consider the release of claims to be an "authorization" as well.

IE, the user authorizes the GS to release a DOB claim to a Client.



On Tue, Jul 21, 2020 at 10:42 AM Francis Pouatcha <fpo@adorsys.de> wrote:

>
> On Tue, Jul 21, 2020 at 12:00 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> Thanks for putting this together Francis. I like how you have put
>> different aspects of a definition into separate points. It reinforces the
>> multiple aspects.
>>
>> I don't see identity claims in your definitions. Was that intentional, or
>> an oversight.
>>
> The extensive dictionary will surely include more terms.
>
> I limited the list to terms relevant to the abstract sequence for now.
> Making an effort to keep the discussion focused on the abstract sequence.
>
> As we are talking authorization, identities are second class citizens,
> focus shall be on Negotiating and Obtaining the AuthZ to access a Resource.
>
>>
>> wrt. Registered Client / Dynamic Client - in my experience putting the
>> definitions together helps a reader grasp all the various terms used.
>>
> Yes, this clarification belongs in the dictionary. Intentionally left it
> out here to avoid diverging the discussion.
>
>>
>> Curious why you include "party" in the definition. I would not have
>> thought that had a definition unique to GNAP.
>>
> I derived this from your subsection "Parties". As all participants in the
> abstract sequence are "parties", the word seems too heavy to be left
> undefined. Also essential to know which words in the dictionary do not
> refer to parties like Resource, Grant, AuthZ, ...
>
>>
>>
>> On Mon, Jul 20, 2020 at 6:01 PM Francis Pouatcha <fpo@adorsys.de> wrote:
>>
>>> Hello Dick,
>>>
>>> Here is (in a new thread) the promised attempt to define terms of
>>> interest in the GNAP protocol.
>>>
>>> Party - represents a role in the GNAP protocol flow. A party can take
>>> the form of a web service, an application installed on the user device and
>>> acting autonomously or the form of a natural person (resp. of an autonomous
>>> device) using an application to interact with other parties.
>>>
>>> Resource - a piece of data or web service
>>>       - controlled by a Resource Owner (RO),
>>>       - held and guarded by a Resource Server (RS) and
>>>       - serviced by the RS to a Client, if the Client provides a valid
>>> Authorization.
>>>
>>> Resource Owner (RO) - the party that
>>>       - owns a Resource,
>>>       - relies on the services the GS to manage access to that Resource
>>> and
>>>       - relies on the services of a RS to hold the Resource and guard
>>> access to that Resource.
>>>
>>> Resource Server (RS) - the party that
>>>       - holds a resource and guards access to that resource on behalf of
>>> the RO,
>>>       - services the Resource to the requesting Client, provided the
>>> Client presents a valid Authorization.
>>>       The RS is generally deployed as a web service.
>>>
>>> Grant Server (GS) - the party that manages access to a Resource on
>>> behalf of the RO. For each Resource access request, the GS might request
>>> the consent of the RO and produce a corresponding Authorization that is
>>> given to the requesting Client.
>>>
>>> Consent - act of an RO approving the release of a Resource he owns to a
>>> Client.
>>>
>>> Grant - material form of an RO Consent. In order not to interact with
>>> the RO on each Resource access request, the GS might store the RO Consent
>>> in the form of a Grant for reuse.
>>>
>>> Authorization - externalized form of a Grant as known to the GS and the
>>> RS.
>>>       - The GS converts a Grant into an Authorization for use in a
>>> Resource access request.
>>>       - The RS evaluates an Authorization to decide on whether or not to
>>> release the Resource to the Client.
>>>
>>> Client - the party that provides the infrastructure used by a User to
>>> access a Resource. The client infrastructure is designed to:
>>>       - Receive the resource access request from the User,
>>>       - Interact with the RS to discover authorization requirements,
>>>       - Interact with the GS to obtain an Authorization to access the
>>> Resource,
>>>       - Interact with the RS to access the Resource on behalf of the
>>> User.
>>>
>>> User - the party using the infrastructure of the Client to gain access
>>> to a Resource.
>>>
>>> This dictionary is supposed to be the base for further discussions that
>>> will allow us to provide each term with just enough description to reduce
>>> ambiguities and misunderstandings in further exchanges. I intentionally
>>> omitted the specification of the type and nature of each party (For example
>>> Client / Registered Client / Dynamic Client). Such elaborations belong IMO
>>> in proper subsections.
>>>
>>> Comments are welcome.
>>>
>>> Best regards.
>>> --
>>> Francis Pouatcha
>>> Co-Founder and Technical Lead
>>> adorsys GmbH & Co. KG
>>> https://adorsys-platform.de/solutions/
>>>
>>
>
> --
> Francis Pouatcha
> Co-Founder and Technical Lead
> adorsys GmbH & Co. KG
> https://adorsys-platform.de/solutions/
>

v2.23.0 | Report a Bug | By Email