IETF Logo Mail Archive

[GNAP] Comments on the GNAP Wiki Terminology

Denis <denis.ietf@free.fr> Fri, 18 December 2020 16:47 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB4113A0A71 for <txauth@ietfa.amsl.com>; Fri, 18 Dec 2020 08:47:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.497
X-Spam-Level:
X-Spam-Status: No, score=-1.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M_I6loGL7aYo for <txauth@ietfa.amsl.com>; Fri, 18 Dec 2020 08:47:34 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp02.smtpout.orange.fr [80.12.242.124]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CADDD3A0A4C for <txauth@ietf.org>; Fri, 18 Dec 2020 08:47:33 -0800 (PST)
Received: from [192.168.1.11] ([90.79.54.243]) by mwinf5d78 with ME id 5snV240025Eqqlm03snVci; Fri, 18 Dec 2020 17:47:30 +0100
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Fri, 18 Dec 2020 17:47:30 +0100
X-ME-IP: 90.79.54.243
To: txauth gnap <txauth@ietf.org>
From: Denis <denis.ietf@free.fr>
Message-ID: <17e16653-178a-3f55-1e19-b9b5e055f46e@free.fr>
Date: Fri, 18 Dec 2020 17:47:33 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------A4002E4398D757C0A4FC1143"
Content-Language: fr
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/5Dqk0tk2vH8HKtxt_SoLejiBhIc>
Subject: [GNAP] Comments on the GNAP Wiki Terminology
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2020 16:47:38 -0000

FYI, the wiki page is 
there:https://github.com/ietf-wg-gnap/gnap-core-protocol/wiki/Terminology


      FYI first, there is a useful web page where you can find all the
      ISO definitions as well as the text for any ISO standard (up to
      its definition section only):
      https://www.iso.org/obp


      This may provide some ideas and you will notice that a given term
      may be used in different ISO standards with a different definition.

      I have nine comments (each one being numbered).
      _
      1) Current definition of AS_:

      The current definition is:

      *Authorization Server (AS) *
            Definition: server that grants privileges to a particular
      end-user and that provides them to a client in the form of an
      access token


      This is fine in general (but see later another comment about it),
      but the word privileges is left undefined.
      _
      2) Definition of a privilege__
      _


      A suggested "privilege" definition has been proposed in the wiki
      page: "A privilege is the right to perform an operation (or
      action) on a Resource." See also other def
      <https://open-measure.atlassian.net/wiki/spaces/DIC/pages/67568310/Privilege+Dictionary+Entry>
      .
      In the "other def.", the term is considered to be a synonym of a
      permission.

      ISO/IEC 29146:2016(en), 3.8 (very long) definition is the following :

            privilege
      access right
      permission
      authorization to a subject (3.15)
      <https://www.iso.org/obp/ui#:term:3.15> to access a resource
      (3.14) <https://www.iso.org/obp/ui#:term:3.14>

      Note 1 to entry: Privilege is a necessary but not sufficient
      condition for access. Access occurs when the access request is
      granted according to its access control policy.
                                     The access control policy is based
      on privileges and may include other environmental factors (e.g.
      time-of-day, location, etc.)

      Note 2 to entry: Privileges take the form of data presented by a
      subject or obtained for a subject that is used by a Policy
      Decision Point in order to grant or deny an operation
                                     that a subject is willing to
      perform on a resource.
      (...)


      I propose the following:

      *privilege*: right or attribute associated with an end-user


      with:
      *right*: ability given to an end-user to perform a given operation
      on an object under the control of a RS

      *attribute*: characteristics or property related to an end-user

      __


      _3) Definition of a Client

      _


      The current definition is:


      *Client *
            Definition: application that consumes resources from one or
      several RSs, possibly requiring a negotiation of access privileges
      with one or several ASs

            Note: this specification differentiates between a specific
      instance (the client instance, identified by its public key) and
      the software running the instance
                     (the client software). For some kinds of client
      software, there could be many instances of a single piece of
      client software.
      Example: a client can be a mobile application, a web application, etc.

      Previously, I proposed:

      *Client*: application used by an end-user to interact with an AS
      or a RS

      The current definition is missing to indicate who is operating the
      client. It is an end-user, i.e. it is not another application, nor
      a process, nor an entity.
      The definition should capture this point.



      A second point: the current definition is using the wording
      "requiring a negotiation". There is no "negotiation". Either the
      AS has or has not the "access privileges".
      The words "a negotiation of" should be deleted.

      This raises the point where this definition of a "Client" is using
      the wording "/access privileges/" whereas the definition of an
      "Authorization Server (AS)"
      is using the word "/privileges/". We should make both definitions
      consistent. I have a slight preference for "access privileges",
      but I could also live with "privileges".

      Hence my proposals:

      *     Client *
            application /operated/ /by an end-user /that consumes
      resources from one or several RSs, possibly requiring /access
      privileges from/ one or several ASs
      *
      **    Authorization Server (AS) *
            server that grants /access/ privileges to a particular
      end-user and that provides them to a client in the form of an
      access token

      _4) Definition of a Resource Server (RS)
      _
      The current definition is:
      *
      **     Resource Server (RS) *


            Definition: server that provides operations on /protected
      /resources; such operations require that the client provides valid
      access tokens issued by an AS


      A RS may offer both public resources and protected resources.
      Valid access tokens are only needed for protected resources.
      I propose the following definition while merging the two sentences:



      *Resource Server (RS) *
             server that provides operations on resources /where/
      protected operations require that the client provides /one or
      more/ valid access tokens issued by /one or more ASs/


      In theabove modification I added "/one or more /". I am presuming
      that GNAP will allow the presentation of more that one access
      token from different ASs
      in order to allow an end-user to perform one operation on a
      protected resource.

      _5) Definition of Resource Owner_ _
      _
      The current definition is:


      *Resource Owner (RO) *
            Definition: personal or organizational entity that may grant
      privileges on resources it has authority upon
      Note: the act of granting privileges may be manual (i.e. through
      an interaction) or automatic (i.e. through predefined rules).

      I don't know what a "personal entity" is but I know what a
      "natural person" is.

      Furthermore, a Resource Owner is not granting privileges (or
      access privileges) in the same way an AS is doing.

      It is interesting to take a look at ISO 20078-1:2019(en), 3.1.4
      where Resource Owner (RO) is defined as:

             responsible party for the Resource(s)
             Note 1 to entry: The Resource Owner is responsible for
      granting, denying, and revoking Access to Resource(s).
             Note 2 to entry: The responsible Resource Owner is
      determined by the concrete Resource.


      I propose:


      *Resource Owner (RO) *
      /natural person /or organizational entity that may grant or deny
      operations on resources it has authority upon
      Note: the act of /granting or denying/ an operation may be manual
      (i.e. through an interaction) or automatic (i.e. through
      predefined rules).
      __


      _
      6) Definition of Access Token__
      _


      The current definition is:


            Access token
            Definition: digitally signed data that contains specific
      rights and/or attributes
      Note 1: the access token can be issued to an end-user (usually
      requiring his authentication) and subsequently refreshed.
      The AS usually provides a method for the RO to revoke the
      privileges at any point in time.
           Note 2: an access token may act as a capability (i.e. bearer
      token) or require an additional authentication by binding to a key
      (i.e. bound token)


      The definition is fine, but not the two Notes.


      The second sentence from the Note 1 is stating: "The AS usually
      provides a method for the RO to revoke the privileges at any point
      in time".
      Revoking "the privileges" is different from revoking an "access
      token". The second sentence of this Note 1 which is supposed to be
      about access token is confusing.
      The privileges may be changed at any point in time using a
      management function. Access tokens can be short-lived and thus
      don't need to be revoked.
      Any call-back from a RS to an AS should be avoided in order to
      respect the user's privacy.

      Therefore, I propose to remove the second part of this Note 1 and
      to replace "the" by "a" at the beginning of the first sentence.
      Note 2 is stating:
      Note 2: an access token may act as a capability (i.e. bearer
      token) or require an additional authentication by binding to a key
      (i.e. bound token)


       From the discussion on the list, I believe that we don't consider
      bearer tokens. Note 2 should be removed.


      So my proposal is as follows:


      *     Access token *
            digitally signed data that contains specific rights and/or
      attributes
      Note: an access token can be issued to an end-user (usually
      requiring his authentication) and subsequently refreshed.
      __


      _
      7) Definition of Grant__
      _


      The current definition is:


      *     Grant *
            Definition: (verb): to permit, as a privilege given to an
      end-user to exercise some rights and/or assert attributes during a
      specific duration
      Definition: (noun): the act of granting

      The words ", as a privilege given to" are unnecessary"


      I propose:


            Grant
            (verb): to permit an end-user to exercise some rights and/or
      /to/ assert /some /attributes /at a specific time and /during a
      specific duration
      (noun): the act of granting


      _8) Definition of Resource_ _
      _


      The current definition is:


      *     Resource *
             Definition: protected API served by a RS and accessed by a
      client, if and only if a valid access token is provided


      This definition is incorrect. This definition would be fine for a
      Protected Resource. Change it into "Protected Resource":


      *     Protected Resource *
            protected API served by a RS and /that can be /accessed by a
      client, if and only if a valid access token is provided


      If a definition of a Resource is needed, I propose:


      *     Resource **
      ***public or protected resource from a RS


      _
      9) Definition of Subject Information
      _
      The current definition is:

      *Subject Information*
      Definition: claim asserted locally by an AS about a person,
      organization or device
      Source:
      https://tools.ietf.org/html/draft-ietf-secevent-subject-identifiers-06
      <https://tools.ietf.org/html/draft-ietf-secevent-subject-identifiers-06>
      (unless we plan to use something specific to GNAP)

      This is information returned by an AS about an end-user.


      I would thus simply propose instead:
      *
      **     Subject Information *
            information returned to a Client by an AS about an end-user

      Denis

v2.23.0 | Report a Bug | By Email