Re: [Txauth] A model with a User Consent Element (with a clean figure)
Fabien Imbault <fabien.imbault@gmail.com> Sat, 18 July 2020 06:15 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D50F3A0C2E for <txauth@ietfa.amsl.com>; Fri, 17 Jul 2020 23:15:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4IHPy5bPhazQ for <txauth@ietfa.amsl.com>; Fri, 17 Jul 2020 23:15:11 -0700 (PDT)
Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C14C3A0C2A for <txauth@ietf.org>; Fri, 17 Jul 2020 23:15:11 -0700 (PDT)
Received: by mail-io1-xd2a.google.com with SMTP id e64so12593344iof.12 for <txauth@ietf.org>; Fri, 17 Jul 2020 23:15:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=U5I/8gfLLOmAx3oQEhjnvSKwNXveu3IbHuL9S0YqOr8=; b=cXm/chl3WA+tLLHnA6drOTWrjhbmIDFrCZChVsmOmk3fzfulzdbUaAEWysPHREmjfi 0BodJXxNtGsRo2qMdPkv6lJBnJ5P0StcUnZMZwb5RHZFnT3JtJJuIZda3t76t4oKT09+ GaX8ug0nrsC3RZG+rCOC19LdUYgCcS/BdxvdjbQciddva6SAVflVRNZHoovqVUnjRte/ qjAc4ckl32/YHzvrXptLwqQnLSfgijY5Ff9yUuws2a/OOSp8ZIL5trk/Rpp75kaJjhU/ IHWooOmmogaXifgRxifihIk1Gdq9YYcaFFaagKvrSaL9uy23gegti4mD5/dFPkl0yN91 rcQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=U5I/8gfLLOmAx3oQEhjnvSKwNXveu3IbHuL9S0YqOr8=; b=cSWv6hqsiM4wRPtX7tkVtsGaICeInzGAeoK8lXIWnIe0Xwcjt9ayAK0MQatmjz2v9k hV12kTG+V5zfI/+mR0YXVOD+O9sDhOphVc1qOYU2e2IZrip50vYapsCtidWHVOZgP48j O8NQ2+QttFbmwnn543Sgo3gNd0ekidonqnPC12k0JRL7sJneMOFE7NZIJVbHOAcOU4a1 OFfVUwepJr12ZeYP5yj+jNte32DMQlM/TyutHzy32iLg6SMiexOFLmAWdb9XE6Hi8wwv X43MA6pjm1YRV2qQ6usSJjYyOXEzV0NLSxHqffQ7XYt2ZEKz0VTa3axs1q2tIrZqBhyF dwCg==
X-Gm-Message-State: AOAM531Q2OAsvIOMHx0GsJhzYd4FwoGEtewS0aqIfPu7gc1x4+2X3IMo 2B78fs/WuloZUiRVcKTW3l0vwoqCwvqF6uM0yuI=
X-Google-Smtp-Source: ABdhPJwvuLvWDPUSvZzm6HQpDbqu3cZahRfes2AFQbQHPi9izgAv0/SUcZGstqnV8WQPYmGTPunWjy7zsUSiOH70gSc=
X-Received: by 2002:a02:1a06:: with SMTP id 6mr14992385jai.8.1595052910277; Fri, 17 Jul 2020 23:15:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAM8feuQh6ztVfLyZSx0P5DMHtsz2OYRgv-5moN_O9mRO-XGXqQ@mail.gmail.com> <382b5f57-6825-3537-c66b-fb2c38e5140c@free.fr> <CAM8feuRw8RysLKu3-f1KMpuXzJ0jiUg32zXrYcDdOjSs6EUL0Q@mail.gmail.com> <ca7008e6-bc9c-bc41-d2d9-518f37556f27@free.fr> <CAM8feuSM465E_kfdEWw1_BkST1mj9dQZmj=1aLZQD30KnO51aA@mail.gmail.com> <49ff9f53-6f75-6bd7-f09f-2ac8c2bc5ba2@free.fr>
In-Reply-To: <49ff9f53-6f75-6bd7-f09f-2ac8c2bc5ba2@free.fr>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Sat, 18 Jul 2020 08:14:57 +0200
Message-ID: <CAM8feuSyz_Q0ODfaPE_fTtJ3UWorDoMWbzj1skeOZ9PbxVR01w@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: txauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001d761205aab1329d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/CIO8DcIugutH2frrGl6fx5osyuA>
Subject: Re: [Txauth] A model with a User Consent Element (with a clean figure)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jul 2020 06:15:15 -0000
Thanks Denis. I think that's clear. By "we", I meant myself and a few colleagues. So far it's just a bunch of quick MVPs and it's expected to grow overtime as an independant opensource implementation. I think it's important we take the specs and try to implement them to make sure it's easily understandable by external devs. Fabien Le ven. 17 juil. 2020 à 18:16, Denis <denis.ietf@free.fr> a écrit : > Hi Fabien, > > Thanks Denis for your answers. > > I think what you call delegation is a slightly different requirement than > how the term is generally used in our context. > Instead of delegation, I would rather suggest to call it a "resource > chain" (and as in any supply chain, those could come from different > parties). > > Whatever you call it, I believe that the model should be able to support > it. > > I think the privacy concern is important, and it would be interesting to > get back to prior art on the issue. > for instance, https://github.com/samuelgoto/WebID provides an interesting > analysis on RP or IdP collusion > (here more focused on the ID part), a similar vein of work may enable > richer discussions whether/when the GS > is the right place for user consent, or not. > > The way and the place the user consent is captured is indeed critical. > > Then on user consent : implementations of XYZ do handle user consent. In > our case, we've also decoupled the consent part (as a separate project). > > You are using the word "we". Do you mean that you are part of the design > team or of the implementers team of XYZ ? > > Initially we did that to simplify the implementation of the AS core flow > (between client and AS), while covering the UX requirements in a > separate project. > But the nice thing about that is that it doesn't change the core flow, and > depending on the use case, one may either place it on the AS part (as we've > implemented so far, > and as most people would do today) or on the client part (as you think it > should be). This demonstrates that depending how we assemble parts, we may > end up > with a solution that may fit various requirements. > > In addition to the place where the user consent is captured, there is the > need to consider the assurances that the user can obtain about the respect > of his choices. > > I have explained that such assurance can be obtained when the choice is > made by the client and when the returned access tokens are not considered > to be opaque to the client. > It is also obvious that the GS/AS is kept ignorant of the proposed choices > and is only informed about which user attributes should be inserted into > the access token. > > At this time, no equivalent explanations have been provided when/if the > user consent interface is handled by the GS/AS. > > Denis > > > Fabien > > On Mon, Jul 13, 2020 at 10:40 AM Denis <denis.ietf@free.fr> wrote: > >> Hi Fabien, >> >> Thank you for your responses. Rather than responding in the text, I will >> pick up two of your comments: >> >> FI : as far as I'm concerned, there are many more interactions than >> Oauth/XYZ/Xauth. >> Your view seems to be that it is simpler because AS are way less central, >> but it seems to me >> that RS are much more complex to implement correctly. >> >> In XYZ/Xauth there is a protocol needed between the GS and many ROs. This >> protocol is "out of the scope" of these drafts and this is where the >> complexity is hidden. >> So it looks simpler for the client but it is much more complicated for >> the management of the delegation at the GS. This also makes the assumption >> that a single GS >> will be able to handle the delegation case because all the RSs are >> supposed to be in the same domain which is a very restrictive case. My >> proposal is able to handle >> the multi-domain case. >> >> Every RS is best placed to know where to forward an operation when it >> can't respond to it of its own. A RO should not need to inform a GS to tell >> what its relationships >> with other RSs are. A GS should not be in a position to know everything >> about the relationships between RSs and to be informed in real time of any >> change about these >> relationships. >> >> In term of trust, I mentioned: >> >> - If a user has an account opened with an AS, then he trusts that AS >> to deliver the requested and genuine attributes into an access token. >> >> This is it. There is no other trust relationship. The user does not trust >> or rely on any collaboration between a RO and a GS. >> >> >> A second of your comments: >> >> FI: if we can't do it with maximum privacy, then we won't do it; which is >> a design choice, >> >> I would rather say: If we can do it with maximum privacy, let us do it. >> At this time : >> >> - in draft-hardt-xauth-protocol-12, the word "privacy" does not even >> exist. >> - in draft-richer-transactional-authz-06, there is a single sentence >> in the privacy considerations section: >> >> Handles are passed between parties and therefore should be >> stateful and not contain any internal structure or information, >> which could leak private data. >> >> About the user consent. At this time : >> >> - in draft-richer-transactional-authz-06, the user consent is never >> addressed. >> - in draft-hardt-xauth-protocol-12, the user consent is captured by >> the GS whereas it should be captured by the Client. >> >> The client has no way to verify that the user consent has indeed >> been followed by the GS because the client >> cannot verify that what happens "behind the scenery" at the GS >> is conformant with what the user has consented. >> >> Denis >> >> Hi Denis, >> >> Thanks for your answer. >> >> My comments are embedded in the text, marked with FI. >> >> Fabien >> >> >> Le ven. 10 juil. 2020 à 17:53, Denis <denis.ietf@free.fr> a écrit : >> >>> Hi Fabien, >>> >>> It would have been appreciated that you kept the original message in >>> your response. I have copied it again at the end of this email. >>> >> >> FI : sorry, not always easy on a mobile. Will make sure that's the case >> next time. >> >>> >>> Comments are between the lines. >>> >>> Hi Denis, >>> >>> I think it's interesting, but also very different to XYZ/XAuth so it >>> raises many questions ;-) >>> The figure is impossible to read. >>> >>> Use a PC. Copy and paste and then use the Courier font. On my PC (with >>> the clear figure) it was perfect. >>> >>> So let me try to summarize the suggested approach, with a concrete >>> example, to make sure we understand well: >>> >>> *0. The client authN to the AS (in whatever way is supported)* >>> Ex : client is a corporate financing called "finapp". finapp contacts >>> AS0 for authentication (say an openbanking service). >>> User is John Doe, CFO at NeedMoney Inc. (+ other identity claims if >>> needed, maybe some verified credential from NeedMoney Holding that John is >>> indeed CFO). >>> >>> *Dear John, * >>> *to access to your finapp, please identify yourself through your >>> prefered openbanking account.* >>> *Thanks* >>> >>> If I understand you correctly, finapp is a local application e.g. on >>> your smartphone. >>> >> FI : not necessarily, the client could be a mobile app, a web app, etc., >> making api calls to backend protected services. >> >>> *1. The client contacts a RS in a discovery phase, which includes the >>> selection of (at least) an operation, for which the RS returns the required >>> authZ attributes * >>> Ex : finapp needs to use NeedMoney's data to evaluate how much credit it >>> can offer. >>> >>> Op1 : compute the credit rating, from RS1 (this is outsourced to an >>> external credit analyst), through the external service's own AS1. >>> But to do that, RS needs your historic bank statements. >>> Op2 : get your list of banks, RS2 (as registered within finapp), >>> through openbanking AS0 and retrieve the bank statements : >>> Op3a : get historic data from his main bank, RS2a (say an international >>> bank), through openbanking AS0 >>> Op3b : same from a second bank account, RS2b (say a local bank), through >>> openbanking AS0 >>> >>> Why don't you make your very first example a little bit more complicated >>> ? with RS1, RS2a, RS2b, ... AS0, AS1, ... >>> >>> :-) >>> >> FI : fair point. But i believe it's important to grasp what it means on a >> realistic example, especially as the proposed protocol would be very much >> dependant on the way RS calls are made. >> >>> >>> The intent of the *first *email was to discuss a *basic *model and to >>> place the highlights on the way to capture the *user's consent* >>> in an interoperable manner without letting know to any RS or AS the >>> choices of the user. This is a fundamental feature of the model. >>> In XAuth, the user's consent is not formalized in the protocol : "User >>> consent is *often *required at the GS". >>> >> FI : in the context of xauth, this seems pretty clear I think. >> >>> *2. User consent * >>> RS1 aggregates the list of attributes required (from all RS) and sends >>> it to finapp. >>> >>> *Dear John, * >>> *To evaluate your credit request, we need the following information: * >>> *- your list of bank accounts (retrieved from your finapp account)* >>> *- the associated banking statements over the past 12 months (from each >>> bank)* >>> *- we'll pass that data to the credit agency, which will return your >>> credit score * >>> *Do you agree ?* >>> >>> John approves (or not..., maybe he'll agree only for one specific bank), >>> via finapp directly >>> (I like that, albeit in a more traditional flow, I'm also separating the >>> UI from the rest of the protocol of XYZ, and it works too). >>> >>> As described, the user could simply push to the RS the banking >>> statements over the past 12 months (from each bank). >>> The user consent is not about : "*Do you agree that* >>> * we pass the data to the credit agency, which will return your credit >>> score" *since no attributes nor ASs are involved in the question. >>> >> FI : this is possible of course, but pretty surprising. Today most >> implementations are using oauth to delegate the implementation to some >> specialized component, while here each RS would be responsible for >> authentication. That is not an innocent choice from an implementation and >> deployment perspective. >> >>> >>> I guess you want the user to get access tokens targeted for RS2x so that >>> each bank will accept to disclose his banking statements over the past 12 >>> months. >>> >>> The consent is whether the user accepts to get access tokens from some >>> of his banks targeted for RS2x for the following operation: >>> "Retrieval of the past 12 months banking statements" which corresponds >>> to an API for each bank and then to send these access tokens to RS1. >>> >>> In practice, the client (e.g. using FIDO) will connect transparently to >>> each of the appropriate AS from the banks and will get the requested access >>> tokens >>> with a requested validity period of about 5 minutes. >>> >> FI : yes. >> >>> *3. Requests to the protected resources * >>> The client gets the access tokens and uses the services for which access >>> was granted. >>> >>> *Analysis: (maybe I didn't get everything right, if so let me know) * >>> The trust model is focused around the relationship between the enduser >>> (John) and his application (finapp), which seems fine. >>> >>> No. The trust model is not making a focus on that specific relationship. >>> BTW, no access token is necessarily needed by the user to be able to use >>> finapp. >>> >> FI : maybe, maybe not. As soon as I want to fetch api calls, I need >> access tokens. >> >>> => I see some potential issues : >>> >>> a. it will be really difficult for an end user to understand what AS0 >>> and AS1 are, why they're different, and why he needs to authenticate to >>> each of them. >>> How do you enable a federated experience? (especially as there could be >>> many) >>> >>> I fear that you have not fully captured what the user consent is about. >>> See the above explanations. In addition, there is no concept of federation. >>> >> FI : your notion of consent is very specific to what you have in mind. It >> would require a kind of automated system to work. >> As for the concept of federation, this is required in practice in you >> don't hypothesize a dependancy on FIDO. The Uma2 standard is probably the >> closest to some of your ideas and focuses a lot on federation. >> >>> b. deciding what is the main RS (here RS1) to be called by the client >>> seems very critical, as it is the one that needs to orchestrate everything. >>> This seems a very hierarchical and imperative model which seems somewhat >>> counter intuitive in terms of developer experience (as least >>> as it is made today, we clearly don't go into so much details). The call >>> hierarchy may quickly become very complex, which may also become >>> a problem when separate services evolve. >>> >>> The client calls the main RS (here RS1). What may happen next is fully >>> dependant upon the operation that the user is willing to perform and >>> this is unpredictable (since the back end service may change at any >>> point of time). >>> >> FI : OK, but is it good engineering practice to have to deal with the >> internals of service calls? The reason why people delegate APIs is >> precisely to avoid that complexity. Today with OAuth, and tomorrow with >> XYZ/Xauth, the programming model is way simpler. Privacy may be a good >> reason to change that, but we need to be very thoughtful about that. >> >>> c. RS1 gets all the information required to access all sub-resources, >>> and therefore gets also a lot of responsibility (and power). But from >>> finapp's >>> point of view, it is the one that has the relationship with the user and >>> is providing the core value proposition, while RS1 is just an external >>> service. >>> >>> So is it really a problem ? >>> >> FI : I think so. If I'm finapp, I don't want to be this dependant on RS1 >> for a lot of good and bad reasons. What I hope the example conveys is that >> there's no reason why RS1 would suddenly become the center of orchestration >> for all queries, while all the underlying data is actually elsewhere. >> The fact that the proposed protocol mandates this behaviour is surprising >> and I don't see why that is. >> >>> d. multi-user (common B2B scenario): John wants to authorize a read >>> access to his finapp account to his external auditor, Ann (who is not a >>> direct user >>> of finapp herself, but might already be registered by openbanking AS0). >>> How do you do that? Does it require the access token itself to be able to >>> delegate rights? >>> >>> The intent of the short description I sent was to describe two simple >>> scenarios, so that we could start discussing about them. >>> At this point, the intent is not to cover all the scenarios you may >>> dream of. >>> >> FI : fair point. However, as previously discussed, this is a big concern >> as we don't know whether you think this is a valid use case or whether this >> is out of scope (so far, I understood it was more, if we can't do it with >> maximum privacy, then we won't do it; which is a design choice, but >> standards are usually about consensus with people that need to deal with >> real life problems). >> >>> e. more generally, a threat model would be required, as there are many >>> more interactions now. >>> >>> There are less interactions than in XAuth: there is no protocol between >>> ASs and RSs, nor between ROs and ASs. >>> >> FI : as far as I'm concerned, there are many more interactions than >> Oauth/XYZ/Xauth. Your view seems to be that it is simpler because AS are >> way less central, but it seems to me that RS are much more complex to >> implement correctly. >> >>> >>> Before a threat model, a trust model is needed. Do we have a trust model >>> for XAuth ? >>> Unfortunately not, since the word "trust" is absent in the main body of >>> draft-hardt-xauth-protocol-12. >>> >> FI : sorry but I don't need the word trust to do threat modeling... >> >>> In this model, the trust relationships are as follows: >>> >>> - The user trusts its client. >>> - If a user has an account opened with an AS, then he trusts that AS >>> to deliver the requested and genuine attributes into an access token. >>> - A RS may trust one or more ASs for one or more types of attributes >>> *and* for performing a given operation. >>> - A RS may be administered remotely by one or more RO. >>> >>> *Note*: for authentication, a RS may accept either FIDO or one or more >>> types of attributes from one or more ASs. >>> >> Denis >>> >>> Cheers, >>> Fabien >>> >>> >>> This is a new thread. >>> >>> >>> Preamble: This model is quite different from the XAuth model. >>> In particular, a RO has no relationship with any AS and a Client does >>> not need to be associated with any AS prior to any access to a RS. >>> >>> A key point of this model is that the user's consent is handled locally >>> by the Client and hence no AS nor RS is handling a man machine interface >>> for the user consent. This allows to support locally the user consent >>> for multiple ASs while keeping all ASs ignorant about the choices of the >>> user >>> made for accessing a particular RS. >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> * +--------+ +------------+ | >>> User | | Resource | | >>> | | Owner (RO) | +--------+ >>> +------------+ | >>> \ | | >>> \ | | >>> \ | | >>> \ | +-----------+ +---------------+ >>> +------------+ | |---->| Authorization | | | >>> | | (2) | Server (AS) | | | | >>> |<----| | | | | Client | >>> +---------------+ | | | >>> |-------------------------->| Resource | | User | >>> (1) | Server | | Consent >>> |<--------------------------| (RS) | | element >>> | | | | >>> |-------------------------->| |------> | >>> | (3) | | (4) | >>> |<--------------------------| |<------ >>> +-----------+ +------------+ * >>> The flow of operations is as follows: >>> >>> The Client (which may have been previously authenticated using FIDO) >>> contacts the RS and after some dialogue with the RS selects an operation >>> that it wants to perform on the RS (1a). Note that it may also indicate >>> directly the operation that it wants to perform on the RS without any prior >>> dialogue. >>> In return (1b), the RS informs the Client about which attributes are >>> needed by the RS for performing the requested operation and from which >>> Attributes Servers >>> they may be obtained. >>> >>> This information is specifically marked to indicate that it shall be >>> handled by the "User Consent element" from the Client. >>> The presentation of that information is up to the man machine interface >>> supported by the "User Consent element" from the Client. >>> >>> The user can see which attributes are requested by the RS for performing >>> the requested operation and, if it consents, the Client contacts one or >>> more >>> appropriate Authorization Servers (2a). The user consent is hence >>> captured locally by the Client (i.e. there is no dialogue with any AS nor >>> any RS). >>> >>> When the Client got the access tokens from these authorization servers >>> (2b), it sends all of them in a single request to the RS (3a). >>> >>> End of the story for a simple access >>> >>> >>> Start of a subsequent story for a delegation case >>> >>> Let us now suppose that the RS is unable to fulfil the request by its >>> own and that it needs to contact another RS. RS1 contacts RS2 (4a) and >>> indicates the operation >>> that it wants to perform on RS2 (that operation may not be the same as >>> the original operation). In return (4b), RS2 informs RS1 about which >>> attributes are needed >>> by RS2 for performing the requested operation and from which Attributes >>> Servers they may be obtained. RS1 forwards that information to the Client. >>> >>> This information is marked to indicate that it shall be handled by the >>> "User Consent element" from the Client. The presentation of that >>> information is up to the man machine >>> interface from the Client. The user can see which attributes are >>> requested by RS2 for performing the new requested operation and, if it >>> consents, the Client contacts one or more >>> appropriate Authorization Servers. The user consent is hence captured >>> locally by the "User Consent element" from the Client. (i.e. there is no >>> dialogue with any AS, nor RS1, nor RS2). >>> >>> When the Client got the access token(s) from the authorization >>> server(s), it sends all of them in a single request to RS1. RS1 then >>> forwards the additional access token(s) to RS2. >>> >>> >>> Some observations: >>> >>> The user nor the Client are linked with any particular AS. A user may >>> use today an AS of the Bank of America and may change tomorrow to the Bank >>> of Missouri. >>> As soon as he will be registered with the Bank of Missouri, he will be >>> able to get access tokens from the AS of the Bank of Missouri. The AS of >>> Bank of America >>> has not been able to know where its access tokens have been used. This >>> will be the same for AS of the Bank of Missouri. There is no need for any >>> direct dialogue >>> between any AS and any RS at the time a client is making an access. >>> There is no need for any RO to contact any AS. >>> >>> This model has been constructed following a "Privacy by Design" approach. >>> Denis >>> >> >> -- >> Txauth mailing list >> Txauth@ietf.org >> https://www.ietf.org/mailman/listinfo/txauth >> > >
- [Txauth] A model with a User Consent Element Denis
- [Txauth] A model with a User Consent Element (wit… Denis
- Re: [Txauth] A model with a User Consent Element … Daniel Fett
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Fabien Imbault
- Re: [Txauth] A model with a User Consent Element David Pyke
- Re: [Txauth] A model with a User Consent Element Tom Jones
- Re: [Txauth] A model with a User Consent Element … Dick Hardt
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Dick Hardt
- Re: [Txauth] A model with a User Consent Element … Fabien Imbault
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Dick Hardt
- Re: [Txauth] A model with a User Consent Element … Justin Richer
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Dick Hardt
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Dick Hardt
- Re: [Txauth] A model with a User Consent Element … Fabien Imbault
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Fabien Imbault