Re: [GNAP] Enterprise servers and Internet servers use cases

Fabien Imbault <fabien.imbault@gmail.com> Tue, 18 August 2020 10:48 UTC

From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Tue, 18 Aug 2020 12:48:33 +0200
Message-ID: <CAM8feuT4=GFEzqU8k-TBSZe0fZOKpGUa_1isGqNDqOyea-pSfA@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: "txauth@ietf.org" <txauth@ietf.org>

Hi Denis,

If I understand correctly, your use case is about supporting ABAC, which is
nice and should be fairly easy to do. I think you could make the use case
much simpler, however.

The description is currently very misleading. You're using the term
"capability" in a sense that is very different from the context in which it
is used by everyone else (i.e. ocaps literature). I actually don't really
understand why you want to use that term here. RBAC vs ABAC pros and cons
are already well known (see for instance
https://www.dnsstuff.com/rbac-vs-abac-access-control), and you don't really
need to introduce capabilities into the mix.

Fabien

On Tue, Aug 18, 2020 at 12:22 PM Denis <denis.ietf@free.fr> wrote:

> Hello,
>
> I have posted a new use case (unfortunately as usual for me in the wrong
> directory) under the name:
> *Enterprise servers and Internet servers use cases*.
>
> It is available from:
> https://github.com/ietf-wg-gnap/general/wiki/Enterprise-servers-and-Internet-servers-use-cases
>
> At the end of this paper, I have summarized the terminology used in this
> paper.
>
>    - User: human person
>    - individual client : application that requests access tokens on
>    behalf of a User
>    - User Agent : User Interface associated with an individual client
>    that manages the User Consent and choices
>    - enterprise client: application that requests access tokens on behalf
>    of the application
>    - attribute: characteristic of a User or of an Application
>    - capability: pair of elements granted by an AS that indicates which
>    method is allowed on which data object
>    - Attribute-based Access Control (ABAC): access control scheme based
>    on a policy that uses one or more attributes to grant or to deny an
>    operation
>    - User access token: access token that contains attributes related to
>    the User and/or capabilities granted to the User
>    - application access token: access token that contains attributes
>    related to the application and/or capabilities granted to an enterprise
>    client application
>
> Denis
>
> PS. If someone could post a message explaining how to place a use case in
> the right directory, it might be useful for a next time.  :-)
>
> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>