IETF Logo Mail Archive

Re: [GNAP] Comments on the GNAP Wiki Terminology

Fabien Imbault <fabien.imbault@gmail.com> Fri, 18 December 2020 17:02 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4BA13A0A50 for <txauth@ietfa.amsl.com>; Fri, 18 Dec 2020 09:02:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Abt9KY5UgJjN for <txauth@ietfa.amsl.com>; Fri, 18 Dec 2020 09:02:24 -0800 (PST)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0A7C3A0AD3 for <txauth@ietf.org>; Fri, 18 Dec 2020 09:02:23 -0800 (PST)
Received: by mail-io1-xd2f.google.com with SMTP id q137so2646679iod.9 for <txauth@ietf.org>; Fri, 18 Dec 2020 09:02:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BeHlYYgtIxBNRVw3OnRNpAXn6z29ys0Yf/xUZAYZQ7g=; b=PnUwVgmn/u/3LqtukJzfxJPRfE2wDq8Ru9UPHtZMlSKGH4DcY3kFs3SlUmO9lfjU9R eyKUYcoTG56BhITVE4U5WER1meGmIToa4aHxQ1Uyb66i68B5tr5U90fkrPAoxcBe/MQ/ gES/2pSVp5Iob5rNeBU0rJENE4HWHJHkRnHwOLwV+wOlD4KEhNA/dkMSaeaNAGo4+yhS DuGwl0epFnZLSntvadauhFXNmepLmuh2heeFAAO6MPMJpb0R0K5zfkBZs/zHpovaSV9x X+4Zp2nLJxsfV/JDcf5Ij4Y9T1g1Q2J/Kpo2VS4NFygX8a6WzF8NkjWf3tb2cfjniJGV wAMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BeHlYYgtIxBNRVw3OnRNpAXn6z29ys0Yf/xUZAYZQ7g=; b=FDnbSEiw33yOWpBEev0773EI+Tg5ldvSuBA7e4ShdgAjjN4irULNZetNGWa55ll8Nu rT//c8d83Szsb7019mgSjdMPLUgiCUkIijPMNj7WRi/y0Bj5qzuZu8Cn5jlgreo4i+3Y 6r+V2VbxmoR/rxItSxL0/E/PxyrERWZCkbikQ+QCDr1At6klQ9c9YsK2xUoJtVd5LH3B NgJis1QFR4erFDT6Yg0XNWfXoMfkuXBG+0ZEjs+uX/KJbeZVgM70dBRITznfDSsqGLjk 8SrnMmUfvMnIZQwDm5sMVwa5eLklXyeN5rQHLPxqGrMlAf35jRAyWyzDPCH2zMzVCrL8 fkwQ==
X-Gm-Message-State: AOAM532O9Z1u9o7biP7agSTvwj2mcjjB2tdgaaeBZImEfXSGdEn4uOx1 2xcKXzYUb7RYov1ZYl56VzGDd7eP8rLBtV50KUQ=
X-Google-Smtp-Source: ABdhPJyylHCY2gHrIFcVS+a3S15s22qqsbaf3OGEujmbuCQNdYwvL/ML5BwrAO4yCp38Gq01LdoS2FFCrFc2VujGtZY=
X-Received: by 2002:a02:4b42:: with SMTP id q63mr4441659jaa.77.1608310942894; Fri, 18 Dec 2020 09:02:22 -0800 (PST)
MIME-Version: 1.0
References: <17e16653-178a-3f55-1e19-b9b5e055f46e@free.fr>
In-Reply-To: <17e16653-178a-3f55-1e19-b9b5e055f46e@free.fr>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 18 Dec 2020 18:02:09 +0100
Message-ID: <CAM8feuT19t71WgCa5U95J5a4b6M1KpiNdTaPz_jr_makLTfvpA@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: txauth gnap <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007096e305b6c0122f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/MWDH9uxz3A3-oYrHS8Am3sT0jG4>
Subject: Re: [GNAP] Comments on the GNAP Wiki Terminology
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2020 17:02:27 -0000

Thanks Denis, that's a really useful feedback. I'll review that in more
detail, but something that's really not clear to me is the last one,
subject information.

1) is it about the end-user ? or the RO ? (as is the current definition in
V02)
2) why do we even need to call it subject information ? For instance if
it's about the end-user, it should only be end-user information.
3) do we want to use entity or subject in the definitions ? (cf RO for
instance). Regarding natural person vs entity we had a discussion on the
mailing list previously.

Cheers,
Fabien

On Fri, Dec 18, 2020 at 5:47 PM Denis <denis.ietf@free.fr> wrote:

> FYI, the wiki page is there:
> https://github.com/ietf-wg-gnap/gnap-core-protocol/wiki/Terminology
> FYI first, there is a useful web page where you can find all the ISO
> definitions as well as the text for any ISO standard (up to its definition
> section only):
> https://www.iso.org/obp
> This may provide some ideas and you will notice that a given term may be
> used in different ISO standards with a different definition.
>
> I have nine comments (each one being numbered).
>
> * 1) Current definition of AS*:
>
> The current definition is:
>
>      *Authorization Server (AS) *
>      Definition: server that grants privileges to a particular end-user
> and that provides them to a client in the form of an access token
> This is fine in general (but see later another comment about it), but the
> word privileges is left undefined.
>
> * 2) Definition of a privilege*
> A suggested "privilege" definition has been proposed in the wiki page: "A
> privilege is the right to perform an operation (or action) on a Resource."
> See also other def
> <https://open-measure.atlassian.net/wiki/spaces/DIC/pages/67568310/Privilege+Dictionary+Entry>
> .
> In the "other def.", the term is considered to be a synonym of a
> permission.
>
> ISO/IEC 29146:2016(en), 3.8 (very long) definition is the following :
>
>      privilege
>     access right
>     permission
>     authorization to a subject (3.15)
> <https://www.iso.org/obp/ui#:term:3.15> to access a resource (3.14)
> <https://www.iso.org/obp/ui#:term:3.14>
>
>     Note 1 to entry: Privilege is a necessary but not sufficient
> condition for access. Access occurs when the access request is granted
> according to its access control policy.
>                               The access control policy is based on
> privileges and may include other environmental factors (e.g. time-of-day,
> location, etc.)
>
>     Note 2 to entry: Privileges take the form of data presented by a
> subject or obtained for a subject that is used by a Policy Decision Point
> in order to grant or deny an operation
>                               that a subject is willing to perform on a
> resource.
> (...)
> I propose the following:
>
>         *privilege*: right or attribute associated with an end-user
> with:
>         *right*: ability given to an end-user to perform a given
> operation on an object under the control of a RS
>
>       *attribute*: characteristics or property related to an end-user
>
>
>
> *3) Definition of a Client * The current definition is:
>      *Client *
>      Definition: application that consumes resources from one or several
> RSs, possibly requiring a negotiation of access privileges with one or
> several ASs
>
>      Note: this specification differentiates between a specific instance
> (the client instance, identified by its public key) and the software
> running the instance
>               (the client software). For some kinds of client software,
> there could be many instances of a single piece of client software.
>     Example: a client can be a mobile application, a web application, etc.
>
> Previously, I proposed:
>
>       *Client*: application used by an end-user to interact with an AS or
> a RS
>
> The current definition is missing to indicate who is operating the client.
> It is an end-user, i.e. it is not another application, nor a process, nor
> an entity.
> The definition should capture this point.
> A second point: the current definition is using the wording "requiring a
> negotiation". There is no "negotiation". Either the AS has or has not the
> "access privileges".
> The words "a negotiation of" should be deleted.
>
> This raises the point where this definition of a "Client" is using the
> wording "*access privileges*" whereas the definition of an "Authorization
> Server (AS)"
> is using the word "*privileges*". We should make both definitions
> consistent. I have a slight preference for "access privileges", but I could
> also live with "privileges".
>
> Hence my proposals:
>
> *     Client *
>      application *operated* *by an end-user *that consumes resources from
> one or several RSs, possibly requiring *access privileges from* one or
> several ASs
>
> *    Authorization Server (AS) *
>      server that grants *access* privileges to a particular end-user and
> that provides them to a client in the form of an access token
>
>
> *4) Definition of a Resource Server (RS) *
> The current definition is:
>
> *     Resource Server (RS) *
>      Definition: server that provides operations on *protected *resources;
> such operations require that the client provides valid access tokens issued
> by an AS
> A RS may offer both public resources and protected resources. Valid access
> tokens are only needed for protected resources.
> I propose the following definition while merging the two sentences:
>
>       *Resource Server (RS) *
>       server that provides operations on resources *where* protected
> operations require that the client provides *one or more* valid access
> tokens issued by *one or more ASs*
> In the  above modification I added "*one or more *". I am presuming that
> GNAP will allow the presentation of more that one access token from
> different ASs
> in order to allow an end-user to perform one operation on a protected
> resource.
>
> *5) Definition of Resource Owner*
>
> The current definition is:
>     * Resource Owner (RO) *
>      Definition: personal or organizational entity that may grant
> privileges on resources it has authority upon
>     Note: the act of granting privileges may be manual (i.e. through an
> interaction) or automatic (i.e. through predefined rules).
>
> I don't know what a "personal entity" is but I know what a "natural
> person" is.
>
> Furthermore, a Resource Owner is not granting privileges (or access
> privileges) in the same way an AS is doing.
>
> It is interesting to take a look at ISO 20078-1:2019(en), 3.1.4 where
> Resource Owner (RO) is defined as:
>
>       responsible party for the Resource(s)
>       Note 1 to entry: The Resource Owner is responsible for granting,
> denying, and revoking Access to Resource(s).
>       Note 2 to entry: The responsible Resource Owner is determined by the
> concrete Resource.
> I propose:
>      *Resource Owner (RO) *
>      *natural person *or organizational entity that may grant or deny
> operations on resources it has authority upon
>     Note: the act of *granting or denying* an operation may be manual
> (i.e. through an interaction) or automatic (i.e. through predefined rules).
>
> * 6) Definition of Access Token*
> The current definition is:
>      Access token
>      Definition: digitally signed data that contains specific rights
> and/or attributes
>     Note 1: the access token can be issued to an end-user (usually
> requiring his authentication) and subsequently refreshed.
>                 The AS usually provides a method for the RO to revoke the
> privileges at any point in time.
>     Note 2: an access token may act as a capability (i.e. bearer token)
> or require an additional authentication by binding to a key (i.e. bound
> token)
> The definition is fine, but not the two Notes.
> The second sentence from the Note 1 is stating: "The AS usually provides
> a method for the RO to revoke the privileges at any point in time".
> Revoking "the privileges" is different from revoking an "access token".
> The second sentence of this Note 1 which is supposed to be about access
> token is confusing.
> The privileges may be changed at any point in time using a management
> function. Access tokens can be short-lived and thus don't need to be
> revoked.
> Any call-back from a RS to an AS should be avoided in order to respect the
> user's privacy.
>
> Therefore, I propose to remove the second part of this Note 1 and to
> replace "the" by "a" at the beginning of the first sentence.
> Note 2 is stating:
>       Note 2: an access token may act as a capability (i.e. bearer token)
> or require an additional authentication by binding to a key (i.e. bound
> token)
> From the discussion on the list, I believe that we don't consider bearer
> tokens. Note 2 should be removed.
> So my proposal is as follows:
> *     Access token *
>      digitally signed data that contains specific rights and/or attributes
>
>     Note: an access token can be issued to an end-user (usually requiring
> his authentication) and subsequently refreshed.
>
> * 7) Definition of Grant*
> The current definition is:
> *     Grant *
>      Definition: (verb): to permit, as a privilege given to an end-user to exercise
> some rights and/or assert attributes during a specific duration
>     Definition: (noun): the act of granting
>
> The words ", as a privilege given to" are unnecessary"
> I propose:
>      Grant
>      (verb): to permit an end-user to exercise some rights and/or *to*
> assert *some *attributes *at a specific time and *during a specific
> duration
>     (noun): the act of granting
>
>
> *8) Definition of Resource*
> The current definition is:
> *     Resource *
>       Definition: protected API served by a RS and accessed by a client,
> if and only if a valid access token is provided
> This definition is incorrect. This definition would be fine for a
> Protected Resource. Change it into "Protected Resource":
> *     Protected Resource *
>      protected API served by a RS and *that can be *accessed by a client,
> if and only if a valid access token is provided
> If a definition of a Resource is needed, I propose:
> *     Resource *
>      public or protected resource from a RS
>
> * 9) Definition of Subject Information *
> The current definition is:
>
> *Subject Information*
> Definition: claim asserted locally by an AS about a person, organization
> or device
> Source:
> https://tools.ietf.org/html/draft-ietf-secevent-subject-identifiers-06
> (unless we plan to use something specific to GNAP)
>
> This is information returned by an AS about an end-user.
> I would thus simply propose instead:
>
> *     Subject Information *
>      information returned to a Client by an AS about an end-user
>
> Denis
>
> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email