Re: [GNAP] Comments on the GNAP Wiki Terminology
Fabien Imbault <fabien.imbault@gmail.com> Fri, 18 December 2020 17:02 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4BA13A0A50 for <txauth@ietfa.amsl.com>; Fri, 18 Dec 2020 09:02:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Abt9KY5UgJjN for <txauth@ietfa.amsl.com>; Fri, 18 Dec 2020 09:02:24 -0800 (PST)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0A7C3A0AD3 for <txauth@ietf.org>; Fri, 18 Dec 2020 09:02:23 -0800 (PST)
Received: by mail-io1-xd2f.google.com with SMTP id q137so2646679iod.9 for <txauth@ietf.org>; Fri, 18 Dec 2020 09:02:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BeHlYYgtIxBNRVw3OnRNpAXn6z29ys0Yf/xUZAYZQ7g=; b=PnUwVgmn/u/3LqtukJzfxJPRfE2wDq8Ru9UPHtZMlSKGH4DcY3kFs3SlUmO9lfjU9R eyKUYcoTG56BhITVE4U5WER1meGmIToa4aHxQ1Uyb66i68B5tr5U90fkrPAoxcBe/MQ/ gES/2pSVp5Iob5rNeBU0rJENE4HWHJHkRnHwOLwV+wOlD4KEhNA/dkMSaeaNAGo4+yhS DuGwl0epFnZLSntvadauhFXNmepLmuh2heeFAAO6MPMJpb0R0K5zfkBZs/zHpovaSV9x X+4Zp2nLJxsfV/JDcf5Ij4Y9T1g1Q2J/Kpo2VS4NFygX8a6WzF8NkjWf3tb2cfjniJGV wAMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BeHlYYgtIxBNRVw3OnRNpAXn6z29ys0Yf/xUZAYZQ7g=; b=FDnbSEiw33yOWpBEev0773EI+Tg5ldvSuBA7e4ShdgAjjN4irULNZetNGWa55ll8Nu rT//c8d83Szsb7019mgSjdMPLUgiCUkIijPMNj7WRi/y0Bj5qzuZu8Cn5jlgreo4i+3Y 6r+V2VbxmoR/rxItSxL0/E/PxyrERWZCkbikQ+QCDr1At6klQ9c9YsK2xUoJtVd5LH3B NgJis1QFR4erFDT6Yg0XNWfXoMfkuXBG+0ZEjs+uX/KJbeZVgM70dBRITznfDSsqGLjk 8SrnMmUfvMnIZQwDm5sMVwa5eLklXyeN5rQHLPxqGrMlAf35jRAyWyzDPCH2zMzVCrL8 fkwQ==
X-Gm-Message-State: AOAM532O9Z1u9o7biP7agSTvwj2mcjjB2tdgaaeBZImEfXSGdEn4uOx1 2xcKXzYUb7RYov1ZYl56VzGDd7eP8rLBtV50KUQ=
X-Google-Smtp-Source: ABdhPJyylHCY2gHrIFcVS+a3S15s22qqsbaf3OGEujmbuCQNdYwvL/ML5BwrAO4yCp38Gq01LdoS2FFCrFc2VujGtZY=
X-Received: by 2002:a02:4b42:: with SMTP id q63mr4441659jaa.77.1608310942894; Fri, 18 Dec 2020 09:02:22 -0800 (PST)
MIME-Version: 1.0
References: <17e16653-178a-3f55-1e19-b9b5e055f46e@free.fr>
In-Reply-To: <17e16653-178a-3f55-1e19-b9b5e055f46e@free.fr>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 18 Dec 2020 18:02:09 +0100
Message-ID: <CAM8feuT19t71WgCa5U95J5a4b6M1KpiNdTaPz_jr_makLTfvpA@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: txauth gnap <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007096e305b6c0122f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/MWDH9uxz3A3-oYrHS8Am3sT0jG4>
Subject: Re: [GNAP] Comments on the GNAP Wiki Terminology
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2020 17:02:27 -0000
Thanks Denis, that's a really useful feedback. I'll review that in more detail, but something that's really not clear to me is the last one, subject information. 1) is it about the end-user ? or the RO ? (as is the current definition in V02) 2) why do we even need to call it subject information ? For instance if it's about the end-user, it should only be end-user information. 3) do we want to use entity or subject in the definitions ? (cf RO for instance). Regarding natural person vs entity we had a discussion on the mailing list previously. Cheers, Fabien On Fri, Dec 18, 2020 at 5:47 PM Denis <denis.ietf@free.fr> wrote: > FYI, the wiki page is there: > https://github.com/ietf-wg-gnap/gnap-core-protocol/wiki/Terminology > FYI first, there is a useful web page where you can find all the ISO > definitions as well as the text for any ISO standard (up to its definition > section only): > https://www.iso.org/obp > This may provide some ideas and you will notice that a given term may be > used in different ISO standards with a different definition. > > I have nine comments (each one being numbered). > > * 1) Current definition of AS*: > > The current definition is: > > *Authorization Server (AS) * > Definition: server that grants privileges to a particular end-user > and that provides them to a client in the form of an access token > This is fine in general (but see later another comment about it), but the > word privileges is left undefined. > > * 2) Definition of a privilege* > A suggested "privilege" definition has been proposed in the wiki page: "A > privilege is the right to perform an operation (or action) on a Resource." > See also other def > <https://open-measure.atlassian.net/wiki/spaces/DIC/pages/67568310/Privilege+Dictionary+Entry> > . > In the "other def.", the term is considered to be a synonym of a > permission. > > ISO/IEC 29146:2016(en), 3.8 (very long) definition is the following : > > privilege > access right > permission > authorization to a subject (3.15) > <https://www.iso.org/obp/ui#:term:3.15> to access a resource (3.14) > <https://www.iso.org/obp/ui#:term:3.14> > > Note 1 to entry: Privilege is a necessary but not sufficient > condition for access. Access occurs when the access request is granted > according to its access control policy. > The access control policy is based on > privileges and may include other environmental factors (e.g. time-of-day, > location, etc.) > > Note 2 to entry: Privileges take the form of data presented by a > subject or obtained for a subject that is used by a Policy Decision Point > in order to grant or deny an operation > that a subject is willing to perform on a > resource. > (...) > I propose the following: > > *privilege*: right or attribute associated with an end-user > with: > *right*: ability given to an end-user to perform a given > operation on an object under the control of a RS > > *attribute*: characteristics or property related to an end-user > > > > *3) Definition of a Client * The current definition is: > *Client * > Definition: application that consumes resources from one or several > RSs, possibly requiring a negotiation of access privileges with one or > several ASs > > Note: this specification differentiates between a specific instance > (the client instance, identified by its public key) and the software > running the instance > (the client software). For some kinds of client software, > there could be many instances of a single piece of client software. > Example: a client can be a mobile application, a web application, etc. > > Previously, I proposed: > > *Client*: application used by an end-user to interact with an AS or > a RS > > The current definition is missing to indicate who is operating the client. > It is an end-user, i.e. it is not another application, nor a process, nor > an entity. > The definition should capture this point. > A second point: the current definition is using the wording "requiring a > negotiation". There is no "negotiation". Either the AS has or has not the > "access privileges". > The words "a negotiation of" should be deleted. > > This raises the point where this definition of a "Client" is using the > wording "*access privileges*" whereas the definition of an "Authorization > Server (AS)" > is using the word "*privileges*". We should make both definitions > consistent. I have a slight preference for "access privileges", but I could > also live with "privileges". > > Hence my proposals: > > * Client * > application *operated* *by an end-user *that consumes resources from > one or several RSs, possibly requiring *access privileges from* one or > several ASs > > * Authorization Server (AS) * > server that grants *access* privileges to a particular end-user and > that provides them to a client in the form of an access token > > > *4) Definition of a Resource Server (RS) * > The current definition is: > > * Resource Server (RS) * > Definition: server that provides operations on *protected *resources; > such operations require that the client provides valid access tokens issued > by an AS > A RS may offer both public resources and protected resources. Valid access > tokens are only needed for protected resources. > I propose the following definition while merging the two sentences: > > *Resource Server (RS) * > server that provides operations on resources *where* protected > operations require that the client provides *one or more* valid access > tokens issued by *one or more ASs* > In the above modification I added "*one or more *". I am presuming that > GNAP will allow the presentation of more that one access token from > different ASs > in order to allow an end-user to perform one operation on a protected > resource. > > *5) Definition of Resource Owner* > > The current definition is: > * Resource Owner (RO) * > Definition: personal or organizational entity that may grant > privileges on resources it has authority upon > Note: the act of granting privileges may be manual (i.e. through an > interaction) or automatic (i.e. through predefined rules). > > I don't know what a "personal entity" is but I know what a "natural > person" is. > > Furthermore, a Resource Owner is not granting privileges (or access > privileges) in the same way an AS is doing. > > It is interesting to take a look at ISO 20078-1:2019(en), 3.1.4 where > Resource Owner (RO) is defined as: > > responsible party for the Resource(s) > Note 1 to entry: The Resource Owner is responsible for granting, > denying, and revoking Access to Resource(s). > Note 2 to entry: The responsible Resource Owner is determined by the > concrete Resource. > I propose: > *Resource Owner (RO) * > *natural person *or organizational entity that may grant or deny > operations on resources it has authority upon > Note: the act of *granting or denying* an operation may be manual > (i.e. through an interaction) or automatic (i.e. through predefined rules). > > * 6) Definition of Access Token* > The current definition is: > Access token > Definition: digitally signed data that contains specific rights > and/or attributes > Note 1: the access token can be issued to an end-user (usually > requiring his authentication) and subsequently refreshed. > The AS usually provides a method for the RO to revoke the > privileges at any point in time. > Note 2: an access token may act as a capability (i.e. bearer token) > or require an additional authentication by binding to a key (i.e. bound > token) > The definition is fine, but not the two Notes. > The second sentence from the Note 1 is stating: "The AS usually provides > a method for the RO to revoke the privileges at any point in time". > Revoking "the privileges" is different from revoking an "access token". > The second sentence of this Note 1 which is supposed to be about access > token is confusing. > The privileges may be changed at any point in time using a management > function. Access tokens can be short-lived and thus don't need to be > revoked. > Any call-back from a RS to an AS should be avoided in order to respect the > user's privacy. > > Therefore, I propose to remove the second part of this Note 1 and to > replace "the" by "a" at the beginning of the first sentence. > Note 2 is stating: > Note 2: an access token may act as a capability (i.e. bearer token) > or require an additional authentication by binding to a key (i.e. bound > token) > From the discussion on the list, I believe that we don't consider bearer > tokens. Note 2 should be removed. > So my proposal is as follows: > * Access token * > digitally signed data that contains specific rights and/or attributes > > Note: an access token can be issued to an end-user (usually requiring > his authentication) and subsequently refreshed. > > * 7) Definition of Grant* > The current definition is: > * Grant * > Definition: (verb): to permit, as a privilege given to an end-user to exercise > some rights and/or assert attributes during a specific duration > Definition: (noun): the act of granting > > The words ", as a privilege given to" are unnecessary" > I propose: > Grant > (verb): to permit an end-user to exercise some rights and/or *to* > assert *some *attributes *at a specific time and *during a specific > duration > (noun): the act of granting > > > *8) Definition of Resource* > The current definition is: > * Resource * > Definition: protected API served by a RS and accessed by a client, > if and only if a valid access token is provided > This definition is incorrect. This definition would be fine for a > Protected Resource. Change it into "Protected Resource": > * Protected Resource * > protected API served by a RS and *that can be *accessed by a client, > if and only if a valid access token is provided > If a definition of a Resource is needed, I propose: > * Resource * > public or protected resource from a RS > > * 9) Definition of Subject Information * > The current definition is: > > *Subject Information* > Definition: claim asserted locally by an AS about a person, organization > or device > Source: > https://tools.ietf.org/html/draft-ietf-secevent-subject-identifiers-06 > (unless we plan to use something specific to GNAP) > > This is information returned by an AS about an end-user. > I would thus simply propose instead: > > * Subject Information * > information returned to a Client by an AS about an end-user > > Denis > > -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth >
- [GNAP] Comments on the GNAP Wiki Terminology Denis
- Re: [GNAP] Comments on the GNAP Wiki Terminology Fabien Imbault
- Re: [GNAP] Comments on the GNAP Wiki Terminology Denis
- Re: [GNAP] Comments on the GNAP Wiki Terminology Justin Richer
- Re: [GNAP] Comments on the GNAP Wiki Terminology Fabien Imbault
- Re: [GNAP] Comments on the GNAP Wiki Terminology Tom Jones
- Re: [GNAP] Comments on the GNAP Wiki Terminology Fabien Imbault
- Re: [GNAP] Comments on the GNAP Wiki Terminology Denis
- Re: [GNAP] Comments on the GNAP Wiki Terminology Fabien Imbault
- Re: [GNAP] Comments on the GNAP Wiki Terminology Tom Jones
- Re: [GNAP] Comments on the GNAP Wiki Terminology Fabien Imbault