[Txauth] Use Case: Directed Tokens

Fabien Imbault <fabien.imbault@gmail.com> Wed, 08 July 2020 07:53 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 370E33A0C1F for <txauth@ietfa.amsl.com>; Wed, 8 Jul 2020 00:53:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRZKf1toXHpO for <txauth@ietfa.amsl.com>; Wed, 8 Jul 2020 00:53:58 -0700 (PDT)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4EBC3A0C1C for <Txauth@ietf.org>; Wed, 8 Jul 2020 00:53:54 -0700 (PDT)
Received: by mail-io1-xd29.google.com with SMTP id o5so45902296iow.8 for <Txauth@ietf.org>; Wed, 08 Jul 2020 00:53:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=NuYGk/orGWdF8xFJx50ocr7eg1XOiheZZi9F1u5jM68=; b=KlMsGqzyt6ezPdVMcdYSGp0RVM6r/3qY2DXVns1ztYBgBoAeg+SfSk5oXycAdHxL2t UU/Act96Di2anonb75/jocOZgczo3YOF0+M2+xudU5X06Ynr0I4AKYRc38CzvU4NSs9c 6OOrZuCixwPsV4KFBv/QggOhUQrcacTW/nENg/Bs4VLWHcrfn/HxhPSVqo4QwVXVexko XH4tJc/q5tIsQYhdWfblbaiq1trYwoTvFKb4loXWz24vy2dKi2xXYbufQmad41ndX4OV tSFA8eqJBCmOivV1KRN1qABZLQoABGTqWVzCW8r9yLNo1+UGtfj1+yq4cgs54tG6jXOA fbDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=NuYGk/orGWdF8xFJx50ocr7eg1XOiheZZi9F1u5jM68=; b=foBYgQ6LyKOw+nHOQ4G8JmbiaFxdFxrsyKYrpC0vMKOba9cU8jHDTLxeD1skUJl08g 4H7yNwWKhb9A0WUFtpLToS7MXCO8UNl7SHn5i3+fRm/9tNsv8qDtHJBboLtz20a5ZHpU OclQJOC8JIQZqnXHEEIB7lAsHneBEj9X+jdtqw3g9MDkFuoA4IXyJBdp8sKAnb00zVzl tm16gz9NbUO+jb1gGHYyuQLkstSDxBoSgptU7pUSz7NvFJbpeWTlDEcPSoLhF9ec8GF0 jGCVKoGwMq3IT2YlxrAEF2hKk/MMLb4RvE/ZBB2koq7tMlCxN9Rsojp7kLezMhry4MPg MD0w==
X-Gm-Message-State: AOAM531EVjxp0cHoSXHZTgLAEDCvx5o+t5Ky/eGLh2yfHP6wpJRGrdOJ gepfu//8TibGYY2rpcHAmb29RkyhFXhTkxTrfPJME75L
X-Google-Smtp-Source: ABdhPJxRVloLEUXLbrUxftiNvxqYrSQjH0BEzG/K8/xQhb7bgxljdsNAwIrUrqI7FZVN0UQhb2v5ZnLMqYzR1/mFTIM=
X-Received: by 2002:a5e:d90c:: with SMTP id n12mr34736072iop.144.1594194833951; Wed, 08 Jul 2020 00:53:53 -0700 (PDT)
MIME-Version: 1.0
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Wed, 8 Jul 2020 09:53:39 +0200
Message-ID: <CAM8feuRuZdeE1eOFz8Lzwmta6TSURFj8erQco8WUVi+MiPPb4A@mail.gmail.com>
To: Txauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c7d07305a9e96821"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/SLvlNGRE1AwWwUoJeqL_XSVT7_c>
Subject: [Txauth] Use Case: Directed Tokens
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2020 07:53:59 -0000

Hi Justin,

Following up on the capability discussion : indeed the pattern is
interesting and has demonstrated better security than traditional role
based access controls.
Note that the system itself is not bound to json-ld, so one may simply use
ocaps without the additional semantic layer. Still when defined as in zcap,
it remains quite easy to use. I understand some of your concerns, but
believe you should see json-ld as helping for interoperability (rather than
limiting), since it explicits the context in which it is used.

This line of work builds quite extensively on academia, and especially on
debates between T.B.Lee and M.Miller. But having recently worked on VC for
identity coupled with ocaps for access works like a charm, in practice.

More generally, the remarks made by Denis are interesting, even if we may
well encounter many other / more familiar scenarios too. So I agree that we
should stay open to these different views.

Fabien