Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11 - Dictionary

Francis Pouatcha <> Tue, 21 July 2020 17:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 051D93A0CB9 for <>; Tue, 21 Jul 2020 10:28:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 17Oizswkwjop for <>; Tue, 21 Jul 2020 10:28:36 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0A8CA3A0C99 for <>; Tue, 21 Jul 2020 10:28:35 -0700 (PDT)
Received: by with SMTP id r12so21883506wrj.13 for <>; Tue, 21 Jul 2020 10:28:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dbc+HO7K0KYvqVU0YsAt271Ro+6tXF6+BlQuAGEQBbE=; b=LPuikorqEJd9uDgNviK4wne87rPi4CVXhozS2wcFsbnaM39qIWt4m+HQuTdIQJittI GtH9dKIzZFdLxItlXoabbIL61JNs6PTTInVmq+PivFz/Pc+xoutSgtRTLOTk+eaK7xSZ /T3RkRh3uaWEqv8jRUY9cb+FiB/jm/Lkr/ckQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dbc+HO7K0KYvqVU0YsAt271Ro+6tXF6+BlQuAGEQBbE=; b=li3kSd26yFjVbtLo7a671IKJQFFfRR2rzFxTWNcjDuPV8y1q5UwEeowKmvfALwr0bE D6UeZI2cmT/LvslzZ2kOlt6R6PL4/SG0S8ser9GI9kBSEwzsGaM/P8bk0iK1cxvcFtmt L6tMtEA1YMi4WSe2pHbAqWIQvH9D3+mpqRuxqTaG4fbwOaKps9TTEbDUsLqNX5K/Zp+E hHPYsVaQyFJW9UQ+/Idap5CIlSiWJ+Cd/nCqF1LU77dW0rLvTmjnvUpk9hESq4L6wP7a tceG07fQE5iyjeIGyfwkkjoy7PkbKa+aIt5JKOCCHYbwldHejxuY9Gkhaoe1wZO4nFRm yBIQ==
X-Gm-Message-State: AOAM531Z4ukBwJjRrq0MzYtHxG+erKHWCq0a7ayREq3sWbaLDqJWZOit /w2KyV8c41l9rbBrNMfnMRLg2oCj5P+0kC0M5vPv+g==
X-Google-Smtp-Source: ABdhPJy0K/sCQr1OGY+ubD8nbFmmBDL3mli7X3qmXphiyRJHn4FaMUZ0IIcuX9ddyACj5xZJcZ8yL2eBVmSj4aKgfZQ=
X-Received: by 2002:a5d:65d2:: with SMTP id e18mr11796250wrw.70.1595352514237; Tue, 21 Jul 2020 10:28:34 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Francis Pouatcha <>
Date: Tue, 21 Jul 2020 13:28:20 -0400
Message-ID: <>
To: Tom Jones <>
Cc:, Dick Hardt <>
Content-Type: multipart/alternative; boundary="000000000000e7428905aaf6f3a8"
Archived-At: <>
Subject: Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11 - Dictionary
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 21 Jul 2020 17:28:47 -0000

On Mon, Jul 20, 2020 at 10:30 PM Tom Jones <>

> that sounds like a good start - some points.
> 1. Many of the statements, like the RO owns the data, are technically or
> legally incorrect, but i think we know what you mean. - controls access
> might be more appropo.

> 2. the user may be a delegate of the RO and have some sort of token that
> proves his authority. It would be interesting to know if that token is in
> scope.  If not perhaps I can find someone else to own it.
Talking Grant Negotiation, the happy path assumes that the User/Client is
not in possession of an AuthZ.

- If a Client is in possession of an AuthZ he assumes valid, he can
directly proceed with step (6) ServiceRequest(AuthZ)
- If the client does not the authorization requirement, we could allow the
request in "step (1) ServiceIntent" to present an existing AuthZ to the RS.
If RS judges this AuthZ to be sufficient, the returned AuthZChallenge can
contain an Exemption from further Authorization, instructing the Client to
proceed with "step (6) ServiceRequest(AuthZ)".

Peace ..tom
> On Mon, Jul 20, 2020 at 6:01 PM Francis Pouatcha <fpo=
> <>> wrote:
>> Hello Dick,
>> Here is (in a new thread) the promised attempt to define terms of
>> interest in the GNAP protocol.
>> Party - represents a role in the GNAP protocol flow. A party can take the
>> form of a web service, an application installed on the user device and
>> acting autonomously or the form of a natural person (resp. of an autonomous
>> device) using an application to interact with other parties.
>> Resource - a piece of data or web service
>>       - controlled by a Resource Owner (RO),
>>       - held and guarded by a Resource Server (RS) and
>>       - serviced by the RS to a Client, if the Client provides a valid
>> Authorization.
>> Resource Owner (RO) - the party that
>>       - owns a Resource,
>>       - relies on the services the GS to manage access to that Resource
>> and
>>       - relies on the services of a RS to hold the Resource and guard
>> access to that Resource.
>> Resource Server (RS) - the party that
>>       - holds a resource and guards access to that resource on behalf of
>> the RO,
>>       - services the Resource to the requesting Client, provided the
>> Client presents a valid Authorization.
>>       The RS is generally deployed as a web service.
>> Grant Server (GS) - the party that manages access to a Resource on behalf
>> of the RO. For each Resource access request, the GS might request the
>> consent of the RO and produce a corresponding Authorization that is given
>> to the requesting Client.
>> Consent - act of an RO approving the release of a Resource he owns to a
>> Client.
>> Grant - material form of an RO Consent. In order not to interact with the
>> RO on each Resource access request, the GS might store the RO Consent in
>> the form of a Grant for reuse.
>> Authorization - externalized form of a Grant as known to the GS and the
>> RS.
>>       - The GS converts a Grant into an Authorization for use in a
>> Resource access request.
>>       - The RS evaluates an Authorization to decide on whether or not to
>> release the Resource to the Client.
>> Client - the party that provides the infrastructure used by a User to
>> access a Resource. The client infrastructure is designed to:
>>       - Receive the resource access request from the User,
>>       - Interact with the RS to discover authorization requirements,
>>       - Interact with the GS to obtain an Authorization to access the
>> Resource,
>>       - Interact with the RS to access the Resource on behalf of the User.
>> User - the party using the infrastructure of the Client to gain access to
>> a Resource.
>> This dictionary is supposed to be the base for further discussions that
>> will allow us to provide each term with just enough description to reduce
>> ambiguities and misunderstandings in further exchanges.. I intentionally
>> omitted the specification of the type and nature of each party (For example
>> Client / Registered Client / Dynamic Client). Such elaborations belong IMO
>> in proper subsections.
>> Comments are welcome.
>> Best regards.
>> --
>> Francis Pouatcha
>> Co-Founder and Technical Lead
>> adorsys GmbH & Co. KG
>> --
>> Txauth mailing list

Francis Pouatcha
Co-Founder and Technical Lead
adorsys GmbH & Co. KG