Re: [GNAP] Enterprise servers and Internet servers use cases
Fabien Imbault <fabien.imbault@gmail.com> Tue, 18 August 2020 14:11 UTC
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Tue, 18 Aug 2020 16:11:00 +0200
Message-ID: <CAM8feuRAbHsRWk-KOPnwAO=Vp4ewaMzBAySgtW+-69PLmM8WBg@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: "txauth@ietf.org" <txauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/UlQY4-mTFyH-fDDj3b1Rkj-BXQE>
Hi Denis,

You may read for instance: http://habitatchronicles.com/2017/05/what-are-capabilities/

Defined more specifically as ocaps = object capabilities, an alternative to ACLs. The canonical example is the valet key for a car.

If your argument is not about RBAC vs ABAC, I haven't understood what you're looking for. But unless you define it, the term "capabilities" itself is quite confusing.

What's your main concern?

Fabien

On Tue, Aug 18, 2020 at 3:52 PM Denis <denis.ietf@free.fr> wrote:

> Hi Fabien,
>
> Hi Denis,
>
> If I understand correctly, your use case is about supporting ABAC, which is nice and should be fairly easy to do. I think you could make the use case much simpler, however.
>
> The most complex case is being addressed where a RS is trusting more than one AS and is willing, using ABAC, to obtain different attributes for the same user.
> From there, simplifications exist in the real world.
>
> The most important is that I propose a single model where both capabilities and ABAC can be used, at the full discretion of the Resource Controller.
>
> The description is currently very misleading. You're using the term "capability" in a sense that is very different from the context in which it is used by everyone else
>
> I am using the term "capability" since it is fully appropriate. A capability is a pair of elements granted by an AS that indicates "which method is allowed on which data object".
> In another context, I would say "which operation (e.g. read or write) is allowed on which data".
>
> (i.e. ocaps literature). I actually don't really understand why you want to use that term here.
>
> I am sorry, but I don't know what ocaps means. I used:
> https://acronyms.thefreedictionary.com/OCAPS and I got the following results:
>
> OCAPS Office of Clinical Administrative and Program Support (Illinois)
> OCAPS Ohio Coalition for Adult Protective Services (Columbus, OH)
> OCAPS Out of Control Action Plans
> OCAPS Ottawa Citizens against Pollution by Sewage (Canada)
>
> I do mean capability. Please, take a look at:
>
> https://prosuncsedu.wordpress.com/2014/08/21/comparing-object-centric-access-control-mechanisms-acl-capability-list-attribute-based-access-control/
>
> RBAC vs ABAC pros and cons are already well known (see for instance https://www.dnsstuff.com/rbac-vs-abac-access-control), and you don't really need to introduce capabilities into the mix.
>
> My argumentation has nothing to do with RBAC versus ABAC.
>
> Denis
>
> Fabien
>
> On Tue, Aug 18, 2020 at 12:22 PM Denis <denis.ietf@free.fr> wrote:
>
>> Hello,
>>
>> I have posted a new use case (unfortunately as usual for me in the wrong directory) under the name: *Enterprise servers and Internet servers use cases*.
>>
>> It is available from:
>> https://github.com/ietf-wg-gnap/general/wiki/Enterprise-servers-and-Internet-servers-use-cases
>>
>> At the end of this paper, I have summarized the terminology used in this paper.
>>
>> - User: human person
>> - individual client: application that requests access tokens on behalf of a User
>> - User Agent: User Interface associated with an individual client that manages the User Consent and choices
>> - enterprise client: application that requests access tokens on behalf of the application
>> - attribute: characteristic of a User or of an Application
>> - capability: pair of elements granted by an AS that indicates which method is allowed on which data object
>> - Attribute-based Access Control (ABAC): access control scheme based on a policy that uses one or more attributes to grant or to deny an operation
>> - User access token: access token that contains attributes related to the User and/or capabilities granted to the User
>> - application access token: access token that contains attributes related to the application and/or capabilities granted to an enterprise client application
>>
>> Denis
>>
>> PS. If someone could post a message explaining how to place a use case in the right directory, it might be useful for a next time. :-)
>>
>> --
>> TXAuth mailing list
>> TXAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>
> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
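An added illustration, not code from the thread or from any GNAP implementation, of the single model Denis describes in the quoted exchange: an RS-side check that honours a token's capability pairs (method, data object), its attributes under an ABAC policy, or either, at the Resource Controller's discretion. The token layout, the ABAC policy, the mode names and the sample tokens are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    """Pair granted by an AS: which method is allowed on which data object."""
    method: str
    obj: str


@dataclass
class AccessToken:
    """Constructed token shape: attributes and/or capabilities, as in the thread's terminology."""
    subject: str
    attributes: dict = field(default_factory=dict)
    capabilities: frozenset = field(default_factory=frozenset)


# Constructed ABAC policy held by the RS: one attribute predicate per (method, object).
ABAC_POLICY = {
    ("read", "payroll"): lambda a: a.get("department") == "finance",
    ("write", "payroll"): lambda a: a.get("role") == "payroll-admin",
}


def is_allowed(token, method, obj, mode="either"):
    """The Resource Controller chooses which mechanism the RS honours:
    'capability' (the token must carry the exact pair), 'abac' (the token's
    attributes must satisfy the policy for that pair) or 'either'.
    Any other mode denies, so a misconfiguration fails closed."""
    cap_ok = Capability(method, obj) in token.capabilities
    rule = ABAC_POLICY.get((method, obj))
    abac_ok = rule is not None and bool(rule(token.attributes))
    if mode == "capability":
        return cap_ok
    if mode == "abac":
        return abac_ok
    if mode == "either":
        return cap_ok or abac_ok
    return False


# Constructed sample tokens: a User access token carrying only attributes,
# and an application access token carrying only capabilities.
USER_TOKEN = AccessToken("alice", attributes={"department": "finance"})
APP_TOKEN = AccessToken("enterprise-batch",
                        capabilities=frozenset({Capability("write", "payroll")}))

if __name__ == "__main__":
    for tok, m, o in [(USER_TOKEN, "read", "payroll"), (USER_TOKEN, "write", "payroll"),
                      (APP_TOKEN, "write", "payroll"), (APP_TOKEN, "read", "payroll")]:
        print(tok.subject, m, o, {mode: is_allowed(tok, m, o, mode)
                                  for mode in ("capability", "abac", "either")})
```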