Re: [GNAP] Enterprise servers and Internet servers use cases

Fabien Imbault <fabien.imbault@gmail.com> Tue, 18 August 2020 14:11 UTC

References: <94edca87-ee06-566e-a71a-d6a902ee2684@free.fr> <CAM8feuT4=GFEzqU8k-TBSZe0fZOKpGUa_1isGqNDqOyea-pSfA@mail.gmail.com> <f773c62b-4ec1-ae4b-891e-e5f37726df4d@free.fr>
In-Reply-To: <f773c62b-4ec1-ae4b-891e-e5f37726df4d@free.fr>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Tue, 18 Aug 2020 16:11:00 +0200
Message-ID: <CAM8feuRAbHsRWk-KOPnwAO=Vp4ewaMzBAySgtW+-69PLmM8WBg@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: "txauth@ietf.org" <txauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/UlQY4-mTFyH-fDDj3b1Rkj-BXQE>
Subject: Re: [GNAP] Enterprise servers and Internet servers use cases

Hi Denis,

You may read for instance:
http://habitatchronicles.com/2017/05/what-are-capabilities/
Defined more specifically as ocaps = object capabilities, an alternative to
ACLs.
The canonical example is the valet key for a car.

If your argument is not about RBAC vs ABAC, I haven't understood what
you're looking for. But unless you define it, the term "capabilities" itself
is quite confusing.
What's your main concern?

Fabien

On Tue, Aug 18, 2020 at 3:52 PM Denis <denis.ietf@free.fr> wrote:

> Hi Fabien,
>
> Hi Denis,
>
> If I understand correctly, your use case is about supporting ABAC, which
> is nice and should be fairly easy to do. I think you could make the use
> case much simpler, however.
>
> The most complex case is being addressed where a RS is trusting more than
> one AS and is willing, using ABAC, to obtain different attributes for the
> same user.
> From there, simplifications exist in the real world.
>
> The most important is that I propose a single model where both
> capabilities and ABAC can be used, at the full discretion of the Resource
> Controller.
>
> The description is currently very misleading. You're using the term
> "capability" in a sense that is very different from the context in which it
> is used by everyone else
>
> I am using the term "capability" since it is fully appropriate. A
> capability is a pair of elements granted by an AS that indicates "which
> method is allowed on which data object".
> In another context, I would say "which operation (e.g. read or write) is
> allowed on which data".
>
> (i.e. ocaps literature). I actually don't really understand why you want
> to use that term here.
>
> I am sorry, but I don't know what ocaps means. I used:
> https://acronyms.thefreedictionary.com/OCAPS and I got the following
> results :
>
>    OCAPS    Office of Clinical Administrative and Program Support
> (Illinois)
>    OCAPS    Ohio Coalition for Adult Protective Services (Columbus, OH)
>    OCAPS    Out of Control Action Plans
>    OCAPS    Ottawa Citizens against Pollution by Sewage (Canada)
>
> I do mean capability. Please, take a look at:
>
> https://prosuncsedu.wordpress.com/2014/08/21/comparing-object-centric-access-control-mechanisms-acl-capability-list-attribute-based-access-control/
>
> RBAC vs ABAC pros and cons are already well known (see for instance
> https://www.dnsstuff.com/rbac-vs-abac-access-control), and you don't
> really need to introduce capabilities into the mix.
>
> My argumentation has nothing to do with RBAC versus ABAC.
>
> Denis
>
>
> Fabien
>
> On Tue, Aug 18, 2020 at 12:22 PM Denis <denis.ietf@free.fr> wrote:
>
>> Hello,
>>
>> I have posted a new use case (unfortunately as usual for me in the wrong
>> directory) under the name:
>> *Enterprise servers and Internet servers use cases*.
>>
>> It is available from:
>> https://github.com/ietf-wg-gnap/general/wiki/Enterprise-servers-and-Internet-servers-use-cases
>>
>> At the end of this paper, I have summarized the terminology used in this
>> paper.
>>
>>    - User : human person
>>    - individual client : application that requests access tokens on
>>    behalf of a User
>>    - User Agent : User Interface associated with an individual client
>>    that manages the User Consent and choices
>>    - enterprise client: application that requests access tokens on
>>    behalf of the application
>>    - attribute: characteristic of a User or of an Application
>>    - capability: pair of elements granted by an AS that indicates which
>>    method is allowed on which data object
>>    - Attribute-based Access Control (ABAC): access control scheme based
>>    on a policy that uses one or more attributes to grant or to deny an
>>    operation
>>    - User access token: access token that contains attributes related to
>>    the User or /and capabilities granted to the User
>>    - application access token: access token that contains attributes
>>    related to the application or /and capabilities granted to an enterprise
>>    client application
>>
>> Denis
>>
>> PS. If someone could post a message explaining how to place a use case
>> in the right directory, it might be useful for a next time.  :-)
>>
>>
>>
>>
>> --
>> TXAuth mailing list
>> TXAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
>
> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>
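The thread turns on two readings of "capability": Denis's use case defines it as a (method, data object) pair granted by the AS and carried in an access token alongside attributes, with the Resource Controller free to decide per resource whether capabilities or an ABAC rule govern access; Fabien's ocap reference stresses that a capability is authority you hold rather than an identity looked up in a list. The Python below is an added illustration written for this archive page, not code from the thread, from either author, or from any GNAP draft. It shows an AS issuing a token that carries both attributes and Denis-style capabilities, and an RS that verifies the token and then applies whichever decision mode the Resource Controller configured for the requested object. The token format (base64 JSON plus an HMAC tag over a key shared by AS and RS), the policy table, and all names and sample values are assumptions made for the example; GNAP's real token and key-binding mechanisms differ.

```python
import base64
import hashlib
import hmac
import json

# Added example (not from the thread or any GNAP draft). Token format and all
# names below are assumptions made for illustration only.

SECRET = b"shared-AS-RS-key"  # constructed: key shared by AS and RS for the example


def _canonical(obj) -> bytes:
    """Deterministic JSON so the MAC covers a stable byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_token(key: bytes, subject: str, attributes: dict, capabilities: list) -> str:
    """AS side: bind attributes and (method, object) capabilities to a subject
    and protect them with an HMAC so the RS can detect forgery or tampering."""
    body = {"sub": subject, "attributes": attributes, "capabilities": capabilities}
    payload = base64.urlsafe_b64encode(_canonical(body)).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(key: bytes, token: str):
    """RS side: return the token body, or None if the MAC does not check out."""
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def holds_capability(body: dict, method: str, obj: str) -> bool:
    """Capability check in Denis's sense: the token must carry the exact
    (method, object) pair. Authority comes from what the token holds, not
    from looking the subject up in a list."""
    return any(c.get("method") == method and c.get("object") == obj
               for c in body.get("capabilities", []))


# Resource Controller policy, per object (constructed): 'capability' means the
# token must carry the matching (method, object) pair; 'abac' means a predicate
# over the token's attributes and the requested method decides.
POLICY = {
    "/docs/42": {"mode": "capability"},
    "/reports/q3": {
        "mode": "abac",
        "rule": lambda attrs, method: attrs.get("dept") == "finance"
                                     and (method == "read" or attrs.get("clearance", 0) >= 3),
    },
}


def authorize(key: bytes, token: str, method: str, obj: str, policy: dict = POLICY) -> bool:
    """RS decision: verify the token first, then apply the mode the Resource
    Controller chose for this object. Unknown objects are denied by default."""
    body = verify_token(key, token)
    if body is None:
        return False                      # forged, tampered or malformed token
    rule = policy.get(obj)
    if rule is None:
        return False
    if rule["mode"] == "capability":
        return holds_capability(body, method, obj)
    if rule["mode"] == "abac":
        return bool(rule["rule"](body.get("attributes", {}), method))
    return False


if __name__ == "__main__":
    # Constructed sample: alice gets finance attributes and one read capability.
    alice = issue_token(SECRET, "alice", {"dept": "finance", "clearance": 2},
                        [{"method": "read", "object": "/docs/42"}])
    print(authorize(SECRET, alice, "read", "/docs/42"))     # capability present
    print(authorize(SECRET, alice, "write", "/docs/42"))    # no write capability
    print(authorize(SECRET, alice, "read", "/reports/q3"))  # ABAC: dept == finance
    print(authorize(SECRET, alice, "write", "/reports/q3")) # ABAC: clearance too low
```

The point worth noticing is that the same verified token feeds both decision paths: for `/docs/42` the RS never looks at who alice is, only at whether the token carries `read` on that object, while for `/reports/q3` the RS ignores the capability list and evaluates attributes under a rule it owns. Editing the payload to add a capability fails at `verify_token`, which is what keeps the capability from being "forged" by the client.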